Thursday, November 4, 2010

Adding a certificate to server trusted store

Setting up digital certificates for Websphere Commerce

There will almost always be situations where your WebSphere Commerce instance needs to interact with external systems such as payment, fulfilment or inventory systems, and those interactions are almost always over a secure channel (HTTPS, SFTP, etc.).

For example, to set up WebSphere Commerce as a web service consumer, we need to trust the certificate presented by the server hosting the web service; otherwise you will get an SSLHandshakeException.

There are two ways to do this. One way is to update the cacerts file in the WebSphere Application Server path. The cacerts file is the trust store for the WebSphere Application Server and is located at C:\RAD601\runtimes\base_v6\java\jre\lib\security, assuming that C:\RAD601 is your RAD installation.

To update the cacerts, follow the steps below:

  1. Copy the certificate file (usually .pem or .cer) to a temporary directory on your local drive

  2. Change directory to C:\RAD601\runtimes\base_v6\java\jre\bin

  3. Run the following command
keytool -import -v -keystore C:\RAD601\runtimes\base_v6\java\jre\lib\security\cacerts -alias AliasName -file c:\file.pem
Assuming that C:\RAD601 is the RAD installation directory and base_v6 is the WebSphere Application Server instance directory.
AliasName is the name for the certificate in the trust store.
C:\file.pem is my certificate file.

  4. Enter the default password “changeit” when prompted

  5. Type “yes” if you are prompted whether to trust the certificate or not

  6. You will see a message like “Certificate was added to keystore” if it was successful.

The second way, and the preferred way, to trust the certificate is as given below

  1. Change directory to C:\RAD601\runtimes\base_v6\java\jre\bin and execute ikeyman.exe

  2. The IBM key manager window opens.

  3. Select Open (2nd icon) and the Open window appears. Click Browse and traverse to the wasprofile\etc directory in the WebSphere Commerce toolkit path, assuming C:\WCToolkitEE60 is the WebSphere Commerce toolkit installation directory:
C:\WCToolkitEE60\wasprofile\etc

  4. Select DummyServerTrustFile.jks and then select Open

  5. Enter the default password “WebAS”

  6. Click Add to add a new certificate to the trust store. Select Browse, traverse to the certificate path, select the certificate and click OK

  7. Now the certificate is added to the dummy certificate trust file in WebSphere Commerce.

  8. Now we need to tell WebSphere Application Server about DummyServerTrustFile.jks. This is done by opening the WebSphere Application Server console in the browser and logging in, usually at http://localhost:9060/ibm/console

  9. Select Servers → Application Servers and then select the server (default is server1).

  10. Once the server configuration properties are displayed, select the Java and Process Management option. Under that select Process Definition and then Java Virtual Machine from the Additional Properties

  11. Enter the following in the Generic JVM arguments field and then restart the application server
-Djavax.net.ssl.keyStore=C:\WCToolkitEE60\wasprofile\etc\DummyServerTrustFile.jks -Djavax.net.ssl.keyStorePassword=WebAS -Djavax.net.ssl.trustStore=C:\WCToolkitEE60\wasprofile\etc\DummyServerTrustFile.jks -Djavax.net.ssl.trustStorePassword=WebAS

This establishes the WebSphere Commerce trust store as the trust store of WebSphere Application Server. Because these are JVM-wide system properties, every outbound SSL connection made by that server now validates the remote certificate against DummyServerTrustFile.jks.
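Whichever of the two procedures you used, it is worth confirming from the same JRE that the certificate really landed in the trust store and that a TrustManager built from that store accepts it, since that is the decision that otherwise surfaces as SSLHandshakeException. The following is an added example and not code from the original post; the trust store path, password and certificate file are assumptions taken from the DummyServerTrustFile.jks steps above (for the cacerts route, point TRUST_STORE at cacerts and use the password changeit).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {
    // Assumed values, taken from the paths and password used in the post above.
    static final String TRUST_STORE = "C:\\WCToolkitEE60\\wasprofile\\etc\\DummyServerTrustFile.jks";
    static final char[] PASSWORD = "WebAS".toCharArray();
    static final String CERT_FILE = "c:\\file.pem";

    // SHA-256 fingerprint, comparable with the output of "keytool -list -v".
    static String fingerprint(Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded()))
            sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate wanted;   // the .pem/.cer file that was imported
        try (InputStream in = new FileInputStream(CERT_FILE)) {
            wanted = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUST_STORE)) {
            ks.load(in, PASSWORD);  // a wrong store password fails here, not at connection time
        }
        // 1. Present? getCertificateAlias returns null when the store lacks this exact certificate.
        String alias = ks.getCertificateAlias(wanted);
        System.out.println("fingerprint " + fingerprint(wanted) + " alias: " + alias);
        // 2. Trusted? Same decision the SSL handshake makes: a cert in the store is a trust anchor.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(new X509Certificate[] { wanted }, "RSA");
            System.out.println("trusted by " + TRUST_STORE);
        } catch (CertificateException e) {
            System.out.println("NOT trusted: " + e.getMessage());
        }
    }
}
```

If the alias prints as null or the second check reports NOT trusted, the import went into a different store (or a different JRE's cacerts) than the one the server actually uses.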

2 comments:

  1. Hi, I found your post very clear and useful. I was wondering if you could help me with a commerce issue: I'm trying to invoke a commerce webservice (provided by the platform) building my own JAX-WS client. Even if I'm putting password and username in the soap header I always get security exceptions. But I can invoke the websphere commerce webservices with SoapUI. Can you help me?

  2. I am sorry.. I know it's been a while.. were you able to solve the issue?