![Page 1: Securing U2 Soap Server](https://reader036.vdocument.in/reader036/viewer/2022071601/613d329b736caf36b75a7955/html5/thumbnails/1.jpg)
1
Securing U2 Soap Server
Introduction
To enable SSL on the client (Consumer-to-U2SS) side, we need a U2 soap server certificate. There are three possible methods to obtain the server certificate:
1. Use U2 UniAdmin to generate a self-signed certificate.
2. Obtain one from a commercial site (CA authority).
3. Use the Java keytool program.
Diagram (page 1 of the original): Consumers on the CLIENT side (EF020C9DB8.usco.ibm.com) exchange SOAP Requests and SOAP Responses with the U2 Soap Server over SOAP over HTTP(s)/SSL. The U2 Soap Server is made up of the Jetty Http Server, the SOAP Processor and the UOJ Connection Pools, and connects to the U2 DB (teklap4.usco.ibm.com) over UniRPC/SSL. The CLIENT/SERVER labels appear on both links: the U2 Soap Server is the SERVER for the Consumers and the CLIENT of the U2 DB.
Information and Naming Conventions
For the purposes of this document, UniAdmin will be used to generate the U2 soap server root certificate request file, the U2 soap server root certificate file, and the U2 soap server Leaf CA certificate file. The Java keytool will be used to create the U2 soap server Leaf CA certificate request file.
- The U2 soap server root certificate file is called u2ssroot.cer
- The U2 soap server certificate file is called u2SoapServer.cer
- The U2 soap server fully qualified domain name is teklap4.usco.ibm.com
This document will demonstrate securing the components in the following drawing:
Drawing (page 3 of the original; not reproduced here).
1. Create Self-signed Root Certificate – u2ssroot.cer
a. Create the certificate directory
First, decide on a common place to store all your certificates (a good practice); here we assume it is C:\certs\U2SoapServer
b. Create a Certificate Request
1) From Start->Programs->IBMU2->UniAdmin
2) Once in UniAdmin, define a U2 Server under U2 Servers (if there are none)
3) Connect to a U2 Server (here assume a UV server)
4) Click "SSL Configure"
5) In the "SSL Configuration" window, click "Generate a Certificate Request..."
6) Follow the UniAdmin wizard, and specify a "Certificate Request File" path and certificate request file name: "C:\certs\U2SoapServer\u2ssroot.req". Also select the SHA1 digest algorithm.
7) For "Request Properties", we assume the following values:
   C     US
   ST    Colorado
   L     Denver
   O     IBM Corp.
   OU    U2 soap server self signed root certificate
   CN    teklap4.usco.ibm.com (fully qualified domain name)
   Email [email protected]
8) For "Key Pair Generation", click "Generating new key pair"
9) For "Key Pair Info", type in the two path names for the key pair:
   C:\certs\U2SoapServer\u2ssroot.pvt
   C:\certs\U2SoapServer\u2ssroot.pub
10) For "Password", type and confirm the key password phrase "my password"
11) Click "Create"; a certificate request will be created.
12) Click "Finish"
The following images demonstrate the UniAdmin tool:
Screenshots of the UniAdmin "Generate a Certificate Request" wizard (pages 4-10 of the original):
- Wizard start: "Generate a Certificate Request"; click Next.
- Certificate Request File: C:\certs\U2SoapServer\u2ssroot.req, digest algorithm SHA1; click Next.
- Request Properties: C = US, ST = Colorado, L = Denver, O = IBM Corp., OU = U2 Support Soap Server self signed root certificate, CN = teklap4.usco.ibm.com, Email = [email protected]; click Next.
- Key Pair Selection: check "Generating new key pair"; click Next.
- Key Pair Info: Private Key File = C:\certs\U2SoapServer\u2ssroot.pvt, Public Key File = C:\certs\U2SoapServer\u2ssroot.pub; click Next.
- Password: Password for Private Key = "my password", Confirm Password = "my password"; click Next, then OK.
- Click Finish.
c. Create Certificate
If all the above steps succeeded, then:
1) From the "SSL Configure" window, click the "Certificate" tab
2) Click the "Generate a Certificate" button.
3) For "Certificate File", type in a path and certificate file name: "c:\certs\U2SoapServer\u2ssroot.cer"
4) Type "c:\certs\U2SoapServer\u2ssroot.req" into the "Certificate Request File" box.
5) Select or type 1826 (5 years) as the value for "Validity period"
6) Check "Self Sign" for "Certificate Type".
7) Type "C:\certs\U2SoapServer\u2ssroot.pvt" for "Private Key File"
8) Type in "my password" for the private key (see step 10 of 1b).
9) Click "Create". If everything is supplied correctly, a self-signed root certificate will be created.
The following images demonstrate the UniAdmin tool:
Screenshots of the UniAdmin "Generate a Certificate" wizard (pages 11-19 of the original):
- Certificate tab: click "Generate a Certificate"; click Next.
- Certificate File: c:\certs\U2SoapServer\u2ssroot.cer; click Next.
- Certificate Request File: C:\certs\U2SoapServer\u2ssroot.req; click Next.
- Validity Period = 1826; click Next.
- Certificate Type: Self Sign; click Next.
- Private Key File: c:\certs\U2SoapServer\u2ssroot.pvt; click Next.
- Password for Private Key: my password; click Create.
- Click OK, then Finish.
INFO: A typical certificate request site (IBM's) is shown in the screenshots on pages 20-23 of the original.
2. Create a U2 soap server Keystore “u2sskeystore”
The U2 soap server needs a keystore to store the soap server's root and leaf CA certificates. We will be using our own Java Key Store called u2sskeystore (c:\certs\U2SoapServer\u2sskeystore), and the U2 soap server Java Runtime keystore called cacerts located in your U2 IBM install path (normally c:\ibm\unidk\jre\lib\security\cacerts). The Java keytool program is a very powerful utility. Documentation and examples on how to use this tool are available on the internet: "KeyTool User Guide-142.html", http://www.ibm.com/developerworks/java/jdk/security/142/secguides/keytoolDocs/KeyToolUserGuide-142.html
Assumptions:
- U2 soap server certificate and key store repository is c:\certs\U2SoapServer
- Key Store Alias is u2sskey
- Key password is "my password"
- Key Store password is "changeit"
- U2 soap server domain name is teklap4.usco.ibm.com
a. Creating u2sskeystore:
keytool -genkey -keyalg RSA -keysize 1024 -dname "CN=teklap4.usco.ibm.com, OU=IBM Corp., O=U2 Support soap server certificate keystore, L=Denver, S=Colorado, C=US" -alias u2sskey -keypass "my password" -keystore u2sskeystore -storepass "changeit"
b. Create a U2 soap server Keystore Certificate Request
Assumptions:
- Key Store is u2sskeystore
- Certificate request is from alias u2sskey
- Key password is "my password"
- Key Store password is "changeit"
keytool -certreq -file u2soapserver.req -alias "u2sskey" -keypass "my password" -keystore u2sskeystore -storepass "changeit"
c. Create a U2 soap server Keystore Certificate
1) Go back to UniAdmin->SSL Configure->Certificate->Generate a Certificate
2) For "Certificate File", type a path name for the certificate file: "C:\certs\U2SoapServer\u2SoapServer.cer"
3) Type "C:\certs\U2SoapServer\u2SoapServer.req" into the "Certificate Request File" box.
4) Highlight the default value 365 and type 1826 (5 years) as the value for "Validity period"
5) Check "Leaf CA Sign" for "Certificate Type".
6) In the "X.509 v3 Certificate Extensions" screen, check "SubjectAltName" and click the edit icon on the right. At the bottom of the screen, choose "DNS" for Type, and type "teklap4.usco.ibm.com".
7) In the "Signing Certificate and Private Key File" screen, type C:\certs\U2SoapServer\u2ssroot.cer for "CA Certificate File" and C:\certs\U2SoapServer\u2ssroot.pvt for "Private Key"
8) Type in "my password" for the private key.
9) Click "Create".
The following images demonstrate the UniAdmin tool (pages 25-32 of the original):
- Certificate File: C:\certs\U2SoapServer\u2SoapServer.cer; click Next.
- Certificate Request File: C:\certs\U2SoapServer\u2SoapServer.req; click Next.
- Validity Period: 1826; click Next.
- Certificate Type: Leaf CA Sign; click Next.
- SubjectAltName: DNS:teklap4.usco.ibm.com; click Next.
- Signing Certificate and Private Key File: CA Certificate File = C:\certs\U2SoapServer\u2ssroot.cer, Private Key File = C:\certs\U2SoapServer\u2ssroot.pvt; click Next.
- Password for Private Key = my password; click Create.
- Click OK, then Finish.
3. Import Certificates into Key Store
a. Import Root Certificate into Java Keystore
Assumptions:
- Key Store is u2sskeystore
- U2 soap server Root Certificate tied to alias U2ssrootkey
- Key password is "my password"
- Key Store password is "changeit"
C:\certs\U2SoapServer> keytool -import -file u2ssroot.cer -alias "U2ssrootkey" -keypass "my password" -keystore u2sskeystore -storepass "changeit"
b. Import the soap server Certificate into Java Keystore
Assumptions:
- Key Store is u2sskeystore
- U2 soap server Certificate tied to alias u2sskey
- Key password is "my password"
- Key Store password is "changeit"
keytool -import -file u2soapserver.cer -alias "u2sskey" -keypass "my password" -keystore u2sskeystore -storepass "changeit"
c. Import Root Certificate into Default JRE's CA keystore
cd \IBM\UniDK\JRE2\jre\lib\security
Assumptions:
- Key Store is cacerts
- U2 soap server Root Certificate (u2ssroot.cer) tied to alias U2ssrootkey
- Key password is "my password"
- Key Store password is "changeit"
C:\IBM\UniDK\JRE2\jre\lib\security> keytool -import -file c:\certs\U2SoapServer\u2ssroot.cer -alias U2ssrootkey -keypass "my password" -keystore cacerts -storepass "changeit"
d. Import Root Certificate into Windows Certificate Store
1) Open an IE window. From the tool bar: Tools->Internet Options->Content, then click "Certificates".
2) Click "Import", then Next.
3) For File name, specify the path for your soap server Root Certificate (use Browse to locate it), e.g. "C:\certs\U2SoapServer\u2ssroot.cer", then click Next.
4) Select "Trusted Root Certification Authorities", click OK, then Next.
5) The Wizard will ask you to confirm the content of the certificate. Click Finish.
6) The Wizard should display "Do you want to install this certificate". Click Yes.
7) The Wizard should display a "success" message.
8) Find the "Trusted Root Certificate Authorities" tab, click it and verify that the Root Certificate is indeed installed. Click OK and close the IE windows.
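The document sets a DNS SubjectAltName on the leaf certificate (section 2c, step 6) and then installs the self-signed root into the Java and Windows trust stores (section 3). The checks below are an added example, not part of the original document, showing what a client does with that setup: it matches the server name against the SAN DNS entries only (the subject CN is ignored, which is why step 6 is required), checks the validity window (1826 days in the document) and, in probe_server, performs a real TLS handshake against the soap server trusting only the exported root. The sample certificate dictionaries are constructed to mirror the document's values; the host name teklap4.usco.ibm.com and the path C:\certs\U2SoapServer\u2ssroot.cer come from the document, while the port number and the assumption that u2ssroot.cer is PEM-encoded (which load_verify_locations requires) are mine.

```python
"""Post-setup checks for the U2 soap server TLS certificate (added example, not
part of the original document). Only the Python standard library is used."""
import socket
import ssl
import time
from typing import Dict, List, Mapping, Optional

# Certificates are handled in the dictionary form returned by
# ssl.SSLSocket.getpeercert(). Both samples are constructed by hand: the first
# mirrors the document's leaf certificate (CN plus a DNS SubjectAltName for
# teklap4.usco.ibm.com, 1826 days of validity); the second is the same
# certificate as it would look if the SubjectAltName step (2c, step 6) were
# skipped. The dates are made up.
SAMPLE_LEAF_CERT: Dict = {
    "subject": ((("countryName", "US"),),
                (("stateOrProvinceName", "Colorado"),),
                (("localityName", "Denver"),),
                (("commonName", "teklap4.usco.ibm.com"),)),
    "issuer": ((("commonName", "teklap4.usco.ibm.com"),),),   # signed by the self-signed root
    "subjectAltName": (("DNS", "teklap4.usco.ibm.com"),),
    "notBefore": "Jan 15 00:00:00 2010 GMT",
    "notAfter": "Jan 15 00:00:00 2015 GMT",   # exactly 1826 days later
}
SAMPLE_CN_ONLY_CERT: Dict = {k: v for k, v in SAMPLE_LEAF_CERT.items()
                             if k != "subjectAltName"}


def san_dns_names(cert: Mapping) -> List[str]:
    """Return the DNS names from the certificate's SubjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert: Mapping, hostname: str) -> bool:
    """RFC 6125-style check: the host name must match a DNS SubjectAltName entry.
    The subject CN is deliberately ignored, as current browsers and Java clients
    do, so a certificate without SAN never matches."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names(cert):
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        # A single leftmost wildcard label stands for exactly one host label.
        if (labels[0] == "*" and len(labels) == len(host_labels) > 1
                and labels[1:] == host_labels[1:]):
            return True
    return False


def validity_days(cert: Mapping) -> int:
    """Length of the validity period in whole days (1826 for the document's certs)."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((end - start) // 86400)


def validity_status(cert: Mapping, now: Optional[int] = None) -> str:
    """'valid', 'expired' or 'not_yet_valid' relative to `now` (UTC epoch seconds)."""
    if now is None:
        now = int(time.time())
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not_yet_valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return "valid"


def check_certificate(cert: Mapping, hostname: str,
                      now: Optional[int] = None) -> Dict[str, object]:
    """Summarise the checks a consumer performs before trusting the soap server."""
    return {
        "hostname_ok": hostname_matches(cert, hostname),
        "san": san_dns_names(cert),
        "status": validity_status(cert, now),
        "validity_days": validity_days(cert),
    }


def probe_server(host: str, port: int, cafile: str) -> Dict[str, object]:
    """Connect to the soap server over TLS trusting only the exported root
    (cafile must be PEM-encoded) and run the checks on the certificate it
    presents. The handshake itself already enforces chain and host name
    validation and raises ssl.SSLCertVerificationError on failure.
    Port is a parameter because the document does not state it; not run offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return check_certificate(tls.getpeercert(), host)


if __name__ == "__main__":
    # 1338508800 is 2012-06-01T00:00:00Z, inside the sample validity window.
    print(check_certificate(SAMPLE_LEAF_CERT, "teklap4.usco.ibm.com", now=1338508800))
    print(check_certificate(SAMPLE_CN_ONLY_CERT, "teklap4.usco.ibm.com", now=1338508800))
```

Running the module prints the two sample reports: the document's certificate passes the host name check, the CN-only variant fails it. Once the soap server is listening on SSL, call probe_server("teklap4.usco.ibm.com", port, r"C:\certs\U2SoapServer\u2ssroot.cer") from a consumer machine. Depending on the client's OpenSSL security level, a 1024-bit RSA key (the -keysize 1024 in section 2a) or a SHA1-signed certificate can be rejected at the handshake; that rejection is the cue to regenerate with a 2048-bit key and SHA-256.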
Proceed to the “secure u2 soap server-v4 u2ss-u2db - document 2”