Broker 10.15 | webMethods Broker Documentation | Administering webMethods Broker | Managing Broker Security | Securing Broker Server Using SSL | Configuring SSL for Broker Server
 
Configuring SSL for Broker Server
 
Creating Keystores and Truststores
Loading Keystores and Truststores into My webMethods
Modifying Keystores and Truststores
Following is a high-level summary of the steps required to configure SSL for webMethods Broker. The detailed procedures for implementing the steps are covered in the sections after the high-level summary.
1. Create the keystores.
The Broker Server, Broker user interface, and each Broker Server client must have access to the digital certificates needed to authenticate their connections. The SSL certificates for each of these components resides in a keystore, a specially formatted files protected by a password. Keystores are located on the Broker Server Host, on the local machine hosting the browser that connects to the Broker user interface, and on machines where client applications reside.
The procedure for creating and configuring a keystore is covered in Creating Keystores and Truststores and Managing Certificate Files.
2. Create the truststores.
The Broker Server, Broker user interface, and each Broker Server client must have access to the trusted roots corresponding to the digital certificates needed to authenticate their connections. Trusted roots reside in truststores, and are located on the Broker Server Host, on the local machine hosting the browser that connects to the Broker user interface, and on machines where client applications reside.
The procedures for creating and configuring truststores are covered in Managing Certificate Files with OpenSSL.
You should evaluate how many truststores your Broker system needs. Keeping one truststore for all Broker components may suffice, but the increased security gained from having multiple truststore may better serve your needs.
3. Configure the Broker Server for SSL.
After you have configured a keystore and truststore entry for a Broker Server, you assign it an identity using My webMethods. This procedure is described in Configuring an SSL Identity for a Broker Server .
4. Configure the Broker user interface component for SSL.
For Broker SSL to work, the Broker Server must authenticate the SSL identity of the Broker user interface component. Thus, you need to assign the Broker user interface an identity.
This procedure is described in Configuring an SSL Identity for the Broker User Interface Component.
5. Configure each client to enable SSL.
You use certificate editing tools to create and manage the keystores and truststores for clients, and use the client applications to assign the SSL identities and perform any additional SSL configuration. These tools must work with the appropriate certificate format required for each Broker component (see Keystore File Formats and Truststore File Formats).
You do not use My webMethods or a webMethods command-line utility to configure clients for SSL. For additional information, see Configuring SSL for Clients.
Important:
The use of SSL authentication is determined by whether a client-side keystore is passed to the Broker Server upon connection. You do not configure SSL authentication through the Broker user interface.