Configuring Integration Server to Use Two-way SSL
To configure Integration Server for two-way SSL authentication:
1. Using OpenSSL, create a self-signed certificate (mediator.cer) with the following command:
openssl req -new -x509 -days 2000 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt -subj "/O=Company/OU=Unit/CN=localhost"
The value in the CN field of the subject must match the hostname of the machine running Mediator, because that hostname is the one clients use to send requests to Mediator.
2. Create at least one keystore (mediatorkeystore.jks), in PKCS#12 or JKS format, containing the Integration Server key pair to use for SSL.
C:\deploykeystores\new>keytool -v -genkeypair -alias mediator -keyalg RSA -validity 1000 -keystore mediatorkeystore.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Enter key password for <mediator>
<RETURN if same as keystore password>:
[Storing mediatorkeystore.jks]
C:\deploykeystores\new>
3. Create at least one truststore (mediatortruststore.jks), in JKS format, in a location of your choice on the machine where CentraSite is running.
4. Export Mediator's self-signed certificate (mediator.cer) and import it into CentraSite's truststore.
5. Import CentraSite's self-signed certificate (centrasite.cer) into Mediator's truststore (mediatortruststore.jks).
C:\deploykeystores\new>keytool -export -alias centrasite -keystore centrasitekeystore.jks -rfc -file centrasite.cer
Enter keystore password:
Certificate stored in file <centrasite.cer>
C:\deploykeystores\new>keytool -import -alias mediator -keystore mediatortruststore.jks -file centrasite.cer
Enter keystore password:
Re-enter new password:
Owner:
Issuer:
Serial number:
Valid from:
Certificate fingerprints:
Trust this certificate? [no]: yes
Certificate was added to keystore
C:\deploykeystores\new>
6. Create a keystore alias and a truststore alias that refer to the keystore (mediatorkeystore.jks) and truststore (mediatortruststore.jks) created above. For more information on creating keystore and truststore aliases, see the webMethods Integration Server Administrator’s Guide in the documentation set for webMethods Integration Server.
7. Configure an HTTPS port and set its client authentication to one of the following:
Username/Password. The server prompts the client for a user ID and password.
Request Client Certificates. The server requests client certificates for all requests. If the client does not provide a certificate, the server prompts the client for a user ID and password. If the client provides a certificate:
The server checks whether the certificate exactly matches a client certificate on file and is signed by a trusted authority. If so, the client is logged in as the user to which the certificate is mapped in Integration Server. If not, the client request fails, unless central user management is configured.
If central user management is configured, the server checks whether the certificate is mapped to a user in the central user database. If so, the server logs the client on as that user. If not, the client request fails.
Require Client Certificates. The server requires client certificates for all requests. The server behaves as described for Request Client Certificates, except that the client must always provide a certificate.
8. On the Ports screen, click Edit to change the Access Mode. You can set the access mode to Allow by Default, or reset it to the default access settings.
9. If you selected Require Client Certificates as the client authentication in step 7, map the client certificate to a valid user in Integration Server.
For more information on configuring ports and client authentication, see webMethods Integration Server Administrator’s Guide.
10. Restart the Integration Server.
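Two points in this procedure are easy to get wrong and worth scripting a check for: the CN in the subject given to OpenSSL in step 1 must equal the hostname clients use to reach Mediator, and the three client-authentication modes in step 7 lead to different login outcomes depending on whether a certificate is presented, trusted and mapped. The following Python is an added example written for this page; it is not code from the webMethods documentation or from Integration Server, and the function names, the ClientRequest fields and the sample values are assumptions made for illustration.

```python
"""Added example, not from the webMethods documentation.

cn_matches_host()    - checks the CN of an OpenSSL '-subj' string (step 1)
                       against the host in a request URL.
decide_client_auth() - models the login outcome for the client-authentication
                       modes described in step 7.
All names and fields here are assumptions for this example, not
Integration Server APIs.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit


def parse_subject(subj: str) -> Dict[str, str]:
    """Parse an OpenSSL-style subject such as '/O=Company/OU=Unit/CN=localhost'."""
    fields: Dict[str, str] = {}
    for part in subj.strip("/").split("/"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields


def cn_matches_host(subj: str, request_url: str) -> bool:
    """True if the certificate CN equals the hostname clients send requests to."""
    cn = parse_subject(subj).get("CN", "")
    host = urlsplit(request_url).hostname or ""
    return bool(cn) and cn.lower() == host.lower()


# Client-authentication modes listed in step 7.
USERNAME_PASSWORD = "Username/Password"
REQUEST_CLIENT_CERTS = "Request Client Certificates"
REQUIRE_CLIENT_CERTS = "Require Client Certificates"


@dataclass
class ClientRequest:
    """What the server knows about one incoming request (constructed sample type)."""
    certificate: Optional[str]           # presented client certificate, or None
    trusted: bool = False                # signed by an authority in the truststore
    local_user: Optional[str] = None     # user the cert is mapped to in Integration Server
    central_user: Optional[str] = None   # user the cert is mapped to in the central user database


@dataclass
class Decision:
    outcome: str                         # "logged_in", "prompt_credentials" or "rejected"
    user: Optional[str] = None


def decide_client_auth(mode: str, req: ClientRequest,
                       central_user_management: bool = False) -> Decision:
    """Apply the step 7 rules to one request and return the resulting decision."""
    if mode == USERNAME_PASSWORD:
        # The server always prompts for a user ID and password.
        return Decision("prompt_credentials")

    if req.certificate is None:
        # Require: a certificate is mandatory.  Request: fall back to credentials.
        if mode == REQUIRE_CLIENT_CERTS:
            return Decision("rejected")
        return Decision("prompt_credentials")

    if not req.trusted:
        # A certificate not signed by a trusted authority is not accepted.
        return Decision("rejected")

    if req.local_user:
        # Matches a client certificate on file: log in as the mapped user.
        return Decision("logged_in", req.local_user)

    if central_user_management and req.central_user:
        # Fallback only when central user management is configured.
        return Decision("logged_in", req.central_user)

    return Decision("rejected")


if __name__ == "__main__":
    # Constructed sample values for a quick run.
    print(cn_matches_host("/O=Company/OU=Unit/CN=localhost", "https://localhost:5555/ws"))
    print(decide_client_auth(REQUIRE_CLIENT_CERTS, ClientRequest(None)))
    print(decide_client_auth(REQUEST_CLIENT_CERTS,
                             ClientRequest("pem", trusted=True, local_user="mediatorUser")))
```

The decision table is deliberately explicit so that each branch can be read against the text of step 7: a missing certificate only fails under Require Client Certificates, and a certificate that is trusted but unmapped locally is accepted only when central user management is configured and maps it.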