Software AG Products 10.11 | Administering Integration Server | Configuring Integration Server for Secure Communications | Configuring SSL Information for the Integration Server JVM
 
Configuring SSL Information for the Integration Server JVM
 
Order of Precedence for the javax.net.ssl Properties
Third-party components in Integration Server such as databases and LDAP use JSSE to make outbound calls to external servers. In these cases, the third-party component uses JSSE directly to make the call. The third-party component does not use the default SSL settings configured for Integration Server. Instead, when a third-party component uses secure socket layers (SSL) with external servers, the Integration Server JVM uses the javax.net.ssl properties in the JVM for creating the SSL Context for the SSL handshake.
You can set the keystore location, truststore location, and password information using the javax.net.ssl properties for the JVM. However, these properties take String values which can result in storing password information in plain text somewhere on the file system. This represents a security vulnerability.
To address this security issue, Integration Server provides a way to specify the keystore and truststore locations and passwords for the JVM in a way in which the passwords are not stored in plain text. Specifically, Integration Server Administrator provides the JVM Keystore Alias and JVM Truststore Alias fields on the Security > Certificates page. Use these fields to specify the keystore and truststore aliases that the JVM uses establish the default SSL context. At start up, Integration Server sets the javax.net.ssl properties by obtaining the store locations and passwords from the aliases.
Note:
The JVM Keystore Alias and JVM Truststore Alias field values are stored in the watt.server.ssl.keyStoreAlias and the watt.server.ssl.trustStoreAlias server configuration parameters, respectively.
*To configure the SSL information for the Integration Server JVM
1. Use Integration Server Administrator to create a keystore alias for the keystore used for creating the default SSL context.
For more information about creating a keystore alias, see Creating Keystore Aliases.
2. If you do not want to use the DEFAULT_JVM_TRUSTSTORE truststore alias as the JVM Truststore Alias, use Integration Server Administrator to create a truststore alias for the truststore that contains the information needed to establish an SSL connection with SSL-enabled server.
For more information about creating a truststore alias, see Creating Truststore Aliases.
3. Open Integration Server Administrator and go to Security > Certificates.
4. Click Edit Certificates Settings.
5. Under JVM Settings, in the JVM Keystore Alias list, select the keystore alias created in step 1.
6. If you are using a truststore, in the JVM Truststore Alias list, select the truststore alias created in step 2.
7. Click Save Changes.
Upon save, Integration Server uses the value of the JVM Keystore Alias and JVM Truststore Alias to update the values of watt.server.ssl.keyStoreAlias and the watt.server.ssl.trustStoreAlias server configuration parameter.
8. Restart Integration Server. Changes will not take effect until Integration Server (and therefore the JVM) restarts.
Important:
If you change the value of JVM Keystore Alias or JVM Truststore Alias fields (or the related parameters watt.server.ssl.keyStoreAlias parameter or the watt.server.ssl.trustStoreAlias), you must restart Integration Server for changes to take effect. Additionally, if you change the contents of the keystore and/or truststore referenced by the field or parameters, you must restart Integration Server for changes to take effect.