Storing SSL Information for the Integration Server JVM in a Secure Manner
When using secure socket layers (SSL) with external servers, you need to configure JVM parameters for creating SSL Context for the SSL handshake. You can set the keystore location, truststore location, and password information using the javax.net.ssl properties for the JVM. However, these properties take String values which can result in storing password information in plain text somewhere on the file system. This represents a security vulnerability.
To address this security issue, Integration Server provides a way to specify the keystore and truststore locations and passwords in a way in which the passwords are not stored in plain text. Specifically, Integration Server provides server configuration parameters for which you specify the keystore and truststore aliases to be used to establish the default SSL context. At start up, Integration Server sets the javax.net.ssl properties by obtaining the store locations and passwords from the aliases and then creates the default SSL context.
The server configuration parameters are as follows:
watt.server.ssl.keyStoreAlias - Name of the keystore alias for the
Integration Server keystore that contains the information needed to establish an SSL connection with SSL-enabled servers.
watt.server.ssl.trustStoreAlias - Name of the truststore alias for the
Integration Server truststore that contains the information needed to establish an SSL connection with SSL-enabled servers.
To store the SSL information for the JVM used by
Integration Server in a secure manner
1. Create the keystore to use for creating the default SSL context.
Note: Software AG does not provide its own set of utilities for creating or managing keystore or truststore files.
2. If needed, create a truststore to use for creating the default SSL context.
3. Use Integration Server Administrator to create a keystore alias for the keystore created in step 1.
For more information about creating a keystore alias, see
Creating Keystore Aliases.
4. If necessary use Integration Server Administratorto create a truststore alias for the truststore created in step 2.
For more information about creating a truststore alias, see
Creating Truststore Aliases.
5. Use Integration Server Administrator to set the watt.server.ssl.keyStoreAlias parameter value to be the keystore alias created in step 3.
6. If you are using a truststore, use Integration Server Administrator to set the watt.server.ssl.trustStoreAlias parameter value to be the truststore alias created in step 4.
7. Restart Integration Server.