Runtime components : Service engine : How to use Service Engine? : How to enable HTTPS with a self-signed certificate?
  
How to enable HTTPS with a self-signed certificate?
The concepts of the SSL/TLS protocol for your reference:
Java™ Secure Socket Extension (JSSE) Reference Guide at
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html
Java Cryptography Architecture Standard Algorithm Name at
https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html
Service Engine supports authentication over HTTPS and it supports 3 trust levels (ALL, PUBLIC and PRIVATE) for the certificate depending on the settings at ServiceEngine.Configuration.Connection.CertificateTrustLevel:
ALL, trust any server certificate.
PUBLIC, trust the server certificates issued by well-known Certificate Authority (CA).
PRIVATE, trust the self-signed certificates.
You should use PRIVATE trust level to enable HTTPS with self-signed certificate; PRIVATE is the recommended mode in production environment.
In PRIVATE mode, the Service Engine can support both
client authentication (when KeyStore is specified)
and
server authentication (when TrustStore is specified)
The SSL/TLS/HTTPS is dependant on many factors:
Different Application Servers need different steps to set self-signed certificates.
Different JDK use different JSSE providers, such as SunJSSE for Oracle JDK, IbmJSSE2 for IBM JDK, and others.
The SSL/TLS protocol you preferred, e.g., TLS, SSLv2, and so on.
The Key Store type you chose, such as jks by default
The key and trust manager factory algorithms, such as PKIX, SunX509, IbmX509
The cipher suites you specified, such as SHA256 families
In general, you can follow these steps to enable HTTPS with self-signed certificate.
Generate the key store
You can do this with JDK, Application Server or 3rd party tools.
Here as an example we use JDK tool to generate the key store at /yourKeyStore.keystore:
$JAVA_HOME/bin/keytool -genkey -v -alias tomcat -keyalg RSA -validity 365 -keystore /temp/ myKeyStore.keystore
Please refer to the manual of JDK for the details about keytool.
Enable the self-signed certificate at Application Server
This step very depends on the Application Server, please refer to their official documents to do it.
Tomcat
Please refer to the document of Tomcat for details.
Here as example:
1 Copy the key store file to tomcat conf folder:
$ sudo copy /temp/myKeyStore.keystore $tomcat_home/conf/tomcat.keystore
2 Configure the Connector at server.xml of tomcat
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="true" sslProtocol="TLS"
    URIEncoding="UTF-8" keystoreFile="conf/tomcat.keystore"
    keystorePass="123456"
    truststoreFile="conf/tomcat.keystore" truststorePass="123456"
/>
WebSphere Application Server
Please refer to the document of WAS for details.
WebSphere Application Server Liberty profile
Please refer to the document of WAS Liberty for details.
Configurations
Configure the ServiceEngine at btt.xml to use the self-signed certificate.
Set https schema
Set the ServiceEngine.Configuration.ServiceURI to use the https schema, e.g.:
<field id="httpsHostA" value="https://hostName:securePort/RemoteUDTTAppContextRoot/openapi/short/" />
You can reference this host with the id “httpsHostA” later, such as,
ServiceEngine. getInstance().execServiceOperation(…,”httpsHostA”);
Change hostname, securePort and RemoteUDTTAppContextRoot as real case.
Here RemoteUDTTAppContextRoot is the context root of the remote UDTT application used as service provider.
Set certificate trust level to PRIVATE
ServiceEngine.Configuration.Connection.CertificateTrustLevel ="PRIVATE"
Set the HTTPS parameters
Set the HTTPS parameters under ServiceEngine.Configuration.Connection
SSLProtocol = "TLS"
EnabledCipherSuites = ""
KeyStoreType = "jks"
KeyStorePath = "/temp/myKeyStore.keystore"
KeyStorePassword" = "myKeyStorePassword"
KeyPassword = "myKeyPassword"
KeyManagerFactoryAlgorithm value= ""
TrustStorePath = "/temp/myKeyStore.keystore"
TrustStorePassword = "myTrustStorePassword "
TrustManagerFactoryAlgorithm = ""
Note  
These parameters are very depend on the user case, so set it carefully as need.
Read the description of the field for its meaning.
Leave the value EMPTY for the default value.
Use specified JSSE provider [optional]
In certain situations you might want to use a specified JSSE provider other than the default one.
In such a case you should add the dependency jars and change the JSSE provider at java.security accordingly.
As an example, supposing you want to use SHA256 and co-work with IBM WAS but use NON IBM JRE at client side, then you need do these steps:
Note IBM java use IBMJSEE2 to support SHA256 at JDK v8.
1 Copy IBMJSEE2.jar from WAS JDK to the client application class path.
2 Change the JSSE provider at $JAVA_HOME/security/lib/java.security file by adding these two lines at the first place of security providers:
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
3 Change the HTTPS parameters (under ServiceEngine.Configuration.Connection) accordingly
SSLProtocol = "SSL_TLSv2"
EnabledCipherSuites = "SSL_RSA_WITH_AES_128_GCM_SHA256"
KeyStoreType = "jks"
KeyStorePath = "/temp/myKeyStore.keystore"
KeyStorePassword" = "myKeyStorePassword"
KeyPassword = "myKeyPassword"
KeyManagerFactoryAlgorithm value= " IbmX509"
TrustStorePath = "/temp/myKeyStore.keystore"
TrustStorePassword = "myTrustStorePassword "
TrustManagerFactoryAlgorithm = "IbmX509"
Go up to
How to use Service Engine?