Friday, April 10, 2009

2-way SSL between two application servers (non-programmatic way)

I have two applications, a web application and a web service application, hosted on two application servers (WebSphere and Tomcat). I need 2-way SSL (mutual TLS, where each side presents a certificate) between them. In this blog post I explain how I achieved it.

Let's say the web application hosted on Tomcat is a client of the web service hosted on WebSphere.
1. Configuration at client side (Tomcat)

Use keytool available with JDK for the below operations.
1. Client keystore generation

keytool -genkey -keyalg RSA -alias client -keystore clientkeystore.jks -storetype JKS -storepass changeit -keysize 1024 -validity 360


2. Client certificate request generation

keytool -certreq -v -alias client -keystore clientkeystore.jks -storepass changeit -file clientcertreq.csr

3. Submit the above certificate request to a CA and save the following from the CA response to the file system: the signed certificate as clientcert.cer, the complete certificate chain as clientcertchain.p7b and the root CA certificate as clientcacert.cer.

4. Importing the certificate chain into the keystore (the alias must match the one used in step 1 so that the signed chain is attached to the existing private key)

keytool -import -keystore clientkeystore.jks -storepass changeit -file clientcertchain.p7b -alias client

2. Configuration at Server side (WebSphere)

1. Configuring Keystore

Login into WebSphere adminconsole and navigate to

Security >> SSL certificate and key management >> Key stores and certificates >> NodeDefaultKeyStore

Click on NodeDefaultKeyStore >> select Personal Certificates >> Create a Self-Signed Certificate. Fill the form and click ok.

Select the just created certificate and click Extract. Extract the certificate to the file system as servercert.cer by providing the certificate file name and the data type Binary DER data. This is the certificate the server presents to the client for verification, so it must be added to the client truststore (we will see this later).

2. Configure Truststore

Navigate to
Security >> SSL certificate and key management >> Key stores and certificates >> NodeDefaultTrustStore

Click NodeDefaultTrustStore >> select Signer Certificates >> Add

Add the clientcacert.cer downloaded above by providing an alias name, the file path and the data type Binary DER data. This is the CA the server uses to validate the certificate the client presents.

3. Configuring SSL Configuration

Navigate to

Security >> SSL certificate and key management >> SSL configurations >> NodeDefaultSSLSettings

Click on NodeDefaultSSLSettings. Change the Default server certificate alias and Default client certificate alias to the alias of the self-signed certificate just created.

Click on Quality of protection settings. Change Client authentication from the drop-down list to Required. Without this setting the server still accepts connections from clients that present no certificate at all.

3. Client side JVM configuration

1. Importing the server's self-signed certificate into the client JVM truststore

Import the extracted certificate servercert.cer into the client JVM's default truststore (cacerts) as follows.

keytool -import -trustcacerts -alias servercert -file servercert.cer -keystore %JAVA_HOME%\jre\lib\security\cacerts


2. Setting the client keystore and keystore password as JVM options
Set the JAVA_OPTS variable below before starting Tomcat. Do not put spaces around the = in a Windows batch file, otherwise the variable is created with a trailing space in its name and Tomcat never picks it up. No javax.net.ssl.trustStore property is needed because the server certificate was imported into the JVM's default cacerts file.

set JAVA_OPTS=-Djavax.net.ssl.keyStore=<path-to-clientkeystore.jks> -Djavax.net.ssl.keyStorePassword=changeit
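To confirm that the client keystore and the cacerts truststore actually work together before starting Tomcat, here is an added Java check (not part of the original post): it wires up the same material the JVM options above hand to the default SSLContext, performs one handshake against the WebSphere endpoint and reports whether a client certificate was sent. The host name, port and the default cacerts password are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Added check, not part of the original post: does by hand what the JVM options above do and runs one handshake. */
public class MutualTlsCheck {
    // File names, aliases and the keystore password come from the post above.
    static final String CLIENT_KEYSTORE = "clientkeystore.jks", CLIENT_KEYSTORE_PASS = "changeit";
    // Assumptions: the default cacerts password, and a placeholder host/port for the WebSphere endpoint.
    static final String CACERTS = System.getProperty("java.home") + "/lib/security/cacerts", CACERTS_PASS = "changeit";
    static final String HOST = "websphere.example.invalid";
    static final int PORT = 9443;

    static KeyStore load(String path, String pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pass.toCharArray()); }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = load(CLIENT_KEYSTORE, CLIENT_KEYSTORE_PASS);
        // The JVM only presents a client certificate if the alias holds the private key plus the CA-signed chain.
        if (!ks.isKeyEntry("client")) throw new IllegalStateException("alias 'client' has no private key");
        X509Certificate leaf = (X509Certificate) ks.getCertificateChain("client")[0];
        System.out.println("client cert: " + leaf.getSubjectX500Principal());

        KeyStore ts = load(CACERTS, CACERTS_PASS);
        if (!ts.containsAlias("servercert")) throw new IllegalStateException("servercert.cer not imported into cacerts");
        // Same wiring the -Djavax.net.ssl.keyStore* properties do for the default SSLContext.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, CLIENT_KEYSTORE_PASS.toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(HOST, PORT)) {
            // A raw SSLSocket skips host name checking; enable it so the self-signed server cert must match HOST.
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);
            sock.startHandshake();
            SSLSession session = sock.getSession();
            X509Certificate peer = (X509Certificate) session.getPeerCertificates()[0];
            System.out.println("server cert: " + peer.getSubjectX500Principal());
            // Null means no client certificate went out; with Client authentication = Required the server would have failed the handshake.
            System.out.println("client cert presented: " + (session.getLocalCertificates() != null));
        }
    }
}
```

Run it from the directory containing clientkeystore.jks; if the handshake throws, the exception message tells you which side rejected which certificate.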


DONE