Content Platform Engine, Version 5.2
Application server: WebSphere Application Server
Operating systems: AIX, HP-UX, Linux, Linux on System z, Solaris

Enabling Configuration Manager to connect to WebSphere Application Server 8.0 when FIPS is enabled

If you installed Content Platform Engine on WebSphere® Application Server 8.0, and the application server is configured to adhere to Federal Information Processing Standards, you must enable Configuration Manager to connect to the application server.

To enable Configuration Manager to connect to FIPS-enabled WebSphere Application Server:

  1. Create the certificates to enable Federal Information Processing Standards (FIPS) support on an application server that is running WebSphere Application Server by completing the instructions in http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/topic/com.ibm.iea.was_v8/was/8.0.0.3/Security/WASV8003_SecurityCryptoSignatureAlgorithm.pdf
  2. Use the WebSphere administration console to convert the certificates to use the signature algorithm, SHA256withRSA, which is supported by the FIPS standard:
    1. Log on to the WebSphere administration console.
    2. Navigate to SSL certificate and key management > Manage FIPS > Convert certificates.
    3. In the General Properties section, click Strict, and choose SHA256withRSA from the list.
  3. Run the Java™ keytool command twice, to import the certificates into two locations: one in WebSphere Application Server, and the other in Content Platform Engine. The keytool command syntax is as follows (see the Java documentation for the complete details on using keytool):
    keytool -import -alias certificate_alias_name 
    -file certificate_location -keystore keystore_name 
    -storepass keystore_password

    keytool is located in cpe_install_path/_cejvm/jre/bin (cpe_install_path is the installation path to Content Platform Engine).

    certificate_alias_name

    Can be any string, such as CECA or CE_Name_CA.

    certificate_location

    The path to the certificate location for Content Platform Engine is cpe_install_path/_cejvm/jre/lib/security/cacerts.
    The path to the certificate location for WebSphere Application Server is was_install_path/profiles/default/etc/DummyClientTrustFile.jks.

    cpe_install_path is the installation path to Content Platform Engine.
    was_install_path is the installation path to WebSphere Application Server.

    keystore_name

    The default keystore name on Content Platform Engine is cacerts.
    The default keystore name on WebSphere Application Server is DummyClientTrustFile.jks.

    keystore_password

    The default keystore password on Content Platform Engine is changeit.
    The default keystore password on WebSphere Application Server is WebAS.

  4. Edit the cpe_install_path/tools/configure/configmgr.ini file by adding the following lines (cpe_install_path is the installation path to Content Platform Engine):
    -Dcom.ibm.security.useFIPS=true
    -Dcom.ibm.websphere.security.FIPSLevel=SP800-131
    -Dcom.ibm.ssl.protocol=TLSv1.2
  5. Edit the was_install_path/profiles/default/properties/wsadmin.properties file by adding the following lines (was_install_path is the installation path to WebSphere Application Server):
    com.ibm.security.useFIPS=true
    com.ibm.websphere.security.FIPSLevel=SP800-131
    com.ibm.ssl.protocol=TLSv1.2
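
A post-change check for steps 2, 4 and 5, added here as an example; it is not part of the IBM documentation or product. The function names and the CERT_FILE argument are hypothetical, and the certificate check assumes the English-locale `keytool -printcert` output line "Signature algorithm name:".

```shell
#!/bin/sh
# Added example (not IBM code): verify steps 2, 4 and 5 after making the changes.

# The three settings the page requires in both files.
REQUIRED_FIPS_SETTINGS='com.ibm.security.useFIPS=true
com.ibm.websphere.security.FIPSLevel=SP800-131
com.ibm.ssl.protocol=TLSv1.2'

# missing_fips_settings FILE PREFIX
# Prints every required setting that FILE does not contain as an exact, whole line.
# PREFIX is "-D" for configmgr.ini and "" for wsadmin.properties.
# Commented-out lines and other values (for example a different protocol) count as missing.
missing_fips_settings() {
    file=$1
    prefix=$2
    printf '%s\n' "$REQUIRED_FIPS_SETTINGS" | while IFS= read -r setting; do
        # Drop CRs and trailing blanks so files edited on Windows still match.
        tr -d '\r' < "$file" | sed 's/[[:space:]]*$//' |
            grep -Fxq -- "${prefix}${setting}" || printf '%s\n' "${prefix}${setting}"
    done
}

# cert_sigalg: reads "keytool -printcert" output on stdin and prints the
# signature algorithm of the first certificate (assumes English-locale output).
cert_sigalg() {
    sed -n 's/^[[:space:]]*Signature algorithm name:[[:space:]]*\([^[:space:]]*\).*/\1/p' |
        head -n 1
}

# verify_fips_setup CPE_INSTALL_PATH WAS_INSTALL_PATH CERT_FILE
# Returns 0 only when both files carry all three settings and CERT_FILE is
# signed with SHA256withRSA. CERT_FILE is the certificate imported in step 3.
verify_fips_setup() {
    cpe=$1; was=$2; cert=$3; rc=0
    m=$(missing_fips_settings "$cpe/tools/configure/configmgr.ini" "-D")
    [ -z "$m" ] || { echo "configmgr.ini is missing:"; printf '%s\n' "$m"; rc=1; }
    m=$(missing_fips_settings "$was/profiles/default/properties/wsadmin.properties" "")
    [ -z "$m" ] || { echo "wsadmin.properties is missing:"; printf '%s\n' "$m"; rc=1; }
    alg=$("$cpe/_cejvm/jre/bin/keytool" -printcert -file "$cert" | cert_sigalg)
    [ "$alg" = "SHA256withRSA" ] || { echo "certificate signature algorithm: '$alg'"; rc=1; }
    return "$rc"
}
```

Call `verify_fips_setup cpe_install_path was_install_path certificate_file` with your own paths; a nonzero return means at least one of the three checks failed.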


Last updated: October 2013

© Copyright IBM Corporation 2013, 2014.