Configuring WebSphere Application Server for use with Cloudant

You must ensure that an SSL configuration in the WebSphere® Application Server recognizes the SSL certificate from https://username.cloudant.com. To do so, you can add the signer of this certificate either to the default SSL configuration or to an SSL configuration of its own. The second option is the more secure one. Similar instructions apply if you use a Cloudant® Local server over HTTPS instead of cloudant.com.

To add this certificate to the default SSL configuration

  1. Open the WebSphere Application Server console.
  2. Go to Security > SSL Certificates and Key Management.
  3. In Related Items, click Key stores and certificates.
  4. Select NodeDefaultTrustStore.
  5. Select Additional Properties > Signer certificates.
  6. Click Retrieve from port.
    1. Enter the host name username.cloudant.com, where username is the user name of the Cloudant account, and the port, which is 443 by default.
      Important: Do not enter the host name cloudant.com. This does not work, because cloudant.com has a different signer certificate from username.cloudant.com.
    2. Select an alias, for example cloudant certificate signer.
    3. Click Retrieve signer information.
    4. Click OK.
  7. Click Save.

To add the certificate signer to a new SSL configuration

  1. First, create a truststore that contains only the signer of this certificate:
    1. Open the WebSphere Application Server console.
    2. Go to Security > SSL Certificates and Key Management.
    3. In Related Items, click Key stores and certificates.
    4. Set the Keystore usages combo box to SSL keystores.
    5. Click New, and enter the name CloudantTruststore, the path cloudanttruststore (this path is relative to ${CONFIG_ROOT}/etc), and a password.
    6. Click OK.
    7. Click Save.
    8. Select the CloudantTruststore keystore.
    9. Select Additional Properties > Signer certificates.
    10. Click Retrieve from port.
      1. Enter the host name username.cloudant.com, where username is the user name of the Cloudant account, and the port, which is 443 by default.
        Important: Do not enter the host name cloudant.com. This does not work, because cloudant.com has a different signer certificate from username.cloudant.com.
      2. Select an alias, for example cloudant certificate signer.
      3. Click Retrieve signer information.
      4. Click OK.
    11. Click Save.
  2. If you are using WebSphere Application Server Network Deployment, copy the truststore file to all relevant nodes. In this case, the truststore file is ${CONFIG_ROOT}/etc/cloudanttruststore.
  3. Create an SSL configuration that uses this truststore:
    1. Open the WebSphere Application Server console.
    2. Go to Security > SSL Certificates and Key Management.
    3. In Related Items, click SSL configurations.
    4. Click New, enter the name CloudantConfig, and select CloudantTruststore as the Trust store name.
    5. Click OK.
    6. Click Save.
  4. There are two ways to use this configuration:
    • You can define the JNDI property mfp.db.cloudant.ssl.configuration later, in the MobileFirst Server administration and project WAR applications.
    • You can create a dynamic outbound configuration:
      1. Open the WebSphere Application Server console.
      2. Go to Security > SSL Certificates and Key Management.
      3. In Related Items, click Dynamic outbound endpoint SSL configurations.
      4. Click New, and enter the name MyCloudant and a description.
      5. Enter the connection information HTTP, .cloudant.com, 443, and click Add >>.
      6. In the SSL configuration combo box, select CloudantConfig.
      7. Click OK.
      8. Click Save.
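The console steps in both procedures above (adding the signer to NodeDefaultTrustStore, and creating the dedicated truststore, SSL configuration and dynamic outbound endpoint) can also be scripted with wsadmin, which is useful when the same setup must be repeated on several cells or reviewed in version control. The script below is an added example written for this page, not IBM's own code; it uses the wsadmin AdminTask commands retrieveSignerFromPort, createKeyStore, createSSLConfig, createDynamicSSLConfigSelection and listSignerCertificates as their parameters are documented for WebSphere Application Server, and it assumes node scope, a PKCS12 truststore, and placeholder values for the Cloudant account name and the truststore password. The final listSignerCertificates call is the check a practitioner wants afterwards: with the dedicated truststore, only the Cloudant signer should be listed, which is what keeps this option more contained than trusting the signer in the node default truststore used by every outbound SSL connection.

```jython
# Added example (not from the IBM page): wsadmin Jython equivalents of the console steps.
# Run with:  wsadmin.sh -lang jython -f cloudant_ssl.py
# Assumptions: node scope, PKCS12 truststore, placeholder account name and password.

CLOUDANT_ACCOUNT = 'username'                   # placeholder: your Cloudant account name
CLOUDANT_HOST    = CLOUDANT_ACCOUNT + '.cloudant.com'
CLOUDANT_PORT    = '443'
SIGNER_ALIAS     = 'cloudantsigner'             # alias is free-form
TRUSTSTORE_NAME  = 'CloudantTruststore'
TRUSTSTORE_PATH  = '${CONFIG_ROOT}/etc/cloudanttruststore'   # same file the text names
TRUSTSTORE_PWD   = 'CHANGE-ME'                  # placeholder: use a real password
SSL_CONFIG_NAME  = 'CloudantConfig'
DYN_CONFIG_NAME  = 'MyCloudant'

# Scope string of the node wsadmin is connected to, in the form AdminTask expects.
cell  = AdminControl.getCell()
node  = AdminControl.getNode()
SCOPE = '(cell):%s:(node):%s' % (cell, node)

def add_cloudant_signer(keystore_name):
    """'Retrieve from port': pull the signer of username.cloudant.com into keystore_name.
    Using cloudant.com as the host would fetch a different signer, as the text warns."""
    AdminTask.retrieveSignerFromPort([
        '-keyStoreName', keystore_name,
        '-keyStoreScope', SCOPE,
        '-host', CLOUDANT_HOST,
        '-port', CLOUDANT_PORT,
        '-certificateAlias', SIGNER_ALIAS])

def option_a_default_truststore():
    """First procedure: add the signer to NodeDefaultTrustStore, which every outbound
    SSL connection using the node default SSL configuration trusts."""
    add_cloudant_signer('NodeDefaultTrustStore')
    AdminConfig.save()

def option_b_dedicated_ssl_config():
    """Second procedure: dedicated truststore + SSL configuration + dynamic outbound endpoint."""
    # Step 1: a truststore that will hold only the Cloudant signer.
    AdminTask.createKeyStore([
        '-keyStoreName', TRUSTSTORE_NAME,
        '-scopeName', SCOPE,
        '-keyStoreType', 'PKCS12',
        '-keyStoreLocation', TRUSTSTORE_PATH,
        '-keyStorePassword', TRUSTSTORE_PWD,
        '-keyStorePasswordVerify', TRUSTSTORE_PWD,
        '-keyStoreUsage', 'SSLKeys',
        '-keyStoreIsFileBased', 'true',
        '-keyStoreInitAtStartup', 'false',
        '-keyStoreReadOnly', 'false'])
    AdminConfig.save()
    add_cloudant_signer(TRUSTSTORE_NAME)
    AdminConfig.save()

    # Step 2 (Network Deployment only): copy ${CONFIG_ROOT}/etc/cloudanttruststore to
    # every node that connects to Cloudant. That is a plain file copy, not done here.

    # Step 3: an SSL configuration whose trust is limited to that truststore.
    # No key store is set because Cloudant does not ask for a client certificate.
    AdminTask.createSSLConfig([
        '-alias', SSL_CONFIG_NAME,
        '-scopeName', SCOPE,
        '-type', 'JSSE',
        '-trustStoreName', TRUSTSTORE_NAME,
        '-trustStoreScopeName', SCOPE])
    AdminConfig.save()

    # Step 4, dynamic outbound variant: HTTP to any host under .cloudant.com on 443
    # is routed through CloudantConfig instead of the default SSL configuration.
    AdminTask.createDynamicSSLConfigSelection([
        '-dynSSLConfigSelectionName', DYN_CONFIG_NAME,
        '-dynSSLConfigSelectionDescription', 'Cloudant outbound SSL',
        '-scopeName', SCOPE,
        '-dynSSLConfigSelectionInfo', 'HTTP,.cloudant.com,443',
        '-sslConfigName', SSL_CONFIG_NAME,
        '-sslConfigScope', SCOPE])
    AdminConfig.save()

def list_signers(keystore_name):
    """Check: list the signer certificates now in the keystore, so you can confirm the
    Cloudant signer landed where intended and, for the dedicated truststore, nothing else did."""
    return AdminTask.listSignerCertificates([
        '-keyStoreName', keystore_name,
        '-keyStoreScope', SCOPE])

# Choose one of the two procedures; the dedicated configuration is shown here.
option_b_dedicated_ssl_config()
print list_signers(TRUSTSTORE_NAME)
```

If you instead take the first procedure, call option_a_default_truststore() and inspect list_signers('NodeDefaultTrustStore'); expect the Cloudant alias to appear alongside the signers that were already trusted. The hard-coded password is a placeholder only; in practice read it from a secured properties file or prompt for it rather than committing it with the script.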