[Java programming language only]

Securing data that flows between eXtreme Scale and WebSphere Application Server with SSL encryption

WebSphere® eXtreme Scale uses the Secure Sockets Layer (SSL) configuration in WebSphere Application Server.

About this task

To ensure that you have SSL protection for all data grid traffic that passes over the network, configure global security, configure Common Secure Interoperability Protocol Version 2 (CSIv2) inbound and outbound security in the WebSphere Application Server administrative console, and configure the SSL certificate and key management.

Procedure

  1. Configure WebSphere Application Server global security.
    For more information about configuring global security, see Global security settings.
  2. Configure CSIv2 inbound security.
    In the WebSphere Application Server administrative console, click Security > Global Security > RMI/IIOP Security > CSIv2 inbound communications. Click SSL-Required.
  3. Configure CSIv2 outbound security.
    In the WebSphere Application Server administrative console, click Security > Global Security > RMI/IIOP Security > CSIv2 outbound communications. CSIv2 outbound communications must be SSL-Supported or SSL-Required.
  4. Configure the SSL certificate and key management in WebSphere Application Server.
    When only a WebSphere eXtreme Scale client runs in a WebSphere Application Server instance and the eXtreme Scale data grid servers are stand-alone, you must ensure that the client truststore trusts the server certificate. When the stand-alone server certificate is self-signed, as in the tutorial, or when the server certificate is issued by a local certificate authority, the certificate must be imported into the NodeDefaultTruststore of the node in which the application server is running. For a catalog service domain that is configured with remote server members, the stand-alone server certificate must also be imported into the CellDefaultTruststore so that the test connection command can run. For more information about creating keystore and truststore files, see Developing keystore files for data encryption.

    If the SSL properties of the stand-alone WebSphere eXtreme Scale data grid server include clientAuthentication=true, the truststore files of the WebSphere eXtreme Scale server must also be updated to trust the certificate of the WebSphere Application Server client. When client authentication is enabled and a client requests a secure connection to a server, the server requests a certificate from the client to verify that the client is who it claims to be. The server allows the connection only if the client's certificate can be trusted. The clientAuthentication=true parameter is rarely used and is supported only when running with the IBM eXtremeIO (XIO) transport or when the client, catalog, and container servers are all running in WebSphere Application Server.

    When the client, catalog, and container servers are all running in WebSphere Application Server processes, they use the WebSphere Application Server security configuration for client-to-server communication, so they do not require the server SSL properties that are configured in the WebSphere eXtreme Scale server properties file. That communication uses the WebSphere Application Server Common Secure Interoperability Protocol Version 2 (CSIv2) transport settings.

    However, when multiple catalog servers are configured and run in WebSphere Application Server processes, the catalog-to-catalog communication uses its own proprietary transport paths that cannot be managed by the CSIv2 transport settings. Therefore, you must configure the security and SSL properties in the server properties file for each catalog server; for example:
    alias=default
    contextProvider=IBMJSSE2
    protocol=SSL
    keyStoreType=PKCS12
    keyStore=/<WAS_HOME>/IBM/WebSphere/AppServer/profiles/<DMGR_NAME>/config/cells/<CELL_NAME>/nodes/<NODE_NAME>/key.p12
    keyStorePassword=WebAS
    trustStoreType=PKCS12
    trustStore=/<WAS_HOME>/IBM/WebSphere/AppServer/profiles/<DMGR_NAME>/config/cells/<CELL_NAME>/nodes/<NODE_NAME>/trust.p12
    trustStorePassword=WebAS
    clientAuthentication=false
    
    On the client, configure the truststore, truststore type, and truststore password. It is not necessary to specify a keystore, keystore type, and keystore password for the client. The alias, keystore, keystore password, and keystore type are needed on the client only when the server SSL properties include clientAuthentication=true, which is rarely used.

    The client truststore must trust the server certificate. When the server certificate is self-signed, as in the tutorial, that certificate must be imported into the client truststore. When the server certificate is issued by a local certificate authority, the signer certificate for that certificate authority must be imported into the client truststore. For more information about creating keystore and truststore files, see Developing keystore files for data encryption.

  5. Optional: [Version 8.6.0.5 and later] Enable TLS v1.2.

    You can configure the data grid to use TLS 1.2 for encrypted network communication. This version of the TLS protocol is required to support NIST standards, which ensure high protection of data as it is sent over the wire. Specify protocol=TLSv1.2 in both the client.properties file and the server.properties file. This step applies to both the eXtremeIO (XIO) and ORB transport types.

    Restriction: Some web browser versions do not work with a TLS v1.2-enabled server. Current versions of most browsers, including Mozilla Firefox, Microsoft Internet Explorer, and Google Chrome, do support communication with TLS v1.2-enabled servers. You might need to configure the browser to enable TLS v1.2. For more information, see the following table:
    Table 1. TLS v1.2 browser support
    Browser                 Operating system                                            TLS 1.2
    Chrome 0-21             Android, iOS, Linux, Mac OS X                               No
    Chrome 2-28             Windows (XP, Vista, 7, 8); Android, iOS, Linux, Mac OS X    No
    Chrome 29-current       Windows (XP, Vista, 7, 8); Android, iOS, Linux, Mac OS X    Yes
    Firefox 1-18            Linux, Mac OS X, Windows (XP, Vista, 7, 8)                  No
    Firefox 19-current      Linux, Mac OS X, Windows (XP, Vista, 7, 8)                  No
    Firefox 24 (Beta)       Linux, Mac OS X, Windows (XP, Vista, 7, 8)                  Yes, disabled by default
    Internet Explorer 6     Windows (98, 2000, ME, XP)                                  No
    Internet Explorer 7-8   Windows (XP, Vista)                                         No
    Internet Explorer 8-9   Windows 7                                                   Yes, disabled by default
    Internet Explorer 9     Windows Vista                                               No
    Internet Explorer 10    Windows (7, 8)                                              Yes, disabled by default
  6. Enable on-chip Advanced Encryption Standard (AES) encryption. If you are using IBM® SDK Java™ Technology Edition Version 7, Service Refresh 3 or later, and you are running on an Intel processor that supports the Advanced Encryption Standard New Instructions (AES-NI) instruction set, you can improve performance by taking advantage of on-chip AES encryption.
    With these features, AES encryption and decryption run as hardware instructions without extra software.
    To enable AES-NI usage, add the following property to the JVM command line or the jvm.options file:
    com.ibm.crypto.provider.doAESInHardware=true
    To verify that the processor supports the AES-NI instruction set, add the following property to the JVM command line or the jvm.options file:
    com.ibm.crypto.provider.AESNITrace=true
    For more information, see Intel Advanced Encryption Standard New Instructions.
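The following Java helper is an added example, not part of the product documentation or the eXtreme Scale API. It reads a server.properties or client.properties file such as the one in step 4 and checks the settings that steps 4 and 5 call for: protocol=TLSv1.2, a loadable truststore with at least one valid trusted certificate, and a keystore containing the named alias only where this side must present a certificate (a server, or a client that connects to a server running with clientAuthentication=true). The class name, the check method, and the keyStoreRequired parameter are hypothetical.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;

public class XsSslPropertiesCheck {
    /** Returns findings (empty list = consistent). keyStoreRequired is true for a server
     *  properties file, or for a client file when the server runs with clientAuthentication=true. */
    public static List<String> check(String propertiesPath, boolean keyStoreRequired)
            throws IOException, GeneralSecurityException {
        Properties p = new Properties();
        try (FileInputStream in = new FileInputStream(propertiesPath)) { p.load(in); }
        List<String> findings = new ArrayList<>();
        // Step 5: require TLS 1.2 rather than the generic "SSL" protocol name.
        if (!"TLSv1.2".equals(p.getProperty("protocol"))) {
            findings.add("protocol=" + p.getProperty("protocol") + ", expected TLSv1.2");
        }
        // Both sides need a truststore holding at least one valid signer certificate.
        if (p.getProperty("trustStore") == null) { findings.add("trustStore is not set"); return findings; }
        KeyStore trust = load(p.getProperty("trustStore"),
                p.getProperty("trustStoreType", "PKCS12"), p.getProperty("trustStorePassword"));
        int signers = 0;
        for (String alias : Collections.list(trust.aliases())) {
            if (!trust.isCertificateEntry(alias)) continue;
            try {
                ((X509Certificate) trust.getCertificate(alias)).checkValidity();
                signers++;
            } catch (CertificateException e) {
                findings.add("trusted certificate '" + alias + "': " + e.getMessage());
            }
        }
        if (signers == 0) findings.add("truststore contains no valid trusted certificate");
        // A keystore (private key) is needed only where this side must present a certificate.
        String keyStorePath = p.getProperty("keyStore");
        if (keyStorePath == null) {
            if (keyStoreRequired) findings.add("keyStore is missing but this side must present a certificate");
        } else {
            KeyStore keys = load(keyStorePath, p.getProperty("keyStoreType", "PKCS12"),
                    p.getProperty("keyStorePassword"));
            String alias = p.getProperty("alias", "default");
            if (!keys.isKeyEntry(alias)) findings.add("alias '" + alias + "' is not a private key entry");
        }
        return findings;
    }
    private static KeyStore load(String path, String type, String pw) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw == null ? null : pw.toCharArray()); }
        return ks;
    }
}
```

Run it against each catalog server's server.properties with keyStoreRequired=true and against a client.properties with keyStoreRequired=false (or true when the server uses clientAuthentication=true); an empty result means the file is consistent with the steps above.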

What to do next

Storing security artifacts in WebSphere Application Server