Chapter 7. Scenario: Data transformation and security 175
7.3 Preparing for security
All service operations between WebSphere Process Server and WebSphere
Message Broker are bound over HTTP and protected by an SSL handshake and
session.
7.3.1 Creating the keystore and truststore databases
To create a secure connection between the WebSphere Message Broker listener
and the WebSphere Process Server binding, a private key database (keystore)
and a public key database (truststore) must be created.
Several tools are available to construct a keystore and a truststore, for
example ikeyman. We use the most common ones, the keytool and openssl
commands. The openssl command is part of the OpenSSL distribution, and
keytool is part of the Java runtime environment (JRE™) installation. The
OpenSSL run time is distributed as a source-code package, so on Windows, as on
UNIX-based platforms, the binaries must be compiled and created on the machine.
For more information about OpenSSL, refer to the Web site at:
http://www.openssl.org
We use the following steps to create a public and private key database (using the
keytool and openssl commands) and import them into the HTTPSListener of the
broker and the bindings of WebSphere Process Server:
1. Define a private key and certificate for your own certificate authority (CA):
# openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key -config openssl.cnf
2. Define a self-signed certificate (ca.cer) that is valid for one year:
# openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.cer
Self-signed certificates: In this scenario, we only use self-signed certificates
that are extracted from the keystore and are imported to the truststore.
Recommendation: Several pre-compiled keystore and truststore versions on
the Internet can be used to run this case. However, for a real implementation,
we recommend that you create the files on the desired platform, either
Windows 2003 Server or AIX® 5L™.
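The procedure that the two steps above begin, carried through as an added shell example (not from the Redbook): a private CA, a broker listener certificate signed by that CA, a PKCS12 keystore for the HTTPSListener side, and a JKS truststore for the Process Server binding that holds only the CA certificate. The host name, aliases and password are made-up placeholders; -subj stands in for the openssl.cnf prompts, and the key size is 2048 bits rather than the 1024 used above.

```shell
#!/bin/sh
# Added example, not the book's own commands. Assumes openssl on PATH;
# keytool (JRE) is optional. All names and passwords are constructed.
set -eu

make_ssl_material() {
    dir="$1"
    mkdir -p "$dir"

    # 1. CA private key and one-year self-signed CA certificate.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.csr" -subj "/CN=Test Root CA" >/dev/null 2>&1
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 \
        -out "$dir/ca.cer" >/dev/null 2>&1

    # 2. Broker listener key and CSR, signed by the CA rather than self-signed,
    #    so the Process Server side only needs ca.cer in its truststore.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/broker.key" \
        -out "$dir/broker.csr" -subj "/CN=broker.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$dir/broker.csr" -CA "$dir/ca.cer" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -out "$dir/broker.cer" >/dev/null 2>&1

    # 3. Keystore (private key plus chain) for the HTTPSListener of the broker.
    openssl pkcs12 -export -in "$dir/broker.cer" -inkey "$dir/broker.key" \
        -certfile "$dir/ca.cer" -name broker -out "$dir/broker.p12" \
        -passout pass:changeit

    # 4. Truststore for the Process Server binding: the CA certificate only,
    #    never the server's private key.
    if command -v keytool >/dev/null 2>&1; then
        keytool -importcert -noprompt -alias testca -file "$dir/ca.cer" \
            -keystore "$dir/truststore.jks" -storepass changeit >/dev/null 2>&1
    fi
}

# Succeeds only when broker.cer chains to ca.cer: the check to run before
# copying the stores to the broker and to the Process Server binding.
verify_chain() {
    openssl verify -CAfile "$1/ca.cer" "$1/broker.cer" 2>/dev/null | grep -q ': OK$'
}
```

Run it as `make_ssl_material ./ssl && verify_chain ./ssl`; a certificate issued by any other key fails verify_chain, which is what keeps a rogue listener out of the truststore.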