Enabling the Restricted Configuration Access Proxy for secured communication

Enable the Restricted Configuration Access Proxy to use the HTTPS protocol when passing requests and responses between a service and the IBM® Content Collector configuration store.

About this task

Communication over HTTPS requires the server to present a certificate for authentication. To enable HTTPS communication between the Restricted Configuration Access Proxy and the embedded web application server, you must install this certificate in the trust store of the embedded web application server and in the computer's certificate store. The certificate can be either a self-signed certificate or a certificate that is signed by a trusted certificate authority (CA). In a production environment, however, you should use certificates signed by a CA to establish a secure and trusted environment. See the topic about replacing certificates for the embedded web application server for details.

After you have installed the certificate, you must bind it to the port that the Configuration Access Proxy uses for communication.

All steps of the following procedure must be performed on the computer on which IBM Content Collector Server is installed; you must be logged on as local administrator.

Procedure

To enable secured communication:

  1. Export the certificate from the key store of the embedded web application server.
    1. Open the administrative console of the web application server.
      Open a web browser and, in the address field of the browser, type the following URL:
      https://server:11043/ibm/console/login.do
      Here, server is the host name of the server on which the embedded web application server runs.
    2. Expand Security and click SSL certificate and key management.
    3. Under Related Items, click Key stores and certificates.
    4. Click NodeDefaultKeyStore.
    5. Under Additional Properties, click Personal certificates.
    6. Select the certificate that you want to use, usually the default server certificate, and click Extract.
    7. Specify the fully qualified name of the file that is to contain the extracted certificate, select Binary DER data as the data type, and click OK.
  2. Import the certificate into the trust store of the embedded web application server.
    1. Return to Key stores and certificates and click NodeDefaultTrustStore.
    2. On the Signer certificates page of the NodeDefaultTrustStore keystore, click Add.
    3. Specify an alias for the certificate and enter the path to the exported certificate.
      The data type must be Binary DER data. Click Apply.
    4. Click Save and restart the web application server.
  3. Import the key store of the embedded web application server into the certificate store of the local computer.
    1. Open the Microsoft Management Console (MMC).
      In a command prompt, type mmc and press Enter.
    2. Click File > Add/Remove Snap-in.
    3. Under Available snap-ins, select Certificates and click Add.
    4. In the Certificates snap-in window, select Computer account and click Next.
    5. In the Select computer window, leave Local computer selected and click Finish.
    6. Click OK in the Add/Remove Snap-in window.
    7. Expand Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates in the console tree.
    8. Right-click Certificates and select All Tasks > Import.
      In the Certificate Import Wizard, click Next.
    9. Browse to the key.p12 file that is used by your embedded web application server instance and click Next.
    10. Enter the password, accept the default settings, and click Next.
      The default password is WebAS. Note that the password is case sensitive. In a production environment, however, you should configure a different password to protect your security configuration.
    11. Accept the default setting on the next window and click Next.
    12. In the summary window, click Finish.
      You should get confirmation that the import was successful. Click OK.
    13. Add the certificate to the personal certificates.
      Copy the certificate and paste it to Certificates (Local Computer) > Personal > Certificates. The friendly name of the certificate is usually default.

      Alternatively, you can repeat substeps 8 to 12 of step 3 (the Certificate Import Wizard) for the Personal certificates category.

  4. Retrieve the certificate hash.
    1. Double-click the certificate entry to view certificate details.
    2. On the Details tab, scroll to the field Thumbprint, which contains the certificate hash.
      Write down the value for later use. Then, close the Certificate window.
    3. Select File > Exit to close MMC.
  5. Bind the certificate to the port that the Configuration Access Proxy uses for HTTPS communication.
    The default port number is 10001. At a command prompt, issue the following command:
    netsh http add sslcert ipport=0.0.0.0:port certhash=hash appid={df8c8073-5a4b-4810-b469-5975a9c95230}

    Replace port with the appropriate port number, and replace hash with the certificate hash that you wrote down, omitting the spaces. Specify the appid value exactly as indicated; this is the identifier for the Configuration Access Proxy.

    The command should look like this example:

    netsh http add sslcert ipport=0.0.0.0:10001 certhash=f686affc5bba1e340933a8c0c9640f5c1bda44ca appid={df8c8073-5a4b-4810-b469-5975a9c95230}

    Remember: If you change the Configuration Access Proxy port later, you must unbind the previously used port and bind the new port. To unbind a port, issue the following command at a command prompt:
    netsh http delete sslcert ipport=0.0.0.0:port
    Then, bind the new port as described.
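The following PowerShell script is an added example, not part of the IBM Content Collector documentation or product, that automates steps 4 and 5 of this procedure: it looks up the imported certificate in the local computer's Personal store, checks that its private key is present, replaces any stale binding on the port, binds the certificate with the Configuration Access Proxy appid, and verifies the result. It assumes the certificate's friendly name is "default" and the port is 10001, as in the procedure; adjust both if your installation differs.

```powershell
# Added example (not IBM's code). Run in an elevated PowerShell session on the
# Content Collector server. Assumptions: friendly name "default", port 10001.
$port  = 10001
$appId = '{df8c8073-5a4b-4810-b469-5975a9c95230}'   # Configuration Access Proxy identifier from the procedure

# Step 4: locate the certificate in Certificates (Local Computer) > Personal > Certificates.
# If several match, take the one that expires last.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq 'default' } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) {
    throw "No certificate with friendly name 'default' in the Personal store; import key.p12 first (step 3)."
}

# netsh accepts a binding for a certificate without a private key, but TLS handshakes
# on that port then fail. Catch that here instead of discovering it from the proxy.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; re-import key.p12 into the Personal store."
}

# The Thumbprint property is the MMC Details > Thumbprint value with the spaces already removed.
$hash = $cert.Thumbprint

# The issuer should also be in Trusted Root Certification Authorities after step 3; warn if not,
# because the Configuration Access Proxy client will otherwise reject the server certificate.
$trusted = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $hash }
if (-not $trusted) {
    Write-Warning "Thumbprint $hash is not in Trusted Root Certification Authorities; repeat step 3 if needed."
}

# Step 5: remove a previous binding on this port (the "Remember" note), then bind the new one.
$ipport = "0.0.0.0:$port"
netsh http delete sslcert "ipport=$ipport" 2>$null | Out-Null      # harmless if no binding exists
netsh http add sslcert "ipport=$ipport" "certhash=$hash" "appid=$appId"
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE." }

# Verify that the binding now reports the expected hash.
$shown = netsh http show sslcert "ipport=$ipport"
if ($shown -match "Certificate Hash\s*:\s*$hash") {
    "Port $port is bound to certificate $hash for appid $appId."
} else {
    throw "Binding for $ipport not found or reports a different certificate hash."
}
```

If the Configuration Access Proxy port is changed later, rerun the script with the new value of $port after deleting the binding on the old port with netsh http delete sslcert.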