Configuring Security Settings

About this task

By default, the endpoints available on the ports of the following services are publicly available inside the domain, where no access control is enforced.
  • IBM® AD File Service
  • IBM AD Search Service
  • IBM AD Mainframe Projects Service
  • IBM AD Cross Applications Service
  • IBM AD Manual Resolutions Service
  • IBM AD WebSphere® Liberty Profile Service
  • IBM AD Authentication Server (DEX)

You can enable Hypertext Transfer Protocol Secure (HTTPS) as the default connection protocol as follows.

Procedure

  1. Access Start Menu > IBM Application Discovery and Delivery Intelligence > Launch IBM Application Discovery Configuration Service Admin, and go to Configure > Environments > "Your environment" > Servers and security > Security. The Security settings page is displayed.
  2. Select a protocol type. Starting with IBM AD 6.1.3, if you select HTTPS as a connection protocol, both TLS 1.2 and TLS 1.3 are supported.
    Important: This step implies the use of certificates. To secure the communication, make sure that you have a signed certificate (.crt) issued by a certificate authority, a non-encrypted private key for the certificate (.key), and a keystore file with one of the following extensions: .jks, .keystore, .pfx, .p12, or .ks.
    Restriction: TLS 1.3 support has a limitation. When Java™ Semeru 8 is used, a connection to Db2® for LUW cannot be established.
  3. Select one of the options to secure the communications between servers and services.
    • If you have prepared certificate files, you can select Custom certificate files. This option is recommended for production environments.
      1. Drag and drop the three required files or click to browse.
      2. After all files are successfully uploaded, enter the Keystore Password.
      3. Click Save.
    • Select Self signed certificate files. This option shows the default certificate that is used in the WebSphere Liberty Profile service and the Authentication Server (DEX), and configures all other IBM AD services to use the same certificate.
      1. If the certificate is expired or a new Fully Qualified Domain Name (FQDN) has been defined on the machine, you can regenerate the certificate by checking the Generate new self signed certificate files option.
      2. Once the option is selected, a new field is displayed where you enter the new keystore password.
      3. Click Save.
  4. Click OK when a confirmation dialog is displayed. The saving process takes several minutes.
  5. After the process is completed, an alert dialog might be displayed to indicate that the browser might need to be restarted. This is because the browser does not know about or trust the new certificate and shows an untrusted certificate page that blocks access to all pages within the IBM Application Discovery Configuration Service Admin.
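
The file requirements in the Important note of step 2 can be checked before the upload. The following is an added example, not IBM code: it assumes the .crt and .key files are PEM-encoded, and the function names are hypothetical. It verifies that the key is not encrypted, that the keystore has an accepted extension and a recognizable container format, and that the certificate and key load as a matching pair.

```python
import ssl
import sys
from pathlib import Path

# Keystore extensions accepted per the Important note in step 2.
KEYSTORE_EXTS = {".jks", ".keystore", ".pfx", ".p12", ".ks"}

def key_is_encrypted(pem: str) -> bool:
    """True for PKCS#8 encrypted keys and legacy PEM-encrypted keys."""
    return "ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem

def keystore_format(head: bytes):
    """Identify the container from its first bytes; None if unrecognized."""
    if head[:4] == b"\xfe\xed\xfe\xed":
        return "JKS"
    if head[:4] == b"\xce\xce\xce\xce":
        return "JCEKS"
    if head[:1] == b"\x30":  # DER SEQUENCE, the outer type of a PKCS#12 file
        return "PKCS12"
    return None

def preflight(crt, key, keystore):
    """Return a list of problems; an empty list means no problem was found."""
    crt, key, keystore = Path(crt), Path(key), Path(keystore)
    problems = []
    crt_ok = "-----BEGIN CERTIFICATE-----" in crt.read_text(errors="replace")
    if not crt_ok:
        problems.append(f"{crt.name}: not a PEM certificate")
    key_pem = key.read_text(errors="replace")
    key_ok = "PRIVATE KEY-----" in key_pem and not key_is_encrypted(key_pem)
    if key_is_encrypted(key_pem):
        problems.append(f"{key.name}: private key is encrypted")
    elif not key_ok:
        problems.append(f"{key.name}: not a PEM private key")
    if keystore.suffix.lower() not in KEYSTORE_EXTS:
        problems.append(f"{keystore.name}: unsupported keystore extension")
    if keystore_format(keystore.read_bytes()[:4]) is None:
        problems.append(f"{keystore.name}: unrecognized keystore format")
    if crt_ok and key_ok:
        try:  # OpenSSL rejects a key that does not belong to the certificate
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(str(crt), str(key))
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            problems.append(f"certificate/key pair rejected: {exc}")
    return problems

if __name__ == "__main__":  # arguments: <file.crt> <file.key> <keystore>
    print(preflight(*sys.argv[1:4]) or "no problems found")
```

The check does not open the keystore or validate the Keystore Password; it only inspects the extension and the leading bytes of the file.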

What to do next

You can set up a secure communication for: