Enabling SSL connections with external servers

To enable secure communications with an external entity over the Secure Sockets Layer (SSL) protocol or its successor, Transport Layer Security (TLS), add the entity's root CA certificate (or its certificate chain) to the Impact trust store.

Before you begin

The certificate chain is the list of certificates required to authenticate an external entity. The chain starts with the entity's own certificate; each certificate in it is signed by the next certificate in the chain (the intermediate CA certificates), and the chain terminates at the certificate of the root certificate authority (CA), which is self-signed.

When it establishes an SSL connection, Impact verifies the remote server's certificate by trying to build a certification path from that certificate to a certificate in its trust store. For the entity certificate to be authenticated, either the root CA certificate or the full certificate chain must be in the trust store. If no path can be built, the connection attempt fails with either a javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated error or an unable to find valid certification path to requested target error.

Use your web browser, or a tool such as openssl (for example openssl s_client -showcerts), to download the server's certificate chain. For a CA-signed certificate, importing the root CA certificate is normally sufficient, provided the server presents its intermediate certificates during the handshake; if it does not, import the intermediate certificates as well. For a self-signed certificate, the entity certificate itself is sufficient. Before importing any certificate, compare its fingerprint with the value published by the entity's owner over a channel you already trust: a certificate in the trust store is accepted for every server whose certificate chains to it.

Note: The trust store does not accept certificates signed using deprecated algorithms such as MD2 or MD5, or certificates with RSA keys shorter than 1024 bits. See Disabled and restricted cryptographic algorithms.

Importing the certificate chain into the trust store

Use the keytool command to import the certificate chain:

IMPACT_HOME/sdk/bin/keytool -importcert -alias aliasname -file certfile -keystore keystorefile -storepass storepass

Where:

-alias aliasname is the alias under which the certificate is stored. Each alias must be unique within the trust store; choose one that identifies the issuer, for example the CA name.

-file certfile is the path to the X.509 certificate file (PEM or DER encoded).

-keystore keystorefile is the keystore file (the trust store) into which the certificate is imported. The Impact trust store is IMPACT_HOME/wlp/usr/servers/<instance>/resources/security/trust.jks, where <instance> is the name of the Impact server instance (NCI in the example below).

-storepass storepass is the password that protects the trust store. This password should match the Impact administrator's password.

Repeat this command for each certificate you want to trust. If keytool cannot chain the certificate to an entry already in the trust store, it prints the certificate's subject, issuer and fingerprints and asks whether to trust it; answer yes only after checking the fingerprint against the value supplied by the entity's owner. Restart the Impact server after importing the certificate(s).

Example

Using the keytool command to import a certificate:

/opt/IBM/tivoli/impact/sdk/bin/keytool -importcert -alias test1 -file ./test.crt -keystore /opt/IBM/tivoli/impact/wlp/usr/servers/NCI/resources/security/trust.jks -storepass password

Tip: Importing only the root CA certificate is sufficient to establish a trusted certificate chain, as long as the server sends its intermediate certificates during the handshake. Impact treats every certificate that chains up to a trusted root as trusted, so the intermediate and entity certificates do not need their own trust store entries.

Displaying the list of certificates in the trust store

Use the keytool command with the -list option to display the certificates in a trust store. Add the -v option for verbose output, which shows the subject, issuer, validity period and fingerprints of each entry; imported CA certificates appear as entries of type trustedCertEntry.

IMPACT_HOME/sdk/bin/keytool -list -v -keystore keystorefile -storepass storepass

Where:

-keystore keystorefile is the keystore file (the trust store) whose contents are listed. The Impact trust store is IMPACT_HOME/wlp/usr/servers/<instance>/resources/security/trust.jks

-storepass storepass is the password that protects the trust store. This password should match the Impact administrator's password.

Example

Using the keytool command to list the certificates in the trust store:

/opt/IBM/tivoli/impact/sdk/bin/keytool -list -v -keystore /opt/IBM/tivoli/impact/wlp/usr/servers/NCI/resources/security/trust.jks -storepass password
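The following script is an added example and is not part of the Impact documentation or product. It automates the whole procedure described on this page: it fetches the chain a server presents with openssl, splits it into one file per certificate, checks whether the last certificate is a self-signed root, prints the fingerprints an operator must compare before answering keytool's trust prompt, imports the root (or, when the server did not send its root, the certificates it did send) into trust.jks, and lists the store. It assumes openssl is on the PATH and that IMPACT_HOME, the instance name, the host, port and alias prefix are supplied by the caller; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Impact documentation: automate the procedure
# (fetch chain with openssl, pick the certificate to trust, import it with the
# Impact keytool, list the trust store). All site-specific values are parameters.
set -eu

# Save the chain a server presents in the TLS handshake (PEM) to the file $3.
# -servername sends SNI so a virtual-hosted server returns its own certificate.
fetch_chain() {
    host=$1; port=$2; bundle=$3
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null >"$bundle"
}

# Split a PEM bundle (as printed by `openssl s_client -showcerts`) into
# $2/cert-1.pem, $2/cert-2.pem, ... in presentation order (leaf first).
# Prints the number of certificates written. Pure awk, so it needs no openssl.
split_pem_chain() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$bundle"
}

# A root CA certificate is self-signed: subject equals issuer. Servers often
# omit the root from the handshake, so the last certificate in the bundle may
# be an intermediate rather than the root.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# What the operator compares against the owner's published values before
# answering keytool's "Trust this certificate?" prompt.
show_fingerprint() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

trust_store() {   # $1 = IMPACT_HOME, $2 = instance name
    printf '%s/wlp/usr/servers/%s/resources/security/trust.jks\n' "$1" "$2"
}

# Import one certificate under the given alias. keytool is left interactive on
# purpose (no -noprompt): it asks for confirmation when it cannot chain the
# certificate to an existing entry, which is the moment to check the fingerprint.
import_cert() {
    impact_home=$1; instance=$2; alias=$3; certfile=$4; storepass=$5
    "$impact_home/sdk/bin/keytool" -importcert -alias "$alias" -file "$certfile" \
        -keystore "$(trust_store "$impact_home" "$instance")" -storepass "$storepass"
}

# Verbose listing; trusted CA entries show up as "trustedCertEntry".
list_trust_store() {
    impact_home=$1; instance=$2; storepass=$3
    "$impact_home/sdk/bin/keytool" -list -v \
        -keystore "$(trust_store "$impact_home" "$instance")" -storepass "$storepass"
}

# End to end: fetch, split, import the root (or every presented certificate if
# the root was not sent), then list. Restart the Impact server afterwards.
trust_server() {
    host=$1; port=$2; impact_home=$3; instance=$4; storepass=$5
    work=$(mktemp -d)
    fetch_chain "$host" "$port" "$work/bundle.txt"
    n=$(split_pem_chain "$work/bundle.txt" "$work/certs")
    [ "$n" -gt 0 ] || { echo "no certificates received from $host:$port" >&2; return 1; }
    last="$work/certs/cert-$n.pem"
    if is_self_signed "$last"; then
        show_fingerprint "$last"
        import_cert "$impact_home" "$instance" "$host-root" "$last" "$storepass"
    else
        echo "root CA not sent by $host; importing the $n presented certificates" >&2
        i=1
        while [ "$i" -le "$n" ]; do
            show_fingerprint "$work/certs/cert-$i.pem"
            import_cert "$impact_home" "$instance" "$host-$i" "$work/certs/cert-$i.pem" "$storepass"
            i=$((i + 1))
        done
    fi
    list_trust_store "$impact_home" "$instance" "$storepass"
}
```

A typical call is trust_server api.example.test 443 /opt/IBM/tivoli/impact NCI "$STOREPASS". Passing the trust store password on the command line, as the page's commands and this script do, leaves it in shell history and visible in process listings for the duration of the keytool run; omitting -storepass makes keytool prompt for it instead, which is preferable when running by hand.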