This article is an overview of the general concepts of inbound and outbound SSL configurations for WebSphere Application Server. It applies to the recommended approach by IBM to use IHS for inbound SSL and to configure the appropriate scopes key and trust stores.

Read it through, it reads great, but there is a more to it than meets the eye. After reading the Inbound communications and Outbound communications please read through my comments after to get an idea of the type of level my training material covers on the topic of WebSphere SSL..

BEGIN: Excerpt from IBM Information Centre

Inbound communications

Most Web applications transmit sensitive data, for example, a user name and password during login or personal data during the interaction with the application. To make this data safe during transfer, we use SSL. In the WebSphere environment, we recommend that you access application

servers through a Web server, for example, IBM HTTP Server (IHS). If client certificate authentication is not required, perform the following steps to configure SSL communication:


  1. Configure the Web server for SSL
    1. Create the key database file and certificates required for the Web server to participate in an SSL connection. The certificate must be signed by a well known CA.
    2. Enable the directives in the Web server configuration for SSL, pointing to the new key database. This step allows SSL connections to be established between Web browsers and the Web server.
  2. Configure the HTTP Plug-in for SSL
    1. Add the Web server definition to WebSphere (which is usually done as a part of the HTTP plug-in configuration process).When a Web server definition is created, it is associated with a keystore that contains all of the signers for the cell and the chained certificate for the Web server node.
    2. Copy the Web server keystore and stash files for the plug-in to the Web server plug-in location.

If client certificate authentication is required, configuration is more complex. In addition to the previous steps, you have to configure the Web server to require client certificates and configure mutual trust between the plug-in and the application server.


Outbound communications

Applications might need to communicate with external services. These external services usually require encryption and often certificate authentication also. We recommend that you create separate SSL configurations for each external service to provide flexibility and isolation. Depending on your requirements, the number of external services, and the topology, you can select a specific SSL configuration selection method.


The following steps describe how to prepare SSL configuration for external



  1. Create a keystore at the appropriate scope. Choose a scope that will allow access to the keystore for all servers that have to connect to the external service.
  2. Obtain the certificate from the external service server.
  3. Import the certificate into the keystore as a signer certificate.
  4. If client certificate authentication is required:
    1. If the service provider provides you with a client certificate, import it as a personal certificate into the keystore.
    2. Otherwise:
      1. Generate a new self-signed personal certificate or chained certificate.
      2. Extract the public part of the certificate or root signer certificate.
      3. Send the extracted certificate to the service provider where it must be

            added as a trusted certificate to allow a connection to be established.

  1. Create a new SSL configuration at the same scope. Select the new keystore as both the keystore and the truststore.
  2. Ensure that the SSL configuration will be used.

END: Excerpt from IBM Information Centre

How to implement the above??

Nice description above, but how do we do all this?

  • What about the scenario when you do not want IBM HTTP Server for inbound SSL and you want to access WAS directly via SSL?
  • Maybe you want WAS to communicate to a service hosted in another technology and you need WAS to be the client?
  • Maybe you do not want WAS to present the default self –signed certificate in this type of conversation. Instead present singed certs from one of your company’s root certificates?

IHS (IBM HTTP Server) SSL configuration is covered in my SSL module [Part 1].
You can purchase this module from me, contact me for details.
My SSL module [Part 2] will discuss the ability to allow a client service to connect to WebSphere Application Server directly using SSL.
You can purchase this module from me, please contact me for details.


Leave a Reply