How to import SSL certificates into webMethods Integration Server

In this article I described how you can generate a self-signed SSL certificate to enable HTTPS in webMethods Integration Server: How to create a self-signed SSL certificate for webMethods Integration Server with OpenSSL. Now it’s time to import a real certificate.

If you have received the signed certificate from your Certificate Authority, you can follow these steps to import it into Integration Server. I’m using OpenSSL on a Linux machine and Java’s keytool on my Windows workstation for the command line work.

Prepare the certificate

  • The private key has to be in PEM format and needs to be BASE64 encoded. At least in my case OpenSSL wasn’t able to handle it otherwise.
  • First of all, you need to protect your private key with a password, if you haven’t already done so. Back up the key first: the command below writes the encrypted key over the original file.

    openssl rsa -des3 -in integrationserver.key -out integrationserver.key
    
  • If the certificate is in DER format (in my case it was, and the file had the extension .cer), it has to be converted to PEM:

    openssl x509 -in integrationserver.cer -inform DER -out integrationserver.crt -outform PEM
    
  • Now the keystore for Integration Server can be created:

    openssl pkcs12 -export -des3 -in integrationserver.crt -inkey integrationserver.key -out integrationserver.p12
    
  • Now we need to create a Truststore containing the issuing certificates of our certificate. You need to download the required certificates for the whole certificate chain and add them to a Truststore:

    keytool -import -alias rootCA -keystore integrationserver.jks -file rootCA.crt
    

    You need to repeat this command for each certificate of the chain with a unique alias.
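
The checks below are an added example, not part of the original article: before the files are uploaded, they confirm that the private key and the certificate belong together and that the PKCS12 keystore opens with its export password and holds that certificate. The function names and the KEY_PASS / P12_PASS environment variables are assumptions, and the sample files are generated on the fly as stand-ins for the CA-signed ones.

```shell
#!/bin/sh
# Added example: pre-upload checks. File names follow the article; the function
# names and the KEY_PASS / P12_PASS environment variables are assumptions.
# Pass phrases are read from the environment so they stay out of the process list.

# Exit 0 only if the private key ($1) and the certificate ($2) share one public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Exit 0 only if the PKCS12 file ($1) opens with P12_PASS and holds certificate $2.
p12_contains_cert() {
    want=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 2
    got=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
          openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 2
    [ "$want" = "$got" ]
}

# Constructed sample data: a throwaway key pair and self-signed certificate,
# written as $1/$2.key and $1/$2.crt (stand-ins for the CA-signed files).
make_sample() {
    openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=localhost" \
        -keyout "$1/$2.key" -passout env:KEY_PASS -out "$1/$2.crt" 2>/dev/null
}

# Runs the checks on the sample data and prints one line per check.
demo() {
    dir=$(mktemp -d) || return 1
    export KEY_PASS=sample-key-pass P12_PASS=sample-export-pass
    make_sample "$dir" integrationserver && make_sample "$dir" other || return 1
    openssl pkcs12 -export -in "$dir/integrationserver.crt" \
        -inkey "$dir/integrationserver.key" -passin env:KEY_PASS \
        -passout env:P12_PASS -out "$dir/integrationserver.p12" || return 1
    key_matches_cert "$dir/integrationserver.key" "$dir/integrationserver.crt" \
        && echo "key and certificate match"
    key_matches_cert "$dir/other.key" "$dir/integrationserver.crt" \
        || echo "unrelated key rejected"
    p12_contains_cert "$dir/integrationserver.p12" "$dir/integrationserver.crt" \
        && echo "PKCS12 holds the expected certificate"
    rm -rf "$dir"
}

demo
```

Both functions return 2 when a file cannot be read or a pass phrase is wrong, so a typo in the password is distinguishable from a genuine mismatch (status 1).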

Import the certificate into Integration Server

  • Create a Truststore Alias under Security -> Keystore -> Create Truststore Alias.
    Create a Truststore Alias in webMethods Integration Server
  • Create a Keystore Alias under Security -> Keystore -> Create Keystore Alias.
    Create a Keystore Alias in webMethods Integration Server
  • Create an HTTPS Port under Security -> Ports -> Add Port.
    Create an HTTPS Port in webMethods Integration Server
  • Enable access through the new port.
    Enable access through an HTTPS Port in webMethods Integration Server
  • Test your new HTTPS connection in a browser:
    https://YOUR-SERVERNAME:5443/

How to create a self-signed SSL certificate for webMethods Integration Server with OpenSSL

Here’s a short step-by-step guide on how to create and install a self-signed SSL certificate for testing purposes in webMethods Integration Server. You can test secure HTTPS connections from clients to Integration Server with this certificate.

Create a certificate

You can easily create the certificate using OpenSSL on a Linux system.

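  • Create a private key. The 1024-bit size shown here is tolerable only for a throwaway test certificate; use at least 2048 bits for any key that will protect real traffic.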

    openssl genrsa -des3 -out integrationserver.key 1024
    
    Generating RSA private key, 1024 bit long modulus
    ........................++++++
    .++++++
    e is 65537 (0x10001)
    Enter pass phrase for integrationserver.key:
    Verifying - Enter pass phrase for integrationserver.key:
    
  • Create a certificate signing request (CSR).

    openssl req -new -key integrationserver.key -out integrationserver.csr
    
    Enter pass phrase for integrationserver.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:DE
    State or Province Name (full name) [Some-State]:Lower-Saxony
    Locality Name (eg, city) []:Vechta
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Macke IT
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:localhost
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:IntegrationServer
    An optional company name []:
    
  • Sign the CSR yourself and create a certificate.

    openssl x509 -req -days 365 -in integrationserver.csr -signkey integrationserver.key -out integrationserver.crt
    
    Signature ok
    subject=/C=DE/ST=Lower-Saxony/L=Vechta/O=Macke IT/CN=localhost
    Getting Private key
    Enter pass phrase for integrationserver.key:
    
  • Convert the certificate to DER (which Integration Server needs).

    openssl x509 -in integrationserver.crt -inform PEM -out integrationserver_der.crt -outform DER
    
  • Create a keystore in PKCS12 format (which Integration Server needs) containing the private key and the certificate.

    openssl pkcs12 -export -des3 -in integrationserver.crt -inkey integrationserver.key -out integrationserver.pkcs12
    
    Enter pass phrase for integrationserver.key:
    Enter Export Password:
    Verifying - Enter Export Password:
    
  • Take a look at all the generated files and copy them over to a directory where IS can access them.

    ls -la
    
    -rw-r--r--  1 root root  818 10. Jan 18:32 integrationserver.crt
    -rw-r--r--  1 root root  680 10. Jan 18:32 integrationserver.csr
    -rw-r--r--  1 root root  563 10. Jan 18:34 integrationserver_der.crt
    -rw-r--r--  1 root root  963 10. Jan 18:29 integrationserver.key
    -rw-r--r--  1 root root 1581 10. Jan 18:34 integrationserver.pkcs12
    

Install the certificate in Integration Server

  • Install the keystore via Security -> Keystore -> Create Keystore Alias on IS’s web frontend.
    Add a Keystore Alias in webMethods Integration Server
    The new Keystore should now be listed.
    List the Keystore Aliases in webMethods Integration Server
  • Install the certificate via Security -> Certificates -> Edit Certificates Settings.
    Add a certificate in webMethods Integration Server

Add an HTTPS Port in Integration Server

  • Security -> Ports -> Add Port
    Add an HTTPS Port in webMethods Integration Server
  • You may need to configure the Access Mode of the new port, so that folders and services will be available via HTTPS. Simply click on the link in column Access Mode and configure the settings (Security -> Ports -> Edit Access Mode).
  • Test the HTTPS connection by navigating to https://localhost:5443. The certificate error is expected, because we self-signed our certificate. Add the certificate to the list of trusted certificates and move on. If you use a “real” certificate later, the error will go away.
    Certificate error in webMethods Integration Server
