configuring TLS on Open Liberty

created on January 21, 2022

create keystore file for certs and the server key

Create a PKCS12 keystore file, containing the server’s key, the server’s cert and the intermediate CA’s cert:

openssl pkcs12 -export \
  -name "base.lan cert" \
  -out /path/to/pkcs12/file.p12 \
  -inkey /path/to/server/key.pem \
  -in /path/to/server.crt \
  -certfile /path/to/intermediate_CA.crt

OpenSSL will prompt for an export password for the PKCS12 file it is about to create. Enter and confirm the password, and note it down, since it is needed again in server.xml.

Copy the resulting PKCS12 file to src/main/Liberty/config/resources/security

configure TLS in server.xml

In the featureManager section, enable the Transport Security feature (transportSecurity-1.0). This also enables ssl-1.0:

<featureManager>
    <!-- some other features -->
    <feature>transportSecurity-1.0</feature>
    <!-- some other features -->
</featureManager>

encrypt the password for the PKCS12 file with the securityUtility

$(find target -name securityUtility) encode --encoding=aes
Enter text:
Re-enter text:
{aes}AEKVY1lsgycJ3HhcmHb2hfqC4CzRW6c8jnhKuUA0ID1i

Configure the keystore created above with a keyStore element, and configure TLS (still called SSL in the configuration) with an ssl element that refers to that keystore:

<keyStore id="defaultKeyStore"
          type="PKCS12"
          location="${wlp.install.dir}/usr/servers/defaultServer/resources/security/keystore.p12"
          password="{aes}AEKVY1lsgycJ3HhcmHb2hfqC4CzRW6c8jnhKuUA0ID1i" />
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.3" />

Make sure that the httpEndpoint element contains the httpsPort definition. If the httpEndpoint element contains a reference to an ssl element, make sure that reference points to the ssl element with the right id.
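An added consistency check for the server.xml wiring described in this section (my own example, not code from this post or from Open Liberty): it parses a server.xml and reports whether the TLS feature is enabled, whether every ssl element's keyStoreRef resolves to a keyStore id, whether keystore passwords are securityUtility-encoded rather than plaintext, whether a legacy protocol is listed in sslProtocol, and whether each httpEndpoint has an httpsPort and, if it carries an sslOptionsRef, whether that resolves through an sslOptions element to an ssl id. The sample server.xml is constructed from the snippets above, and the httpEndpoint sslOptionsRef / sslOptions sslRef chain is my reading of the Liberty configuration, so treat those attribute names as an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml, assembled from the snippets in this post (not a deployed config).
SAMPLE_SERVER_XML = """<server>
  <featureManager><feature>transportSecurity-1.0</feature></featureManager>
  <keyStore id="defaultKeyStore" type="PKCS12"
            location="${server.config.dir}/resources/security/keystore.p12"
            password="{aes}AEKVY1lsgycJ3HhcmHb2hfqC4CzRW6c8jnhKuUA0ID1i"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.3"/>
  <sslOptions id="defaultSSLOptions" sslRef="defaultSSLConfig"/>
  <httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9443"
                sslOptionsRef="defaultSSLOptions"/>
</server>"""

# Protocol tokens (Java naming) that should not appear in sslProtocol.
LEGACY_PROTOCOLS = {"SSL", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def check_tls_config(xml_text):
    """Return a list of findings; an empty list means the TLS wiring is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if not features & {"transportSecurity-1.0", "ssl-1.0"}:
        findings.append("neither transportSecurity-1.0 nor ssl-1.0 is enabled")
    keystores = {k.get("id"): k for k in root.iter("keyStore")}
    for kid, ks in keystores.items():
        # securityUtility encode produces {xor}... or {aes}...; anything else is plaintext.
        if not ks.get("password", "").startswith(("{aes}", "{xor}")):
            findings.append(f"keyStore {kid}: password missing or not encoded with securityUtility")
    ssls = {s.get("id"): s for s in root.iter("ssl")}
    for sid, ssl in ssls.items():
        if ssl.get("keyStoreRef") not in keystores:
            findings.append(f"ssl {sid}: keyStoreRef {ssl.get('keyStoreRef')!r} matches no keyStore id")
        tokens = {t.strip() for t in ssl.get("sslProtocol", "").split(",")}
        if tokens & LEGACY_PROTOCOLS:
            findings.append(f"ssl {sid}: legacy protocol in sslProtocol {ssl.get('sslProtocol')!r}")
    options = {o.get("id"): o for o in root.iter("sslOptions")}
    for oid, opt in options.items():
        if opt.get("sslRef") not in ssls:
            findings.append(f"sslOptions {oid}: sslRef {opt.get('sslRef')!r} matches no ssl id")
    for ep in root.iter("httpEndpoint"):
        eid = ep.get("id")
        if not ep.get("httpsPort"):
            findings.append(f"httpEndpoint {eid}: no httpsPort, so no TLS listener is opened")
        ref = ep.get("sslOptionsRef")
        if ref is not None and ref not in options:
            findings.append(f"httpEndpoint {eid}: sslOptionsRef {ref!r} matches no sslOptions id")
    return findings


if __name__ == "__main__":
    for line in check_tls_config(SAMPLE_SERVER_XML) or ["server.xml TLS wiring looks consistent"]:
        print(line)
```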

import the root CA cert

Import the root CA cert into the JDK's trusted certificates keystore file, cacerts.

The cacerts file resides, relative to the JDK installation directory, in

  • /lib/security for Java 11 and later
  • /jre/lib/security for Java 8

The default password after a fresh installation of a JDK / JSDK is 'changeit'.

keytool -import -alias baseLanCert -keystore ./cacerts -file /opt/intra/ca/base.lan/root-ca.crt

If the cert is no longer needed at some later time, it can be deleted from the truststore with:

keytool -delete -alias aliasToRemove -keystore ./cacerts

reference

  • Oracle JVM documentation: Installing a Root Certificate in the Trust Store
  • Open Liberty docs: Transport Security 1.0