Configuring Two-Way SSL

In two-way SSL, the Tomcat server additionally tries to establish trust with the connecting client by requesting a certificate from the client, and either accepting or rejecting it based on its own trust settings.

Follow the instructions below to enable two-way SSL in your Silver Fabric component.

Procedure

  1. If a VirtualRouter instance is forwarding requests to this enabler, ensure it has SSL enabled.
  2. On the Silver Fabric Administration Tool, go to Stacks > Components.
  3. Select the Edit Component action for your component.
  4. Select Add/Edit Component Features.
  5. Select the HTTP Support feature and click Edit.
  6. Select the HTTPS Enabled option and clear the HTTP Enabled option to create a pure SSL configuration.
  7. Click OK, then click Menu.
  8. Select Add/Override/Edit Enabler and Component-Specific Runtime Context Variables.
  9. Select Add From Enabler.
  10. Select TWO_WAY_SSL_ENABLED from the list and click OK.
  11. Click TWO_WAY_SSL_ENABLED, click Edit, change the value to true and click OK.
  12. The server uses the demo keystore bundled with Tomcat by default. If this is sufficient for your needs, click Finish and you are done.
  13. To configure a custom certificate instead, set the following environment variables as needed:
    • SERVER_KEY_STORE_FILE: Server keystore file location for incoming SSL connections.
    • SERVER_KEY_STORE_PASSWORD: Password for the server keystore.
    • SERVER_TRUST_STORE_FILE: Server trust store file location for outgoing SSL connections.
    • SERVER_TRUST_STORE_PASSWORD: Password for the server trust store.
    • CLIENT_KEY_STORE_FILE: Client keystore file used when connecting to the JMX server when TWO_WAY_SSL_ENABLED is true.
    • CLIENT_TRUST_STORE_FILE: Trust store file used when connecting to the JMX server.
    • CLIENT_KEY_STORE_PASSWORD: Client keystore password used when connecting to the JMX server when TWO_WAY_SSL_ENABLED is true.

    In the definitions, you can use the variable ${CATALINA_HOME}, which expands to the Tomcat application server home directory for the enabler at run time.

    Click OK when finished. You can now upload your keystore file.

  14. Select Add/Override/Customize Enabler and Component-Specific Content Files.
  15. Click Upload.
    The Add File screen is displayed.
  16. Complete the screen as follows:
    1. Enter a name for your server keystore file in the Name field.
    2. Enter the path you used for SERVER_KEY_STORE_FILE above in the Relative Path field.
    3. Enter your server keystore file in the File field.
    4. Click OK.
  17. Repeat the previous two steps to upload the files referenced by SERVER_TRUST_STORE_FILE, CLIENT_TRUST_STORE_FILE, and CLIENT_KEY_STORE_FILE.
  18. Click Finish.
  19. Select the Publish Changes action.
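As an added preflight check (this script is not part of Silver Fabric or this guide), the Python below resolves the runtime context variables from step 13 the way the enabler does, confirms that every store file the paths point to has actually been uploaded under CATALINA_HOME, and goes one step beyond the guide by sniffing each file's header to catch a PEM or other non-keystore file uploaded by mistake. The directory layout, store file names and the changeit passwords are constructed placeholders.

```python
import tempfile
from pathlib import Path

# Runtime context variables the enabler reads once TWO_WAY_SSL_ENABLED is true (names from the guide).
TWO_WAY_VARS = ("SERVER_KEY_STORE_FILE", "SERVER_KEY_STORE_PASSWORD", "SERVER_TRUST_STORE_FILE",
                "SERVER_TRUST_STORE_PASSWORD", "CLIENT_KEY_STORE_FILE", "CLIENT_KEY_STORE_PASSWORD",
                "CLIENT_TRUST_STORE_FILE")
JKS_MAGIC = b"\xfe\xed\xfe\xed"  # first four bytes of a Java JKS keystore

def expand(value, catalina_home):
    """Expand ${CATALINA_HOME} the way the enabler does at run time."""
    return value.replace("${CATALINA_HOME}", catalina_home)

def store_format(path):
    """Sniff the store type from its header: JKS magic, or a DER SEQUENCE tag (0x30) for PKCS#12."""
    head = Path(path).read_bytes()[:4]
    if head == JKS_MAGIC:
        return "JKS"
    return "PKCS12" if head[:1] == b"\x30" else "unknown"

def check_two_way_ssl(ctx, catalina_home):
    """Return a list of problems with the variables; an empty list means they are consistent."""
    if ctx.get("TWO_WAY_SSL_ENABLED", "false").lower() != "true":
        return ["TWO_WAY_SSL_ENABLED is not true: the server will not request a client certificate"]
    problems = [f"{var} is not set" for var in TWO_WAY_VARS if not ctx.get(var)]
    for var in (v for v in TWO_WAY_VARS if v.endswith("_FILE") and ctx.get(v)):
        path = Path(expand(ctx[var], catalina_home))
        if not path.is_file():
            problems.append(f"{var}: {path} not found; upload it as a content file at that relative path")
        elif store_format(path) == "unknown":
            problems.append(f"{var}: {path} is neither a JKS nor a PKCS#12 store")
    return problems

def demo(drop_client_keystore=False):
    """Build a constructed CATALINA_HOME with placeholder stores and run the check over it."""
    home = tempfile.mkdtemp(prefix="catalina_home_")
    conf = Path(home, "conf")
    conf.mkdir()
    names = ["server.jks", "server-trust.jks", "client-trust.jks"] + ([] if drop_client_keystore else ["client.jks"])
    for name in names:
        (conf / name).write_bytes(JKS_MAGIC + b"\x00\x00\x00\x02")  # JKS header only; constructed, not a real store
    ctx = {"TWO_WAY_SSL_ENABLED": "true",
           "SERVER_KEY_STORE_FILE": "${CATALINA_HOME}/conf/server.jks", "SERVER_KEY_STORE_PASSWORD": "changeit",
           "SERVER_TRUST_STORE_FILE": "${CATALINA_HOME}/conf/server-trust.jks", "SERVER_TRUST_STORE_PASSWORD": "changeit",
           "CLIENT_KEY_STORE_FILE": "${CATALINA_HOME}/conf/client.jks", "CLIENT_KEY_STORE_PASSWORD": "changeit",
           "CLIENT_TRUST_STORE_FILE": "${CATALINA_HOME}/conf/client-trust.jks"}
    return check_two_way_ssl(ctx, home)
```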