Configuring Liberty for TLS

To secure the connections between Open Liberty and the components of i2 Analyze, you must configure Liberty for TLS. This topic describes how to update the i2 Analyze configuration with the location of a keystore and truststore to use, and how to provide the passwords for accessing the certificates that the stores contain.

Before you begin

Before you can configure i2 Analyze, you must have a keystore and truststore for Liberty that contain the required certificates. For more information about the required certificates, see Keystores, truststores, and certificates for i2 Analyze.

About this task

Configuring Liberty to use TLS involves modifying the i2 Analyze topology.xml file to specify that a secure connection must be used with the application server. You must also update the credentials.properties file to specify the password for the Liberty keystore and truststore files.

By default, secure connections between i2 Analyze and its clients use TLS v1.2. To change this setting without affecting the other connections, you can edit the environment-advanced.properties file.

When configuration is complete, it is only possible to connect to Liberty through the HTTPS protocol, on the secure port that is defined in the port definition properties file. The non-secure port cannot be used.

Procedure

  1. In an XML editor, open the toolkit\configuration\environment\topology.xml file.

    1. In the <application> element for the application server to secure, add the secure-connection attribute with the value of true.

      For example:

      <application name="opal-server" host-name="hostname" secure-connection="true">

      Note: The host-name attribute value must match the common name that is associated with the certificate for the application server.

    2. Add the <key-stores> element as a child of the <application> element. Then, add child <key-store> elements.

      For your keystore, set the type attribute to key-store and the file attribute to the full path of the keystore file. For your truststore, set the type attribute to trust-store and the file attribute to the full path of the truststore file.

      For example:

      <application name="opal-server" host-name="hostname" secure-connection="true">
        ...
        <key-stores>
          <key-store type="key-store"
                     file="C:/i2/i2analyze/i2-liberty-keystore.p12"/>
          <key-store type="trust-store"
                     file="C:/i2/i2analyze/i2-liberty-truststore.p12"/>
        </key-stores>
        ...
      </application>

  2. Specify the keystore passwords in the credentials file.

    1. In a text editor, open the toolkit\configuration\environment\credentials.properties file.

    2. Enter the password for the keystore and truststore that you specified in the topology.xml file.

      ssl.keystore.password=password
      ssl.truststore.password=password

  3. (Optional) Change or add to the list of supported TLS protocols for connections from clients to Liberty.

    1. In a text editor, open the toolkit\configuration\environment\environment-advanced.properties file.

    2. Follow the guidance in that file to set the value of the wlp.sslProtocol property.

      For example, to enable TLS v1.3 as well as TLS v1.2, set the value to TLSv1.2,TLSv1.3.

  4. Update the application with your configuration changes. For more information, see Redeploying Liberty.
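The following script is an added example, not part of the i2 Analyze toolkit, that checks the three settings made in the procedure above before you redeploy: that each <application> in topology.xml has secure-connection="true", a host-name, and both a key-store and a trust-store entry with a full path; that credentials.properties sets both passwords and no longer holds the placeholder value from the example; and that wlp.sslProtocol in environment-advanced.properties lists only TLSv1.2 and TLSv1.3. The file contents embedded below are constructed stand-ins for the real files, and the function names are this example's own.

```python
"""Sanity-check the i2 Analyze TLS configuration described in the procedure.

Added example; not part of the i2 Analyze toolkit. The three strings below are
constructed stand-ins for topology.xml, credentials.properties and
environment-advanced.properties. Replace them with the real file contents.
"""
import re
import xml.etree.ElementTree as ET

# Constructed topology.xml fragment (only the parts this check inspects).
TOPOLOGY_XML = """<topology>
  <application name="opal-server" host-name="hostname" secure-connection="true">
    <key-stores>
      <key-store type="key-store" file="C:/i2/i2analyze/i2-liberty-keystore.p12"/>
      <key-store type="trust-store" file="C:/i2/i2analyze/i2-liberty-truststore.p12"/>
    </key-stores>
  </application>
</topology>"""

# Constructed credentials.properties content (values are placeholders for a real secret).
CREDENTIALS = """ssl.keystore.password=example-keystore-secret
ssl.truststore.password=example-truststore-secret
"""

# Constructed environment-advanced.properties content.
ENV_ADVANCED = "wlp.sslProtocol=TLSv1.2,TLSv1.3\n"

# The only protocol names the procedure above enables; anything else is flagged.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# A Windows drive path (C:/ or C:\) or a POSIX absolute path counts as a full path.
FULL_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|/)")


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' and '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_tls_config(topology_xml, credentials, env_advanced):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []

    root = ET.fromstring(topology_xml)
    for app in root.iter("application"):
        name = app.get("name", "<unnamed>")
        if app.get("secure-connection") != "true":
            problems.append(f"{name}: secure-connection is not true")
            continue
        if not app.get("host-name"):
            problems.append(f"{name}: host-name is missing (it must match the certificate CN)")
        # Map store type -> file attribute for every <key-store> under this application.
        stores = {ks.get("type"): ks.get("file") for ks in app.iter("key-store")}
        for store_type in ("key-store", "trust-store"):
            path = stores.get(store_type)
            if not path:
                problems.append(f'{name}: no <key-store type="{store_type}"> element')
            elif not FULL_PATH.match(path):
                problems.append(f"{name}: {store_type} file {path!r} is not a full path")

    creds = parse_properties(credentials)
    for key in ("ssl.keystore.password", "ssl.truststore.password"):
        if not creds.get(key):
            problems.append(f"credentials.properties: {key} is not set")
        elif creds[key] == "password":
            problems.append(f"credentials.properties: {key} still has the placeholder value")

    # TLSv1.2 is the documented default when wlp.sslProtocol is not set.
    protocols = parse_properties(env_advanced).get("wlp.sslProtocol", "TLSv1.2")
    for proto in (p.strip() for p in protocols.split(",")):
        if proto not in ALLOWED_PROTOCOLS:
            problems.append(f"environment-advanced.properties: wlp.sslProtocol lists {proto!r}")

    return problems


if __name__ == "__main__":
    found = check_tls_config(TOPOLOGY_XML, CREDENTIALS, ENV_ADVANCED)
    for problem in found:
        print("PROBLEM:", problem)
    if not found:
        print("TLS configuration looks consistent; continue with Redeploying Liberty.")
```

Run it after editing the three files and before redeploying; a non-empty problem list points at the file and setting that still needs attention, which is cheaper than discovering a missing truststore entry or an unset password from a failed Liberty start.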