Outbound Secured Communication¶
IFS Cloud might need to communicate securely over HTTPS to an external host e.g. a webservice. To do this IFS Middleware server needs to trust the Certificate that the other side suggests to use. IFS Middleware uses the standard java truststore to validate Certificates in outbound communication.
IFS Installer automatically imports certificates located in <ifs_home>/instance/<instance>/security/certs/import during one of the installer phases to its own truststore. It imports custom certificates into this truststore and merge it with the java standard truststore (cacerts). The truststores are protected with the IFS Middleware Server administration user password.
Certificates (*.cer) placed in this folder will be imported during a reconfigure. The certificate will first be added to the ifs_cacerts in <ifs_home>/instance/<instance>/security after that it will be merged to the mws java's security folder and its cacert file in <ifs_home>\mw_home\java\jre\lib\security\cacerts. That way the active cacerts truststore will always be up to date even when a new Java version is installed.
Fetching a certificate¶
If you need to import certificates from third party web services they need to be fetched first. It is possible to use the Internet browser for this purpose by pointing out the third party web service and accepting the certificate in the browser. Most of browsers offer possibility for exporting the downloaded certificates (started in Administrator mode).
But it is also possible to use command line tools for fetching the certificate: openssl and sed. Both those tools are typically preinstalled on Linux but have to be downloaded and installed on Windows.
The command looks as follows:
openssl s_client -connect <hostname>:<port> < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <certificate.crt>
openssl s_client -connect <hostname>:<port> < NUL | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <certificate.crt>