Security Certificates

Jan 20, 2011 at 5:33 PM
Hi, We are in the process of preparing our application integration and staging environments. I had a quick question from the infrastructure team about the way certificates need to be configured. Currently, I am uploading the "cacerts" to WebSphere application server. We are in the process of obtaining certificates from external sources like Verisign. I was asked if these certificates can go to the WebServer instance instead of the application server and can they be offloaded to the Netscalers? Also, is there a more secure way to manage the public-private key certificates besides including the certificates in the application JAR/EAR files ? Hope you can get back to me on this soon. Thanks Shyam
Coordinator
Jan 21, 2011 at 3:11 PM
Edited Jan 24, 2011 at 10:46 PM

Hi Shyam,

I'm not sure I follow all of your questions but I'll try to tackle what I think you are asking.

1.  Your Application's Private Key

The private key is obtained by the sdk through an interface: PrivateKeyStore.  The only implementation in the sdk, DefaultPrivateKeyStore, uses a java keystore.  If you want to retrieve your private key from elsewhere, create a class which implements PrivateKeyStore to retrieve the key however you like and inject it into the Authenticator object.  Everything is assembled in the ConnectionFactory class.

2.  cacerts -- HealthVault's SSL public certs

The machine making outbound requests to HealthVault must be able to authenticate HealthVault.  HealthVault requires requests be sent over SSL. The HealthVault site's certificates are signed with GTE CyberTrust Global Root as the trusted root certificate authority. This public key is shipped with Sun’s java runtime in a file located at java.home/lib/security/cacerts. The alias for this key is "gtecybertrustglobalca". Depending on your JRE or environment, this public key may not be installed in your trusted store. This is a known issue with WebSphere. See Getting Started for more info.

3.  Your Application's SSL certificates

You can configure your SSL public/private keys for inbound HTTPS however you like.  They need to be installed wherever you are terminating SSL.  You can offload them to appliances like Netscaler.

--Rob