Hi community,
Please, I need your feedback and recommendations about installing certificates in all webMethods components (Integration Server, MyWebMethodsServer, CommandCentral, Mashzone, Centrasite, Terracotta …).
Is it necessary to configure SSL communication between all these components even if all our components are in the local network and there is no firewall?
If yes, what are the main components that should use SSL communication?
Regards,
Nezha
Hi Nezha,
which version of wM are you on?
Most of the components support a PKCS#12/JKS combination for KeyStore (PKCS#12) and TrustStore (JKS).
Some of them might require a combined KeyStore/TrustStore-File which is usually a JKS-type.
Refer to the corresponding Admin-Guides for details.
At least IntegrationServer and MyWebMethodsServer should be accessible via HTTPS (at least in addition to the standard HTTP-Port) as they are usually accessed from outside their datacenter network (i.e. by Admins).
Speaking more generally, everything which is accessed from outside the local network of where the components are running should have an additional HTTPS-Port for the communication coming from there. Note that bigger companies even separate parts of the network from other parts via firewalls and the above scenario eases the setup of firewall rules.
Unfortunately each product uses its own way how and where to configure the certificates, and the ART-based Adapters might use a completely different approach based on the system type they are connecting to (i.e. SAP, IBM Websphere MQSeries, JDBC (depends on database vendor)).
Regards,
Holger
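An added example, not code from any poster in this thread or from the product: a small check that identifies a store file's container format from its leading bytes and compares it with the PKCS#12 KeyStore / JKS TrustStore combination mentioned in the reply above. The `EXPECTED` mapping, the function names and the sample byte strings are assumptions constructed for illustration; the Admin-Guide of each component decides what it actually requires.

```python
import struct

JKS_MAGIC = 0xFEEDFEED    # header of a Java KeyStore (JKS) file
JCEKS_MAGIC = 0xCECECECE  # header of a JCEKS file
# Assumed mapping taken from the reply above; adjust per component.
EXPECTED = {"keystore": "PKCS12", "truststore": "JKS", "combined": "JKS"}

def _sequence_body_offset(data):
    """Offset of the content of an outer ASN.1 SEQUENCE, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first <= 0x80:          # short-form or BER indefinite length
        return 2
    n = first & 0x7F           # long form: n length bytes follow
    if n > 4 or len(data) < 2 + n:
        return None
    return 2 + n

def detect_store_type(data):
    """Classify a store file by its first bytes."""
    if len(data) >= 4:
        magic = struct.unpack(">I", data[:4])[0]
        if magic == JKS_MAGIC:
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    off = _sequence_body_offset(data)
    # A PKCS#12 PFX is SEQUENCE { INTEGER 3 (version), ... }
    if off is not None and data[off:off + 3] == b"\x02\x01\x03":
        return "PKCS12"
    return "UNKNOWN"           # e.g. PEM text or a truncated file

def check_role(role, data):
    """Return (matches_expected, detected_type) for a configured role."""
    found = detect_store_type(data)
    return found == EXPECTED[role], found

# Constructed sample headers, not real key material.
SAMPLES = {
    "keystore": bytes.fromhex("3082 0a00 020103"),
    "truststore": bytes.fromhex("feedfeed 00000002 00000000"),
    "combined": b"-----BEGIN CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for role, head in SAMPLES.items():
        ok, found = check_role(role, head)
        print(f"{role}: detected {found}, {'ok' if ok else 'MISMATCH'}")
```

For a real file, pass the first few bytes, for example `open(path, "rb").read(16)`.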
I would strongly recommend installing SSL Certs on the Broker\UM as well. Even though the servers are within the local network you need to have some kind of authentication to access Broker from IS or MWS. I personally think Broker should have come up with its own username\password settings while setting up connections, at the least if not certs.
If you have a developer writing a Java.NET client program to connect to Broker over JMS using an already set up Client group then there is nothing stopping him from using the WM Broker API to capture, delete and drain messages in destinations.