Configure Web Service Client for HTTPS
To enable a Web service client for HTTPS, do the following:
-
Get the certification authority (CA) root certificate used by the Web server with which PPM is integrated.
-
Perform one of the following options to import the certificate into the key store.
-
Create a custom key store at the client side to import the CA root certificate into it as trusted CA certificate, and specify the key store for the Web service client.
-
Or, directly import the CA certificate into the JDK's default key store. In this option, you do not need to specify the key store for the Web service client.
-
Custom Key Store
After you obtain the CA root certificate used by the web server with which PPM is integrated, you can run the following command to import the certificate into your new key store.
keytool -import -keystore {keystore file} -alias {entryAlias} -file {certfile}
Notify the Web service client of the location of the certificate by using system property "javax.net.ssl.trustStore" as shown in the following example:
java -Dclient.repository.dir=%WSCLIENT_HOME% -classpath %CPATH%
-Djavax.net.ssl.trustStore="C:/toolkit/java/conf/client.jks" examples.pm.ProjectServiceClient https://localhost:8443/itg/ ppmservices/ProjectService "kevin8"
Or, you can use code inside your program as shown in the following example:
system.setProperty("javax.net.ssl.trustStore","full-path-of-keystore-file" );
If Secure Sockets Layer (SSL)-client authentication is required by the Web server, the javax.net.ssl.keyStore system property should be set to a key store file that contains the client's personal certificate.
Example:
java -Dclient.repository.dir=%WSCLIENT_HOME% -classpath %CPATH% -Djavax.net.ssl.trustStore="C:/toolkit/java/conf/client.jks" -Djavax.net.ssl.keyStore="C:/toolkit/java/conf/client.jks" examples.pm.ProjectServiceClient https://localhost:8443/itg/ ppmservices/ProjectService "kevin8"
The personal key store and the trust key store can point to the same key store file or a different one.
JDK Default Key Store
Another place to keep the trusted CA certificate is in the JDK's default key store, which can be found at $JRE_HOME/lib/security/cacerts
. The default password to the JDK key store is 'changeit'.
Use the following command to import the certificate into the JDK default key store:
keytool -import -trustcacerts -keystore {$JRE_HOME/lib/ security/cacerts} -alias {entryAlias} -file {certfile}
Make sure you are updating the right version of JDK on your machine if multiple JDKs are installed.
Java Virtual Machine (JVM) will load this key store when the program starts, so no additional Web service client configuration is needed if the CA certificate is loaded into the key store.