Integration Server 11.1 | Configuring On-Premise Integration Servers for webMethods Cloud | Configuring a Tenant Connection | Setting Up Two-Way SSL Communication
 
Setting Up Two-Way SSL Communication
Integration Server supports one-way or two-way SSL communication between the on-premises Integration Server and IBM webMethods Cloud.
Integration Server supports one-way SSL communication in which the on-premises Integration Server acts as a client and validates the certificate issued by the IBM webMethods Cloud that acts as a server.
If you do not specify a truststore alias on the webMethods Cloud > Tenant connections > Create tenant connections page, Integration Server relies on the certificates in the JVM truststore for one-way SSL communication. The certificate issued by IBM webMethods Cloud uses CAs that are trusted by the JVM and are part of the JVM truststore. You might need to create a truststore if you connect to IBM webMethods Cloud using an intermediate proxy or other internal endpoints and the intermediaries use CA certificates that are signed by private CAs.
Note:
If you override the JVM truststore with your own truststore, make sure to update your truststore to include the required CAs from the JVM truststore.
In two-way SSL communication, both the on-premises Integration Server and IBM webMethods Cloud validate each other’s certificate using private keys. If you want more secure communication between two business applications, you can set up two-way SSL communication.
Before you set up two-way SSL communication, you need to download the IBM webMethods Cloud signed certificate and generate a keystore file. Then, use the keystore file to create a keystore alias on the on-premises Integration Server. When you set up a tenant connection alias to IBM webMethods Cloud, you configure these keystore alias details so that Integration Server can establish the two-way SSL connection with IBM webMethods Cloud.
To set up two-way SSL communication between the on-premises Integration Server and IBM webMethods Cloud:
1. Go to the IBM webMethods Cloud Certificates page and download the IBM webMethods signed certificate file in JKS or p12 format. This file contains the private key and the certificate. You can also upload your own CA signed certificate. Integration Server does not support using keystores with self-signed certificates for making a two-way SSL connection to IBM webMethods Cloud.
Note:
You can either directly generate the JKS file or use JKS tools or utilities to generate the JKS file from the p12 file.
2. In Integration Server Administrator, create a keystore alias for the keystore obtained in step 1 using the Security > Keystore > Create Keystore Alias page.
3. If the connection to IBM webMethods Cloud goes through intermediate endpoints or proxies that use private CAs, create a truststore with these certificates and the IBM webMethods Cloud CAs which are part of the JVM truststore.
This step is required for two-way SSL if the connection to IBM webMethods Cloud goes through intermediate endpoints that use private CAs.
4. In Integration Server Administrator, create a truststore alias for the truststore created in step 3 using the Security > Keystore > Create Truststore Alias page.
5. Go to webMethods Cloud > Tenant connections page in Integration Server Administrator and specify the details. See step 5 under Creating Tenants.
For detailed information on how two-way SSL communication works, see the documentation of the respective IBM webMethods Cloud products.
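One way to do the p12-to-JKS conversion from the note in step 1 and the truststore build from step 3 with the JDK `keytool` utility, as an added example that is not part of the IBM documentation. The function names, file paths, alias and passwords are assumptions; `changeit` is the usual default password of the JDK `cacerts` file.

```bash
#!/usr/bin/env bash
# Added example, not IBM tooling. File names, aliases and passwords are
# placeholders (assumptions); substitute the values used in your environment.

# Step 1 note: convert the downloaded PKCS#12 file into a JKS keystore.
# usage: p12_to_jks <in.p12> <out.jks> <p12-password> <jks-password>
p12_to_jks() {
  [ -f "$1" ] || { echo "missing keystore: $1" >&2; return 2; }
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
    -destkeystore "$2" -deststoretype JKS -deststorepass "$4"
}

# Step 3: start from a copy of the JVM truststore so the public CAs that
# IBM webMethods Cloud relies on stay trusted, then add the private CA used
# by the intermediate proxy or endpoint.
# usage: build_truststore <jvm-cacerts> <private-ca.pem> <out-store> <store-password> [alias]
build_truststore() {
  local base="$1" ca="$2" out="$3" pass="$4" alias="${5:-private-proxy-ca}"
  [ -f "$base" ] || { echo "missing JVM truststore: $base" >&2; return 2; }
  [ -f "$ca" ]   || { echo "missing CA certificate: $ca" >&2; return 2; }
  # Work on a copy; the JVM's own cacerts file is left untouched.
  cp "$base" "$out" && chmod 600 "$out" || return 1
  keytool -importcert -noprompt -trustcacerts -alias "$alias" \
    -file "$ca" -keystore "$out" -storepass "$pass" || return 1
  # Confirm the entry exists before creating the truststore alias in step 4.
  keytool -list -alias "$alias" -keystore "$out" -storepass "$pass" >/dev/null
}

# Count trusted-certificate entries; after build_truststore the result
# should be one higher than for the JVM truststore it was copied from.
# usage: count_trusted <store> <store-password>
count_trusted() {
  keytool -list -keystore "$1" -storepass "$2" | grep -c 'trustedCertEntry'
}

# Typical calls (paths are assumptions; use the JVM that runs Integration Server):
#   p12_to_jks cloud-cert.p12 cloud-keystore.jks '<p12-password>' '<jks-password>'
#   build_truststore "$JAVA_HOME/lib/security/cacerts" proxy-ca.pem is-truststore.jks changeit
```

The copied truststore keeps the password of the source file, so pass that password to `build_truststore` and enter the same one when you create the truststore alias in step 4.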