
By default, WebSphere is set up to trust only connections to itself. This is a problem because the link validation service and the enhanced media embed service cannot make connections to the external servers that they must interact with.

To fix this, you must ensure WebSphere has the proper SSL configuration, including certificate authority root certificates in its trust store for verifying SSL connections, for all potential targets of secure (SSL) connections. Targets usually include in-house servers, potentially secured by an in-house certificate authority, as well as servers on the public Internet secured by public certificate authorities.

SSL security can be configured in the WebSphere console under:

Security > SSL certificate and key management

Services will honor dynamic outbound endpoint SSL configurations based on hostname and port number, if configured.


One way of creating a simple, adequate WebSphere SSL configuration would be to create a new keystore entry under "SSL certificate and key management > Key stores and certificates" and point the path to the trust store of WebSphere's JVM, usually something like /opt/IBM/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts, with password "changeit", and the type to "JKS".

Root certificates of in-house certificate authorities could then be added to this trust store, and the trust store then selected as the trust store of the default SSL configuration. No extra WebSphere related configuration settings are needed in this case.
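Before selecting the trust store in the default SSL configuration, it is worth confirming that the in-house root was actually added and seeing which entries are outside their validity period. The following is an added example, not code from the services or from WebSphere; the class name `TrustStoreCheck` and its command-line arguments are assumptions, and it uses only standard `java.security` APIs.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name): audits a JKS trust store.
// Usage: java TrustStoreCheck <truststore> <password> [in-house-root.pem]
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TrustStoreCheck <truststore> <password> [ca.pem]");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            // Throws IOException on a wrong password or a corrupted store.
            ks.load(in, args[1].toCharArray());
        }
        int trusted = 0, invalid = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue; // skip private-key entries
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            trusted++;
            try {
                ((X509Certificate) c).checkValidity(); // expired or not yet valid
            } catch (CertificateException e) {
                invalid++;
                System.out.println("NOT VALID NOW: " + alias + " (" + e.getMessage() + ")");
            }
        }
        System.out.println(trusted + " trusted certificates, " + invalid + " outside validity period");
        boolean present = true;
        if (args.length > 2) {
            Certificate root;
            try (InputStream in = new FileInputStream(args[2])) {
                root = CertificateFactory.getInstance("X.509").generateCertificate(in);
            }
            // Matches on the full certificate, not just the subject name.
            String alias = ks.getCertificateAlias(root);
            present = alias != null;
            System.out.println(present ? "in-house root present as alias: " + alias
                                       : "in-house root MISSING from trust store");
        }
        System.exit(present ? 0 : 1); // non-zero only when the expected root is absent
    }
}
```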

Advanced SSL configuration

Services can be configured to use a particular named SSL configuration, instead of using the default WebSphere configuration, by setting ephox.http.websphere.ssl-config-name to the name of the SSL configuration in WebSphere.

E.g. after creating an SSL configuration named "TbioServices", configure ephox.http.websphere.ssl-config-name=TbioServices

All of WebSphere's SSL security configuration (trust stores and certificates, but also protocol, cipher settings etc.) can optionally be bypassed, and the JVM's SSL configuration, including the JVM trust store with its certificates, used instead, by configuring ephox.http.websphere.use-ssl-config=false

Simple setup for testing or pre-production environments

For use in evaluation or pre-production environments, all SSL security can be bypassed by both configuring ephox.http.websphere.use-ssl-config=false and

This is not recommended for production environments.