Textbox.io for IBM WCM : 4. Import Certificates for External Servers

Please contact IBM if you require support.

By default, WebSphere only trusts SSL connections to itself. This is a problem because the link validation service, image proxy service and enhanced media embed service must open connections to the external servers they interact with.

You must therefore ensure that WebSphere has a proper SSL configuration - one whose trust store contains the certificate authority root certificates needed to verify SSL connections - for every potential target of a secure (SSL) connection. Targets usually include in-house servers, which are often secured by an in-house certificate authority, as well as servers on the public Internet secured by public certificate authorities.

SSL security can be configured in the WebSphere console under:

Security > SSL certificate and key management

Textbox.io Services honor dynamic outbound endpoint SSL configurations (selected by hostname and port number) where these have been configured.

Suggestion

One way of creating a simple, adequate WebSphere SSL configuration is to create a new keystore entry under "SSL certificate and key management > Key stores and certificates" whose path points to the trust store of WebSphere's JVM, usually something like /opt/IBM/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts, with the JVM's default password "changeit" and the type "JKS".

Root certificates of in-house certificate authorities can then be imported into this trust store, and the trust store selected as the trust store of the default SSL configuration. No additional WebSphere-related Textbox.io configuration settings are needed in this case.
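As an added example (not part of the Textbox.io or IBM documentation), the following POSIX shell script performs the import step described above with the JDK's keytool. It checks that the input is a PEM certificate and that the target file really is a JKS store (JKS files begin with the magic bytes FE ED FE ED), makes a backup of the store, imports the root certificate, and then verifies that the alias is listed afterwards. The trust store path, store password, PEM file and alias are passed on the command line; the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: import an in-house CA root certificate into the JVM trust
# store that the WebSphere keystore entry points at, then verify the entry.
# Usage (paths are assumptions):
#   sh import_ca_root.sh /opt/IBM/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts \
#      changeit /tmp/inhouse-root.pem inhouse-root

# cert_is_pem FILE: return 0 if FILE exists and contains a PEM certificate block.
cert_is_pem() {
    [ -f "$1" ] && grep -q '^-----BEGIN CERTIFICATE-----' "$1"
}

# is_jks FILE: return 0 if FILE starts with the JKS magic number 0xFEEDFEED.
# WebSphere's keystore entry type must match the on-disk format, so this
# catches a path that points at something other than a JKS store.
is_jks() {
    [ -f "$1" ] && [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "feedfeed" ]
}

# import_ca_root TRUSTSTORE STOREPASS PEMFILE ALIAS
# Validates both inputs, backs up the store, imports the certificate as a
# trusted CA entry and confirms the alias is present. Non-zero on any failure.
import_ca_root() {
    truststore=$1 storepass=$2 pemfile=$3 entry_alias=$4
    if ! cert_is_pem "$pemfile"; then
        echo "not a PEM certificate: $pemfile" >&2; return 1
    fi
    if ! is_jks "$truststore"; then
        echo "not a JKS trust store: $truststore" >&2; return 1
    fi
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not on PATH; use the JDK's bin/keytool" >&2; return 1
    fi
    # Keep a timestamped copy so a bad import can be rolled back.
    cp "$truststore" "$truststore.bak.$(date +%Y%m%d%H%M%S)" || return 1
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$truststore" -storepass "$storepass" \
        -alias "$entry_alias" -file "$pemfile" || return 1
    # Verify the entry actually landed in the store (non-zero if the alias is missing).
    keytool -list -keystore "$truststore" -storepass "$storepass" \
        -alias "$entry_alias" >/dev/null
}

# Run only when invoked with the four arguments; otherwise just define the functions.
if [ $# -eq 4 ]; then
    import_ca_root "$@"
fi
```

If the is_jks check fails on the JVM's cacerts file, the store is in a different format and the type selected in the WebSphere keystore entry must match what keytool -list reports as the keystore type.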

Advanced Textbox.io SSL configuration

Textbox.io Services can be configured to use a particular named SSL configuration instead of the default WebSphere configuration by setting ephox.http.websphere.ssl-config-name to the name of that SSL configuration in WebSphere.

For example, after creating an SSL configuration named "TbioServices", set ephox.http.websphere.ssl-config-name=TbioServices.

All of WebSphere's SSL security configuration - not only trust stores and certificates but also protocol and cipher settings - can optionally be bypassed in favour of the JVM's own SSL configuration, including the JVM trust store and its certificates, by setting ephox.http.websphere.use-ssl-config=false.

Simple setup for testing or pre-production environments

For evaluation or pre-production environments, all SSL security can be bypassed by setting both ephox.http.websphere.use-ssl-config=false and ephox.http.trust-all-cert=true.

Bypassing all SSL security is not recommended for production environments.
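Because the two settings above are meant only for evaluation, a practitioner will want a way to confirm they have not leaked into a production configuration. The following POSIX shell script is an added example (not part of the Textbox.io or IBM documentation) that reads the ephox.http.* settings from a Java-style properties file and flags the "bypass all SSL security" combination. Where these properties are stored is not given on this page, so the file path and the sample contents in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit a Java .properties file for the Textbox.io SSL bypass
# settings (use-ssl-config=false together with trust-all-cert=true).
# Usage (file path is an assumption):
#   sh audit_ssl_props.sh /path/to/textbox.properties production

# get_prop FILE KEY: print the value of KEY from a Java-style properties file.
# '#' and '!' comment lines are ignored, whitespace around key and value is
# stripped, and the last definition wins (as java.util.Properties does).
# Prints nothing when the key is absent.
get_prop() {
    awk -v key="$2" '
        /^[[:space:]]*[#!]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# ssl_bypass_enabled FILE: return 0 when the file enables the evaluation-only
# combination from this page (use-ssl-config=false AND trust-all-cert=true),
# 1 otherwise. Values are compared case-insensitively, as Java parses booleans.
ssl_bypass_enabled() {
    use_cfg=$(get_prop "$1" ephox.http.websphere.use-ssl-config | tr '[:upper:]' '[:lower:]')
    trust_all=$(get_prop "$1" ephox.http.trust-all-cert | tr '[:upper:]' '[:lower:]')
    [ "$use_cfg" = "false" ] && [ "$trust_all" = "true" ]
}

# audit_ssl_props FILE ENVIRONMENT: print a one-line verdict. Returns 1 only
# when the bypass is enabled and ENVIRONMENT is "production"; the same
# settings in an evaluation environment are reported but not treated as a failure.
audit_ssl_props() {
    file=$1 environment=$2
    if ssl_bypass_enabled "$file"; then
        echo "$file: all SSL security bypassed (use-ssl-config=false, trust-all-cert=true)"
        if [ "$environment" = "production" ]; then
            echo "$file: bypass is not acceptable in production" >&2
            return 1
        fi
        return 0
    fi
    echo "$file: SSL verification in effect"
    return 0
}

# Run only when given a file; otherwise just define the functions.
if [ $# -ge 1 ]; then
    audit_ssl_props "$1" "${2:-production}"
fi
```

The check deliberately requires both properties: ephox.http.websphere.use-ssl-config=false on its own only switches to the JVM's SSL configuration, which still verifies certificates against the JVM trust store.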