Configuring server authentication with iKeyman

You configure server authentication by creating a client keyring, importing the server's signer certificate, creating a server keyring and certificate, and exporting the server's signer certificate.

For information about configuring server authentication from the command line, see Configuring your SSL server.

Creating a server keyring

The key ring contains your server certificate, with its associated private key, and several signer certificates. SSL uses the certificate to identify the server to connecting clients.

  1. Start iKeyMan.
  2. Select Key Database File -> New.
  3. From Key Database Type, select JKS.
  4. In File name type a name for your key ring, such as MyServerkeyring.jks.
  5. In Location, type a suitable location to store your server key ring.
  6. Select OK.
  7. Type a password for the key ring file.

    iKeyMan gives you an indication of the "strength" of your password. Using a mixture of letters and numbers makes the password more resistant to "brute force" dictionary attacks.

  8. Select OK.

The generated file MyServerkeyring.jks contains, by default, a selection of popular signer certificates as follows:

    VeriSign Class 3 Public Primary Certificate Authority
    VeriSign Class 2 Public Primary Certificate Authority
    VeriSign Class 1 Public Primary Certificate Authority
    RSA Secure Server Certificate Authority
    Thawte Personal Basic CA
    VeriSign Test CA Root Certificate
    Thawte Personal Premium CA
    Thawte Premium Server CA
    Thawte Server CA
    Thawte Personal Freemail CA

The server can verify clients with the VeriSign Class 1 through 3 Public Primary Certificate Authority signer certificates.

Creating a server certificate

Now you are ready to create the self-signed Server Certificate and store it along with its private key in your server key ring:
  1. In iKeyMan, select Create -> New Self-Signed Certificate.
  2. Complete the certificate request. Some fields are optional, but you must fill in at least the following (examples are shown):

    Key Label: exampleServerCert
    Version: select X509 V3
    Key Size: select 1024
    Common Name: defaults to the name of the machine you are using
    Validity Period: the default is 365 days

  3. Select OK.

    iKeyMan generates a public/private key pair.

  4. The self-signed Server Certificate appears in the Personal Certificates window. The certificate has the name you typed in the Key Label field, in this example exampleServerCert.
  5. With exampleServerCert highlighted, select View/Edit.

    Notice that the information in the issued to (certificate requester) textbox is the same as that in the issued by (signer) textbox. To establish SSL connections with a server presenting this certificate, the client must trust the signer. To do this the client key repository must contain the signer certificate of the server presenting exampleServerCert.

Exporting the server's signer certificate

  1. With exampleServerCert highlighted, select Extract Certificate...
  2. In the Data type pull-down menu, select Base64-encoded ASCII.
  3. Type the name and location of the text file containing your Server Certificate data. Our example uses exampleServercert.arm.
  4. Select OK.

Store the exported certificate in a safe place. Import it into any client repository that needs to communicate with this SSL server.

Creating a client keyring

A client key ring contains, as a minimum, the signer certificate of the SSL server and, if client authentication is required, a client X.509 certificate. The process for creating a client key ring is similar to that for a server:
  1. Start iKeyMan.
  2. Select Key Database File -> New.
  3. From Key Database Type, select JKS.
  4. In File name type a name for your key ring, such as MyClientkeyring.jks.
  5. In Location, type a suitable location to store your client key ring.
  6. Select OK.
  7. Type a password for the key ring file.
  8. Select OK.
Like the server key ring, the client key ring contains a default selection of popular signer certificates.

Importing the server's signer certificate

  1. In iKeyMan select Signer Certificates.
  2. Select Add.
  3. Locate the stored Server Base64-encoded ASCII certificate file. In our example, this is exampleServercert.arm.
  4. Give this signer certificate a unique label, for example, My Self-Signed Server Authority.
  5. Select OK.

    This new signer certificate is added to the list of default signers.
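
The export and import steps above, and the trust requirement noted under "Creating a server certificate" (the client key repository must hold the signer of the certificate the server presents), can also be driven from the java.security.KeyStore API rather than the iKeyMan GUI. The following is an added example, not code from the iKeyMan or CICS Transaction Gateway documentation. It assumes MyServerkeyring.jks has already been created with iKeyMan as described and contains the self-signed entry exampleServerCert; MyClientkeyring.jks is opened if present and created otherwise; the two key ring passwords are taken from the command line. The class name ServerAuthSetup and the use of JSSE's TrustManagerFactory for the final check are the example's own choices.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Added example, not part of the iKeyMan documentation. Assumes MyServerkeyring.jks
 * was created with iKeyMan as described above and holds the self-signed entry
 * "exampleServerCert". MyClientkeyring.jks is opened if present, else created.
 */
public class ServerAuthSetup {

    static final String SERVER_KEYRING = "MyServerkeyring.jks";
    static final String CLIENT_KEYRING = "MyClientkeyring.jks";
    static final String SERVER_LABEL = "exampleServerCert";
    static final String EXPORT_FILE = "exampleServercert.arm";
    static final String SIGNER_LABEL = "My Self-Signed Server Authority";

    // Opens a JKS key ring; a missing file yields a new, empty key ring.
    static KeyStore openKeyring(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        File f = new File(path);
        if (f.exists()) {
            try (InputStream in = new FileInputStream(f)) {
                ks.load(in, password);
            }
        } else {
            ks.load(null, password);
        }
        return ks;
    }

    // "Exporting the server's signer certificate": write the server certificate
    // as Base64-encoded ASCII, the same format iKeyMan writes to the .arm file.
    static X509Certificate exportSignerCert(char[] serverPassword) throws Exception {
        KeyStore server = openKeyring(SERVER_KEYRING, serverPassword);
        X509Certificate cert = (X509Certificate) server.getCertificate(SERVER_LABEL);
        if (cert == null) {
            throw new IllegalStateException("no entry labelled " + SERVER_LABEL + " in " + SERVER_KEYRING);
        }
        String pem = "-----BEGIN CERTIFICATE-----\n"
                + Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                        .encodeToString(cert.getEncoded())
                + "\n-----END CERTIFICATE-----\n";
        try (OutputStream out = new FileOutputStream(EXPORT_FILE)) {
            out.write(pem.getBytes(StandardCharsets.US_ASCII));
        }
        return cert;
    }

    // "Importing the server's signer certificate": add the .arm file to the
    // client key ring as a trusted (signer) entry under a unique label.
    static KeyStore importSignerCert(char[] clientPassword) throws Exception {
        KeyStore client = openKeyring(CLIENT_KEYRING, clientPassword);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate signer;
        try (InputStream in = new FileInputStream(EXPORT_FILE)) {
            signer = (X509Certificate) cf.generateCertificate(in); // accepts Base64/PEM input
        }
        client.setCertificateEntry(SIGNER_LABEL, signer);
        try (OutputStream out = new FileOutputStream(CLIENT_KEYRING)) {
            client.store(out, clientPassword);
        }
        return client;
    }

    // The check a JSSE client performs during the handshake: is the certificate the
    // server presents acceptable given the signer certificates in the client key ring?
    static boolean clientTrustsServer(KeyStore client, X509Certificate serverCert) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(client);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[] {serverCert}, "RSA");
                    return true;
                } catch (CertificateException e) {
                    return false; // signer not in the client key ring, or certificate invalid
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java ServerAuthSetup <server-keyring-password> <client-keyring-password>");
            System.exit(2);
        }
        X509Certificate serverCert = exportSignerCert(args[0].toCharArray());
        KeyStore client = importSignerCert(args[1].toCharArray());
        System.out.println("client key ring trusts " + SERVER_LABEL + ": " + clientTrustsServer(client, serverCert));
    }
}
```

Compile with javac and run it as java ServerAuthSetup followed by the two key ring passwords; it writes exampleServercert.arm, adds the signer entry to MyClientkeyring.jks and reports whether the client key ring now accepts the server certificate. Running clientTrustsServer before the import shows the failure mode the text warns about: without the signer entry, the trust manager rejects the self-signed certificate. The JDK keytool command performs the same two steps with -exportcert -rfc and -importcert.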


Last updated: Tuesday, 19 November 2013

https://ut-ilnx-r4.hursley.ibm.com/tg_latest/help/topic/com.ibm.cics.tg.doc//ctgunx/sslserv_jsse_ss.html