Configuring SSL server authentication

To complete this task you use ikeyman to create a server keyring and a server certificate. You then use ikeyman to export the certificate, create a client keyring, and import the server certificate into the keyring.

ikeyman is installed in the <install_path>/jvm17/bin directory.

For information about the benefits of using SSL see Why use SSL?.

UNIX and Linux commands are case-sensitive; on these platforms when starting the ikeyman tool, issue the command like this: ikeyman.

Create a server keyring

The keyring contains your server certificate and its associated private key. SSL uses the certificate to identify the server to connecting clients. This keyring must be used exclusively on the server and must be kept secure.

  1. Start ikeyman.
  2. On the ikeyman main menu, click Key database file > New.
  3. On the Key database type menu, select JKS.
  4. In the File name field, type a name for your keyring, for example MyServer.jks.
  5. In the Location field, type the path where you want to store the server keyring.
  6. Click OK.
  7. Type the password for accessing the keyring file. This scenario uses the password MyPassword.
  8. Click OK.

Create a server certificate

Now you are ready to create the self-signed server certificate and store it with its private key in the server keyring:
  1. On the ikeyman main menu, click Create > New Self-Signed Certificate.
  2. In the New self-signed certificate window, complete the following steps:
    1. In the Key label field type exampleservercert.
    2. On the Version menu, select X509 V3.
    3. On the Key size menu, select 1024.

      The common name defaults to the name of your machine, and the validity period defaults to 365 days.

  3. Click OK.

    ikeyman now generates a public/private key pair, and an entry for the exampleservercert certificate you have just created appears in the Personal Certificates window.

  4. Select the exampleservercert certificate and click View/Edit.

    The Key information window for the certificate opens. The information in the Issued to (certificate requester) and Issued by (signer) text boxes is identical.

    To establish an SSL connection with a server that presents this certificate, the client must trust the signer. To do this the client key repository must contain the signer certificate of the server that presents the exampleservercert certificate.

Export the server signer certificate

  1. Select the exampleservercert certificate and click Extract Certificate.
  2. On the Data type menu, select Base64-encoded ASCII.
  3. In the Certificate file name field, type the name of the text file that will hold your server certificate data, exampleservercert.arm.
  4. In the Location field, type the path where you want to store the certificate file.
  5. Click OK.

The exported certificate is a signer certificate generated from the personal certificate in the keyring; it does not contain the private key. Import the certificate into the keyring of any client that needs to communicate with this SSL server. The certificate allows the client to verify the identity of the server.

Create a client keyring

A client keyring must contain, as a minimum, the signer certificate of the SSL server keyring. The client application uses this keyring to verify the identity of the server. If client authentication is required, the keyring must also contain a client personal certificate, which the client uses to prove its own identity. For more information see Configuring SSL client authentication.

To create a client keyring:
  1. Start ikeyman.
  2. On the ikeyman main menu click Key Database File > New.
  3. On the Key Database Type menu, select JKS.
  4. In the File name field, type the client keyring file name, for example MyClient.jks.
  5. In the Location field, type the path where you want to store the client keyring.
  6. Click OK.
  7. Type a password for accessing the keyring. This scenario uses the password MyPassword.
  8. Click OK.

Import the server signer certificate

  1. In the Signer certificates list, click Add.
  2. Select the certificate name exampleservercert.arm.
  3. Click OK.
  4. In the Certificate file name field type a unique, recognizable name, for example, my self-signed server authority.
  5. Click OK.

    The new signer certificate is added to the Signer Certificates list and can be used by the client application to verify the identity of the server.

You have now configured SSL server authentication.
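The same procedure as a repeatable script, added here as an example and not part of the CICS Transaction Gateway documentation: it uses the JDK keytool command (assumed to be on the PATH from the same JVM that ships ikeyman) to perform the ikeyman steps above, then checks that the private key never left the server keyring and that the client keyring trusts exactly the certificate the server presents. Assumptions: a 2048-bit key instead of the 1024 selected in the ikeyman steps, a constructed common name myserver.example.com, and a temporary directory for the files.

```shell
#!/bin/sh
# Added example (not CICS TG code): the ikeyman steps above scripted with the JDK keytool,
# plus checks. 2048-bit key instead of 1024; CN, paths and password are constructed values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PASSWORD="MyPassword"                     # scenario password from the page; replace in real use
SERVER_KS="$WORKDIR/MyServer.jks"         # server keyring: personal certificate + private key
CLIENT_KS="$WORKDIR/MyClient.jks"         # client keyring: signer certificate only
ARM_FILE="$WORKDIR/exampleservercert.arm" # Base64-encoded (PEM) exported certificate

# "Create a server keyring" + "Create a server certificate": self-signed, label exampleservercert
create_server_keyring() {
    keytool -genkeypair -keystore "$SERVER_KS" -storetype JKS \
        -storepass "$PASSWORD" -keypass "$PASSWORD" -alias exampleservercert \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
        -dname "CN=myserver.example.com" >/dev/null 2>&1
}
# "Export the server signer certificate": -rfc writes Base64-encoded ASCII, as in ikeyman
export_signer_certificate() {
    keytool -exportcert -rfc -keystore "$SERVER_KS" -storepass "$PASSWORD" \
        -alias exampleservercert -file "$ARM_FILE" >/dev/null 2>&1
}
# "Create a client keyring" + "Import the server signer certificate": importcert creates
# the keyring if it does not exist and stores the certificate as a trusted (signer) entry
create_client_keyring() {
    keytool -importcert -noprompt -keystore "$CLIENT_KS" -storetype JKS \
        -storepass "$PASSWORD" -alias "my self-signed server authority" \
        -file "$ARM_FILE" >/dev/null 2>&1
}
# Entry type of an alias: PrivateKeyEntry (personal certificate) or trustedCertEntry (signer)
entry_type() {
    keytool -list -keystore "$1" -storepass "$PASSWORD" -alias "$2" 2>/dev/null \
        | grep -o -E 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}
# Certificate fingerprint of an alias, as printed by keytool -list
fingerprint() {
    keytool -list -keystore "$1" -storepass "$PASSWORD" -alias "$2" 2>/dev/null \
        | awk '/fingerprint/ { print $NF }'
}
# Checks before shipping the keyrings: the private key exists only in the server keyring,
# the exported file carries no private key, and the client trusts the server's certificate.
verify_keyrings() {
    [ "$(entry_type "$SERVER_KS" exampleservercert)" = "PrivateKeyEntry" ] || return 1
    [ "$(entry_type "$CLIENT_KS" "my self-signed server authority")" = "trustedCertEntry" ] || return 1
    [ "$(fingerprint "$SERVER_KS" exampleservercert)" = \
      "$(fingerprint "$CLIENT_KS" "my self-signed server authority")" ] || return 1
    grep -q 'BEGIN CERTIFICATE' "$ARM_FILE" || return 1
    if grep -q 'PRIVATE KEY' "$ARM_FILE"; then return 1; fi
}

create_server_keyring && export_signer_certificate && create_client_keyring
verify_keyrings && echo "keyrings in $WORKDIR verified"
```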


Last updated: Tuesday, 19 November 2013


https://ut-ilnx-r4.hursley.ibm.com/tg_latest/help/topic/com.ibm.cics.tg.doc//ctgunx/sc06_conf_serv.html