5.5.6.2.1.1 Creating a server keyring
The first step in creating a self-signed test certificate is to create a server
keyring. The keyring holds the private key of the server for which the test certificate is
being created, together with the public key that is placed in certificate requests. To create
a server keyring, complete the following steps:
- Start the IBM Key Management tool. See article 5.5.6.2, The IBM
Key Management tool, for instructions.
- Create a server keyring file.
- Create a new self-signed personal certificate.
- Export the public key from the server keyring file. This key is
required by the client keyring file.
The rest of this article describes how to complete these steps.
To create a server keyring file, do the following:
- Open a new key database file by selecting Key Database File --> New from the
menu bar. The New dialog box is displayed.
- Set Key Database Type to JKS.
- Enter the name and location of the server keyring file. In this example, the file name
is ServerKeyring.jks and the location is product_installation_root/etc.
- Click the OK button to continue. The Password Prompt dialog box is displayed.
- Enter a password to restrict access to the key database. In this example, the password
is WebAS.
The server keyring password is stored in the administrative console. The client keyring
password is stored in the sas.client.props file using the property
com.ibm.CORBA.SSLClientKeyRingPassword. Set the keyring-password properties to
this password so that the keyring file can be opened by iKeyman during runtime. See article
5.5.6.2.5, Making client and server keyrings accessible, for details.
Do not set an expiration date on the password, and do not save the password to a file; if
you do, you must reset the password each time it expires, or you must protect the password
file. This password is used only to release the information stored by iKeyman during
runtime.
- Click the OK button to continue. The tool now displays all of the available
default signer certificates. These are the public keys of the most common CAs. You can
add, view or delete signer certificates from this screen.
Creating a self-signed personal certificate generates a private key and a public key and
stores both in the server keyring file. The server keyring file therefore contains the
private key as well as the public key. The client keyring file contains only the public
certificate of the self-signed certificate, and it holds that certificate as a trusted
signer, never the private key.
To create a self-signed certificate, do the following:
- Click the New Self-Signed... button on the tool bar or select Create -->
New Self-Signed Certificate... from the menu. The Create New Self-Signed Certificate
form is displayed.
- Enter the appropriate information for your self-signed certificate:
  - Key Label: Give the certificate a key label, which is used to uniquely identify the
  certificate within the keyring. If you have only one certificate in each keyring, you can
  assign any value to the label, but it is good practice to use a unique label related to
  the server name.
  - Common Name: Enter the server's common name. This is the primary, universal identity
  for the certificate; it should uniquely identify the principal that it represents. In a
  WebSphere environment, certificates frequently represent server principals, and the
  common convention is to use CNs of the form <host_name>/<server_name>.
  - Organization: Enter the name of your organization.
  - Other X.500 fields: Enter the organization unit (a department or division), location
  (city), state/province (if applicable), and zipcode (if applicable), and select the
  two-letter identifier of the country in which the server is located. For a self-signed
  certificate, these fields are optional. Commercial CAs may require them.
  - Validity period: Specify the lifetime of the certificate in days, or accept the default.
- Click the OK button to continue. The ServerKeyring.jks file now contains a
self-signed personal certificate. You must copy the keyring file to the designated
directory on the server's host.
If you have only one personal
certificate, it is set as the default certificate for the database. If you have more than
one, you must select one as the default certificate. You can change the default
certificate as follows:
- Highlight the certificate.
- Click the View/Edit... button.
- Check the box on the resulting screen to make the chosen certificate the default.
- Click the OK button.
The client keyring file needs to reference the public certificate created for the
self-signed personal certificate. To enable the client keyring file to use the public
certificate, export the public certificate from the server keyring file as follows:
- Click Extract Certificate.
- Under Data type, select Base64-encoded ASCII data.
- Enter the certificate file name and location. In this case, the name is cert.arm and the
location is product_installation_root/etc.
- Click OK to export the public certificate.
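The same sequence (create the server keyring, create the self-signed personal certificate, extract it as Base64-encoded ASCII, and load the extracted certificate into a client keyring as a trusted signer) can be scripted. The following shell script is an added example and is not code from this InfoCenter page or from IBM's tooling; it uses the JDK keytool utility, which reads and writes the same JKS files that iKeyman does. The file names, key label, distinguished name and password are placeholders chosen for the example; keytool rejects store passwords shorter than six characters, so the five-character example password WebAS is not reused here.

```shell
#!/bin/sh
# Added example, not from the InfoCenter page: the server-keyring procedure
# scripted with the JDK "keytool" utility. All names below are placeholders.
set -eu

if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found on PATH; install a JDK to run this example" >&2
    exit 0
fi

WORKDIR="${WORKDIR:-$(mktemp -d)}"        # stands in for product_installation_root/etc
SERVER_KEYRING="$WORKDIR/ServerKeyring.jks"
CLIENT_KEYRING="$WORKDIR/ClientKeyring.jks"
CERT_FILE="$WORKDIR/cert.arm"
KEY_LABEL="myhost-server1"                 # iKeyman "Key Label" is the keytool alias
CN="myhost.example.com/server1"            # the <host_name>/<server_name> convention
STOREPASS="${STOREPASS:-changeit}"         # placeholder; keytool needs 6+ characters

# Create the server keyring file and, in the same call, a self-signed personal
# certificate: the private key and its certificate are stored under KEY_LABEL.
create_server_keyring() {
    rm -f "$SERVER_KEYRING"
    keytool -genkeypair -storetype JKS \
        -keystore "$SERVER_KEYRING" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -alias "$KEY_LABEL" -keyalg RSA -keysize 2048 \
        -dname "CN=$CN, OU=Web Services, O=Example Org, C=US" \
        -validity 365
}

# Extract the public certificate as Base64-encoded ASCII (iKeyman's
# "Base64-encoded ASCII data" choice; keytool calls this -rfc).
extract_certificate() {
    keytool -exportcert -rfc -keystore "$SERVER_KEYRING" -storepass "$STOREPASS" \
        -alias "$KEY_LABEL" -file "$CERT_FILE"
}

# Build the client keyring: it receives only the certificate, as a trusted
# signer. The server's private key is never copied into it.
create_client_keyring() {
    rm -f "$CLIENT_KEYRING"
    keytool -importcert -noprompt -storetype JKS \
        -keystore "$CLIENT_KEYRING" -storepass "$STOREPASS" \
        -alias "$KEY_LABEL" -file "$CERT_FILE"
}

# Report the entry type stored under KEY_LABEL in a keyring:
# "PrivateKeyEntry" for the server keyring, "trustedCertEntry" for the client.
entry_type() {   # $1 = keyring file
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$KEY_LABEL" 2>/dev/null \
        | grep -oE 'PrivateKeyEntry|trustedCertEntry'
}

# The exported file must be PEM text, which is what the client import expects.
cert_is_base64_pem() {
    head -n 1 "$CERT_FILE" | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# Defender's check: no private key material leaked into the client keyring.
client_has_no_private_key() {
    ! keytool -list -keystore "$CLIENT_KEYRING" -storepass "$STOREPASS" 2>/dev/null \
        | grep -q PrivateKeyEntry
}

create_server_keyring
extract_certificate
create_client_keyring
echo "server keyring entry: $(entry_type "$SERVER_KEYRING")"
echo "client keyring entry: $(entry_type "$CLIENT_KEYRING")"
```

Run it with a JDK on the PATH; it writes the three files into a temporary directory (set WORKDIR to use the real product_installation_root/etc). The two final lines show the property the article relies on: the server keyring holds a PrivateKeyEntry, while the client keyring holds the same label only as a trustedCertEntry.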