5.5.6.2.1.1 Creating a server key store

The first step in creating a self-signed test certificate is to create a server key store file. This file holds the server's private key together with the matching public key; the public key is what goes into the self-signed certificate (or into a certificate request sent to a CA). You can optionally create a trust store file, which holds additional trusted signer certificates. To create a server key store, complete the following steps:

  1. Start the IBM Key Management tool. See article 5.5.6.2, The IBM Key Management tool, for instructions.
  2. Create a server key store file.
  3. Create a new self-signed personal certificate.
  4. Export the public certificate from the server key store file. The client trust store file needs it as a trusted signer.

The rest of this article describes how to complete these steps.

Create a server key store file

To create a server key store file, do the following:

  1. Open a new key database file by selecting Key Database File --> New from the menu bar. The New dialog box is displayed.
  2. Set Key Database Type to JKS.
  3. Enter the name and location of the server key store file. In this example, the file name is ServerKeyStoreFile.jks and the location is product_installation_root/etc
  4. Click the OK button to continue. The Password Prompt dialog box is displayed.
  5. Enter a password to restrict access to the key database. In this example, the password is WebAS.
    The server key store password is stored in the administrative console. The client key store password is stored in the sas.client.props file using the property com.ibm.CORBA.SSLClientKeyRingPassword. Set these password properties to the password you chose here so that the key store file can be opened at run time. See article 5.5.6.2.5, Making client and server key store and trust store files accessible, for details.
    Note   Do not set an expiration date on the password, and do not stash the password to a file. If you set an expiration date, you must reset the password when it expires; if you stash the password, you must protect the stash file. This password is used only to unlock the contents of the key store at run time.
  6. Click the OK button to continue. The tool now displays all of the available default signer certificates. These are the certificates (public keys) of well-known CAs. You can add, view or delete signer certificates from this screen.

Create a new self-signed personal certificate

Creating a self-signed personal certificate generates a key pair and stores both the private key and the certificate (which carries the public key) in the server key store file. A client trust store file holds only the self-signed certificate, as a trusted signer; it never holds the server's private key. A client key store file is optional: it is needed only when client authentication is used, and WebSphere Application Server does not support SSL mutual authentication.

To create a self-signed certificate, do the following:

  1. Click the New Self-Signed... button on the tool bar or select Create --> New Self-Signed Certificate... from the menu. The Create New Self-Signed Certificate form is displayed.
  2. Enter the appropriate information for your self-signed certificate.
    Key Label
    Give the certificate a key label, which is used to uniquely identify the certificate within the key store. If you have only one certificate in each key store, you can assign any value to the label. However, it is good practice to use a unique label related to the server name.
    Common Name
    Enter the server's common name. This is the primary, universal identity for the certificate; it should uniquely identify the principal that it represents. In a WebSphere environment, certificates frequently represent server principals, and the common convention is to use CNs of the form host_name/server_name.
    Organization
    Enter the name of your organization.
    Other X.500 fields
    Enter the organizational unit (a department or division), locality (city), state/province (if applicable), zip code (if applicable), and select the two-letter identifier of the country in which the server is located.
    For a self-signed certificate, these fields are optional. Commercial CAs may require them.
    Validity period
    Specify the lifetime of the certificate in days, or accept the default.
  3. Click the OK button to continue. The ServerKeyStoreFile.jks file now contains a self-signed personal certificate. You must copy the key store file to the designated directory on the server's host.
Note   If you have only one personal certificate, it is automatically set as the default certificate for the database. If you have more than one, you must select one as the default certificate. You can change the default certificate as follows:
  1. Highlight the certificate
  2. Click the View/Edit... button
  3. Check the box on the resulting screen to make the chosen certificate the default
  4. Click the OK button

Export the public certificate

The client trust store file must contain, as a trusted signer, the public certificate belonging to the server's self-signed personal certificate. To make it available, export the public certificate from the server key store file as follows:

  1. Click Extract Certificate.
  2. Under Data type, select Base64-encoded ASCII data.
  3. Enter the certificate file name and location. In this case, the name is cert.arm and the location is product_installation_root/etc.
  4. Click OK to export the public certificate. The extracted file contains only the certificate; the private key stays in the server key store file.
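The whole procedure, end to end, as an added example that is not IBM's code and does not use iKeyman: it uses Go's standard crypto/x509 package in place of the JKS file, so the ServerKeyStore type, the function names and the myhost/Default Server common name are illustrative assumptions, not anything the product defines. The PEM output of ExtractCertificate is the equivalent of cert.arm. The verification at the end shows why the extract step matters: a client trusts a self-signed server certificate only when that exact certificate is in its trust store, and a client holding some other server's certificate rejects it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ServerKeyStore stands in for ServerKeyStoreFile.jks (assumed type, not a
// WebSphere API): the server's private key plus the self-signed personal
// certificate that carries the matching public key.
type ServerKeyStore struct {
	Label string            // iKeyman "Key Label"
	Key   *rsa.PrivateKey   // never leaves this store
	Cert  *x509.Certificate // the part that gets extracted for clients
}

// NewSelfSigned performs the "New Self-Signed Certificate" step: generate a key
// pair and sign a certificate for its public key with its own private key.
func NewSelfSigned(label, commonName, org string, validityDays int) (*ServerKeyStore, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	// Random 128-bit serial; the value itself is not significant here.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		// Subject == Issuer (the template signs itself) is what makes it self-signed.
		Subject:               pkix.Name{CommonName: commonName, Organization: []string{org}},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(time.Duration(validityDays) * 24 * time.Hour), // "Validity period" in days
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ServerKeyStore{Label: label, Key: key, Cert: cert}, nil
}

// ExtractCertificate is the "Extract Certificate, Base64-encoded ASCII data"
// step. The result is the equivalent of cert.arm: certificate only, no private key.
func (s *ServerKeyStore) ExtractCertificate() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: s.Cert.Raw})
}

// ClientTrustStore builds the client's trusted-signer set from an extracted
// certificate file. It holds public certificates only.
func ClientTrustStore(certArm []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(certArm) {
		return nil, errors.New("no CERTIFICATE block found in the extracted file")
	}
	return pool, nil
}

// VerifyServerCert is the check a client performs during the SSL handshake: the
// certificate the server presents must chain to a signer in the trust store.
// For a self-signed certificate, that means the certificate itself must be there.
func VerifyServerCert(presented []byte, trust *x509.CertPool) error {
	block, _ := pem.Decode(presented)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("server did not present a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	// No DNSName: the page's host_name/server_name CN is not a DNS name, and
	// hostname matching is a separate check from signer trust.
	_, err = cert.Verify(x509.VerifyOptions{Roots: trust})
	return err
}

func main() {
	ks, err := NewSelfSigned("websphere-test", "myhost/Default Server", "Example Org", 365)
	if err != nil {
		panic(err)
	}
	arm := ks.ExtractCertificate()
	fmt.Printf("extracted %d bytes of Base64 certificate for %q\n", len(arm), ks.Cert.Subject.CommonName)

	trust, err := ClientTrustStore(arm)
	if err != nil {
		panic(err)
	}
	fmt.Println("client with cert.arm in its trust store:", VerifyServerCert(arm, trust))
	fmt.Println("client with an empty trust store:       ", VerifyServerCert(arm, x509.NewCertPool()))
}
```

To produce the JKS file itself outside the GUI, the JDK's keytool is the usual route (-genkeypair for the self-signed personal certificate, then -exportcert -rfc for the Base64 form that matches cert.arm); the trust relationship it sets up is the one the Go code above verifies.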
Go to previous article: iKeyman: test certificates Go to next article: iKeyman: Creating a client trust store