5.5.6.2.1.2 Creating a client trust store
The second step in creating a self-signed test certificate is to
create a client trust store file. The trust store holds the public key
of the self-signed test certificate as a trusted signer certificate.
You can optionally create a client key store file if client
authorization is desired. Key store files store private keys and
personal certificates; trust store files contain public keys (signer
certificates).
To create a client trust store file, complete the following steps:
- Start the IBM Key Management tool if you have not already done so. See article 5.5.6.2, The IBM Key Management tool, for instructions.
- Create a client keyring file.
- Import the public key that was exported from the server keyring file.
- Set the certificate as a trusted root.
- Exit the IBM Key Management tool.
The rest of this article describes how to complete these steps.
To create a client keyring file, do the following:
- Open a new key database file by selecting Key Database File
--> New from the menu bar. The New dialog box is
displayed.
- Set Key Database Type to JKS.
- Enter the name and location of the client keyring file. In this
example, the file name is ClientTrustStoreFile.jks and the location is product_installation_root/etc.
- Click the OK button to continue. The Password Prompt dialog
box is displayed.
- Enter a password to restrict access to the key database. In this
example, the password is WebAS.
The server key store password is stored in the administrative
console. The client trust store password is stored in the
sas.client.props file using the property
com.ibm.CORBA.trustStorePassword. Set this trust store password
property to the password you entered here, so that iKeyman can open
the trust store file at runtime. See article 5.5.6.2.5, Making client
and server key store and trust store files accessible, for details.
Do not set an expiration date on the password, and do not save the
password to a file: if you set an expiration date, you must reset the
password when it expires, and if you save it to a file, you must
protect that file. This password is used only to release the
information stored by iKeyman during runtime.
- Click the OK button to continue. The tool now displays
all of the available default signer certificates. These are the public
keys of the most common CAs. You can add, view or delete signer
certificates from this screen.
Next, you need to import the public key certificate that was
exported from the server keyring. (See article 5.5.6.2.1.1, Creating a server
key store.) To import the public key, do the following:
- Choose Signer Certificates --> Add.
- Specify the data type of the exported key. In this case, the
data type is Base64-encoded ASCII data.
- Specify the name and location of the public key that was
exported from the server keyring. In this case, the key name is
cert.arm and the location is product_installation_root/etc.
- Click OK.
- Enter a unique label for the key. In this example, the label is
Server CA.
- Click OK. The certificate label appears in the list of
certificates.
The public key certificate that you just imported must be marked as a
trusted root in the client trust store. To verify this, do the following:
- Select the name of the certificate you just imported. In this
case, the certificate name is Server CA.
- Select View-->Edit. The Key information dialog
box appears.
- Make sure that the box beside Set the certificate as a
trusted root is checked.
- Click OK.
Exit the iKeyman tool by closing the IBM Key Management window.
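The same procedure can be driven from the command line with the JDK keytool utility, which reads and writes the JKS files that iKeyman uses. The script below is an added example and is not part of the InfoCenter article or of the IBM tools: it generates a throwaway server key store with a self-signed certificate (the step that article 5.5.6.2.1.1 performs in the GUI) only so that the example runs stand-alone, exports the public key as Base64 cert.arm, checks that the exported file really is "Base64-encoded ASCII data" before importing it, creates ClientTrustStoreFile.jks with the password WebAS, imports the certificate under the label Server CA as a trusted signer, and verifies that the trust store entry is a trusted certificate whose fingerprint matches the server key store. The server key store file name, the temporary working directory standing in for product_installation_root/etc, and the alias servercert are assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM InfoCenter page: the client trust store
# procedure of article 5.5.6.2.1.2 driven with the JDK "keytool" utility.
# Assumed: a temporary directory stands in for product_installation_root/etc,
# the server key store is named ServerKeyStoreFile.jks, its alias is servercert.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"          # stands in for product_installation_root/etc
SERVER_KS="$WORKDIR/ServerKeyStoreFile.jks" # assumed name for the server key store
CLIENT_TS="$WORKDIR/ClientTrustStoreFile.jks"
CERT_ARM="$WORKDIR/cert.arm"
STOREPASS="WebAS"                           # the password used throughout the article

# iKeyman asks for the data type of the exported key on import. Report whether a
# file is "Base64-encoded ASCII data" (PEM, what the article imports) or binary
# DER data; choosing the wrong type makes the import fail.
cert_data_type() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    echo "Base64-encoded ASCII data"
  elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' ')" = "30" ]; then
    echo "Binary DER data"   # a DER certificate starts with a SEQUENCE tag, 0x30
  else
    echo "unknown"
  fi
}

# Article 5.5.6.2.1.1 equivalent: a server key store holding a self-signed test
# certificate, with its public key exported in Base64 form as cert.arm.
make_server_cert() {
  keytool -genkeypair -keystore "$SERVER_KS" -storetype JKS -storepass "$STOREPASS" \
    -keypass "$STOREPASS" -alias servercert -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=test-server.example.invalid, O=Example" >/dev/null 2>&1
  keytool -exportcert -rfc -keystore "$SERVER_KS" -storepass "$STOREPASS" \
    -alias servercert -file "$CERT_ARM" >/dev/null 2>&1
}

# This article's steps: create ClientTrustStoreFile.jks (keytool creates the file
# when it does not exist) and add cert.arm as a signer certificate labelled
# "Server CA". A certificate imported without a private key becomes a
# trustedCertEntry, the keytool counterpart of "Set the certificate as a trusted root".
make_client_trust_store() {
  keytool -importcert -noprompt -trustcacerts -keystore "$CLIENT_TS" -storetype JKS \
    -storepass "$STOREPASS" -alias "Server CA" -file "$CERT_ARM" >/dev/null 2>&1
}

# Verification helpers: the entry type of the imported label, and whether the
# fingerprint keytool prints for it equals the one in the server key store.
trust_store_entry_type() {
  keytool -list -keystore "$CLIENT_TS" -storepass "$STOREPASS" -alias "Server CA" 2>/dev/null \
    | grep -o 'trustedCertEntry' | head -n 1
}

fingerprints_match() {
  srv=$(keytool -list -keystore "$SERVER_KS" -storepass "$STOREPASS" -alias servercert 2>/dev/null | grep -i 'fingerprint')
  cli=$(keytool -list -keystore "$CLIENT_TS" -storepass "$STOREPASS" -alias "Server CA" 2>/dev/null | grep -i 'fingerprint')
  [ -n "$srv" ] && [ "$srv" = "$cli" ]
}

# Whole flow; returns non-zero if any step or check fails.
run_all() {
  make_server_cert
  [ "$(cert_data_type "$CERT_ARM")" = "Base64-encoded ASCII data" ] || return 1
  make_client_trust_store
  [ "$(trust_store_entry_type)" = "trustedCertEntry" ] || return 1
  fingerprints_match
}

# Run the flow when keytool (from a JDK) is on the PATH.
if command -v keytool >/dev/null 2>&1; then
  run_all && echo "client trust store ready: $CLIENT_TS"
fi
```

After the script runs, the trust store password WebAS is still the value that must go into com.ibm.CORBA.trustStorePassword in sas.client.props, exactly as for a trust store created in the iKeyman GUI; the fingerprint comparison is the command-line form of checking that the label Server CA in the client trust store is the certificate that was exported from the server key store and not some other file.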