5.5.6.2.5: Making client and server keystore and trust store files accessible
After you have created key store and trust store files and inserted
the necessary certificates, you need to make the key store and trust
store files accessible to the client and server programs.
To use the server and client key store and trust store files you created in your WebSphere environment, you must first copy them to the client and server machines:
- Copy the client trust store file (ClientTrustStoreFile.jks) to the following location on the client machine:
  product_installation_root/etc/ClientTrustStore.jks
- Optionally, copy the client key store file (ClientKeyStoreFile.jks) to the following location on the client machine:
  product_installation_root/etc/ClientKeyStore.jks
- Copy the server key store file (ServerKeyStoreFile.jks) to the following location on the server machine:
  product_installation_root/etc/ServerKeyStoreFile.jks
- Copy the server trust store file (ServerTrustStoreFile.jks) to the following location on the server machine:
  product_installation_root/etc/ServerTrustStoreFile.jks
Managing the server SSL key store and trust store files
The administrative model in WebSphere Application Server allows the
SSL settings for each WebSphere component to be centrally and
individually managed. SSL settings are centrally managed in the
administrative console through the default SSL Settings panel. In
addition, any of the default settings can be overridden for an
individual component by using the HTTPS, ORB, and LDAPS SSL settings
panels. See article 6.6.18, Securing
applications, for more detailed information about using the
administrative console to configure WebSphere security.
Always use the
administrative console to manage the server key store and trust store
files. Changes made in the console overwrite any manual changes to
the sas.server.props file. Client key store and trust store files are
managed in the sas.client.props file because clients can be located on
a remote machine.
The Default SSL Settings panel can be used to configure WebSphere
Application Server components using SSL. Parameters that are set
through the ORB SSL Settings panel override the default SSL settings
for the ORB. Regardless of which settings are in effect, the ORB uses
these settings as follows. (Additionally, the ORB requires the SAS
properties files on the client and server to be configured as
described below.)
- Key file name: The path of the SSL key file used by server connections. For the server key store file generated in this document, add the following to this field:
  product_installation_root/etc/ServerKeyStoreFile.jks
- Key file password: The password for the SSL key file for server connections. On the server, the key file password is configured in the administrative console.
- Key file format: The key file formats supported by the ORB are JKS, PKCS12, and JCEK. JKS is the default key file format. The client and server key file format is set through the com.ibm.ssl.keyStoreType property.
- Trust file name: The path of the SSL trust file used by clients. On the server, the trust file name is configured in the administrative console. For the client keyring file generated in this document, add the following to this field:
  product_installation_root/etc/ClientTrustStoreFile.jks
- Trust file password: The password for the SSL trust file. On the server, the trust file password is configured in the administrative console.
- Client Authentication: The WebSphere AEs ORB does not currently support SSL client authentication using digital certificates.
Managing the client SSL key store and trust store files
You need to modify the sas.client.props file, which is located in the product_installation_root/properties directory. If you used WebAS as the password when you generated the client and server keyrings, you need to make the following changes to the sas.client.props file:
You can now start your WebSphere application using the newly
created key store and trust store files.