
5.5.7.4: Example: Generating key and trust store files for SSL

This procedure describes how to create key and trust store files that permit SSL communications between WebSphere Application Server and an LDAP server. This requires the creation of key and trust files, one set for the server and one set for the client. The server's key store file contains the public and private keys for the server. The server's trust store file contains the certificate authority's certificate. The client's key store file contains the public and private key of the client (if client authentication is desired). The client's trust store file stores the server's public key and the CA's root certificate.

  1. Download the external public certificate for the root certificate authority (root CA) and save it to a file. In this example, the file is called caroot.arm.
  2. Generate the server-side key store and trust store files.
    1. Request a certificate for the server, if it doesn't already have one.
      1. Generate a certificate request from within the key store file and save it to a file. In this example, the file is called certreq.arm.
      2. Submit the request to the certificate authority.
      3. Save the newly obtained certificate to a file. In this example, the file is called newcert.arm.
    2. Place the certificate into a key store file. This can be done using either the keytool command-line tool or the graphical IBM Key Management (Ikeyman) tool. For example, if you are using the Ikeyman tool, you must:
      1. Create a new key store file. In this example, the file is called ServerKeyStore.jks.
      2. Specify the certificate in the newcert.arm file as the certificate to be received into the keyring file. This is done on the Personal Certificates panel in the Ikeyman tool.
      3. The client also needs access to the server's certificate, so extract the certificate and save it to a file. In this example, the file is called websphere.arm.
      4. Add the certificate of the signing CA (saved in the file caroot.arm) to the key store file. This is done on the Signer Certificates panel in the Ikeyman tool.
  3. Generate the client-side key and trust store files. This can be done using either the keytool command-line tool or the graphical IBM Key Management (Ikeyman) tool. For example, if you are using the Ikeyman tool, you must:
    1. Create a new trust store file. In this example, the file is called ClientTrustStoreI.
    2. Add the certificate of the signing CA, saved in the file caroot.arm, to the trust store file. This is done on the Signer Certificates panel in the Ikeyman tool.
    3. Add the certificate of the server, saved in the file websphere.arm, to the key store file. This is also done on the Signer Certificates panel in the Ikeyman tool.
    4. Optionally, if client authentication is desired, create a new client key store file called ClientKeyStoreFile.jks. You can then request a certificate from a CA, submit the certificate request to the CA, and add the certificate to the client key store file.
  4. Install the new keyring files into the WebSphere Application Server environment. Place all key and trust store files (ServerKeyStoreFile.jks, ServerTrustStoreFile.jks, ClientKeyStoreFile.jks and ClientTrustStoreFile.jks) on the server in the product_installation_root/etc directory.
  5. Configure the server properties as follows:
    1. Start the administrative console.
    2. Open the Security Center.
    3. Select Default SSL Configuration.
    4. Modify the following SSL properties:
      • Key File Name: product_installation_root/etc/ServerKeyStoreFile.jks
      • Key file password: WebAS
      • Confirm password: WebAS
      • Key file format: JKS
      • Trust file name: product_installation_root/etc/ServerTrustStoreFile.jks
      • Trust file password: WebAS
      • Confirm password: WebAS
      • Security level: high (128 bit encryption)

      If you use the same file for key and trust stores, you can specify the same file name for both properties.

      If you only specify a key file name, the trust file name is automatically set to the same name as the key file name.

  6. The client side requires only the ClientKeyStoreFile.jks and ClientTrustStoreFile.jks files. Modify the following lines in the sas.client.props file:
    com.ibm.ssl.trustStore=ClientTrustStoreFile.jks
    com.ibm.ssl.trustStorePassword=WebAS
    com.ibm.ssl.trustStoreType=JKS
    com.ibm.ssl.keyStore=ClientKeyStoreFile.jks
    com.ibm.ssl.keyStorePassword=WebAS
    com.ibm.ssl.keyStoreType=JKS
    com.ibm.ssl.protocol=SSLv3
    com.ibm.CORBA.standardPerformQOPModels=high (128 bit encryption)
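The same key and trust store procedure (steps 1 through 3 above) done with the keytool command line instead of Ikeyman, as an added example that is not part of the IBM page. It assumes a JDK keytool on PATH; because no real certificate authority is available offline, the script builds a stand-in root CA (caroot) and uses it to sign the server's request, and the host name, distinguished names and the WebAS password are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not IBM's code: keytool equivalent of the Ikeyman steps above.
# Assumed: keytool on PATH; stand-in CA, DNs and password WebAS are illustrative.
set -eu
PASS=WebAS
WORK=${WORK:-$(mktemp -d)}

# Every store on the page is JKS; keep the type and password in one helper.
kt() { keytool "$@" -storetype JKS -storepass "$PASS" 2>/dev/null; }

# Stand-in for step 1: a self-signed root CA whose public cert becomes caroot.arm.
make_ca() {
  kt -genkeypair -keystore "$WORK/ca.jks" -alias caroot -keyalg RSA -keysize 2048 \
     -dname "CN=Demo Root CA, O=Example" -ext bc=ca:true -keypass "$PASS"
  kt -exportcert -rfc -keystore "$WORK/ca.jks" -alias caroot -file "$WORK/caroot.arm"
}

# Step 2: server key store (private key + CA-issued cert), server trust store
# (CA root only) and websphere.arm, the server certificate exported for the client.
make_server_stores() {
  kt -genkeypair -keystore "$WORK/ServerKeyStoreFile.jks" -alias websphere -keyalg RSA \
     -keysize 2048 -dname "CN=was.example.com, O=Example" -keypass "$PASS"
  kt -certreq -keystore "$WORK/ServerKeyStoreFile.jks" -alias websphere -file "$WORK/certreq.arm"
  # Steps 2.1.2-2.1.3: the CA signs certreq.arm and returns newcert.arm (done locally here).
  kt -gencert -keystore "$WORK/ca.jks" -alias caroot -rfc -infile "$WORK/certreq.arm" \
     -outfile "$WORK/newcert.arm"
  # The signer (CA) certificate must be present before keytool accepts the reply.
  kt -importcert -noprompt -keystore "$WORK/ServerKeyStoreFile.jks" -alias caroot -file "$WORK/caroot.arm"
  kt -importcert -noprompt -keystore "$WORK/ServerKeyStoreFile.jks" -alias websphere -file "$WORK/newcert.arm"
  kt -importcert -noprompt -keystore "$WORK/ServerTrustStoreFile.jks" -alias caroot -file "$WORK/caroot.arm"
  kt -exportcert -rfc -keystore "$WORK/ServerKeyStoreFile.jks" -alias websphere -file "$WORK/websphere.arm"
}

# Step 3: client trust store holding the CA root and the server's certificate.
make_client_trust_store() {
  kt -importcert -noprompt -keystore "$WORK/ClientTrustStoreFile.jks" -alias caroot -file "$WORK/caroot.arm"
  kt -importcert -noprompt -keystore "$WORK/ClientTrustStoreFile.jks" -alias websphere -file "$WORK/websphere.arm"
}

# Check before installing into product_installation_root/etc: report the entry type
# (PrivateKeyEntry or trustedCertEntry) that keytool -list shows for one alias.
entry_type() { kt -list -keystore "$WORK/$1" -alias "$2" | sed -n 's/.*, \([A-Za-z]*Entry\),.*/\1/p'; }

build_all() { make_ca; make_server_stores; make_client_trust_store; }
```

Run `build_all` and then `entry_type ServerKeyStoreFile.jks websphere` to confirm the server entry is a PrivateKeyEntry and the client trust store carries only trustedCertEntry items; with a real CA, replace the `-gencert` step by submitting certreq.arm and saving the issued certificate as newcert.arm.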