InfoCenter Home >
5: Securing applications -- special topics >
5.7: The Secure Association Service (SAS) >
5.7.3: ORB SSL Configuration

5.7.3: ORB SSL Configuration

The SSL implementation used by the application server is the IBM JSSE (Java Secure Sockets Extension). Configuring JSSE is very similar to configuring most other SSL implementations (e.g. GSKit); however, a couple of differences are worth noting.

JSSE allows both signer and personal certificates to be stored in a SSL key file, but it also allows a separate file, called a trust file, to be specified. A trust file can contain only signer certificates. Therefore, you could put all of your personal certificates in an SSL key file and your signer certificates in a trust file. This can be desirable, for example, if an inexpensive hardware device that is used as the key file has only enough memory to hold a single personal certificate. All of the signer certificates are then held in a trust file on disk.

JSSE does not recognize the proprietary SSL key file format that is used by the plug-in (i.e. .kdb files); instead, it recognizes standard file formats such as JKS (Java Key Store). As such, SSL key files cannot be shared between the plug-in and application server, and a different implementation of the key management utility (IKeyMan) must be used in order to manage application server key and trust files. IKeyMan can be started on Windows from the WebSphere Start menu.

Configuring SSL through an SSL Settings panel

The administrative model in WebSphere Application Server allows the SSL settings for each of the WebSphere components to be both centrally or individually managed. SSL settings are centrally managed through the default SSL Settings panel. Furthermore, any of the default settings can be overridden for an individual component by using the HTTPS, ORB, or LDAPS SSL settings panels.

The location of each of these SSL settings panels is as follows:

  • Default SSL settings Expand "Security", then select "Default SSL Settings"
  • HTTPS SSL settings Expand "Nodes --> the name of the host --> Application Servers --> Default Server --> Web Container --> HTTP Transports --> *.9443". Then select "SSL".
  • ORB SSL Settings Expand "Nodes --> the name of the host --> Application Servers --> Default Server --> ORB Settings". Then select "Secure Socket Layer Settings".
  • LDAPS SSL Settings

As mentioned, the Default SSL Settings can be used to configure the various different components using SSL. ORB SSL Settings can be specified, in addition, to override the Default SSL Settings specifically for the ORB. Regardless of which settings are in effect, the ORB uses these settings in the following way. Additionally, the ORB requires some configuration in the SAS properties files on the client and server. These are described in the following topics.

Key file name

The path of the SSL key file used by server connections. Any server connection (that is, listener ports) uses this key file, which should contain the server's private key. A default key file, DummyKeyring.jks is configured by default and is located in the $(WAS_ROOT)/etc directory. This file is included to simplify test and development. After a system is ready for production usage, a new keyring file should be generated by using the ikeyman.bat located in the $(WAS_ROOT)/bin directory. A self-signed cerficate can be generated, or a CA can be used to create a personal certificate trusted by most clients. The DummyKeyring contains most of the standard CA signer certficates.

On the server, the key file name is configured in the Administrative Console and stored in the server-cfg.xml file. On a pure client, the key file name is configured in the sas.client.props file under the property com.ibm.CORBA.SSLServerKeyRing.

Key file password

The password for the SSL key file for server connections.

On the server, the key file password is configured in the Administrative Console and stored in the server-cfg.xml file. On a pure client, the key file password is configured in the sas.client.props file under the property com.ibm.CORBA.SSLServerKeyRingPassword.

Key file format

The only key file format currently supported by the Single-Server Orb is "JKS". The first refresh will introduce a property (mentioned in 2.4.1 above) to specify other key file formats.

Trust file name

The path of the SSL trust file used by clients. This trust file should contain signer certificates used to determine if it should trust the signer of the server's certificate. The Single-Server Orb does not support SSL client authentication. Instead, it performs client authentication using Basic Auth credentials (i.e., prompting for a userid and password). Support for mutual SSL authentication using digital certificates is planned for a future release.

On the server, the trust file name is configured in the Administrative Console and stored in the server-cfg.xml file. On a pure client, the trust file name is configured in the sas.client.props file under the property com.ibm.CORBA.SSLKeyRing.

Trust file password

The password for the SSL trust file for client connections.

On the server, the trust file password is configured in the Administrative Console and stored in the server-cfg.xml file. On a pure client, the trust file password is configured in the sas.client.props file under the property com.ibm.CORBA.SSLKeyRingPassword.

Client Authentication

The Single-Server Orb does not currently support SSL client authentication using digital certificates. It does however support basic auth client authentication where the user is prompted for a userid and password. Any protected method accessed will require Basic Auth credentials from the user before attempting to be invoked at the server. These credentials are sent over to the server where they are authenticated using the Local OS user registry.

Quality of Protection (Security Level)

In previous releases, the Orb had a different mechanism for specifying the "quality of protection" for SSL connections. There are two properties which must be configured for SSL to determine the strength of the connection. These two properties must be specified in the sas.server.props file for the server and in the sas.client.props file for the client.

For clients (including servers acting as clients), the property to specify the security level or quality of protection is:

com.ibm.CORBA.standardPerformQOPModels=authenticity -or- integrity -or- confidentiality
The default is confidentiality.

One of these three values can be chosen. In the first Single-Server refresh, these will be converted to low, medium, and high to be consistent with the JSSE implementation of other WebSphere components. Authenticity will be equivalent to Low, Integrity to Medium, and Confidentiality to High. The cipher suites mentioned above, associated with Low, Medium, and High will map to Authenticity, Integrity, and Confidentiality, respectively.

For servers, the property to specify the security level or quality of protection is:

com.ibm.CORBA.standardClaimQOPModels=authenticity -or- integrity -or- confidentiality
The default is confidentiality.

In the current implementation, regardless of the values specified on standardPerformQOPModels, clients will always make a connection at least as strong as the value specified on the server for standardClaimQOPModels. If the client standardPerformQOPModels is stronger than the server standardClaimQOPModels, that higher value will be honored.

If the security level is confidentiality (high) and either a server or client SSL configuration, the enabled cipher suites are:

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_ RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
If the security level is integrity (medium) and either a server or client SSL configuration, the enabled cipher suites are:
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
If the security level is authenticity (low) and a server SSL configuration, the enabled cipher suites are:
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
If the security level is authenticity (low) and a client SSL configuration, the enabled cipher suites are:
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA

Enable Crypto Token Support

Crypto tokens are not supported by the Single-Server Orb in the initial release. The first refresh will introduce support for crypto tokens.

Dynamic Properties

Dynamic properties simply allow the configuration of some less frequently used JSSE properties. The name, possible values, default value, and a brief description of each property follows.

  1. com.ibm.ssl.protocol
  2. In the initial release, the only supported value for this property is "SSL". The first release will allow all of these settings to be configurable.

  3. com.ibm.ssl.keyStoreProvider
  4. In the initial release, the only supported value for this property is "IBMJCE".

  5. com.ibm.ssl.keyManager
  6. In the initial release, the only supported value for this property is "IbmX509".

  7. com.ibm.ssl.trustStoreProvider
  8. In the initial release, the only supported value for this property is "IBMJCE".

  9. com.ibm.ssl.trustManager
  10. In the initial release, the only supported value for this property is "IbmX509".

  11. com.ibm.ssl.trustStoreType
  12. In the initial release, the only supported value for this property is "JKS".

  13. com.ibm.ssl.enabledCipherSuites
  14. In the initial release, this property is not supported. This will be configurable after the first refresh of the WebSphere Single-Server Edition.

Other Orb SSL Properties

There are a few other Orb SSL properties which determine whether SSL connections are supported incoming or outgoing on a particular server or client. These properties are com.ibm.CORBA.SSLTypeIClientAssocationEnabled and com.ibm.CORBA.SSLTypeIServerAssociationEnabled. Both of these are set to true by default indicating that both incoming and outgoing SSL connections are supported. These properties are specified in both the sas.client.props file (for pure clients) and the sas.server.props file (for servers).

com.ibm.CORBA.SSLTypeIClientAssociationEnabled=true
com.ibm.CORBA.SSLTypeIServerAssociationEnabled=true

At times, you may wish for an application server to only accept TCP connections incoming. However, any outgoing connections (client connections) may need to be SSL connections to other servers that require it. To accomplish this, set these two properties in the sas.server.props the following way:

com.ibm.CORBA.SSLTypeIClientAssociationEnabled=false
com.ibm.CORBA.SSLTypeIServerAssociationEnabled=true
Go to previous article: SAS on the server side Go to next article: SAS Trace

 

 
Go to previous article: SAS on the server side Go to next article: SAS Trace