5.5.6.2.1.2 Creating a client keyring

The second step in creating a self-signed test certificate is to create a client keyring. The client keyring holds the public key certificate that was exported from the server keyring as a trusted signer, so that the client accepts the server's self-signed test certificate when it connects. To create a client keyring, complete the following steps:

  1. Start the IBM Key Management tool if you have not already done so. See article 5.5.6.2, The IBM Key Management tool, for instructions.
  2. Create a client keyring file.
  3. Import the public key that was exported from the server keyring file.
  4. Set the certificate as a trusted root.
  5. Exit the IBM Key Management tool.

The rest of this article describes how to complete these steps.

Create a client keyring file

To create a client keyring file, do the following:

  1. Open a new key database file by selecting Key Database File --> New from the menu bar. The New dialog box is displayed.
  2. Set Key Database Type to JKS.
  3. Enter the name and location of the client keyring file. In this example, the file name is ClientKeyring.jks and the location is product_installation_root/etc
  4. Click the OK button to continue. The Password Prompt dialog box is displayed.
  5. Enter a password to restrict access to the key database. In this example, the password is WebAS.
    The server keyring password is stored in the administrative console. The client keyring password is stored in the sas.client.props file in the property com.ibm.CORBA.SSLClientKeyRingPassword. Set these keyring-password properties to the password you chose here so that the keyring file can be opened at runtime. Because sas.client.props contains this password, restrict read access to that file. See article 5.5.6.2.5, Making client and server keyrings accessible, for details.
    Note   Do not set an expiration date on the password, and do not save the password to a file. If you do, you must reset the password each time it expires, or you must protect the password file. This password is used only to unlock the key database at runtime.
  6. Click the OK button to continue. The tool now displays all of the available default signer certificates. These are the certificates (public keys) of the most common CAs. You can add, view or delete signer certificates from this screen. Every signer left in this list is trusted by the client, so delete any that you do not need for this test.

Import the public key from the server keyring

Next, you need to import the public key certificate that was exported from the server keyring. (See article 5.5.6.2.1.1, Creating a server keyring.) To import the public key, do the following:

  1. Choose Signer Certificates -->Add.
  2. Specify the data type of the exported key. In this case, the data type is Base64-encoded ASCII data.
  3. Specify the name and location of the public key that was exported from the server keyring. In this case, the key name is cert.arm and the location is product_installation_root/etc.
  4. Click OK.
  5. Enter a unique label for the key. In this example, the label is Server CA.
  6. Click OK. The certificate label appears in the list of certificates.

Verify that the certificate is a trusted root

The signer certificate that you just imported must be marked as a trusted root; otherwise the client will not accept the server's self-signed certificate. To verify this, do the following:

  1. Select the name of the certificate you just imported. In this case, the certificate name is Server CA.
  2. Select View-->Edit. The Key information dialog box appears.
  3. Make sure that the box beside Set the certificate as a trusted root is checked.
  4. Click OK.
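The three operations above (create the JKS client keyring, add the exported Base64 certificate as a signer, and confirm that the keyring now trusts it) can also be done without the GUI through the java.security.KeyStore API, which is what a Java runtime uses to open the keyring. The following program is an added example written for this article; it is not part of the product or of iKeyman. The file names ClientKeyring.jks and cert.arm, the password WebAS and the label Server CA are the values used in this article; the class name ClientKeyring, the self-signed sanity check and the use of the JDK's default trust manager to confirm trust are assumptions of this example. It requires Java 8 or later.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (not product or iKeyman code): builds the client keyring
// described in this article with the java.security.KeyStore API.
// Usage: java ClientKeyring <ClientKeyring.jks> <password> <cert.arm>
public class ClientKeyring {

    // Label under which the server's self-signed certificate is stored
    // (the "Server CA" label used in this article).
    static final String LABEL = "Server CA";

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java ClientKeyring <keyring.jks> <password> <cert.arm>");
            System.exit(2);
        }
        Path keyring = Paths.get(args[0]);       // e.g. product_installation_root/etc/ClientKeyring.jks
        char[] password = args[1].toCharArray(); // e.g. WebAS
        Path certFile = Paths.get(args[2]);      // e.g. product_installation_root/etc/cert.arm

        KeyStore ks = openOrCreateJks(keyring, password);
        X509Certificate serverCert = readBase64Certificate(certFile);
        checkSelfSigned(serverCert);
        addSigner(ks, LABEL, serverCert);
        try (OutputStream out = Files.newOutputStream(keyring)) {
            ks.store(out, password);
        }
        verifyTrusted(ks, serverCert);
        System.out.println("Added '" + LABEL + "' (" + serverCert.getSubjectX500Principal()
                + ") to " + keyring + " and confirmed that it is trusted.");
    }

    // "Create a client keyring file": a JKS key database protected by the password.
    static KeyStore openOrCreateJks(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (Files.exists(file)) {
            try (InputStream in = Files.newInputStream(file)) {
                ks.load(in, password);          // a wrong password raises IOException here
            }
        } else {
            ks.load(null, password);            // empty key database
        }
        return ks;
    }

    // "Import the public key": the .arm export is Base64-encoded ASCII with
    // BEGIN/END CERTIFICATE lines, which CertificateFactory reads directly.
    static X509Certificate readBase64Certificate(Path file) throws Exception {
        try (InputStream in = Files.newInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Sanity check before trusting a test certificate as a root: it must really be
    // self-signed (issuer equals subject and the signature verifies with its own key)
    // and currently valid.
    static void checkSelfSigned(X509Certificate cert) throws Exception {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            throw new IllegalArgumentException("not self-signed; issuer is " + cert.getIssuerX500Principal());
        }
        cert.verify(cert.getPublicKey());        // throws if the signature is not its own
        cert.checkValidity();                    // throws if expired or not yet valid
    }

    // In a JKS database a signer certificate is a trusted-certificate entry stored
    // under the label. Refuse to overwrite an existing label silently.
    static void addSigner(KeyStore ks, String label, X509Certificate cert) throws Exception {
        if (ks.containsAlias(label)) {
            throw new IllegalStateException("label already present: " + label);
        }
        ks.setCertificateEntry(label, cert);
    }

    // "Verify that the certificate is a trusted root": build the trust manager that
    // an SSL client would build from this keyring and ask it to accept the server
    // certificate as a one-element chain. It throws CertificateException if the
    // keyring does not trust the certificate.
    static void verifyTrusted(KeyStore ks, X509Certificate serverCert) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        tm.checkServerTrusted(new X509Certificate[] { serverCert },
                serverCert.getPublicKey().getAlgorithm());
    }
}
```

Compile with javac ClientKeyring.java and run it against the files from the previous article, for example java ClientKeyring ClientKeyring.jks WebAS cert.arm. The program exits with an exception if the .arm file is not a self-signed certificate, if the label already exists, or if the resulting keyring does not trust the certificate, which is exactly the condition the GUI check in the "Verify that the certificate is a trusted root" section is meant to confirm. The JDK's own keytool performs the import step as keytool -importcert -alias "Server CA" -file cert.arm -keystore ClientKeyring.jks, but it does not perform the self-signed or trust checks shown here.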

Exit the IBM Key Management tool

Exit the iKeyman tool by closing the IBM Key Management window.

Go to previous article: iKeyman: Creating a server keyring
Go to next article: iKeyman: Certification requests
