Use this page to configure Secure Sockets Layer (SSL) or Java Secure Sockets Extension (JSSE) settings for the server. To configure SSL, you need to define an SSL configuration repertoire. A repertoire contains the details necessary for building an SSL connection, such as the location of the key files, their type and the available ciphers. WebSphere Application Server provides a default repertoire called DefaultSSLSettings.
To view this administrative console page, click Security > SSL > alias_name.
Specifies the name of the specific SSL setting.
Data type: | String |
This field is used on the System SSL Repertoire and Java Secure Sockets Extension (JSSE) Repertoire panels.
Specifies the fully qualified path to the SSL key file that contains public keys and might contain private keys.
On z/OS, there are two types of Secure Sockets Layer (SSL): Java Secure Socket Extension (JSSE) SSL and System SSL. For JSSE SSL, the key file name specifies the fully qualified path to the SSL key file that contains public keys and private keys. For System SSL, the key file name specifies the name of the System Authorization Facility (SAF) key ring. The key file name might also be the name of the SAF key ring that contains public and private keys.
For JSSE SSL, the key file specifies the keystore file. The key file might also specify the System Authorization Facility (SAF) key ring that contains certificates and keys. You can create a JSSE SSL keystore file by using the keytool utility found in the WebSphere bin directory. The key file contains certificates and keys.
For System SSL or JSSE, you can create an SSL key ring by using the Resource Access Control Facility (RACF) command, RACDCERT. Issue this command in your MVS environment, such as TSO READY or ISPF option 6. The key ring contains the private certificate of this server and the certificates of trusted certificate authorities. The certificates for the trusted certificate authorities validate the client certificates and other server certificates that are exchanged with this server during the SSL handshake. The repertoires that you define for a server require identical key file names.
You can create an SSL key file with the key management utility, or this file can correspond to a hardware device if one is available. In either case, this option indicates the source for personal certificates and for signer certificates unless a trust file is specified. The default SSL key files, DummyClientKeyFile.jks and DummyServerKeyFile.jks, contain a self-signed personal test certificate expiring on March 17, 2005. The test certificate is only intended for use in a test environment. The default SSL key files should never be used in a production environment because the private keys are the same on all WebSphere Application Server installations: anyone with a copy of the product holds the same private key and can therefore impersonate or decrypt traffic for any server still using them. Refer to the Managing certificates article for information about creating and managing digital certificates for your WebSphere Application Server domain.
Data type: | String |
This field is used on the System SSL Repertoire and JSSE Repertoire panels.
Specifies whether to request a certificate from the client for authentication purposes when making a connection.
This attribute is only valid when it is used by the Web container HTTP transport.
When performing client authentication with the Internet InterORB Protocol (IIOP) for EJB requests, click Security > Global security. Under Authentication, click Authentication protocol > CSIv2 inbound authentication or Authentication protocol > CSIv2 outbound authentication. Select the appropriate option under Client certificate authentication.
Default: | Disabled |
Range: | Enabled or Disabled |
This field is used on the System SSL Repertoire and JSSE Repertoire panels.
Specifies whether the server selects from a pre-configured set of security levels.
Valid values are Low, Medium, and High. To specify all ciphers or any particular range, set the com.ibm.ssl.enabledCipherSuites property instead. See the SSL documentation for more information.
Default: | High |
Range: | Low, Medium, or High |
This field is used on the System SSL Repertoire and JSSE Repertoire panels.
Specifies the length of time that a browser can reuse a System SSL Version 3 session ID without renegotiating encryption keys with the server.
The repertoires that you define for a server require the same V3 timeout value.
Data type: | Integer |
Default: | 100 |
Range: | 1 to 86400 |
This field is used on the System SSL Repertoire panel.
Specifies a list of supported cipher suites that can be selected during the SSL handshake. If you select cipher suites individually here, you override the cipher suites set in the Security Level field.
Data type: | String |
Default: | None |
This field is used on the System SSL Repertoire and JSSE Repertoire panels.
Refers to a package that implements a subset of the cryptography aspects of the Java security application programming interface (API).
If you select Predefined JSSE provider, select a provider from the menu. Depending on the platform, WebSphere Application Server provides the IBMJSSE predefined provider, or the IBMJSSE, IBMJSSE2, and IBMJSSEFIPS predefined providers. When you select the Use Federal Information Processing Standard (FIPS) option on the Global security panel, IBMJSSE2 uses the IBMJCEFIPS provider, which is Federal Information Processing Standard (FIPS) certified. If you select Custom JSSE provider, enter a custom provider. For a custom provider, you first must enter the cipher suites through Custom properties under Additional Properties. Cipher suites and protocol values depend upon the provider.
The name for the Cipher suite property is com.ibm.ssl.enabledCiphersuites. The name for the protocol property is com.ibm.ssl.protocol.
This field is used on the JSSE Repertoire panel.
Specifies which SSL protocol to use.
If you are using a FIPS-approved custom JSSE provider, you must select a TLS protocol. However, because the FIPS-approved JSSE providers are not backwards-compatible, a server that uses the TLS protocol cannot communicate with a client that uses an SSL protocol.
Default: | SSL |
Range: | SSL_TLS, SSL, SSLv2, SSLv3, TLS, TLSv1 |
This field is used on the JSSE Repertoire panel.
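Because cipher suite and protocol values depend upon the provider, the values placed in com.ibm.ssl.protocol and com.ibm.ssl.enabledCiphersuites should be checked against what the provider actually supports before the repertoire goes live. The following standard-JSSE program is an added example, not part of this page or of the WebSphere product: it builds an SSLContext for a protocol name, lists the protocols the provider supports and enables by default, and reports which of a constructed list of cipher suite names the provider would accept.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLContext;

/** Probes what the JSSE provider supports before those values are placed in a repertoire. */
public class RepertoireCheck {

    // Constructed sample values standing in for the com.ibm.ssl.protocol and
    // com.ibm.ssl.enabledCiphersuites custom properties of a repertoire.
    static final String PROTOCOL = "TLS";
    static final List<String> CONFIGURED_SUITES = Arrays.asList(
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "SSL_RSA_WITH_RC4_128_MD5");   // legacy suite, expected to be unsupported today

    /** Builds an initialised SSLContext for the protocol name the repertoire uses. */
    static SSLContext contextFor(String protocol)
            throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null);   // default key and trust managers suffice for a capability probe
        return ctx;
    }

    /** Splits configured suite names into those the provider supports and those it does not. */
    static Map<String, List<String>> partition(SSLContext ctx, List<String> configured) {
        Set<String> supported = new HashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Map<String, List<String>> result = new LinkedHashMap<>();
        result.put("supported", new ArrayList<>());
        result.put("unsupported", new ArrayList<>());
        for (String suite : configured) {
            result.get(supported.contains(suite) ? "supported" : "unsupported").add(suite);
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFor(PROTOCOL);
        System.out.println("Provider: " + ctx.getProvider().getName());
        System.out.println("Protocols supported:          "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Protocols enabled by default: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        Map<String, List<String>> check = partition(ctx, CONFIGURED_SUITES);
        System.out.println("Configured suites accepted: " + check.get("supported"));
        System.out.println("Configured suites rejected: " + check.get("unsupported"));
    }
}
```

A suite name that lands in the rejected list would not be negotiated by that provider, and a protocol absent from the supported list (SSLv3 on current providers, for example) cannot be used no matter what the repertoire says.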
Specifies the password for accessing the SSL key file.
Data type: | String |
This field is used on the JSSE Repertoire panel.
Specifies the format of the SSL key file.
You can choose from the following key file formats: JKS, JCEK, PKCS12, JCERACFKS (z/OS only), and JCE4758RACFKS (z/OS only). The JKS format does not store a shared key. For more secure key files, use the JCEK format. PKCS12 is the standard file format.
Data type: | String |
Default: | JKS |
Range: | JKS, JCEK, PKCS12, JCERACFKS (z/OS only), and JCE4758RACFKS (z/OS only) |
This field is used on the JSSE Repertoire panel.
Specifies the fully qualified path to a trust file containing the public keys.
You can create a trust file by using the keytool utility or the key management utility, both located in the WebSphere bin directory. The key management utility from the Global Security Kit (GSKit), another SSL implementation, does not work with the Java Secure Socket Extension (JSSE) implementation.
The test certificates are only intended for use in a test environment.
If a trust file is not specified but the SSL key file is specified, then the SSL key file is used for retrieval of signer certificates as well as personal certificates.
Data type: | String |
This field is used on the JSSE Repertoire panel.
Specifies the password for accessing the SSL trust file.
Data type: | String |
This field is used on the JSSE Repertoire panel.
Specifies the format of the SSL trust file.
You can choose from the following trust file formats: JKS, JCEK, PKCS12, JCERACFKS (z/OS only), and JCE4758RACFKS (z/OS only). The JKS format does not store a shared key. For more secure key files, use the JCEK format. PKCS12 is the standard file format.
Data type: | String |
Default: | JKS |
Range: | JKS, JCEK, PKCS12, JCERACFKS (z/OS only), and JCE4758RACFKS (z/OS only) |
This field is used on the JSSE Repertoire panel.
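The key file format and trust file format fields both state that JKS does not store a shared key while JCEK does. The program below is an added example, not code from this page or from WebSphere, that demonstrates the difference with the standard Java KeyStore API: it creates an empty in-memory store of each type and tries to add a shared AES key. It assumes the JCA type name "JCEKS" for the format the panel lists as JCEK, and a constructed store password; whether PKCS12 accepts the key depends on the JCA implementation in use.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Shows which keystore formats accept a shared (secret) key entry. */
public class KeyFileFormatCheck {

    // Constructed store password; a real repertoire takes it from the key file password field.
    static final char[] STORE_PASSWORD = "changeit".toCharArray();

    /**
     * Creates an empty in-memory keystore of the given JCA type and tries to add a
     * shared AES key. Returns true if the format stored the key, false if it refused.
     */
    static boolean acceptsSharedKey(String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);                       // new, empty store, nothing read from disk
        SecretKey shared = KeyGenerator.getInstance("AES").generateKey();
        try {
            // No certificate chain: secret keys have none. JKS rejects non-private keys here.
            ks.setKeyEntry("shared-secret", shared, STORE_PASSWORD, null);
        } catch (KeyStoreException refused) {
            return false;
        }
        return ks.isKeyEntry("shared-secret");
    }

    public static void main(String[] args) throws Exception {
        // "JCEKS" is the JCA type name for the format the panel calls JCEK.
        for (String type : new String[] {"JKS", "JCEKS", "PKCS12"}) {
            System.out.printf("%-6s stores a shared key: %s%n", type, acceptsSharedKey(type));
        }
    }
}
```

On a standard JCA provider the JKS attempt is refused and the JCEKS attempt succeeds, which is why a key file that must hold symmetric keys needs the JCEK format rather than JKS.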