The following steps describe how to generate a new Java Secure
Socket Extension (JSSE) repertoire alias. After you define a JSSE repertoire here, you can
select its settings by alias from any location within
the administrative console that requires SSL configuration.
- Click Security > SSL to open the SSL Configuration Repertoires
panel.
- To create a new JSSE repertoire, click New JSSE repertoire near
the top of the panel. The JSSE Repertoire panel appears.
- Enter the alias name in the Alias field.
- Optional: Select the Client authentication option for your authentication
protocol. This option enables client authentication to occur if this repertoire
is selected for HTTPS. However, the value is ignored if you use Common Secure
Interoperability Version 2 (CSIv2) or z/OS Secure Authentication Services (z/SAS).
To enable client authentication for CSIv2, click Security > Global security.
Under Authentication, click Authentication protocol > CSIv2 inbound authentication.
Select the appropriate option for Client certificate authentication.
To enable client authentication for z/SAS, click Security > Global security.
Under Authentication, click Authentication protocol > z/SAS authentication.
Select the Client certificate option.
If your administrative console instead shows Security > Secure administration,
applications, and infrastructure, use that path: under Authentication, expand
RMI/IIOP, then click CSIv2 inbound authentication (for CSIv2) or z/SAS
authentication (for z/SAS), and make the same selections described above.
- Select High, Medium, or Low from the Security level menu to specify the
high, medium, or low set of cipher suites. If you add specific cipher suites on
this panel, those cipher suites take precedence over the high, medium, or low
specification. If a cipher list is specified, WebSphere Application Server uses
the list. If the cipher list is empty, WebSphere Application Server uses the
high, medium, or low specification. The high, medium, and low specifications
are defined as follows:
  - High: 128-bit cipher suites with digital signature
  - Medium: 40-bit cipher suites with digital signature
  - Low: No encryption is used, but digital signature is used
- Select the cipher suites that you want to add from the Cipher suites menu.
By default, no cipher suites are selected. The set of cipher suites available
is determined by the value of the Security level (High, Medium, or Low). A
cipher suite is the combination of cryptographic algorithms (key exchange,
authentication, encryption, and integrity) used for an SSL connection.
- Select the Cryptographic token option if hardware or software
cryptographic support is available.
- Indicate which JSSE provider you are using by selecting either Predefined
JSSE provider or Custom JSSE provider in the Provider field. WebSphere
Application Server comes with the IBMJSSE provider predefined. If you are not
using the IBMJSSE provider, configure a custom provider by selecting Custom JSSE
provider. Under Additional properties, click Custom Properties > New. After
specifying the custom provider, return to the JSSE repertoire panel.
- Select a Secure Sockets Layer (SSL) or Transport Layer Security
(TLS) protocol version.
Note: The protocol chosen for the server
must match the protocol chosen for the client. Also, for two servers to interoperate,
they must use the same protocol.
- Specify the name of the key file in the Key file name field.
Specify the fully qualified path to the Secure Sockets Layer (SSL) key
file that contains public keys and private keys. Type safkeyring:/// if
you are using a RACF key ring for the key file.
- Specify the password needed to access the key file in the Key
file password field. Type password if you are using
a RACF key ring for the key store.
- Select the format of the key file from the Key file format menu.
- Click OK when you have made all your selections.
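To make the repertoire fields above concrete, the following added example (not WebSphere code, and not taken from this page) shows how the same settings map onto plain JSSE API calls: the key file name, password and format load a KeyStore; the protocol selects the SSLContext and the enabled protocol; the cipher list, when non-empty, takes precedence over the security level, otherwise the supported suites are filtered by level; and Client authentication becomes setNeedClientAuth. The class name, the Repertoire holder, the key file path and the password are assumptions constructed for the example, and the level filter is an approximation by suite name of the page's High/Medium/Low definitions, not IBM's implementation. A safkeyring:/// value cannot be opened with FileInputStream; it requires IBM's own provider, which this example does not cover.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/** Illustrative mapping of JSSE repertoire panel fields onto JSSE calls (added example). */
public final class RepertoireExample {

    /** The values a repertoire panel collects; all values here are constructed for the example. */
    static final class Repertoire {
        String alias = "ExampleServerSSL";                    // Alias
        boolean clientAuthentication = false;                 // Client authentication
        String securityLevel = "HIGH";                        // Security level: HIGH, MEDIUM or LOW
        List<String> cipherSuites = new ArrayList<>();        // Cipher suites; empty means "use the level"
        String protocol = "TLSv1.2";                          // Protocol version
        String keyFileName = "/path/to/server-keystore.p12";  // Key file name (hypothetical path)
        char[] keyFilePassword = "changeit".toCharArray();    // Key file password (placeholder)
        String keyFileFormat = "PKCS12";                      // Key file format, e.g. JKS or PKCS12
    }

    /** An explicit cipher list wins; otherwise filter the supported suites by security level. */
    static String[] selectCipherSuites(Repertoire r, String[] supported) {
        if (!r.cipherSuites.isEmpty()) {
            return r.cipherSuites.toArray(new String[0]);
        }
        List<String> chosen = new ArrayList<>();
        for (String s : supported) {
            boolean anonymous = s.contains("anon");        // no digital signature: excluded at every level
            boolean nullCipher = s.contains("WITH_NULL");  // no encryption (the page's Low level)
            boolean export40 = s.contains("EXPORT");       // 40-bit export-grade (the page's Medium level)
            boolean strong = s.contains("128") || s.contains("256");
            if (anonymous) {
                continue;
            }
            switch (r.securityLevel) {
                case "HIGH":   if (strong && !nullCipher && !export40) chosen.add(s); break;
                case "MEDIUM": if (export40) chosen.add(s); break;
                case "LOW":    if (nullCipher) chosen.add(s); break;
                default: throw new IllegalArgumentException("unknown security level " + r.securityLevel);
            }
        }
        return chosen.toArray(new String[0]);
    }

    /** Build a server socket from the repertoire, applying protocol, suites and client authentication. */
    static SSLServerSocket open(Repertoire r, int port) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(r.keyFileFormat);            // Key file format
        try (FileInputStream in = new FileInputStream(r.keyFileName)) { // Key file name
            ks.load(in, r.keyFilePassword);                              // Key file password
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, r.keyFilePassword);
        SSLContext ctx = SSLContext.getInstance(r.protocol);
        ctx.init(kmf.getKeyManagers(), null, null);
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);
        server.setEnabledProtocols(new String[] { r.protocol });         // both sides must agree on this
        server.setEnabledCipherSuites(selectCipherSuites(r, server.getSupportedCipherSuites()));
        server.setNeedClientAuth(r.clientAuthentication);               // Client authentication option
        return server;
    }

    public static void main(String[] args) throws Exception {
        Repertoire r = new Repertoire();
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        System.out.println(r.alias + " (level " + r.securityLevel + ") -> "
                + Arrays.toString(selectCipherSuites(r, supported)));
        r.cipherSuites.add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        System.out.println(r.alias + " (explicit list) -> "
                + Arrays.toString(selectCipherSuites(r, supported)));
    }
}
```

Running main prints the suites chosen for the HIGH level on the current JDK, then shows that adding one explicit suite replaces the level-based selection entirely, which is the precedence rule the panel describes. On a current JDK the MEDIUM and LOW filters select nothing, because 40-bit export and NULL-encryption suites are no longer shipped, so a repertoire set to those levels would leave the server with no usable suite rather than silently falling back.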