A keystore contains both public keys and private keys. Public keys
are stored as signer certificates, while private keys are stored as personal
certificates. In WebSphere Application Server, the way a keystore file is added
to the configuration differs between the client and the server. For the client,
the keystore file is referenced from a properties file such as the
sas.client.props file. For the server, the keystore file is added through the
WebSphere Application Server administrative console.
Before you begin
Before you add the keystore file to your configuration, consider the
following questions:
- Is a self-signed or a certificate authority (CA)-signed personal certificate
created in the keystore file?
- If you configure client authentication using digital certificates, is
the public key of the signed personal certificate imported as a signer certificate
into the server truststore file?
Procedure
- Add a keystore file into a client configuration by editing the
sas.client.props file and setting the following properties:
- com.ibm.ssl.keyStoreType for the keystore format. Range: JKS (default),
PKCS12, JCEK. Additionally, JCERACFKS and JCE4758RACFKS are available on
z/OS platforms; one of these two types must be used for a SAF key ring.
- com.ibm.ssl.keyStore for the fully qualified path to the keystore
file. The keystore file contains private keys and sometimes also contains
public keys. For SAF key rings, set com.ibm.ssl.keyStore to
safkeyring:///your_keyring_name.
- com.ibm.ssl.keyStorePassword for the password that is used to access the
keystore file. For SAF key rings, set the com.ibm.ssl.keyStorePassword property
to password and set the com.ibm.ssl.keyStoreType property to JCERACFKS. Note
that in this case the value password is not an actual password used to access
the key ring; it is a dummy value that the dialog requires.
- Add a keystore file into a server configuration:
- Start the administrative console by specifying: http://server_hostname:port_number/ibm/console.
Click Security > SSL.
Optional: Click New SSL repertoire to create a new Secure Sockets Layer
(SSL) setting alias if one does not exist, or click New JSSE repertoire to
create a new Java Secure Sockets Extension (JSSE) repertoire.
- Select the alias where the keystore file should be added.
- Type the key file name for the path of the keystore file. Type
safkeyring:///your_keyring_name if you want to use certificates and keys
that are contained in a SAF key ring.
- Type the key file password for the password to access the keystore
file. Type password if you are using a SAF key ring.
- Select the key file format for the keystore type. Range: JKS
(default), PKCS12, JCEK or JCERACFKS (z/OS only).
- Click OK and Save to save the configuration.
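The client-side properties above have a few consistency rules that are easy to get wrong (a SAF key ring needs the safkeyring:/// URL, the JCERACFKS type and the dummy password together). The following script, an added example that is not part of the WebSphere documentation, parses a sas.client.props fragment with a minimal hand-written parser and reports violations of those rules; the sample fragments, paths and passwords in it are constructed.

```python
# Added example, not from the WebSphere documentation: checks the keystore
# properties of a sas.client.props fragment against the rules stated above
# (allowed keyStoreType values; a SAF key ring needs a safkeyring:/// URL,
# type JCERACFKS and the dummy password "password"). Minimal parser, no deps.

FILE_TYPES = {"JKS", "PKCS12", "JCEK"}        # file-based keystore formats
SAF_TYPES = {"JCERACFKS", "JCE4758RACFKS"}   # z/OS SAF key ring formats
SAF_PREFIX = "safkeyring:///"


def parse_props(text):
    """Parse 'key=value' lines; blank lines and '#' comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_keystore_props(props):
    """Return a list of problems; an empty list means the fragment is consistent."""
    problems = []
    ks_type = props.get("com.ibm.ssl.keyStoreType", "JKS")  # JKS is the default
    ks_path = props.get("com.ibm.ssl.keyStore", "")
    ks_pass = props.get("com.ibm.ssl.keyStorePassword", "")
    if ks_type not in FILE_TYPES | SAF_TYPES:
        problems.append(f"unknown keyStoreType {ks_type!r}")
    if not ks_path:
        problems.append("com.ibm.ssl.keyStore is not set")
    is_saf = ks_path.startswith(SAF_PREFIX)
    if is_saf and ks_type not in SAF_TYPES:
        problems.append("SAF key ring requires keyStoreType JCERACFKS or JCE4758RACFKS")
    if is_saf and ks_pass != "password":
        problems.append("SAF key ring takes the dummy value 'password' as keyStorePassword")
    if not is_saf and ks_type in SAF_TYPES:
        problems.append("SAF keyStoreType but keyStore is not a safkeyring:/// URL")
    if not is_saf and not ks_pass:
        problems.append("file keystore needs com.ibm.ssl.keyStorePassword")
    return problems


# Constructed sample fragments (paths and passwords are made up).
GOOD_FILE = """com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.keyStore=/opt/client/keys/client.p12
com.ibm.ssl.keyStorePassword=changeit"""
BAD_SAF = """com.ibm.ssl.keyStoreType=JKS
com.ibm.ssl.keyStore=safkeyring:///WASKeyring
com.ibm.ssl.keyStorePassword=secret"""
```

Running check_keystore_props(parse_props(BAD_SAF)) flags both the wrong keystore type and the non-dummy password, while GOOD_FILE passes cleanly.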
Results
The SSL configuration alias now has a valid keystore file for an SSL
connection.
Note: If the Cryptographic token field is selected and you want to use
only cryptographic tokens for your keystore file, leave the Key file name
field and the Key file password field blank.
Example
- SSL connection for Internet Inter-ORB Protocol (IIOP)
- SSL connection for Lightweight Directory Access Protocol (LDAP)
- SSL connection for Hypertext Transfer Protocol (HTTP)