Repertoire settings

Use this page to configure Secure Sockets Layer (SSL) or Java Secure Socket Extension (JSSE) settings for the server. To configure SSL, you need to define an SSL configuration repertoire. A repertoire contains the details necessary for building an SSL connection, such as the location of the key files, their type, and the available ciphers. WebSphere Application Server provides a default repertoire called DefaultSSLSettings.

To view this administrative console page, click Security > SSL > alias_name.

Configuration tab

Alias

Specifies the name of this SSL setting.

Data type: String

This field is used on the System SSL Repertoire and Java Secure Socket Extension (JSSE) Repertoire panels.

Note: If you create a new SSL alias using the administrative console, the alias name is automatically created in the node_name/alias_name format. If you create a new SSL alias using wsadmin, no prefix is added for you: you must specify both the node name and the alias name yourself, in the node_name/alias_name format.

Key file name

Specifies the fully qualified path to the SSL key file that contains public keys and might contain private keys.

On z/OS, there are two SSL implementations: Java Secure Socket Extension (JSSE) SSL and System SSL. For JSSE SSL, the key file name is the fully qualified path to the keystore file that contains the server's public and private keys; it can also name a System Authorization Facility (SAF) key ring that contains those certificates and keys. For System SSL, the key file name is the name of the SAF key ring that contains the public and private keys.

For JSSE SSL, you can create the keystore file by using the keytool utility found in the WebSphere bin directory.

For System SSL or JSSE, you can create an SSL key ring by using the Resource Access Control Facility (RACF) command, RACDCERT. Issue this command in your MVS environment, such as TSO READY or ISPF option 6. The key ring contains the private certificate of this server and the certificates of the trusted certificate authorities. The certificates of the trusted certificate authorities validate the client certificates and other server certificates that are exchanged with this server during the SSL handshake. All repertoires that you define for a server must use the same key file name.

Data type: String

This field is used on the System SSL Repertoire and JSSE Repertoire panels.

Client authentication

Specifies whether to request a certificate from the client for authentication purposes when making a connection.

When performing client authentication with the Internet InterORB Protocol (IIOP) for EJB requests, click Security > Global security. Under Authentication, click Authentication protocol > CSIv2 inbound authentication or Authentication protocol > CSIv2 outbound authentication. Select the appropriate option under Client certificate authentication.

Default: Disabled
Range: Enabled or Disabled

This field is used on the System SSL Repertoire and JSSE Repertoire panels.

Security level

Specifies which pre-configured set of cipher suites (a security level) the server selects from.

Data type: Valid values include Low, Medium or High.
  • Low specifies digital signing ciphers only, without encryption.
  • Medium specifies 40-bit ciphers only, including digital signing.
  • High specifies 56-bit and higher ciphers, including digital signing.

Low gives integrity but no confidentiality, and both 40-bit and single-DES (56-bit) ciphers are within reach of a brute-force attack; for a production server, list the acceptable cipher suites explicitly rather than relying on a level.

To specify all ciphers or any particular range, you can set the com.ibm.ssl.enabledCipherSuites property.

See the SSL documentation for more information.

Default: High
Range: Low, Medium, or High
Note: The SOAP connector does not use security level.

This field is used on the System SSL Repertoire and JSSE Repertoire panels.

V3 timeout

Specifies the length of time, in seconds, that a client can reuse a System SSL Version 3 session ID without renegotiating encryption keys with the server.

All repertoires that you define for a server must use the same V3 timeout value.

Data type: Integer
Default: 100
Range: 1 to 86400 (one day)

This field is used on the System SSL Repertoire panel.

Cipher suites

Specifies a list of supported cipher suites that can be selected during the SSL handshake. If you select cipher suites individually here, you override the cipher suites set in the Security Level field.

Data type: String
Default: None
Note: The SOAP connector does not use cipher suites.

This field is used on the System SSL Repertoire and JSSE Repertoire panels.

Provider

Specifies the Java security provider: a package that implements a subset of the cryptographic functions of the Java security application programming interface (API).

If you select Predefined JSSE provider, select a provider from the menu.

WebSphere Application Server has the IBMJSSE predefined provider.

The property name for the Cipher suites field is com.ibm.ssl.enabledCipherSuites, and the property name for the Protocol field is com.ibm.ssl.protocol.

This field is used on the JSSE Repertoire panel.

Protocol

Specifies which SSL protocol to use.

SSLv2 and SSLv3 are obsolete and have known weaknesses. Unless a peer can negotiate nothing newer, select TLS or TLSv1 so that an SSL version cannot be negotiated at all.

Default: SSL
Range: SSL_TLS, SSL, SSLv2, SSLv3, TLS, TLSv1

This field is used on the JSSE Repertoire panel.
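The following added example is not part of the original page or of WebSphere Application Server; it is offered here to show how the Security level, Cipher suites and Protocol fields above interact (an explicit Cipher suites list overrides Security level, and the SOAP connector ignores both), together with the node_name/alias_name naming rule for aliases. The repertoires are constructed dicts, not exported from a real cell. The property names com.ibm.ssl.protocol and com.ibm.ssl.enabledCipherSuites are the ones the page gives; the dict keys alias and securityLevel, the grouping of JSSE suites by name into the page's Low/Medium/High classes, and the treatment of SSL_TLS as still permitting SSLv3 are assumptions of this example.

```python
import re

# Security level semantics from the page: Low = signing only, Medium = 40-bit,
# High = 56-bit and up.  Grouping JSSE suites by name into those classes is ours.
def cipher_class(suite):
    """Return 'none', '40-bit', '56-bit' or 'strong' for a JSSE cipher suite name."""
    if "_NULL_" in suite:
        return "none"           # integrity only, no encryption (the Low level)
    if "_EXPORT" in suite or "_40_" in suite:
        return "40-bit"         # export-grade (the Medium level)
    if "_DES_" in suite:        # single DES; "_3DES_" does not match this
        return "56-bit"         # the weakest suite the High level admits
    return "strong"

OBSOLETE_PROTOCOLS = {"SSL", "SSLv2", "SSLv3"}
LEVEL_CIPHERS = {"Low": "signing-only", "Medium": "40-bit", "High": "56-bit DES"}

def audit_repertoire(props):
    """Return findings for one repertoire given as a dict of its field values."""
    findings = []

    # Aliases created through wsadmin must carry the node prefix themselves.
    alias = props.get("alias", "")
    if not re.fullmatch(r"[^/]+/[^/]+", alias):
        findings.append("alias %r is not in node_name/alias_name form" % alias)

    # Protocol: the page's default, SSL, and the SSLv* values are obsolete.
    proto = props.get("com.ibm.ssl.protocol", "SSL")
    if proto in OBSOLETE_PROTOCOLS:
        findings.append("protocol %s is obsolete; use TLS or TLSv1" % proto)
    elif proto == "SSL_TLS":
        findings.append("protocol SSL_TLS still lets a peer negotiate SSLv3")

    # An explicit Cipher suites list overrides Security level, so audit
    # whichever of the two is in force.  (The SOAP connector ignores both.)
    raw = props.get("com.ibm.ssl.enabledCipherSuites", "")
    suites = [s.strip() for s in raw.split(",") if s.strip()]
    if suites:
        for s in suites:
            cls = cipher_class(s)
            if cls != "strong":
                findings.append("cipher suite %s is %s" % (s, cls))
    else:
        level = props.get("securityLevel", "High")
        findings.append("security level %s admits %s ciphers; pin the suites explicitly"
                        % (level, LEVEL_CIPHERS.get(level, "unknown")))
    return findings

# Constructed repertoires, not taken from a real cell.
WEAK_REPERTOIRE = {
    "alias": "DefaultSSLSettings",          # missing the node_name/ prefix
    "com.ibm.ssl.protocol": "SSL",
    "securityLevel": "High",                # overridden by the list below
    "com.ibm.ssl.enabledCipherSuites": "SSL_RSA_WITH_NULL_SHA,"
        "SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_WITH_DES_CBC_SHA,"
        "TLS_RSA_WITH_AES_128_CBC_SHA",
}
HARDENED_REPERTOIRE = {
    "alias": "node01/HardenedSSLSettings",
    "com.ibm.ssl.protocol": "TLS",
    "securityLevel": "High",
    "com.ibm.ssl.enabledCipherSuites": "TLS_RSA_WITH_AES_128_CBC_SHA,"
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
}

if __name__ == "__main__":
    for name, rep in (("weak", WEAK_REPERTOIRE), ("hardened", HARDENED_REPERTOIRE)):
        print(name, audit_repertoire(rep) or ["no findings"])
```

The weak repertoire produces five findings (alias form, obsolete protocol, and three weak suites), even though its Security level reads High, because the explicit Cipher suites list is what is actually in force. A repertoire with no explicit list is always reported, since even High admits single DES.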

Key file password

Specifies the password for accessing the SSL key file.

Data type: String

This field is used on the JSSE Repertoire panel.

Key file format

Specifies the format of the SSL key file.

You can choose from the following key file formats: JKS, JCEK, PKCS12, and JCERACFKS (z/OS only). [Version 6.0.2] JCE4758RACFKS (z/OS only) is also available. The JKS format cannot store shared (secret) keys and protects private keys with a weaker, proprietary scheme; for more secure key files, use the JCEK format. PKCS12 is the standard, interoperable file format.

Data type: String
Default: JKS
Range: JKS, JCEK, PKCS12, JCERACFKS (z/OS only)
[Version 6.0.2] Range: JKS, JCEK, PKCS12, JCERACFKS (z/OS only), and JCE4758RACFKS (z/OS only)

This field is used on the JSSE Repertoire panel.

Trust file name

Specifies the fully qualified path to a trust file containing the public keys.

You can create a trust file by using the keytool utility located in the WebSphere bin directory.

Unlike the SSL key file, no personal certificates are referenced; only signer certificates are retrieved. The default SSL trust files, DummyClientTrustFile.jks and DummyServerTrustFile.jks, contain multiple test public keys as signer certificates that can expire. The following public keys expire on October 13, 2021:
  • WebSphere Application Server Version 4.x test certificates
  • WebSphere Application Server Version 5.x test certificates
  • WebSphere Application Server CORBA C++ client
  • WebSphere Application Server Version 6.0.x test certificates

The test certificates are only intended for use in a test environment. The dummy key and trust files, and their passwords, ship with every copy of the product, so a server that still uses them can be impersonated by anyone who has the product, and a client that trusts the dummy signers trusts every such installation.

If a trust file is not specified but the SSL key file is specified, then the SSL key file is used for retrieval of signer certificates as well as personal certificates.

Data type: String

This field is used on the JSSE Repertoire panel.
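The following added example is not taken from the page or from the product. It reads the JKS file format that the default DummyClientTrustFile.jks and DummyServerTrustFile.jks use, and checks a store against what the Trust file settings expect: only signer entries (no personal certificates, as the Trust file name section says) and a Trust file password that verifies the store's integrity hash. It also shows why the Key file format section prefers JCEK: the JKS password keys only a trailing SHA-1 hash, so entry names and certificates are readable without it, and only the private-key blobs themselves are protected. The stores are constructed in memory, their DER blobs are placeholders rather than real certificates, and "WebAS" is used as the password because it is the well-known default for the dummy files; the JKS layout is that of the Java keystore format, not an IBM interface.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY_ENTRY, TRUSTED_CERT_ENTRY = 1, 2

def _utf(s):
    # Java writeUTF: 2-byte length followed by UTF-8 bytes
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _integrity_hash(password, body):
    # JKS trailer: SHA-1 over password chars (big-endian) + "Mighty Aphrodite" + store bytes
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()

def build_jks(entries, password):
    """Serialise (tag, alias, cert_der, key_blob) tuples as a version-2 JKS store."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for tag, alias, cert_der, key_blob in entries:
        body += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", 0)  # tag, alias, time
        if tag == PRIVATE_KEY_ENTRY:
            body += struct.pack(">I", len(key_blob)) + key_blob  # password-protected key blob
            body += struct.pack(">I", 1)                          # certificate chain length
        body += _utf("X.509") + struct.pack(">I", len(cert_der)) + cert_der
    return body + _integrity_hash(password, body)

class _Cursor:
    def __init__(self, data):
        self.data, self.off = data, 0
    def take(self, n):
        chunk = self.data[self.off:self.off + n]
        if len(chunk) != n:
            raise ValueError("truncated keystore")
        self.off += n
        return chunk
    def u32(self):
        return struct.unpack(">I", self.take(4))[0]
    def blob(self):
        return self.take(self.u32())
    def utf(self):
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")

def read_jks(data, password=None):
    """Return ([(tag, alias), ...], integrity_ok).  Listing entries needs no
    password: the JKS password keys only the trailing hash."""
    c = _Cursor(data)
    if c.u32() != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    version = c.u32()
    if version not in (1, 2):
        raise ValueError("unsupported JKS version %d" % version)
    entries = []
    for _ in range(c.u32()):
        tag, alias = c.u32(), c.utf()
        c.take(8)                              # creation time, ignored
        if tag == PRIVATE_KEY_ENTRY:
            c.blob()                           # protected key blob
            for _ in range(c.u32()):           # certificate chain
                if version == 2:
                    c.utf()                    # certificate type, e.g. X.509
                c.blob()
        elif tag == TRUSTED_CERT_ENTRY:
            if version == 2:
                c.utf()
            c.blob()
        else:
            raise ValueError("unknown entry tag %d" % tag)
        entries.append((tag, alias))
    body, stored = data[:c.off], c.take(20)
    if c.off != len(data):
        raise ValueError("trailing bytes after integrity hash")
    ok = None if password is None else hmac.compare_digest(stored, _integrity_hash(password, body))
    return entries, ok

def trust_file_findings(data, password):
    """Check a store that is configured as a repertoire's Trust file."""
    entries, ok = read_jks(data, password)
    findings = []
    if not ok:
        findings.append("trust file password does not verify the integrity hash")
    if not entries:
        findings.append("trust file holds no signer certificates")
    for tag, alias in entries:
        if tag == PRIVATE_KEY_ENTRY:
            findings.append("entry %r holds a private key; a trust file should hold signers only" % alias)
    return findings

# Constructed stores: the DER blobs are placeholders, not real certificates,
# and "WebAS" is the well-known default password of the dummy files.
TRUST_STORE = build_jks([
    (TRUSTED_CERT_ENTRY, "corp-root-ca", b"DER:corp-root-ca", None),
    (TRUSTED_CERT_ENTRY, "partner-ca", b"DER:partner-ca", None),
], "WebAS")
MIXED_STORE = build_jks([
    (PRIVATE_KEY_ENTRY, "server-key", b"DER:server-cert", b"protected-key-bytes"),
    (TRUSTED_CERT_ENTRY, "corp-root-ca", b"DER:corp-root-ca", None),
], "WebAS")

if __name__ == "__main__":
    print(trust_file_findings(TRUST_STORE, "WebAS"))   # []
    print(trust_file_findings(MIXED_STORE, "WebAS"))   # one finding: server-key
    print(read_jks(MIXED_STORE)[0])                    # entries listed with no password
```

Run against a real trust file, the same reader lists every alias without the Trust file password; only the final integrity check needs it. That is the property the page's preference for JCEK over JKS addresses, and it is also why a trust file should never double as the key file for anything beyond a test environment.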

Trust file password

Specifies the password for accessing the SSL trust file.

Data type: String

This field is used on the JSSE Repertoire panel.

Trust file format

Specifies the format of the SSL trust file.

You can choose from the following trust file formats: JKS, JCEK, PKCS12, and JCERACFKS (z/OS only). [Version 6.0.2] JCE4758RACFKS (z/OS only) is also available. The JKS format cannot store shared (secret) keys and protects private keys with a weaker, proprietary scheme; for more secure files, use the JCEK format. PKCS12 is the standard, interoperable file format.

Data type: String
Default: JKS
Range: JKS, JCEK, PKCS12, JCERACFKS (z/OS only)
[Version 6.0.2] Range: JKS, JCEK, PKCS12, JCERACFKS (z/OS only), and JCE4758RACFKS (z/OS only)

This field is used on the JSSE Repertoire panel.

Related tasks
Defining Secure Sockets Layer connections
Related reference
Secure Sockets Layer settings for custom properties

Last updated: Sep 20, 2010 10:03:57 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-zos&topic=usecssl
File name: usec_ssl.html