With the Secure Sockets Layer (SSL) configuration repertoire, administrators
can define any number of SSL settings that can be used to make Hypertext Transfer
Protocol SSL (HTTPS), Internet Inter-ORB Protocol SSL (IIOPS) or Lightweight
Directory Access Protocol SSL (LDAPS) connections. You can reuse many of these
SSL configurations by specifying an alias in multiple places.
Before you begin
You must start the administrative console.
About this task
Using the SSL configuration repertoire, you can pick one of the SSL
settings defined here from any location within the administrative
console that allows SSL connections. This simplifies the SSL configuration
process because you can reuse many of these SSL configurations by simply specifying
the alias in multiple places.
Procedure
- Click Security > SSL certificate and key management > SSL configuration to
open the SSL configuration panel.
- To create a new SSL alias, click New.
- Type the alias name in the Alias field.
- Specify the SSL Resource Access Control Facility
(RACF) key ring in the Key file name field. All repertoires
used by the same server (such as HTTPS, CSIV2, z/SAS) must have the same
keyring name. If the keyring names are not the same, the HTTPS keyring name
is used to initialize the server. If you specify the wrong RACF key ring,
the server gets an error message at runtime.
- Optional: Select the Client authentication option for your authentication
protocol. Client authentication occurs if this repertoire is selected for HTTPS.
However, the value is ignored if you use Common Secure Interoperability Version 2
(CSIv2) or z/OS Secure Authentication Services (z/SAS).
To enable client authentication for CSIv2, click Security > Global security.
Under Authentication, click Authentication protocol > CSIv2 inbound authentication.
Select the appropriate option for Client certificate authentication.
To enable client authentication for z/SAS, click Security > Global security.
Under Authentication, click Authentication protocol > z/SAS authentication.
Select the Client certificate option.
- Select High, Medium, or Low from the Security
level menu to specify the high, medium, or low set of cipher suites.
If you add specific cipher suites on this panel, those cipher suites
take precedence over the high, medium, or low specification. If a cipher list
is specified, WebSphere Application Server uses the list. If the cipher list
is empty, WebSphere Application Server uses the high, medium, low specification.
The following list explains these specifications:
- High: 128-bit cipher suites with digital signature
- Medium: 40-bit cipher suites with digital signature
- Low: No encryption is used, but digital signature is used
- Specify the SSL V3 timeout value in the V3 timeout field.
This value is the length of time, in seconds, that the system holds session
keys. The range is 0-86400 (1 day). The default is 600 seconds.
- Select the cipher suites that you want to add from the Cipher
suites menu. By default, this is not set, and the cipher suites
available are determined by the value of the Security Level (High, Medium,
or Low). A cipher suite is a combination of cryptographic algorithms
used for an SSL connection.
- Click OK when you have made all your selections.
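The rules stated in the steps above (one key ring per server with the HTTPS key ring winning on a mismatch, an explicit cipher list overriding the security level, the 0-86400 second V3 timeout range, and the Low level meaning no encryption) can be checked before you click OK. The following checker is an added example, not IBM's code or configuration format; the dictionary layout, the `SAMPLE` values and the `PLACEHOLDER_SUITE` name are constructed for illustration.

```python
# Encodes the repertoire rules from the procedure above as checks over the
# entries used by one server. The dictionary layout and sample values are
# constructed for this example; they are not WebSphere's configuration format.

SECURITY_LEVELS = {
    "High": "128-bit cipher suites with digital signature",
    "Medium": "40-bit cipher suites with digital signature",
    "Low": "no encryption, digital signature only",
}
V3_TIMEOUT_MAX = 86400  # seconds (1 day); the panel's default is 600

# Constructed sample: HTTPS uses a different RACF key ring than CSIV2 and
# z/SAS, CSIV2 relies on the Low level, and z/SAS has an out-of-range timeout.
SAMPLE = {
    "HTTPS": {"keyring": "KEYRING.A", "level": "High", "ciphers": [], "v3_timeout": 600},
    "CSIV2": {"keyring": "KEYRING.B", "level": "Low", "ciphers": [], "v3_timeout": 600},
    "z/SAS": {"keyring": "KEYRING.B", "level": "Medium",
              "ciphers": ["PLACEHOLDER_SUITE"], "v3_timeout": 90000},
}


def effective_keyring(repertoires):
    """Key ring the server initializes with: the common one if all entries
    agree, otherwise the HTTPS repertoire's key ring (the page's stated rule).
    Returns (keyring, all_consistent)."""
    names = {r["keyring"] for r in repertoires.values()}
    if len(names) == 1:
        return names.pop(), True
    return repertoires["HTTPS"]["keyring"], False


def effective_ciphers(entry):
    """An explicit cipher list wins; an empty list falls back to the level."""
    if entry["ciphers"]:
        return "list", list(entry["ciphers"])
    return "level", SECURITY_LEVELS[entry["level"]]


def check_repertoires(repertoires):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    keyring, consistent = effective_keyring(repertoires)
    if not consistent:
        findings.append(f"key ring names differ; server will use HTTPS key ring {keyring}")
    for name, entry in repertoires.items():
        source, _ = effective_ciphers(entry)
        if source == "level" and entry["level"] == "Low":
            findings.append(f"{name}: Low level with no cipher list means no encryption")
        if not 0 <= entry["v3_timeout"] <= V3_TIMEOUT_MAX:
            findings.append(f"{name}: V3 timeout {entry['v3_timeout']} outside 0-{V3_TIMEOUT_MAX}")
    return findings
```

Running `check_repertoires(SAMPLE)` reports the key ring mismatch, the unencrypted CSIV2 entry and the z/SAS timeout, each of which would otherwise surface only as a runtime error or a silently weak connection.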