[Updated in February 2012] [z/OS]

File-based key stores

A Secure Sockets Layer (SSL) configuration references keystore configurations at WebSphere Application Server run time. Keystore configurations define how the WebSphere Application Server runtime loads and manages the keystore types that SSL configurations use. On z/OS you can use file-based key stores instead of RACF.

Using file-based key stores is an alternative to using a SAF keyring in RACF.

SSL communication between server and client

The server passes its signed certificate to the client to prove its identity. The client must hold the CA certificate of the certificate authority that issued the server's certificate, and it uses that CA certificate to verify that the server's certificate is authentic. Once the certificate is verified, the client can be sure that messages are coming from that server and not from someone else.

Client setup

Personal (signed) certificates contain a private key and a public key. You can extract the public part, called the signer certificate, to a file and then import that certificate into another keystore. The client requires the signer portion of a personal certificate for Secure Sockets Layer (SSL) communication.

For clients, you must create a key ring and attach to it the CA certificate from the certificate authority that issued the server's certificate. For a z/OS client, you must use RACF to create a client key ring and to attach the CA certificate to that key ring.
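The signer extraction and the client-side check described above, as an added example that is not WebSphere product code. It assumes a PKCS12 personal keystore, a JKS client truststore, and the aliases and passwords passed in by the caller; it performs the single-level verification the text describes (issuer matches a trusted signer, signature checks out, certificate is within its validity period), not a full PKIX chain validation with revocation.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example, not WebSphere product code. Assumptions: a PKCS12 personal
// keystore (e.g. "server.p12") holding the server's personal certificate, and
// a JKS client truststore (e.g. "client.jks") written by exportSigner.
public class SignerExtract {
    // Copy only the certificate (public part) of the personal entry into the
    // client truststore as a trusted entry; the private key stays in the server keystore.
    static void exportSigner(String serverKs, char[] serverPw, String alias,
                             String clientKs, char[] clientPw) throws Exception {
        KeyStore personal = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(serverKs)) {
            personal.load(in, serverPw);
        }
        Certificate signer = personal.getCertificate(alias);
        if (signer == null) throw new IllegalStateException("no entry " + alias);
        KeyStore trust = KeyStore.getInstance("JKS");
        trust.load(null, null);                 // start with an empty truststore
        trust.setCertificateEntry("server-signer", signer);
        try (FileOutputStream out = new FileOutputStream(clientKs)) {
            trust.store(out, clientPw);
        }
    }

    // The check the client performs: the presented server certificate must be valid now
    // and signed by a trusted certificate whose subject matches the server certificate's issuer.
    static boolean isIssuedByTrustedSigner(String clientKs, char[] clientPw,
                                           X509Certificate serverCert) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(clientKs)) {
            trust.load(in, clientPw);
        }
        serverCert.checkValidity();             // throws if expired or not yet valid
        for (String alias : Collections.list(trust.aliases())) {
            if (!trust.isCertificateEntry(alias)) continue;
            X509Certificate ca = (X509Certificate) trust.getCertificate(alias);
            if (!ca.getSubjectX500Principal().equals(serverCert.getIssuerX500Principal())) continue;
            try {
                serverCert.verify(ca.getPublicKey()); // signature check with the signer's public key
                return true;
            } catch (java.security.GeneralSecurityException e) { /* wrong signer, keep looking */ }
        }
        return false;                           // no trusted signer issued this certificate
    }
}
```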

Why use file-based key stores on WebSphere Application Server for z/OS

The following are some situations in which you could use a file-based keystore. Note that all of these situations can also be handled by using a SAF keyring in RACF.
  • For any z/OS client to establish an SSL connection with WebSphere Application Server for z/OS.
  • For any WebSphere Application Server for z/OS to establish an SSL connection with a WebSphere Application Server for z/OS on a remote system or LPAR.
  • When you export certificates created in RACF and import them into a distributed WebSphere Application Server, either to prepare the distributed server for federation into a Network Deployment (ND) cell on z/OS or because you are using RACF as the certificate authority (CA) that issues the certificates used by the distributed WebSphere Application Server cell.
  • To establish an SSL connection between WebSphere Application Server on a distributed platform and WebSphere Application Server on z/OS, in either direction.
  • When a client from a previous release uses the addNode command to federate to a Version 6.1 deployment manager, the client must first obtain the signer certificates for the handshake to succeed.
  • When you want to avoid using RACF to create, extract and connect certificates. Each z/OS client that uses SSL must have a unique RACF keyring, and the CA public certificate of every server it connects to over SSL must be connected to that client's keyring.

z/OS keystores

WebSphere Application Server supports the IBMJCE file-based key stores Java Cryptography Extension Key Store (JCEKS), Java Key Store (JKS) and Public Key Cryptography Standards 12 (PKCS12), as well as the z/OS-specific RACF key store (JCERACFKS). The IBMJCE file-based keystore support on z/OS is fully compatible with, and works in the same way as, the support on distributed platforms. The JCERACFKS keystore uses keys and certificates that are stored and managed in RACF.

Related concepts
Keystore configurations
Related tasks
Configuring file-based key stores in WebSphere Application Server z/OS
Configuring file-based key stores in WebSphere Application Server for z/OS cell


Last updated: Aug 31, 2013 2:56:59 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=csec_fb_keystores
File name: csec_fb_keystores.html
