A Secure Sockets Layer (SSL) configuration references keystore
configurations during WebSphere Application Server runtime. The following
steps export a RACF certificate, store it in a file-based keystore, and
configure that file-based keystore so that an SSL client can make a
connection using Java Secure Socket Extension (JSSE).
Before you begin
A RACF certificate must already exist.
About this task
The following steps export a RACF certificate, store it in a file-based
keystore, and configure the file-based keystore so that an SSL client can
make a connection using Java Secure Socket Extension. The Java keytool
utility is used to import the RACF certificate into the keystores. A
keystore type of PKCS12 is used; similar steps apply to a keystore type
of JKS. Perform the following steps using the administrative console.
Procedure
- Click Security > SSL certificate and key management.
- Under Related Items, click Key stores and certificates,
then click CellDefaultTrustStore.
- Under Additional Properties, click Signer certificates.
- Select the WebSphereCA certificate by checking its check box. This is
the WebSphereCA certificate to extract into the HFS from the
administrative console.
- Click the Extract button. The General Properties panel for the
WebSphereCA certificate appears.
- Supply the path and a file name, with data type Binary DER data, where
you want the certificate stored. For example:
/WebSphere/V6R1/DeploymentManager/profiles/default/etc
- Click Apply or OK. The administrative console message indicates that
the signer certificate, WebSphereCA, was successfully extracted to the
file /WebSphere/V6R1/DeploymentManager/profiles/default/etc/WebSphereCA.
The following example shows a "before" and "after" of this extract
process.
Before
/WebSphere/V6R1/DeploymentManager/profiles/default/etc:>ls -lart
total 128
drwxrwxr-x 3 WSADMIN CBCFG1 8192 Jun 12 11:04 ws-security
-rwxrwxr-x 1 WSADMIN CBCFG1 727 Jun 12 11:04 serverCert.arm
-rwxrwxr-x 1 WSADMIN CBCFG1 727 Jun 12 11:04 clientCert.arm
-rwxrwxr-x 1 WSADMIN CBCFG1 6696 Jun 12 11:04 DummyServerTrustFile.jks
-rwxrwxr-x 1 WSADMIN CBCFG1 2337 Jun 12 11:04 DummyServerKeyFile.jks
-rwxrwxr-x 1 WSADMIN CBCFG1 2334 Jun 12 11:04 DummyClientKeyFile.jks
-rwxrwxr-x 1 WSADMIN CBCFG1 834 Jun 12 11:05 trust.p12
-rwxrwxr-x 1 WSADMIN CBCFG1 1538 Jun 12 11:05 key.p12
-rwxrwxr-x 1 WSADMIN CBCFG1 7267 Jun 12 11:05 DummyClientTrustFile.jks
drwxrwxr-x 3 WSADMIN CBCFG1 8192 Jun 12 11:05 .
drwxrwxr-x 17 WSADMIN CBCFG1 8192 Oct 15 11:06 ..
After
/WebSphere/V6R1/DeploymentManager/profiles/default/etc:>ls -lart
total 136
drwxrwxr-x 3 WSADMIN CBCFG1 8192 Jun 12 11:04 ws-security
-rwxrwxr-x 1 WSADMIN CBCFG1 727 Jun 12 11:04 serverCert.arm
-rwxrwxr-x 1 WSADMIN CBCFG1 727 Jun 12 11:04 clientCert.arm
-rwxrwxr-x 1 WSADMIN CBCFG1 6696 Jun 12 11:04 DummyServerTrustFile.jks
-rwxrwxr-x 1 WSADMIN CBCFG1 2337 Jun 12 11:04 DummyServerKeyFile.jks
-rwxrwxr-x 1 WSADMIN CBCFG1 2334 Jun 12 11:04 DummyClientKeyFile.jks
-rwxrwxr-x 1 WSADMIN CBCFG1 834 Jun 12 11:05 trust.p12
-rwxrwxr-x 1 WSADMIN CBCFG1 1538 Jun 12 11:05 key.p12
-rwxrwxr-x 1 WSADMIN CBCFG1 7267 Jun 12 11:05 DummyClientTrustFile.jks
drwxrwxr-x 17 WSADMIN CBCFG1 8192 Oct 15 11:06 ..
-rw-rw---- 1 DMSR1 CBCFG1 625 Oct 15 11:53 WebSphereCA
drwxrwxr-x 3 WSADMIN CBCFG1 8192 Oct 15 11:54 .
- Set up the z/OS client environment. Under Telnet / USS, set the $PATH
to access the WebSphere and Java binaries:
export PATH=$PATH:/WebSphere/V6R1/DeploymentManager/bin:.
export PATH=$PATH:/WebSphere/V6R1/DeploymentManager/java/bin:.
- Add the certificate authority (CA) to the file-based PKCS12 truststore
using the Java keytool utility:
/WebSphere/V6R1/DeploymentManager/profiles/default/etc:>keytool -import
-file WebsphereCA -keystore trust.p12 -storetype PKCS12 -storepass WebAS
Owner: CN=WAS CertAuth for Security Domain, OU=SY1
Issuer: CN=WAS CertAuth for Security Domain, OU=SY1
Serial number: 0
Valid from: 6/12/09 1:00 AM until: 12/31/10 11:59 PM
Certificate fingerprints:
MD5: 40:EF:C7:6F:36:47:47:4B:BD:8F:CE:21:67:DA:DD:F5
SHA1: EC:4E:24:BD:20:D1:74:55:F1:82:38:13:48:90:F2:19:32:79:C0:1B
Trust this certificate? [no]: yes
Certificate was added to keystore
- List and verify that the CA certificate was added to the
truststore.
/WebSphere/V6R1/DeploymentManager/profiles/default/etc:>keytool -list
-keystore trust.p12 -storetype PKCS12 -storepass WebAS
Keystore type: PKCS12
Keystore provider: IBMJCE
Your keystore contains 2 entries
cn=was certauth for security domain, ou=sy1, Dec 31, 1969,
trustedCertEntry,
Certificate fingerprint (MD5):
40:EF:C7:6F:36:47:47:4B:BD:8F:CE:21:67:DA:DD:F5
default_signer, Dec 31, 1969, trustedCertEntry,
Certificate fingerprint (MD5):
4B:49:9B:8D:17:99:3D:2D:A2:D2:54:D1:8E:0C:43:1E
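Before answering "yes" to keytool's trust prompt, a practitioner compares the fingerprint it prints against the one shown for the extracted WebSphereCA file, and after the import checks that the truststore holds nothing beyond the intended anchors. The following is an added example (not from this page or from IBM's tooling) that parses keytool -list output into alias/fingerprint pairs and reports entries that are not on an allow-list; the sample listing is constructed from the entries shown above, with keytool's normal two-line layout restored. The listing on this page shows only MD5 fingerprints; where keytool offers a SHA fingerprint, compare that one instead.

```python
import re

# keytool -list output constructed from the entries shown on this page,
# one entry per two lines as keytool prints it (the page's copy is line-wrapped).
SAMPLE_LISTING = """\
Keystore type: PKCS12
Keystore provider: IBMJCE

Your keystore contains 2 entries

cn=was certauth for security domain, ou=sy1, Dec 31, 1969, trustedCertEntry,
Certificate fingerprint (MD5): 40:EF:C7:6F:36:47:47:4B:BD:8F:CE:21:67:DA:DD:F5
default_signer, Dec 31, 1969, trustedCertEntry,
Certificate fingerprint (MD5): 4B:49:9B:8D:17:99:3D:2D:A2:D2:54:D1:8E:0C:43:1E
"""

# Fingerprint of the extracted WebSphereCA file as keytool -import displayed it.
EXPECTED_ANCHORS = {"40:EF:C7:6F:36:47:47:4B:BD:8F:CE:21:67:DA:DD:F5"}

# An alias may itself be a DN containing commas, so the greedy group runs up
# to the ", <date>, <entry type>," suffix keytool appends.
ENTRY_RE = re.compile(r"^(.*), (\w{3} \d{1,2}, \d{4}), (\w+),\s*$")
FP_RE = re.compile(r"^Certificate fingerprint \((\w+)\): ([0-9A-Fa-f:]+)$")

def parse_listing(text):
    """Return {alias: (entry_type, fingerprint)} from keytool -list output."""
    entries, pending = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            pending = (m.group(1), m.group(3))
            continue
        m = FP_RE.match(line)
        if m and pending:
            entries[pending[0]] = (pending[1], m.group(2).upper())
            pending = None
    return entries

def audit_truststore(text, expected):
    """Aliases whose fingerprint is not expected, and expected fingerprints absent."""
    entries = parse_listing(text)
    present = {fp for _, fp in entries.values()}
    unexpected = sorted(a for a, (_, fp) in entries.items() if fp not in expected)
    missing = sorted(expected - present)
    return unexpected, missing
```

Run against the listing above, audit_truststore reports default_signer as an entry outside the allow-list and nothing missing, so the operator can decide deliberately whether that signer belongs in the client truststore.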
- Configure the z/OS client to use the file-based keystores.
- Update the ssl.client.props file to point to key.p12 and trust.p12 as
the keystores:
/WebSphere/V6R1/DeploymentManager/profiles/default/properties/ssl.client.props
# KeyStore information
com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
#com.ibm.ssl.keyStore=safkeyring:///WASKeyring.PLEX1
#com.ibm.ssl.keyStorePassword={xor}Lz4sLCgwLTs=
#com.ibm.ssl.keyStoreType=JCERACFKS
#com.ibm.ssl.keyStoreProvider=IBMJCE
#com.ibm.ssl.keyStoreFileBased=false
com.ibm.ssl.keyStore=/WebSphere/V6R1/DeploymentManager/profiles/default/etc/key.p12
com.ibm.ssl.keyStorePassword=WebAS
com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.keyStoreProvider=IBMJCE
com.ibm.ssl.keyStoreFileBased=true
:
# Truststore information
com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
#com.ibm.ssl.trustStore=safkeyring:///WASKeyring.PLEX1
#com.ibm.ssl.trustStorePassword={xor}Lz4sLCgwLTs=
#com.ibm.ssl.trustStoreType=JCERACFKS
#com.ibm.ssl.trustStoreProvider=IBMJCE
#com.ibm.ssl.trustStoreFileBased=false
com.ibm.ssl.trustStore=/WebSphere/V6R1/DeploymentManager/profiles/default/etc/trust.p12
com.ibm.ssl.trustStorePassword=WebAS
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStoreProvider=IBMJCE
com.ibm.ssl.trustStoreFileBased=true
- Perform password encoding using the PropFilePasswordEncoder utility.
This creates a backup of the properties file and also converts the file
to ASCII:
/WebSphere/V6R1/DeploymentManager/profiles/default/properties:>PropFilePasswordEncoder.sh ssl.client.props com.ibm.ssl.keyStorePassword
Create a backup file of the original properties file which contains unencoded
passwords? (y/n): y
NOTE: Backup file /WebSphere/V6R1/DeploymentManager/profiles/default/properties/ssl.client.props.bak contains unencoded passwords
/WebSphere/V6R1/DeploymentManager/profiles/default/properties:>PropFilePasswordEncoder.sh ssl.client.props com.ibm.ssl.trustStorePassword
Create a backup file of the original properties file which contains unencoded
passwords? (y/n): y
NOTE: Backup file /WebSphere/V6R1/DeploymentManager/profiles/default/properties/ssl.client.props.bak contains unencoded passwords
- Verify whether ssl.client.props is in ASCII or EBCDIC:
/WebSphere/V6R1/DeploymentManager/profiles/default/properties:>file
ssl.client.props*
ssl.client.props: binary data
ssl.client.props.bak: text
The passwords for the keystores in the ssl.client.props file are now
encoded as shown below:
com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStorePassword={xor}CDo9Hgw=
The ssl.client.props file now looks like this:
com.ibm.ssl.keyStore=/WebSphere/V6R1/DeploymentManager/profiles/default/etc/key.p12
com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.keyStoreFileBased=true
...
com.ibm.ssl.trustStore=/WebSphere/V6R1/DeploymentManager/profiles/default/etc/trust.p12
com.ibm.ssl.trustStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStoreFileBased=true
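An added consistency check for the configuration and password-encoding steps above, written for this edit rather than taken from the page or from WebSphere's tooling: it parses an ssl.client.props fragment constructed from the lines shown here, flags a store whose FileBased and Type settings disagree with its location (file path versus safkeyring: URL) or whose password is still in clear, and reproduces the {xor} encoding that PropFilePasswordEncoder applies (each byte XORed with 0x5F, then Base64). That encoding needs no secret to reverse, so it hides the password from a glance only; the permissions on ssl.client.props, and on the .bak file the encoder leaves with unencoded passwords, are what actually protect it.

```python
import base64

# ssl.client.props fragment constructed from this page: keyStore password still in clear.
SAMPLE_PROPS = """\
com.ibm.ssl.keyStore=/WebSphere/V6R1/DeploymentManager/profiles/default/etc/key.p12
com.ibm.ssl.keyStorePassword=WebAS
com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.keyStoreFileBased=true
com.ibm.ssl.trustStore=/WebSphere/V6R1/DeploymentManager/profiles/default/etc/trust.p12
com.ibm.ssl.trustStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStoreFileBased=true
"""

XOR_KEY = 0x5F  # '_': the {xor} scheme XORs every byte with this, then Base64-encodes

def xor_encode(plaintext):
    raw = bytes(b ^ XOR_KEY for b in plaintext.encode("ascii"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")

def xor_decode(encoded):
    # No key material is involved, so anyone who can read the file can reverse it.
    raw = base64.b64decode(encoded[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("ascii")

def parse_props(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:  # skips comments, ':' marker
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_store(props, store):
    """Findings for one store, 'keyStore' or 'trustStore'."""
    p = lambda suffix: props.get("com.ibm.ssl." + store + suffix, "")
    findings = []
    keyring = p("").startswith("safkeyring:")
    if keyring and (p("FileBased") != "false" or p("Type") != "JCERACFKS"):
        findings.append(store + ": SAF keyring URL but FileBased/Type not set for a keyring")
    if not keyring and (p("FileBased") != "true" or p("Type") not in ("PKCS12", "JKS")):
        findings.append(store + ": file path but FileBased/Type not set for a file store")
    if p("Password") and not p("Password").startswith("{xor}"):
        findings.append(store + ": password in clear; run PropFilePasswordEncoder")
    return findings

def lint_props(text):
    props = parse_props(text)
    return lint_store(props, "keyStore") + lint_store(props, "trustStore")
```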
- Use the retrieveSigners utility instead of the administrative console
to list the keystores of both the client and the server.
/WebSphere/V6R1/DeploymentManager/profiles/default/bin:>retrieveSigners.sh
-listLocalKeyStoreNames
CWPKI0307I: The following local keystores exist on the client:
ClientDefaultKeyStore, ClientDefaultTrustStore
/WebSphere/V6R1/DeploymentManager/profiles/default/bin:>retrieveSigners.sh
-listRemoteKeyStoreNames
CWPKI0306I: The following remote keystores exist on the specified server:
CellDefaultKeyStore, CellLTPAKeys, LEX1Manager/DefaultIIOPSSL_key,
SY1/DefaultIIOPSSL_trust, PLEX1Manager/DefaultIIOPSSL_trust,
SY1/DefaultIIOPSSL_key, CellDefaultTrustStore
- Import the SAF keyring certificates to the file-based keystore and
truststore:
/WebSphere/V6R1/DeploymentManager/profiles/default/bin:>retrieveSigners.sh
CellDefaultTrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner
CWPKI0308I: Adding signer alias "CN=BOSSXXXX.PLEX1.L2.IBM.COM, OU=PLEX1, O=IBM"
to local keystore "ClientDefaultTrustStore" with the following SHA
digest: EC:4E:24:BD:20:D1:74:55:F1:82:38:13:48:90:F2:19:32:79:C0:1B
CWPKI0308I: Adding signer alias "CN=WAS CertAuth for Security Domain, OU=SY1"
to local keystore "ClientDefaultTrustStore" with the following SHA
digest: EC:4E:24:BD:20:D1:74:55:F1:82:38:13:48:90:F2:19:32:79:C0:1B
CWPKI0309I: All signers from remote keystore already exist in local keystore.
/WebSphere/V6R1/DeploymentManager/profiles/default/bin:>retrieveSigners.sh
CellDefaultKeyStore ClientDefaultKeyStore -autoAcceptBootstrapSigners
CWPKI0308I: Adding signer alias "websphereca" to local keystore
"ClientDefaultKeyStore" with the following SHA digest:
EC:4E:24:BD:20:D1:74:55:F1:82:38:13:48:90:F2:19:32:79:C0:1B
- Establish a SOAP connection from a client using the keystores.
Note: The WebSphere server cell configuration is using the SAF keyring.
/:>wsadmin.sh -conntype SOAP -host boss0232.plex1.l2.ibm.com -port 8879
-user ibmuser -password ibmuser
WASX7209I: Connected to process "dmgr" on node PLEX1Manager using SOAP
connector; The type of process is: DeploymentManager
WASX7029I: For help, enter: "$Help help"
wsadmin>
Results
You have successfully extracted the signer certificate as a certificate
file, stored it in /WebSphere/V6R1/DeploymentManager/profiles/default/etc
with the given name (WebSphereCA), and set up the z/OS client environment
so that the z/OS client can use file-based keystores.
What to do next
Your z/OS client can now use file-based keystores.