A Secure Sockets Layer (SSL) configuration references keystore configurations during WebSphere Application Server runtime. Keystore configurations define how the WebSphere Application Server runtime loads and manages the keystore types that SSL configurations use. On z/OS, file-based key stores are an alternative to a System Authorization Facility (SAF) key ring in RACF.
The server presents its signed certificate to prove its identity to the client. The client must hold the certificate authority (CA) certificate of the CA that issued the server's certificate, and it uses that CA certificate to verify that the server's certificate is authentic. Once the certificate is verified, the client can trust that messages really come from that server and not from someone else.
A personal (signed) certificate contains both a private key and a public key. You can extract the public portion, called the signer certificate, to a file and then import that certificate into another keystore. A client needs only the signer portion of a personal certificate for Secure Sockets Layer (SSL) communication; the private key never leaves the server's keystore.
For clients, you must create a key ring and attach to it the CA certificate from the certificate authority that issued the server's certificate. For a z/OS client, you must use RACF to create a client key ring and to attach the CA certificate to that key ring.
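The following script is an added example, not part of the IBM documentation or WebSphere's own tooling. It walks through the file-based equivalent of the client key ring described above: it builds a demo CA, issues a server personal certificate (private key plus certificate) into a PKCS12 store, extracts the signer portion (certificate only), imports that signer into a cert-only client trust store, and then performs the verification a client does against the CA certificate. It assumes `openssl` is on the PATH; every name, path and password in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the IBM page): personal certificate vs. signer
# certificate, using file-based PKCS12 stores and openssl. All subject names,
# file names and the password are constructed demo values.
set -e

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"   # constructed demo password, not a real credential

# 1. The certificate authority. The client must hold ca.pem (the CA certificate).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. The server's personal certificate: key pair + CSR, signed by the CA, and
#    packaged together with its private key in a PKCS12 keystore.
make_server_personal_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=server.example.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 \
    -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
  openssl pkcs12 -export -name server \
    -inkey "$WORK/server.key" -in "$WORK/server.pem" \
    -out "$WORK/server-personal.p12" -passout "pass:$PASS"
}

# 3. Extract the signer portion: the certificate (public key) only, no private key.
extract_signer() {
  openssl pkcs12 -in "$WORK/server-personal.p12" -passin "pass:$PASS" \
    -nokeys -clcerts -out "$WORK/server-signer.pem"
}

# 4. Import the signer into a client trust store (a certificate-only PKCS12).
import_signer_into_truststore() {
  openssl pkcs12 -export -nokeys -name server-signer \
    -in "$WORK/server-signer.pem" \
    -out "$WORK/client-trust.p12" -passout "pass:$PASS"
}

# 5. What the client does at handshake time: check that the server certificate
#    was issued by the CA it trusts. Exit status 0 means the chain verified.
client_verifies_server() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server-signer.pem" >/dev/null
}

# 6. Sanity checks: the personal store carries a private key, the trust store
#    must not (a client only ever needs the signer portion).
personal_store_has_private_key() {
  openssl pkcs12 -in "$WORK/server-personal.p12" -passin "pass:$PASS" \
    -nocerts -nodes 2>/dev/null | grep -q "PRIVATE KEY"
}
truststore_has_no_private_key() {
  ! openssl pkcs12 -in "$WORK/client-trust.p12" -passin "pass:$PASS" \
    -nocerts -nodes 2>/dev/null | grep -q "PRIVATE KEY"
}

run_demo() {
  make_ca
  make_server_personal_cert
  extract_signer
  import_signer_into_truststore
  client_verifies_server
  personal_store_has_private_key
  truststore_has_no_private_key
  echo "signer extracted, imported into client-trust.p12 and verified under $WORK"
}

run_demo
```

The same split applies whichever store type holds the material: the server-side store (personal certificate with its private key) stays on the server, and only `server-signer.pem`, or its RACF counterpart connected to the client key ring, is distributed to clients. Replacing the self-signed demo CA with the real issuing CA's certificate is the only change needed for a production client trust store.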
WebSphere Application Server supports the IBMJCE file-based key store types Java Cryptography Extension Key Store (JCEKS), Java Key Store (JKS), and Public Key Cryptography Standards 12 (PKCS12), as well as the z/OS-specific RACF key store type (JCERACFKS). The IBMJCE file-based keystore support on z/OS is fully compatible with the support on distributed platforms. A JCERACFKS keystore uses keys and certificates that are stored and managed in RACF.