During SSL authentication, WebSphere® Application Server treats a certificate that is connected to the keyring as a PERSONAL certificate as a KeyEntry. Because the private key is available, such a certificate can be used as the end-user (end-entity) certificate in a Secure Sockets Layer (SSL) handshake.
WebSphere Application Server treats a certificate that is connected as a CERTAUTH certificate as a TrustedCertEntry and uses it as a Certificate Authority (CA) certificate. Keyrings therefore require end-user certificates to be connected as PERSONAL and CA certificates to be connected as CERTAUTH. Certificates that are connected as SITE are not supported in this release.
For example, a keyring listing with one end-user certificate connected as PERSONAL and one CA certificate connected as CERTAUTH looks like this:

    Certificate Label Name   Cert Owner   USAGE      DEFAULT
    ----------------------   ----------   --------   -------
    PersonalEndUserCert      ID(USERID)   PERSONAL   YES
    PersonalEndUserCACert    CERTAUTH     CERTAUTH   NO
Provider entry in the java.security file, where X is the provider's position in the provider list:

    security.provider.X=com.ibm.security.cert.IBMCertPath
If any certificate on the RACF keyring fails to load, the whole keystore fails to load; there is no partial load. You must therefore remove any unwanted or unusable certificates from the keyring.
The RACFInputStream constructor takes three parameters: the RACF user ID, the keyring name, and the keystore password (null here, because the password is not used for a RACF keyring):

    import java.io.IOException;
    import java.security.GeneralSecurityException;
    import java.security.KeyStore;
    import com.ibm.crypto.provider.RACFInputStream;

    String ksfname = "my_key_ring";   // name of the RACF keyring (example value)
    char[] storePass = null;          // not used for RACF keyrings
    RACFInputStream riStream = new RACFInputStream(System.getProperty("user.name"), ksfname, storePass);
    try {
        KeyStore racfKeyStore = KeyStore.getInstance("JCERACFKS");
        // Fails if any certificate on the ring cannot be loaded
        racfKeyStore.load(riStream, storePass);
    } finally {
        riStream.close();
    }

In this example, the system property user.name supplies the user ID that WebSphere Application Server passes to RACF. This usage is not typical.
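The following added example (it is not from the original page or from IBM) ties the entry mapping described above to the loading code: it opens the keyring through RACFInputStream with the constructor signature the page shows, lists which aliases became KeyEntry (PERSONAL) or TrustedCertEntry (CERTAUTH), warns when a CERTAUTH certificate does not actually carry CA basic constraints, reports the all-or-nothing load failure, and finally builds an SSLContext in which the KeyEntries supply the end-user certificate and the TrustedCertEntries are the trust anchors. The user ID, the keyring name my_key_ring, and the null password passed to the key manager factory are assumptions.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import com.ibm.crypto.provider.RACFInputStream;

/** Added example: load a RACF keyring as JCERACFKS, show the entry mapping, build an SSLContext. */
public final class RacfKeyringSsl {

    /** Load the ring. The password is null: RACF, not a password, controls access to the ring. */
    public static KeyStore loadKeyring(String racfUserId, String ringName)
            throws IOException, GeneralSecurityException {
        char[] storePass = null;
        RACFInputStream in = new RACFInputStream(racfUserId, ringName, storePass);
        try {
            KeyStore ks = KeyStore.getInstance("JCERACFKS");
            // If any certificate on the ring fails to load, load() throws and nothing is loaded.
            ks.load(in, storePass);
            return ks;
        } finally {
            in.close();
        }
    }

    /** Report how each connected certificate was mapped: PERSONAL -> KeyEntry, CERTAUTH -> TrustedCertEntry. */
    public static void describeEntries(KeyStore ks) throws GeneralSecurityException {
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            String subject = cert.getSubjectX500Principal().getName();
            if (ks.isKeyEntry(alias)) {
                // PERSONAL: the private key is available, so this entry can be the end-user SSL certificate.
                PrivateKey key = (PrivateKey) ks.getKey(alias, null);
                System.out.printf("KeyEntry         %-24s %s (%s key)%n", alias, subject, key.getAlgorithm());
            } else if (ks.isCertificateEntry(alias)) {
                // CERTAUTH: trusted as a CA. getBasicConstraints() returns -1 when the cert is not a CA.
                boolean isCa = cert.getBasicConstraints() >= 0;
                System.out.printf("TrustedCertEntry %-24s %s ca=%b%n", alias, subject, isCa);
                if (!isCa) {
                    System.out.println("  WARNING: connected as CERTAUTH but the certificate has no CA basic constraints");
                }
            }
        }
    }

    /** KeyEntries supply the end-user certificate and key; TrustedCertEntries become the trust anchors. */
    public static SSLContext buildSslContext(KeyStore ks) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, null);   // null key password: assumption that JCERACFKS does not require one
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String userId = args.length > 0 ? args[0] : System.getProperty("user.name");
        String ring = args.length > 1 ? args[1] : "my_key_ring";   // placeholder ring name
        KeyStore ks;
        try {
            ks = loadKeyring(userId, ring);
        } catch (IOException e) {
            // One bad certificate prevents the whole ring from loading; fix the ring, not the code.
            System.err.println("Keyring " + ring + " did not load: " + e.getMessage());
            System.err.println("Remove the failing or unwanted certificate from the ring and retry.");
            return;
        }
        describeEntries(ks);
        SSLContext ctx = buildSslContext(ks);
        System.out.println("SSLContext initialised from keyring " + ring + " (" + ctx.getProtocol() + ")");
    }
}
```

The basic-constraints check is worth keeping in real tooling: RACF will happily connect any certificate with USAGE CERTAUTH, but a TLS peer's chain only validates if the entry really is a CA certificate.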
For more information about using RACFInputStream, see the document z/OS® Unique Considerations for the Java 2 SDK, Standard Edition, v 6.0. A link to this z/OS document is provided in the Related Links section of this topic.
-Djava.protocol.handler.pkgs

If you are using the IBM® Java Cryptography Extension (IBMJCE) provider to provide cryptographic support, set the property to the following value:

    -Djava.protocol.handler.pkgs=com.ibm.crypto.provider

If you are using the IBMJCE4758 provider to provide cryptographic support, set the property to the following value:

    -Djava.protocol.handler.pkgs=com.ibm.crypto.hdwrCCA.provider

With this property set, you can use a safkeyring URL to specify the keystore in the java.policy file, and the jarsigner utility also accepts such a URL for its -keystore parameter. When certificates from a RACF keyring are used to verify signed JAR files, you can specify in the java.policy file that WebSphere Application Server must use the keyring as the input stream for the keystore, as shown in the following example:
    keystore "safkeyring://myracfid/my_key_ring", "JCERACFKS";

In this example,

    jarsigner -keystore safkeyring://myracfid/my_key_ring -signedjar ibmjceproviders.jar ibmjceprovider.jar ibmprovider -storetype JCERACFKS
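As an added example, not from the original page or from IBM, the following program exercises what the java.policy entry and the jarsigner command above set up: it opens the keyring through the safkeyring URL (which is why -Djava.protocol.handler.pkgs must be set), takes the keyring's TrustedCertEntry (CERTAUTH) certificates as the only trust anchors, and verifies a signed JAR such as the ibmjceproviders.jar produced above, reporting per entry whether it is unsigned, tampered, signed by an untrusted chain, or signed by a chain that PKIX-validates to one of those anchors. Assumptions: the URL handler returns a stream that KeyStore.load accepts, the password is ignored for JCERACFKS, and revocation checking is disabled because no CRL or OCSP source is assumed to be reachable.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: verify a signed JAR against the CERTAUTH certificates on a RACF keyring. */
public final class VerifyJarAgainstKeyring {

    /** Open the ring through the safkeyring: URL handler (needs -Djava.protocol.handler.pkgs set). */
    public static KeyStore loadFromUrl(String keyringUrl) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCERACFKS");
        InputStream in = new URL(keyringUrl).openStream();
        try {
            ks.load(in, null);   // password not used for RACF keyrings (assumption, as on the page)
        } finally {
            in.close();
        }
        return ks;
    }

    /** The keyring's CERTAUTH certificates (TrustedCertEntry) are the only acceptable trust anchors. */
    public static Set<TrustAnchor> trustAnchors(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
        }
        return anchors;
    }

    /** PKIX-validate one signer's certificate path to the anchors; returns the signer's subject DN. */
    public static String validateSigner(CodeSigner signer, Set<TrustAnchor> anchors) throws Exception {
        CertPath path = signer.getSignerCertPath();
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);   // assumption: no CRL/OCSP source reachable here
        CertPathValidator.getInstance("PKIX").validate(path, params);
        X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);
        return leaf.getSubjectX500Principal().getName();
    }

    /**
     * Returns entry name -> status. Reading each entry to EOF is what makes JarFile check the
     * signature; a modified entry raises SecurityException and is reported as TAMPERED.
     */
    public static Map<String, String> verifyJar(String jarPath, KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = trustAnchors(ks);
        Map<String, String> status = new TreeMap<String, String>();
        JarFile jar = new JarFile(jarPath, true);   // verify = true
        try {
            byte[] buf = new byte[8192];
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;   // manifest and signature files are not themselves signed entries
                }
                try {
                    InputStream in = jar.getInputStream(entry);
                    try {
                        while (in.read(buf) != -1) { /* read to EOF to trigger verification */ }
                    } finally {
                        in.close();
                    }
                } catch (SecurityException e) {
                    status.put(entry.getName(), "TAMPERED: " + e.getMessage());
                    continue;
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    status.put(entry.getName(), "UNSIGNED");
                    continue;
                }
                try {
                    status.put(entry.getName(), "SIGNED by " + validateSigner(signers[0], anchors));
                } catch (Exception e) {
                    status.put(entry.getName(), "UNTRUSTED SIGNER: " + e.getMessage());
                }
            }
        } finally {
            jar.close();
        }
        return status;
    }

    public static void main(String[] args) throws Exception {
        // Defaults are placeholders matching the page's example: keyring URL and the signed JAR.
        String url = args.length > 0 ? args[0] : "safkeyring://myracfid/my_key_ring";
        String jarPath = args.length > 1 ? args[1] : "ibmjceproviders.jar";
        KeyStore ks = loadFromUrl(url);
        for (Map.Entry<String, String> e : verifyJar(jarPath, ks).entrySet()) {
            System.out.println(e.getValue() + "  " + e.getKey());
        }
    }
}
```

Note that a valid signature alone says nothing about trust: an entry is only reported as SIGNED when its signer chain validates to a certificate connected to the ring as CERTAUTH, which is the same trust decision the java.policy keystore entry expresses for the JVM's own code-source checks.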