This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.

Enabling SSL communication in Liberty

Enabling SSL communication in Liberty requires only a minimal set of SSL configuration options. Most of the SSL options, however, depend on some keystore configuration information.

About this task

SSL client authentication occurs during the connection handshake by using SSL certificates. The SSL handshake is a series of messages that are exchanged over the SSL protocol to negotiate connection-specific protection. During the handshake, the secure server requests that the client send back a certificate or certificate chain for authentication. To enable SSL in Liberty, you add the ssl-1.0 Liberty feature to the configuration root document file, server.xml, together with the keystore information that is used for authentication.

By default, the path and file name of the configuration root document file is path_to_liberty/wlp/usr/servers/server_name/server.xml, where path_to_liberty is the location where you installed Liberty on your operating system and server_name is the name of your server. However, you can change the path. See Customizing the Liberty environment.

Procedure

  1. Enable the ssl-1.0 Liberty feature in the server.xml file.
    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>
    Note: If application security is required and security information is redirected to a secure port, you must add the appSecurity-2.0 Liberty feature to the server.xml file.
  2. Add the keystore service object entry to the server.xml file. The keyStore element is called defaultKeyStore and contains the keystore password. The password can be entered in clear text or encoded; the encode option of the securityUtility command can be used to encode it.
    <keyStore id="defaultKeyStore" password="yourPassword" />

    This configuration is the minimum that is needed to create an SSL configuration. With this configuration, the server creates the keystore and certificate during SSL initialization if they do not already exist. The password that is provided must be at least 6 characters long. The keystore is assumed to be a JKS keystore that is called key.jks in the server home/resources/security directory. If the file does not exist, the server creates it for you. If the server creates the keystore file, it also creates the certificate inside it. The certificate is a self-signed certificate with a validity period of 365 days; the CN value of the certificate's subjectDN is the host name of the machine where the server is running, and the signature algorithm is SHA256withRSA.

    Note: When the use of a collective controller is not practical, for example when there are only one or two Liberty servers, a self-signed certificate can be used to restrict the number of clients that can connect to the Liberty member server. It is suggested that an IBM HTTP Server (IHS) is used in front of the Liberty servers, where an appropriate CA-signed certificate can be used, along with CN whitelisting to control which clients can connect to IHS. A trusted channel between IHS and the Liberty member server can be maintained by using the self-signed certificate.

    An example of a SAF keyring in the minimal configuration:

    <keyStore id="defaultKeyStore" location="safkeyring:///WASKeyring" 
              type="JCERACFKS" password="password" fileBased="false" 
              readOnly="true" />

    The RACF® keyring must be set up before you configure it for use by the Liberty server. The server does not create certificates or add them to RACF.

    The single keystore entry for a minimal SSL configuration can be extended to include the location and type as well.
    <keyStore id="defaultKeyStore" location="myKeyStore.p12" password="yourPassword" type="PKCS12"/>

    The location parameter can be an absolute path to the keystore file. If it is an absolute path, the keystore file is assumed to have been created already. Keystores of other types can also be specified in the minimal SSL configuration if the keystore file has already been created. When the minimal SSL configuration is used, the SSL configuration defaults are used to create the SSL context for an SSL handshake. The configured protocol is SSL_TLS by default, and the HIGH cipher suites (128-bit and stronger) can be used.
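    The following checker is an added example, not part of this topic or of the Liberty product, that validates the minimal SSL configuration described above before the server is started: it confirms that ssl-1.0 is enabled, that a keyStore with id defaultKeyStore exists, that a clear-text password meets the 6-character minimum, that the password has been encoded (the {xor} and {aes} prefixes that securityUtility encode produces are taken as the markers of an encoded value), and that an absolute keystore location points at a file that already exists, since the server will not create one there. The sample server.xml content is constructed for the example.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample server.xml, not taken from the topic: ssl-1.0 is enabled
# but the keystore password is still in clear text.
SAMPLE_SERVER_XML = """<server description="constructed sample">
  <featureManager>
    <feature>ssl-1.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  <keyStore id="defaultKeyStore" password="yourPassword" />
</server>"""

ENCODED_PREFIXES = ("{xor}", "{aes}")  # produced by securityUtility encode


def check_ssl_config(server_xml):
    """Return a list of finding codes for the minimal Liberty SSL configuration."""
    findings = []
    root = ET.fromstring(server_xml)

    # The ssl-1.0 feature must be listed under featureManager.
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if "ssl-1.0" not in features:
        findings.append("missing-ssl-feature")

    # The minimal configuration needs a keyStore with id defaultKeyStore.
    keystores = [k for k in root.iter("keyStore") if k.get("id") == "defaultKeyStore"]
    if not keystores:
        findings.append("missing-defaultKeyStore")
        return findings
    ks = keystores[0]

    password = ks.get("password", "")
    if password.startswith(ENCODED_PREFIXES):
        pass  # encoded value; length of the clear-text password is not visible here
    else:
        if len(password) < 6:
            findings.append("password-too-short")  # server requires at least 6 characters
        findings.append("clear-text-password")  # encode it with securityUtility encode

    # A file-based keystore given by absolute path is assumed to exist already;
    # the server only creates key.jks under resources/security for the default location.
    if ks.get("fileBased", "true").lower() != "false":
        location = ks.get("location", "key.jks")
        if os.path.isabs(location) and not os.path.exists(location):
            findings.append("absolute-keystore-path-missing")
    return findings
```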





Last updated: Tuesday, 12 December 2017
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-libcore-mp&topic=twlp_sec_ssl
File name: twlp_sec_ssl.html