SSL
This section discusses how the connector implements its SSL capability. For background information, see your SSL documentation; this section assumes familiarity with SSL technology.
JSSE
The connector uses JSSE to provide support for HTTPS and SSL. IBM JSSE is shipped with the connector. To enable this capability, make sure that the java.security file installed with the connector contains the following entry:
security.provider.5=com.ibm.jsse.IBMJSSEProvider
The number in the entry is the provider's position in the JVM's provider search order, so it must not duplicate an index already used by another security.provider entry in the file. Note that java.security is located in the $ProductDir\lib\security directory of your connector installation.
The connector uses the value of the JavaProtocolHandlerPackages connector property to set the java.protocol.handler.pkgs system property, which tells the JVM where to find the https: URL handler. For the IBM JSSE that is shipped with the connector, the value of this property should be com.ibm.net.ssl.internal.www.protocol, and the JavaProtocolHandlerPackages configuration property defaults to this value. However, if the JVM already has a java.protocol.handler.pkgs system property with a non-empty value, the connector overwrites it only when the JavaProtocolHandlerPackages connector property has been set explicitly; the default alone never replaces an existing value.
During initialization, the connector disables all anonymous cipher suites supported by JSSE. Anonymous suites (the _anon_ key-exchange suites) authenticate neither end of the connection, so they would defeat the peer authentication that the keystore and truststore settings described below are meant to provide.
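The two initialization steps just described, the precedence rule for java.protocol.handler.pkgs and the removal of anonymous cipher suites, as an added example in Java against the standard JSSE API. This is illustration code written for this page, not connector code; the class name, the use of the generic "TLS" protocol name in place of the SSLVersion property, and the convention that a null connector value means "property not set" are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/* Added illustration of the connector's JSSE initialization; not connector code. */
public class JsseInitExample {

    /** Default value of JavaProtocolHandlerPackages for the bundled IBM JSSE. */
    static final String IBM_JSSE_HANDLER_PKGS = "com.ibm.net.ssl.internal.www.protocol";

    /**
     * Precedence rule: an existing, non-empty java.protocol.handler.pkgs system
     * property is replaced only when the connector property was set explicitly
     * (connectorValue != null, an assumed convention). With nothing set anywhere,
     * the connector's default applies.
     */
    static String resolveHandlerPackages(String existingSystemValue, String connectorValue) {
        if (connectorValue != null) {
            return connectorValue;
        }
        boolean systemSet = existingSystemValue != null && existingSystemValue.length() > 0;
        return systemSet ? existingSystemValue : IBM_JSSE_HANDLER_PKGS;
    }

    /**
     * True for suites that authenticate neither peer ("_anon_" in JSSE names,
     * e.g. SSL_DH_anon_WITH_RC4_128_MD5) and, as an added measure beyond the
     * text, for suites with NULL encryption, which give no confidentiality.
     */
    static boolean isAnonymous(String suite) {
        String s = suite.toUpperCase();
        return s.indexOf("_ANON_") >= 0 || s.indexOf("_NULL_") >= 0;
    }

    /** The suites in supported that are not anonymous, in their original order. */
    static String[] authenticatedSuites(String[] supported) {
        List<String> keep = new ArrayList<String>();
        for (String s : supported) {
            if (!isAnonymous(s)) {
                keep.add(s);
            }
        }
        return keep.toArray(new String[keep.size()]);
    }

    public static void main(String[] args) throws Exception {
        // An optional first argument stands in for the JavaProtocolHandlerPackages
        // connector property; omit it to model "not set".
        String connectorValue = args.length > 0 ? args[0] : null;
        String pkgs = resolveHandlerPackages(System.getProperty("java.protocol.handler.pkgs"), connectorValue);
        System.setProperty("java.protocol.handler.pkgs", pkgs);
        System.out.println("java.protocol.handler.pkgs=" + pkgs);

        // No KeyManagers are supplied because only the cipher-suite list is inspected;
        // a real listener passes KeyManagers built from its keystore to init().
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0);
        try {
            server.setEnabledCipherSuites(authenticatedSuites(server.getSupportedCipherSuites()));
            for (String s : server.getEnabledCipherSuites()) {
                System.out.println("enabled:  " + s);
            }
            for (String s : server.getSupportedCipherSuites()) {
                if (isAnonymous(s)) {
                    System.out.println("disabled: " + s);
                }
            }
        } finally {
            server.close();
        }
    }
}
```

Run it with and without an argument to see the precedence rule; on a current JDK the "disabled:" lines may be empty because anonymous suites are no longer shipped as supported suites, whereas the JSSE of the connector's era listed them and the connector had to remove them itself.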
KeyStore and TrustStore
To use SSL with the connector, you must set up keystores and truststores. The connector provides no tool for creating keystores, generating keys, or managing certificates; use a third-party tool, such as the keytool utility of your JDK, for these tasks.
SSL Properties
You can specify the following SSL connector-specific properties:
- SSLVersion
- SSLDebug
- KeyStore
- KeyStoreAlias
- KeyStorePassword
- TrustStore
- TrustStorePassword
- UseClientAuth (used by the HTTPS protocol listener)
Note that these properties apply to a connector instance: the same set of SSL property values is used by all of the HTTPS protocol listeners plugged into the connector and by the HTTP-HTTPS protocol handler for that instance. For further information on HTTPS/SSL setup, see Appendix D. Configuring HTTPS/SSL.
SSL and the HTTPS protocol listener
To use the HTTPS protocol listener, you must specify the SSL connector-specific properties. The values you assign to these properties should reflect your SSL requirements:
- SSLVersion Make sure that the SSLVersion you want to use is supported by JSSE.
- KeyStore Because the HTTPS protocol listener acts as the server in SSL communications, you must specify a keystore. The listener uses the keystore named in the SSL->KeyStore configuration property; the value of this property must be the complete path to your keystore file. Make sure that the keystore holds a key pair (private key and public key) for the connector, and specify the alias of that private-key entry in the SSL->KeyStoreAlias property. Specify the password required to access the keystore in the SSL->KeyStorePassword property. Because the connector presents this one password for both the keystore and the private key, the private key must be protected with the same password as the keystore. Finally, distribute the connector's digital certificate to your clients (they import it into their own truststores) so that they can authenticate the connector.
- TrustStore If you want the HTTPS protocol listener to authenticate clients, you must activate client authentication by setting the SSL->UseClientAuth property to true. You must also specify:
- the location of your truststore as the value of the SSL->TrustStore configuration property
- the password required to access the truststore as the value of the SSL->TrustStorePassword property
Make sure that your truststore contains the digital certificates of your clients. Client certificates may be self-signed or issued by a CA. Note that if your truststore trusts the root certificate of a CA, JSSE accepts every certificate issued by that CA; import a CA root only if every holder of a certificate from that CA should be allowed to connect, and otherwise import the individual client certificates.
For further information on HTTPS/SSL setup, see Appendix D. Configuring
HTTPS/SSL.
SSL and the HTTP-HTTPS protocol handler
If you are using SSL with the HTTP-HTTPS protocol handler, you must specify the SSL connector-specific properties. The values you assign to these properties should reflect the HTTPS/SSL requirements of your HTTP provider:
- SSLVersion Make sure that the SSLVersion you want to use is supported both by your provider and by JSSE.
- TrustStore Because the HTTP-HTTPS protocol handler acts as the client in SSL communications, you must set up a truststore. The handler uses the truststore named in the SSL->TrustStore configuration property; the value of this property must be the complete path to your truststore file. Specify the password required to access the truststore in the SSL->TrustStorePassword property. Make sure that your truststore contains the digital certificate of your provider. The provider's certificate may be self-signed or issued by a CA. Note that if your truststore trusts the root certificate of the CA, JSSE accepts every certificate issued by that CA, so in that case the provider's own certificate need not be imported.
- KeyStore If your HTTP service provider requires client authentication, you must set up a keystore. The HTTP-HTTPS protocol handler uses the keystore named in the SSL->KeyStore configuration property; the value must be the complete path to your keystore file. Make sure that the keystore holds a key pair (private key and public key) for the connector, specify the alias of that private-key entry in the SSL->KeyStoreAlias property, and specify the password required to access the keystore in the SSL->KeyStorePassword property. As for the listener, the private key must be protected with the same password as the keystore, because the connector presents one password for both. Finally, distribute the connector's digital certificate to your HTTP service provider so that it can authenticate the connector.
For further information on HTTPS/SSL setup, see Appendix D. Configuring
HTTPS/SSL.
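The keystore and truststore requirements of the preceding sections (KeyStore and TrustStore, SSL and the HTTPS protocol listener, SSL and the HTTP-HTTPS protocol handler) can be verified before the connector is started: the keystore opens with KeyStorePassword, KeyStoreAlias names a private-key entry protected by that same password, the connector certificate is currently valid, and the peer's certificate is one that the truststore would accept. The following preflight check is an added example written for this page in Java 5 or later; it is not connector code. The class name, the six command-line arguments, the use of the JDK's default keystore type, and passing "RSA" as the authentication type to the trust manager are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* Added preflight check for the SSL connector properties; example code, not part of the connector. */
public class SslPropertyCheck {

    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    /** Checks KeyStore, KeyStoreAlias and KeyStorePassword; returns the problems found (empty = usable). */
    static List<String> checkKeyStore(String path, String alias, String password) {
        List<String> problems = new ArrayList<String>();
        try {
            KeyStore ks = load(path, password);            // a wrong KeyStorePassword fails here
            if (!ks.isKeyEntry(alias)) {
                problems.add("alias '" + alias + "' is missing or is not a key-pair entry");
                return problems;
            }
            try {
                // The connector presents one password for both keystore and key, so a
                // private key protected by a different password is unusable to it.
                if (!(ks.getKey(alias, password.toCharArray()) instanceof PrivateKey)) {
                    problems.add("alias '" + alias + "' holds no private key");
                }
            } catch (UnrecoverableKeyException e) {
                problems.add("private key password for '" + alias + "' differs from the keystore password");
            }
            // An expired or not-yet-valid connector certificate throws CertificateException.
            ((X509Certificate) ks.getCertificate(alias)).checkValidity();
        } catch (Exception e) {
            problems.add(e.getClass().getName() + ": " + e.getMessage());
        }
        return problems;
    }

    /**
     * Checks TrustStore and TrustStorePassword, then asks JSSE's own trust manager whether the
     * peer certificate in peerCertFile (DER or PEM, end-entity certificate first) would be
     * accepted. That is the decision taken at handshake time: a self-signed peer certificate
     * must be in the truststore itself; a CA-issued one is accepted once its issuer chain is.
     */
    static List<String> checkTrustStore(String path, String password, String peerCertFile, boolean peerIsClient) {
        List<String> problems = new ArrayList<String>();
        try {
            KeyStore ts = load(path, password);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            X509TrustManager tm = null;
            for (TrustManager t : tmf.getTrustManagers()) {
                if (t instanceof X509TrustManager) tm = (X509TrustManager) t;
            }
            if (tm == null) throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
            InputStream in = new FileInputStream(peerCertFile);
            X509Certificate[] chain;
            try {
                chain = CertificateFactory.getInstance("X.509").generateCertificates(in).toArray(new X509Certificate[0]);
            } finally {
                in.close();
            }
            if (peerIsClient) {
                tm.checkClientTrusted(chain, "RSA");   // HTTPS listener with UseClientAuth=true
            } else {
                tm.checkServerTrusted(chain, "RSA");   // HTTP-HTTPS handler checking the provider
            }
        } catch (CertificateException e) {
            problems.add("peer certificate would be rejected: " + e.getMessage());
        } catch (Exception e) {
            problems.add(e.getClass().getName() + ": " + e.getMessage());
        }
        return problems;
    }

    public static void main(String[] args) {
        if (args.length != 6) {
            System.err.println("usage: SslPropertyCheck keystore alias keystorePassword truststore truststorePassword peerCertFile");
            return;
        }
        List<String> problems = new ArrayList<String>();
        problems.addAll(checkKeyStore(args[0], args[1], args[2]));
        problems.addAll(checkTrustStore(args[3], args[4], args[5], false)); // false = handler (client) role
        if (problems.isEmpty()) System.out.println("SSL properties are usable");
        for (String p : problems) System.out.println("PROBLEM: " + p);
    }
}
```

The key material itself comes from a third-party tool, as the text notes. With the JDK's keytool the sequence is keytool -genkey -alias connector -keyalg RSA -keystore connector.jks (answer the separate key-password prompt with RETURN so that the key password equals the keystore password, as the connector requires), keytool -export -alias connector -file connector.cer -keystore connector.jks to produce the certificate you distribute to clients or to the provider, and keytool -import -alias provider -file provider.cer -keystore trust.jks to build a truststore from the peer's certificate; pass true as the last argument of checkTrustStore to model the listener checking a client certificate instead.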
