To enable SSL communication in Liberty, a minimal set of SSL configuration
options is needed. Most of the SSL options also require some keystore configuration
information.
About this task
SSL client authentication occurs during the connection handshake by using SSL certificates. The
SSL handshake is a series of messages that are exchanged over the SSL protocol to negotiate for
connection-specific protection. During the handshake, the secure server requests that the client
send back a certificate or certificate chain for authentication. To enable SSL in Liberty, you
add the ssl-1.0 Liberty feature to the configuration root document file,
server.xml, along with the keystore information that is used for authentication.
By default, the path and file name of the configuration root document file is path_to_liberty/wlp/usr/servers/server_name/server.xml, where path_to_liberty is
the location where you installed Liberty on your operating system, and server_name is
the name of your server. However, you can change the path. See Customizing the Liberty environment.
- Enable the ssl-1.0 Liberty feature in
the server.xml file.
<featureManager>
<feature>ssl-1.0</feature>
</featureManager>
Note: If application security is
required and security information is redirected to a secure port,
you must add the appSecurity-2.0 Liberty
feature to the server.xml file.
- Add the keystore service object entry to the server.xml file.
The keyStore element is called defaultKeyStore and
contains the keystore password. The password can be entered in clear
text or encoded. The securityUtility
encode option can be used to encode the password.
<keyStore id="defaultKeyStore" password="yourPassword" />
An example of a SAF keyring in the minimal configuration:
<keyStore id="defaultKeyStore" location="safkeyring:///WASKeyring"
type="JCERACFKS" password="password" fileBased="false"
readOnly="true" />
A RACF® keyring needs to be set up before it is configured
for use by the Liberty server. The server does not create certificates
and add them to RACF.
The
single keystore entry for a minimal SSL configuration can be extended
to include the location and type as well.
<keyStore id="defaultKeyStore" location="myKeyStore.p12" password="yourPassword" type="PKCS12"/>
This configuration is the minimum that is needed to create an SSL configuration.
In this configuration, the server creates the keystore and certificate
during SSL initialization if they do not exist. The password that
is provided must be at least 6 characters long. The keystore is assumed
to be a JKS keystore that is called key.jks in the server_home/resources/security
directory. If the file does not exist, the server creates it for you.
If the server creates the keystore file, it also creates the certificate
inside it. The certificate is a self-signed certificate with a
validity period of 365 days, the CN value of its subjectDN
is the host name of the machine where the server is running, and its
signature algorithm is SHA256withRSA.
Note: The certificates that are created by the Liberty server are not intended
for production use. They are created as a developer convenience.
Certificates that are used in production must be a properly chained
certificate that is issued or signed by a trusted certificate authority.
If you want to use self-signed certificates with a longer duration
or customized subjectDN, one can be created by using the securityUtility
createSSLCertificate task.
The location parameter
can be an absolute path to the keystore file. If it is an absolute
path, then the keystore file is assumed to have been created already.
Keystores of other types can also be specified in the minimal SSL configuration
if the keystore file is already created. When the minimal SSL configuration
is used, the SSL configuration defaults are used to create the SSL
context for an SSL handshake. The configuration protocol is SSL_TLS by
default. The HIGH cipher suites (128-bit and stronger) can be
used.
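The checks below audit a server.xml against the minimal SSL configuration described in this task: the ssl-1.0 feature, the defaultKeyStore entry, the 6-character password minimum, whether the password is still in clear text, and whether the server will fall back to generating the developer-only self-signed key.jks. This is an added example, not part of the Liberty documentation or product; the sample server.xml is constructed, and the {xor}/{aes} prefixes are assumed to be what securityUtility encode writes.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from any real server).
SAMPLE_SERVER_XML = """<server>
  <featureManager>
    <feature>ssl-1.0</feature>
  </featureManager>
  <keyStore id="defaultKeyStore" password="Liberty" />
</server>"""

# Assumed prefixes of a password encoded with securityUtility encode.
ENCODED_PREFIXES = ("{xor}", "{aes}")


def audit_ssl_config(server_xml: str) -> list:
    """Return findings for the minimal SSL configuration; empty list means it passes."""
    root = ET.fromstring(server_xml)
    findings = []

    # The ssl-1.0 feature must be enabled in featureManager.
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if "ssl-1.0" not in features:
        findings.append("ssl-1.0 feature is not enabled in featureManager")

    # The keystore service object must be called defaultKeyStore.
    keystore = next((k for k in root.iter("keyStore")
                     if k.get("id") == "defaultKeyStore"), None)
    if keystore is None:
        findings.append('no keyStore element with id="defaultKeyStore"')
        return findings

    password = keystore.get("password", "")
    if len(password) < 6:
        findings.append("keystore password is shorter than 6 characters")
    if not password.startswith(ENCODED_PREFIXES):
        findings.append("keystore password is in clear text; encode it with securityUtility encode")

    # Without a location the server generates key.jks with a 365-day self-signed certificate.
    if "location" not in keystore.attrib:
        findings.append("no location given: server will generate a self-signed key.jks (not for production)")
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_config(SAMPLE_SERVER_XML):
        print("WARN:", finding)
```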