Problem

The following are the steps for creating WebSphere keyring files that contain a CA certificate, so that WebSphere can communicate with the Netscape LDAP server over SSL. The setup uses two keyring files: a server keyring and a client keyring. The server keyring will store the private key from the certificate request, the public key, and the CA's root certificate. The client keyring will store the public key, the CA's root certificate and the Netscape LDAP server's public key (all as signer certs).

Solution

Perform the following steps:

Save External Public Certificates (LDAP and CA Root)
1. Export the public key from the LDAP server to a file called "ldap.arm".
2. Download the CA's root certificate to a file called "caroot.arm".

Generate the Server Keyring File from the WAS IKeyMan (see WAS 3.5 InfoCenter section 5.5.6.2):
3. Create a new keyring class file called ServerKeyring.class.
4. Generate a certificate request and save it as "certreq.arm".
5. Go to the CA's Web site to request the cert. Get the cert and save it as "newcert.arm".
6. Go to the Personal Certificates section of IKeyMan and select "Receive". Enter the filename "newcert.arm".
7. Select "Extract Certificate" and save it as "websphere.arm".
8. Go to the Signer Certificates section of IKeyMan and select "Add". Enter the filename "caroot.arm".

Generate the Client Keyring File from the WAS IKeyMan:
9. Create a new keyring class file called ClientKeyring.class.
10. Go to the Signer Certificates section of IKeyMan and select "Add". Enter the filename "ldap.arm".
11. Go to the Signer Certificates section of IKeyMan and select "Add". Enter the filename "caroot.arm".
12. Go to the Signer Certificates section of IKeyMan and select "Add". Enter the filename "websphere.arm".

You are now ready to install these in WebSphere:
13. Edit the SAS.SERVER.PROPS file. For WAS AE 4.0.x, use the Security Center to set these. Both the ServerKeyring and ClientKeyring files need to be on the server. Modify the following lines:
com.ibm.CORBA.KeyRingFile=ServerKeyring
com.ibm.CORBA.KeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRing=ClientKeyring
14. Edit the SAS.CLIENT.PROPS file. Only the ClientKeyring file needs to be on the client. Modify the following lines:
com.ibm.CORBA.SSLKeyRing=ClientKeyring
com.ibm.CORBA.SSLKeyRingPassword=WebAS
com.ibm.CORBA.SSLServerKeyRing=ClientKeyring
com.ibm.CORBA.SSLServerKeyRingPassword=WebAS
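As an added check that is not part of the IBM technote: before the .arm files are loaded into IKeyMan (steps 6, 8, 10 and 11), confirm with OpenSSL that each file really is a certificate and that the certificate the CA returned chains to the root you downloaded, since a wrong or truncated root is the usual reason the "Receive" step fails. The script assumes OpenSSL is installed; make_fixture, ca.key, ws.key and the example CN values are constructed test fixtures, not values from the page.

```shell
# Added example, not from the IBM technote. Assumes OpenSSL is installed and
# that the .arm files are base64 (PEM) X.509 certificates, as IKeyMan exports them.
# is_pem_cert FILE -> exit 0 if FILE parses as an X.509 certificate
is_pem_cert() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}
# chains_to_root CERT ROOT -> exit 0 if CERT verifies against ROOT alone
chains_to_root() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
# check_keyring_inputs ROOT NEWCERT LDAPCERT -> report findings, exit 0 if all pass
check_keyring_inputs() {
    root=$1; newcert=$2; ldapcert=$3; rc=0
    for f in "$root" "$newcert" "$ldapcert"; do
        if is_pem_cert "$f"; then
            echo "ok:   $f is an X.509 certificate"
        else
            echo "FAIL: $f is not a PEM certificate; re-export it"; rc=1
        fi
    done
    # newcert.arm must be issued by caroot.arm, otherwise IKeyMan cannot validate
    # it against the signer certificate added in step 8.
    if chains_to_root "$newcert" "$root"; then
        echo "ok:   $newcert chains to $root"
    else
        echo "FAIL: $newcert does not chain to $root; wrong CA root downloaded?"; rc=1
    fi
    # ldap.arm is added directly as a signer cert, so it need not chain to the CA
    # root; show its issuer so the operator can confirm it is the expected cert.
    echo "info: $ldapcert $(openssl x509 -in "$ldapcert" -noout -issuer 2>/dev/null)"
    return $rc
}
# make_fixture DIR: constructed throw-away CA, WebSphere cert and LDAP cert for
# exercising the checks offline. Test fixtures only, not real credentials.
make_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/caroot.arm" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=was.example.test" \
        -keyout "$d/ws.key" -out "$d/certreq.arm" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/certreq.arm" -CA "$d/caroot.arm" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/newcert.arm" >/dev/null 2>&1
    # LDAP server certificate from an unrelated (self-signed) issuer
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ldap.example.test" \
        -keyout "$d/ldap.key" -out "$d/ldap.arm" >/dev/null 2>&1
}
```

Run it on the real files as `check_keyring_inputs caroot.arm newcert.arm ldap.arm`; a non-zero exit means at least one file should be re-exported before continuing with IKeyMan.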
Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, Security
Operating system(s): Multi-Platform
Software version: 3.5, 4.0
Software edition: All Editions
Reference #: 1045807
IBM Group: Software Group
Modified date: 2004-07-28
(C) Copyright IBM Corporation 2000, 2004. All Rights Reserved.