5.5.6.2.5: Making client and server keyrings accessible
After you have created keyring classes and inserted the necessary certificates, you
need to make the keyring classes accessible to the client and server programs.
To use created server and client keyrings in your WebSphere environment, you must
specify them in a number of files:
- admin.config
- adminserver.bat
- adminclient.bat
- sas.server.props
- sas.client.props
If you created client and server keyrings called testclient.class and testserver.class
respectively, and you used "WebAS" as the password when you generated them, you
need to make the following changes:
- In the admin.config file: add the directory holding the keyring classes to the front of
  the com.ibm.ejs.sm.adminserver.classpath variable.
- In the adminclient.bat and adminserver.bat files: add the directory holding the keyring
  classes to the front of the %WAS_CP% variable.
- In the sas.client.props file, set the following properties:
  - com.ibm.CORBA.SSLKeyRing=testclient
  - com.ibm.CORBA.SSLKeyRingPassword=WebAS
  - com.ibm.CORBA.SSLServerKeyRing=testserver
  - com.ibm.CORBA.SSLServerKeyRingPassword=WebAS
- In the sas.server.props file, set the following properties:
  - com.ibm.CORBA.SSLKeyRing=testserver
  - com.ibm.CORBA.SSLKeyRingPassword=WebAS
  - com.ibm.CORBA.SSLClientKeyRing=testclient
  - com.ibm.CORBA.SSLClientKeyRingPassword=WebAS
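As an added check (example code written for this page, not from the InfoCenter or from WebSphere itself), the following Python parses constructed sas.client.props and sas.server.props contents mirroring the settings above and verifies that each file names its own keyring and the peer's keyring, and that the two files agree with each other. It assumes, as the values above show, that the keyring properties take the class name without the .class suffix.

```python
"""Consistency check for the SAS keyring properties on client and server."""
from __future__ import annotations

# Constructed sample file contents, matching the settings listed in the text.
SAS_CLIENT_PROPS = """\
com.ibm.CORBA.SSLKeyRing=testclient
com.ibm.CORBA.SSLKeyRingPassword=WebAS
com.ibm.CORBA.SSLServerKeyRing=testserver
com.ibm.CORBA.SSLServerKeyRingPassword=WebAS
"""
SAS_SERVER_PROPS = """\
com.ibm.CORBA.SSLKeyRing=testserver
com.ibm.CORBA.SSLKeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRing=testclient
com.ibm.CORBA.SSLClientKeyRingPassword=WebAS
"""
PREFIX = "com.ibm.CORBA."

def parse_props(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value or key: value, '#'/'!' comments."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def check_keyring_props(client: dict[str, str], server: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the two files agree."""
    problems: list[str] = []
    # Each side needs its own keyring/password and the peer's keyring/password.
    for side, props, peer_key in (("client", client, "SSLServerKeyRing"),
                                  ("server", server, "SSLClientKeyRing")):
        for k in ("SSLKeyRing", "SSLKeyRingPassword", peer_key, peer_key + "Password"):
            value = props.get(PREFIX + k)
            if not value:
                problems.append(f"{side}: {PREFIX}{k} is missing or empty")
            elif k.endswith("KeyRing") and value.endswith(".class"):
                # Assumption: the property takes the class name, not the file name.
                problems.append(f"{side}: {PREFIX}{k} should name the keyring class without the .class suffix")
    # Cross-check: each side's view of the peer must match the peer's own settings.
    for side, key, peer, peer_key in (("client", "SSLServerKeyRing", server, "SSLKeyRing"),
                                      ("client", "SSLServerKeyRingPassword", server, "SSLKeyRingPassword"),
                                      ("server", "SSLClientKeyRing", client, "SSLKeyRing"),
                                      ("server", "SSLClientKeyRingPassword", client, "SSLKeyRingPassword")):
        own = (client if side == "client" else server).get(PREFIX + key)
        if own != peer.get(PREFIX + peer_key):
            problems.append(f"{side} {key} does not match the peer's {peer_key}")
    return problems
```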
Managing the Server SSL Keyring Files
The administrative model in WebSphere Application Server allows the
SSL settings for each WebSphere component to be centrally and
individually managed. SSL settings are centrally managed in the
administrative console through the default SSL Settings panel. In
addition, any of the default settings can be overridden for an
individual component by using the HTTPS, ORB, and LDAPS SSL settings
panels. See article 6.6.18, Securing
applications, for more detailed information about using the
administrative console to configure WebSphere security.
Always use the administrative console to manage the server keyring files, because changes
made in the console overwrite any manual changes to the sas.server.props file. Client
keyring files are managed in the sas.client.props file because clients can be located on a
remote machine.
The Default SSL Settings panel can be used to configure WebSphere
Application Server components using SSL. Parameters that are set
through the ORB SSL Settings panel override the default SSL settings
for the ORB. Regardless of which settings are in effect, the ORB uses
these settings as follows. (Additionally, the ORB requires the SAS
properties files on the client and server to be configured as
described below.)
- Key file name: The path of the SSL key file used by server connections. For the server
  keyring file generated in this document, add the following to this field:
  product_installation_root/etc/ServerKeyring.jks
- Key file password: The password for the SSL key file for server connections. On the
  server, the key file password is configured in the administrative console and stored in
  the server-cfg.xml file.
- Key file format: The only key file format currently supported by the AEs ORB is JKS.
- Trust file name: The path of the SSL trust file used by clients. On the server, the trust
  file name is configured in the administrative console and stored in the server-cfg.xml
  file. For the client keyring file generated in this document, add the following to this
  field: product_installation_root/etc/ClientKeyring.jks
- Trust file password: The password for the SSL trust file for client connections. On the
  server, the trust file password is configured in the administrative console and stored in
  the server-cfg.xml file.
- Client Authentication: The WebSphere AEs ORB does not currently support SSL client
  authentication using digital certificates. Editing this value will have no effect.
Managing the Client SSL Keyring Files
You need to modify the sas.client.props file, which is located in the
product_installation_root/properties directory. If you used "WebAS" as the password when
you generated the client and server keyrings, you need to make the following changes to
the sas.client.props file:
You can now start your WebSphere application using the newly created keyring classes.