5.5.7.4: Example: Generating keyring files for SSL
This procedure describes how to create keyring files that permit
SSL communications between WebSphere Application Server and an
LDAP server. This requires the creation of two keyring files,
one for the server and one for the client. The server's keyring stores
the public and private key of the server, and the certificate authority's
certificate. The client's keyring stores the server's public key and the CA's
root certificate.
- Download the external public certificate for the root certificate
authority (root CA) and save it to a file. In this example,
the file is called caroot.arm.
- Generate the server-side keyring file.
- Request a certificate for the server, if it doesn't already
have one.
- Generate a certificate request and save it to a file.
In this example, the file is called certreq.arm.
- Submit the request to the certificate authority.
- Save the newly obtained certificate to a file. In this
example, the file is called newcert.arm.
- Place the certificate into a keyring file. This can be
done using either the keytool command-line tool or the
graphical IBM Key Management (Ikeyman) tool. For example,
if you are using the Ikeyman tool, you must:
- Create a new keyring-class file. In this example, the
file is called ServerKeyring.class.
- Specify the certificate in the newcert.arm file
as the certificate to be received into the keyring file.
This is done on the Personal Certificates panel in
the Ikeyman tool.
- The client will also need access to the server's
certificate, so extract the certificate and save it
to a file. In this example, the file is called
websphere.arm.
- Add the certificate of the signing CA, saved in the
file caroot.arm, to the keyring file. This is done
on the Signer Certificates panel in the Ikeyman tool.
- Generate the client-side keyring file. This can be
done using either the keytool command-line tool or the
graphical IBM Key Management (Ikeyman) tool. For example,
if you are using the Ikeyman tool, you must:
- Create a new keyring-class file. In this example, the
file is called ClientKeyring.class.
- Add the certificate of the signing CA, saved in the
file caroot.arm, to the keyring file. This is done
on the Signer Certificates panel in the Ikeyman tool.
- Add the certificate of the server, saved in the file
websphere.arm, to the keyring file. This is also done
on the Signer Certificates panel in the Ikeyman tool.
- Install the new keyring files into the WebSphere Application
Server environment:
- Both the ServerKeyring.class and ClientKeyring.class files
must be placed on the server. Modify the following lines
in the sas.server.props file:
com.ibm.CORBA.KeyRingFile=ServerKeyring
com.ibm.CORBA.KeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRing=ClientKeyring
- The client side requires only the ClientKeyring.class
file. Modify the following lines in the sas.client.props file:
com.ibm.CORBA.SSLKeyRing=ClientKeyring
com.ibm.CORBA.SSLKeyRingPassword=WebAS
com.ibm.CORBA.SSLServerKeyRing=ClientKeyring
com.ibm.CORBA.SSLServerKeyRingPassword=WebAS
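The properties above are easy to get subtly wrong: a keyring name that does not match a .class file on disk, a password left at the example value WebAS, or a client-side props file that points at the server keyring (which carries the server's private key and, as described above, should never be distributed to clients). The following script is an added example and is not part of this InfoCenter page or of WebSphere itself; it parses a sas.server.props or sas.client.props file and reports those problems. The property names are the ones listed above; the sample props content, the keyring directory layout (keyring .class files beside the props file) and the helper names are assumptions made for the example.

```python
"""Audit the keyring settings in sas.server.props / sas.client.props.

Added example: checks that every keyring property names an existing
<name>.class file, that no keyring password is the example default, and
that the client-side file never references the server's keyring.
"""
import tempfile
from pathlib import Path

DEFAULT_PASSWORD = "WebAS"  # the value used in the example props above

# Keyring property -> matching password property, per role (names from the page).
SERVER_RING_KEYS = {
    "com.ibm.CORBA.KeyRingFile": "com.ibm.CORBA.KeyRingPassword",
    "com.ibm.CORBA.SSLClientKeyRing": "com.ibm.CORBA.SSLClientKeyRingPassword",
}
CLIENT_RING_KEYS = {
    "com.ibm.CORBA.SSLKeyRing": "com.ibm.CORBA.SSLKeyRingPassword",
    "com.ibm.CORBA.SSLServerKeyRing": "com.ibm.CORBA.SSLServerKeyRingPassword",
}


def parse_props(text: str) -> dict:
    """Minimal key=value parser for the props format used above (comments start with # or !)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_keyring_props(props: dict, keyring_dir, role: str,
                        server_ring: str = "ServerKeyring") -> list:
    """Return a list of findings; an empty list means the keyring settings are consistent.

    role is "server" (sas.server.props) or "client" (sas.client.props).
    server_ring is the name of the keyring holding the server's private key (assumption).
    """
    ring_keys = SERVER_RING_KEYS if role == "server" else CLIENT_RING_KEYS
    findings = []
    for ring_key, pw_key in ring_keys.items():
        ring = props.get(ring_key)
        if not ring:
            findings.append(f"{ring_key} is not set")
        else:
            # The property holds the keyring name; the file on disk is <name>.class.
            if not (Path(keyring_dir) / f"{ring}.class").is_file():
                findings.append(f"{ring_key}={ring} but {ring}.class is not in {keyring_dir}")
            if role == "client" and ring == server_ring:
                findings.append(f"{ring_key}={ring} hands the server keyring "
                                "(which holds the private key) to clients")
        pw = props.get(pw_key)
        if not pw:
            findings.append(f"{pw_key} is not set")
        elif pw == DEFAULT_PASSWORD:
            findings.append(f"{pw_key} still uses the default password {DEFAULT_PASSWORD!r}")
    return findings


# Constructed sample input: the two props fragments exactly as shown on the page.
SERVER_PROPS = """\
com.ibm.CORBA.KeyRingFile=ServerKeyring
com.ibm.CORBA.KeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRing=ClientKeyring
"""
CLIENT_PROPS = """\
com.ibm.CORBA.SSLKeyRing=ClientKeyring
com.ibm.CORBA.SSLKeyRingPassword=WebAS
com.ibm.CORBA.SSLServerKeyRing=ClientKeyring
com.ibm.CORBA.SSLServerKeyRingPassword=WebAS
"""


def run_demo() -> dict:
    """Audit the sample props against a temporary directory holding both keyring files."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("ServerKeyring", "ClientKeyring"):
            (Path(d) / f"{name}.class").write_bytes(b"")  # placeholder keyring files
        return {
            "server": audit_keyring_props(parse_props(SERVER_PROPS), d, "server"),
            "client": audit_keyring_props(parse_props(CLIENT_PROPS), d, "client"),
        }


if __name__ == "__main__":
    for role, findings in run_demo().items():
        print(f"{role}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run against the example fragments above, the only findings are the four default-password warnings, which is the expected result for a copy of the example; on a real installation the passwords set with Ikeyman should be used and the script should report nothing.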