
5.5.7.3: Example: Generating and using a test keyring

The following sequence of commands illustrates the steps used in creating a keyring for a test server and adding a certificate for an LDAP server so that the WebSphere-to-LDAP communication can occur over an SSL connection.

Until the addition of the LDAP certificate to the vault, this example is structurally identical to the example for generating and using test certificates, with one exception: that example exports the vault to the DummyKeyring class, and this one creates an application-specific TestKeyring class.

Setting the classpath

To use the certificate-management tools, you must put the files cfwk.zip and cfwk-tools.zip at the front of your classpath. These files are located in the AppServer/lib directory of the WebSphere installation. For example, on Windows NT, set the CLASSPATH variable as shown:

set classpath=<WS-install>\AppServer\lib\cfwk.zip;<WS-install>\AppServer\lib\cfwk-tools.zip;%CLASSPATH%

Creating the keys, certificates, and files

Create pairs of keys for TestServer and TestCA.

% java com.ibm.cfwk.tools.KeyGenTool --forge "RSA/512/F4" myTestServ.key
% java com.ibm.cfwk.tools.KeyGenTool --forge "RSA/512/F4" myTestCA.key

Create a self-signed certificate for the TestCA.

% java com.ibm.cfwk.tools.MakeCertTool --serial 0 --for 2y
--issuer "cn=myTestCA"
--sign-alg "MD5 with RSA"
--sign-key myTestCA.key
--cert-file myTestCA.cert

Create a certificate for the TestServer.

% java com.ibm.cfwk.tools.MakeCertTool --serial 0 --for 2y
--issuer "cn=myTestCA"
--subject "cn=myTestServer"
--sign-alg "MD5 with RSA"
--sign-key myTestCA.key
--subject-key myTestServ.key
--cert-file myTestServ.cert

Add TestServer's private key to the vault.

% java com.ibm.cfwk.tools.VaultTool --password "vltpwd" myVault.vlt
add private key myTestServer 00-hex myTestServ.key

Add the chain of certificates for TestServer to the vault.

% java com.ibm.cfwk.tools.VaultTool --password "vltpwd" myVault.vlt
add public chain myTestServer 00-hex myTestServ.cert myTestCA.cert

Add the TestCA's self-signed certificate to the vault.

% java com.ibm.cfwk.tools.VaultTool --password "vltpwd" myVault.vlt
add public cert myTestCA 00-hex myTestCA.cert

Export the information for TestServer and TestCA to the TestKeyring file.

% java com.ibm.cfwk.tools.VaultTool --password "vltpwd" myVault.vlt
container -p "ringpwd" com.ibm.websphere.TestKeyring myTestServer myTestCA

After establishing the WebSphere-to-LDAP connection, you need to add the LDAP server's CA certificate to the keyring. With this in place, the WebSphere-to-LDAP communication can take place over SSL.

To add this certificate to the keyring, you must add it to the vault and then regenerate the keyring file.

First, add the LDAP CA's certificate to the vault.

% java com.ibm.cfwk.tools.VaultTool --password "vltpwd" myVault.vlt
add public cert LDAPCA 00-hex myLDAPCA.cert

Second, generate a new version of the keyring class, including the LDAP CA's label in the set of information to export.

% java com.ibm.cfwk.tools.VaultTool --password "vltpwd" myVault.vlt
container -p "ringpwd" com.ibm.websphere.TestKeyring
myTestServer myTestCA LDAPCA

Note: The keyring class is written to the current directory, regardless of the specified Java package name. You must copy it to a location corresponding to the Java package (for com.ibm.websphere.TestKeyring, the directory com/ibm/websphere/). This is true each time you regenerate the keyring file.
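The steps above build three things: a CA key and self-signed certificate, a server certificate signed by that CA, and a keyring holding the server's key and chain together with the CA certificates the server trusts. The final two steps add the LDAP server's CA to that trusted set, and the reason the keyring must be regenerated is that an SSL client rejects a peer whose chain does not end in one of its trusted CAs. The following Go program is an added example, not IBM's code and not the cfwk tools; it reproduces that trust logic with the standard library so the before/after effect can be observed. The Keyring type, the names mytestserver.example.test and ldap.example.test, and the use of a separate CA for the LDAP server are constructed for the example, and 2048-bit RSA with SHA-256 signatures stands in for the page's RSA/512 and "MD5 with RSA".

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Keyring is the in-memory analogue of the exported TestKeyring class: the server's
// own private key and certificate chain plus the CA certificates it trusts.
type Keyring struct {
	ServerKey   *rsa.PrivateKey
	ServerChain []*x509.Certificate // leaf first, then the issuing CA (the "public chain")
	Trusted     *x509.CertPool      // the "public cert" entries
}

// newCert generates a key pair and a certificate for cn. With parent and parentKey nil it
// is self-signed (the TestCA step); otherwise it is signed by that CA (the TestServer step).
// 2048-bit keys replace the page's RSA/512, which current TLS stacks reject outright.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // RNG failure is an environment problem, not a trust decision
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(2 * 365 * 24 * time.Hour), // --for 2y
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // verifiers match the SAN, not the CN
		tmpl.KeyUsage |= x509.KeyUsageKeyEncipherment
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed: the template is its own issuer
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return key, cert
}

// AddTrustedCA corresponds to "VaultTool ... add public cert <label>" followed by
// regenerating the container with that label included.
func (k *Keyring) AddTrustedCA(ca *x509.Certificate) { k.Trusted.AddCert(ca) }

// VerifyPeer is the check an SSL client applies to the certificate an LDAP server
// presents: the chain must end in a CA held in the keyring and the name must match.
func (k *Keyring) VerifyPeer(leaf *x509.Certificate, dnsName string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: k.Trusted, DNSName: dnsName})
	return err
}

// Demo rebuilds the page's scenario: a test CA and server keyring, an LDAP server whose
// certificate was issued by a different CA, and a trust check on the LDAP peer before
// and after its CA is added to the keyring. All names are constructed for the example.
func Demo() (trustedBefore, trustedAfter bool) {
	caKey, caCert := newCert("myTestCA", true, nil, nil)
	srvKey, srvCert := newCert("mytestserver.example.test", false, caCert, caKey)
	ring := &Keyring{ServerKey: srvKey, ServerChain: []*x509.Certificate{srvCert, caCert}, Trusted: x509.NewCertPool()}
	ring.AddTrustedCA(caCert) // "add public cert myTestCA"

	ldapCAKey, ldapCA := newCert("LDAPCA", true, nil, nil)
	_, ldapCert := newCert("ldap.example.test", false, ldapCA, ldapCAKey)

	trustedBefore = ring.VerifyPeer(ldapCert, "ldap.example.test") == nil // unknown authority
	ring.AddTrustedCA(ldapCA)                                             // "add public cert LDAPCA", then regenerate
	trustedAfter = ring.VerifyPeer(ldapCert, "ldap.example.test") == nil
	return trustedBefore, trustedAfter
}

func main() {
	before, after := Demo()
	fmt.Printf("LDAP peer trusted before adding LDAPCA: %v, after: %v\n", before, after)
}
```

The first VerifyPeer call fails because the keyring holds only myTestCA; the LDAP server's chain terminates in a CA the client has never seen. Adding LDAPCA is what turns the handshake from a rejection into a verified connection, which is why the exported keyring class has to be rebuilt with the new label after every vault change.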
