5.5.7.4: Example: Generating keyring files for SSL

This procedure describes how to create keyring files that permit SSL communications between WebSphere Application Server and an LDAP server. This requires the creation of two keyring files, one for the server and one for the client. The server's keyring stores the public and private key of the server, and the certificate authority's certificate. The client's keyring stores the server's public key and the CA's root certificate.

  1. Download the external public certificate for the root certificate authority (root CA) and save it to a file. In this example, the file is called caroot.arm.
  2. Generate the server-side keyring file.
    1. Request a certificate for the server, if it doesn't already have one.
      1. Generate a certificate request and save it to a file. In this example, the file is called certreq.arm.
      2. Submit the request to the certificate authority.
      3. Save the newly obtained certificate to a file. In this example, the file is called newcert.arm.
    2. Place the certificate into a keyring file. This can be done using either the keytool command-line tool or the graphical IBM Key Management (Ikeyman) tool. For example, if you are using the Ikeyman tool, you must:
      1. Create a new keyring-class file. In this example, the file is called ServerKeyring.class.
      2. Specify the certificate in the newcert.arm file as the certificate to be received into the keyring file. This is done on the Personal Certificates panel in the Ikeyman tool.
      3. The client will also need access to the server's certificate, so extract the certificate and save it to a file. In this example, the file is called websphere.arm.
      4. Add the certificate of the signing CA, saved in the file caroot.arm, to the keyring file. This is done on the Signer Certificates panel in the Ikeyman tool.
  3. Generate the client-side keyring file. This can be done using either the keytool command-line tool or the graphical IBM Key Management (Ikeyman) tool. For example, if you are using the Ikeyman tool, you must:
    1. Create a new keyring-class file. In this example, the file is called ClientKeyring.class.
    2. Add the certificate of the signing CA, saved in the file caroot.arm, to the keyring file. This is done on the Signer Certificates panel in the Ikeyman tool.
    3. Add the certificate of the server, saved in the file websphere.arm, to the keyring file. This is also done on the Signer Certificates panel in the Ikeyman tool.
  4. Install the new keyring files into the WebSphere Application Server environment:
    • Both the ServerKeyring.class and ClientKeyring.class files must be placed on the server. Modify the following lines in the sas.server.props file:
      com.ibm.CORBA.KeyRingFile=ServerKeyring
      com.ibm.CORBA.KeyRingPassword=WebAS
      com.ibm.CORBA.SSLClientKeyRingPassword=WebAS
      com.ibm.CORBA.SSLClientKeyRing=ClientKeyring
      
    • The client side requires only the ClientKeyring.class file. Modify the following lines in the sas.client.props file:
      com.ibm.CORBA.SSLKeyRing=ClientKeyring
      com.ibm.CORBA.SSLKeyRingPassword=WebAS
      com.ibm.CORBA.SSLServerKeyRing=ClientKeyring
      com.ibm.CORBA.SSLServerKeyRingPassword=WebAS
      
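The following script is an added example, not part of the InfoCenter text or of WebSphere itself. It performs the sanity check a practitioner would run after step 4: it reads the sas.server.props and sas.client.props lines quoted above, confirms that every keyring property points at a keyring-class file that has actually been deployed, and flags any password property still set to WebAS, the placeholder password used throughout this example. The property names are the ones listed above; the keyring directory, the empty stand-in .class files and the sample property text are constructed for the demonstration.

```python
import os
import tempfile
from typing import Dict, List, Tuple

# Placeholder password used in the example above; it must not survive into production.
EXAMPLE_PASSWORD = "WebAS"

# (keyring property, matching password property) pairs each props file is expected to set.
SERVER_KEYRINGS: List[Tuple[str, str]] = [
    ("com.ibm.CORBA.KeyRingFile", "com.ibm.CORBA.KeyRingPassword"),
    ("com.ibm.CORBA.SSLClientKeyRing", "com.ibm.CORBA.SSLClientKeyRingPassword"),
]
CLIENT_KEYRINGS: List[Tuple[str, str]] = [
    ("com.ibm.CORBA.SSLKeyRing", "com.ibm.CORBA.SSLKeyRingPassword"),
    ("com.ibm.CORBA.SSLServerKeyRing", "com.ibm.CORBA.SSLServerKeyRingPassword"),
]

# Constructed samples reproducing the lines quoted in step 4.
SAS_SERVER_PROPS = """\
# constructed sample of sas.server.props
com.ibm.CORBA.KeyRingFile=ServerKeyring
com.ibm.CORBA.KeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRing=ClientKeyring
"""
SAS_CLIENT_PROPS = """\
# constructed sample of sas.client.props
com.ibm.CORBA.SSLKeyRing=ClientKeyring
com.ibm.CORBA.SSLKeyRingPassword=WebAS
com.ibm.CORBA.SSLServerKeyRing=ClientKeyring
com.ibm.CORBA.SSLServerKeyRingPassword=WebAS
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, whitespace trimmed."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # ignore malformed lines without '='
        props[key.strip()] = value.strip()
    return props


def check_keyrings(props: Dict[str, str], pairs: List[Tuple[str, str]], keyring_dir: str) -> List[str]:
    """Return one finding per missing property, undeployed keyring file or placeholder password."""
    findings: List[str] = []
    for ring_key, pw_key in pairs:
        name = props.get(ring_key)
        if not name:
            findings.append(f"{ring_key} is not set")
        else:
            # The keyring name in the props file is resolved to <name>.class in the keyring directory.
            path = os.path.join(keyring_dir, name + ".class")
            if not os.path.isfile(path):
                findings.append(f"{ring_key}={name}: {path} is missing")
        password = props.get(pw_key)
        if not password:
            findings.append(f"{pw_key} is not set")
        elif password == EXAMPLE_PASSWORD:
            findings.append(f"{pw_key} still uses the example password {EXAMPLE_PASSWORD!r}")
    return findings


def demo() -> Dict[str, List[str]]:
    """Run the checks against the constructed samples in a scratch directory."""
    with tempfile.TemporaryDirectory() as keyring_dir:
        # Empty stand-ins (constructed) for the keyring files produced in steps 2 and 3.
        for name in ("ServerKeyring.class", "ClientKeyring.class"):
            open(os.path.join(keyring_dir, name), "wb").close()
        server = check_keyrings(parse_properties(SAS_SERVER_PROPS), SERVER_KEYRINGS, keyring_dir)
        client = check_keyrings(parse_properties(SAS_CLIENT_PROPS), CLIENT_KEYRINGS, keyring_dir)
        # A client host where ClientKeyring.class was never copied: the file check fires twice.
        os.remove(os.path.join(keyring_dir, "ClientKeyring.class"))
        missing = check_keyrings(parse_properties(SAS_CLIENT_PROPS), CLIENT_KEYRINGS, keyring_dir)
    return {"server": server, "client": client, "client_missing_file": missing}


if __name__ == "__main__":
    for role, findings in demo().items():
        print(role, *findings, sep="\n  ")
```

Against the sample files the server and client checks each report two findings, both for the WebAS placeholder password; deleting the client keyring adds two "is missing" findings, one per property that names ClientKeyring. Point `check_keyrings` at the real props text and keyring directory to use it on an installation.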
Go to previous article: Example: Generating and using a test keyring Go to next article: Establishing trust association with a reverse proxy server