Getting background information on SSL/JSSE
What type of SSL connection are you trying to create? This affects the key
and trust store used by WebSphere, and where the files to be used are set.
- Enabling security - Nodeagent to Deployment Manager SSL communication:
SSL Repertoire is set in the Administrative Console under
System Administration -> dmgr -> JMX Connectors -> SOAPConnector
-> Custom Properties -> sslConfig
- SSL between WebSphere and LDAP server:
SSL Repertoire is set in the Administrative Console under Security
-> User Registries -> LDAP
- SSL between Java client and WebSphere server:
SSL Repertoire is set in the Administrative Console under Security
-> Authentication Protocol -> CSIv2 Inbound/Outbound Transport.
If the Java client uses SAS to connect to WebSphere, the same area has a
SAS Inbound/Outbound Transport section.
- SSL request from Web client (browser) to WebSphere server:
SSL Repertoire is set in the Administrative Console under Servers ->
Application Servers -> <servername> -> Web Container -> HTTP Transports.
Each transport with SSL enabled has its own SSL Repertoire to set.
- SSL outbound connection from an application running in WebSphere
Application Server to another server:
Unless the javax.net.ssl.keyStore and javax.net.ssl.trustStore system
properties are set by your application, the default keystore and
truststore file is <WAS_HOME>/java/jre/lib/security/cacerts. There
is no WebSphere SSL Repertoire to set for this type of connection.
Other information on SSL:
- SSL and Public-Key Overviews
http://developer.mozilla.org/en/docs/Introduction_to_Public-Key_Cryptography
http://developer.mozilla.org/en/docs/Introduction_to_SSL
- SSL Repertoires in WebSphere
http://publib.boulder.ibm.com/infocenter/ws51help/topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_sslrep.html
http://publib.boulder.ibm.com/infocenter/ws51help/topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_ssldap.html
http://publib.boulder.ibm.com/infocenter/ws51help/topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_rwsplug.html
Secure Sockets Layer provides the following:
- The server can authenticate itself to the client
- The client can authenticate itself to the server
- An encrypted connection between the server and client
Public-Key Encryption
- Uses a public/private key pair to encrypt and decrypt data
- Is used during authentication of the server/client in SSL
- Not used for bulk data transfer because of the amount of computation
needed
Symmetric-Key Encryption
- Uses the same key on both the server and client
- Key must be kept secret
- Allows for two-way encryption/decryption
Troubleshooting steps to help resolve SSL/JSSE problems
- Are you trying to replace the Dummy Key and Trust Files with your own
certificates?
Yes - refer to Creating Custom Secure Socket Layer (SSL) Key Files for V5.0
using Self-Signed Certificates (GSK 5)
No - Move to the next question
- Are you receiving an 'unknown certificate' error?
Yes - refer to Outbound JSSE (SSL) calls fail in Network Deployment
environment with Global Security enabled
Yes - Ensure that the signer certificate of the remote server is loaded in
your trust file or cacerts.
No - Move to the next question
- Are you receiving an 'expired certificate' error?
Yes - refer to Expired Verisign Certificates in "cacerts" File for WebSphere
Application Server V5.1
Yes - Open all key files and remove any expired certificates
No - Move to the next question
- Are you receiving a 'no certificate' error?
Yes - The server is requiring a client certificate that the client is not
presenting. Make sure 'client authentication' is unchecked in the
administrative console for the SSL Repertoire (or give the client a
certificate if mutual authentication is actually required).
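The two trust-store checks above (is the signer loaded, is anything expired) can be done without opening each file by hand. The following Java program is an added example, not from this page or from IBM: it lists the entries of a JKS trust store such as cacerts or the Dummy key/trust files, flags certificates that are expired or not yet valid, and reports whether a given signer certificate file is already present. The store path, password ("changeit" is the JDK default for cacerts) and signer file name are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
// Usage: java TrustStoreAudit <truststore.jks> <storepass> [signer.cer]
// e.g. (assumed path): java TrustStoreAudit
//      /opt/WebSphere/AppServer/java/jre/lib/security/cacerts changeit signer.cer
public class TrustStoreAudit {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TrustStoreAudit <truststore> <storepass> [signer.cer]");
            System.exit(2);
        }
        // JKS is the format of cacerts and of the WebSphere Dummy key/trust files
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        int invalid = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            try {
                x.checkValidity(); // throws CertificateExpiredException / NotYetValidException
            } catch (CertificateException ex) {
                invalid++;
                System.out.println("NOT VALID: " + alias + " (" + x.getSubjectX500Principal()
                        + ") notAfter=" + x.getNotAfter());
            }
        }
        System.out.println(ks.size() + " entries, " + invalid + " expired or not yet valid");
        if (args.length > 2) {
            // Is the remote server's signer certificate already a trusted entry?
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate signer;
            try (InputStream in = new FileInputStream(args[2])) {
                signer = (X509Certificate) cf.generateCertificate(in);
            }
            String alias = ks.getCertificateAlias(signer);
            System.out.println(alias == null
                    ? "signer NOT in trust store: expect an 'unknown certificate' error"
                    : "signer present as alias '" + alias + "'");
        }
    }
}
```

Run it against every key and trust file named in the SSL Repertoire for the connection type in question, since each repertoire can point at a different store.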
What to do next?
If the above steps did not solve your problem, see the MustGather for
SSL/JSSE problems to continue the investigation.