Use this page to configure the repertoire settings for the server.
To view this administrative console page, click Security > SSL > alias_name.
Configuration tab
Data type: String
Note: If you create a new SSL alias using the administrative console, the alias name is automatically given the format <nodeName>/alias. If you create a new SSL alias using wsadmin, you must supply a name in that format yourself.
You can create an SSL key file with the key management utility, or this file can correspond to a hardware device if one is available. In either case, this option indicates the source for personal certificates, and also for signer certificates unless a trust file is specified. The default SSL key files, DummyClientKeyFile.jks and DummyServerKeyFile.jks, contain a self-signed personal test certificate that expires on March 17, 2005. The test certificate is intended only for use in a test environment. Never use the default SSL key files in a production environment: the private keys in them are identical on every WebSphere Application Server installation, so anyone with a copy of the product can impersonate your server or decrypt its traffic. Refer to the Managing certificates article for information about creating and managing digital certificates for your WebSphere Application Server domain.
An example of a read-only keystore file type is JCERACFKS. This type is read-only from the WebSphere certificate management standpoint, but you can still update it with the RACF keystore management facility. JCERACFKS cannot be selected directly in the administrative console.
Note: If you want to use a JCERACFKS keystore type, choose JKS in the drop-down list. WebSphere Application Server dynamically changes the keystore type to JCERACFKS if a safkeyring:///... name is specified in the keystore name field.
Data type: String
Data type: String
Data type: String
Default: JKS
Range: JKS, JCEK, PKCS12, JCERACFKS (z/OS only), JCE4758RACFKS (z/OS only)
You can create a trust file with the key management utility included in the WebSphere bin directory. Do not use the key management utility from Global Security Kit (GSKit), which is a different SSL implementation: the key databases it creates do not work with the Java Secure Socket Extension (JSSE) implementation.
Unlike the SSL key file, a trust file references no personal certificates; only signer certificates are retrieved from it. The default SSL trust files, DummyClientTrustFile.jks and DummyServerTrustFile.jks, contain multiple test public keys as signer certificates, and these certificates expire. The public key for the WebSphere Application Server Version 4.x test certificates expires on January 15, 2004, and the public key for the WebSphere Application Server Version 5 test certificates and the WebSphere Application Server CORBA C++ client expires on March 17, 2005. These test certificates are intended only for use in a test environment.
To obtain the updated test certificates, apply the following APARs:
If a trust file is not specified but the SSL key file is specified, the SSL key file is used to retrieve signer certificates as well as personal certificates, so every signer certificate stored in the key file is trusted.
Data type: String
Data type: String
Data type: String
Default: JKS
Range: JKS, JCEK, PKCS12, JCERACFKS (z/OS only), JCE4758RACFKS (z/OS only)
This attribute is only valid when the repertoire is used by the Web container HTTP transport; it has no effect on other transports.
To require client authentication over the Internet Inter-ORB Protocol (IIOP) for EJB requests, click Security > Authentication Protocol > CSIv2 Inbound or Outbound Authentication in the left navigation pane of the administrative console, then click SSL Client Certificate Authentication to enable it for those requests.
Data type: Boolean
Default: Disabled
Range: Enabled or Disabled
Data type: String (Low, Medium, or High)
To enable all ciphers or any particular set of ciphers instead of a level, set the com.ibm.ssl.enabledCipherSuites custom property. See the SSL documentation for more information.
Default: High
Range: Low, Medium, or High
Data type: Boolean
Default: Disabled
Range: Enabled or Disabled
If you select the first option, select a predefined provider from the menu.
WebSphere Application Server has two predefined providers, IBMJSSE and IBMJSSEFIPS. IBMJSSEFIPS is a version of the IBMJSSE provider that is Federal Information Processing Standard (FIPS) certified. If you select the second option, enter a custom provider. For a custom provider, you must first enter the cipher suites and protocol through Custom Properties under Additional Properties, because the valid cipher suite and protocol values depend on the provider.
The name of the cipher suite property is com.ibm.ssl.enabledCipherSuites. The name of the protocol property is com.ibm.ssl.protocol.
Data type: integer
Default: 100
Range: 1 to 86400
If you are using a FIPS-approved JSSE provider such as IBMJSSEFIPS, you must select a TLS protocol. The FIPS-approved JSSE providers are not backwards-compatible with SSL, so a server that uses the TLS protocol cannot communicate with a client that only uses an SSL protocol; check the protocol configured on every client that connects to such a server.
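The rules on this page (Dummy* key and trust files are test-only, a missing trust file makes the key file the signer source, a safkeyring:/// name turns a JKS entry into JCERACFKS, aliases take the nodeName/alias form, and a FIPS provider needs a TLS protocol) can be checked mechanically against a repertoire definition. The script below is an added example, not IBM code or part of this page. It assumes the repertoire is stored in security.xml as a `<repertoire alias=...>` element with a `<setting>` child carrying the attribute names `keyFileName`, `keyFileFormat`, `trustFileName`, `securityLevel` and `<properties name= value=>` children; the sample XML is constructed for the example, and the attribute names are an assumption to verify against your own security.xml.

```python
"""Lint WebSphere SSL repertoire settings against the rules on this page.

Added example, not IBM code. The security.xml attribute names used here
(keyFileName, keyFileFormat, trustFileName, securityLevel, properties)
are an assumption; adjust them to match your installation.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on a security.xml fragment; not real data.
SAMPLE_SECURITY_XML = """<security>
  <repertoire alias="node01/DefaultSSLSettings">
    <setting keyFileName="${USER_INSTALL_ROOT}/etc/DummyServerKeyFile.jks"
             keyFileFormat="JKS"
             trustFileName="${USER_INSTALL_ROOT}/etc/DummyServerTrustFile.jks"
             trustFileFormat="JKS" securityLevel="HIGH"/>
  </repertoire>
  <repertoire alias="RACFSettings">
    <setting keyFileName="safkeyring:///WASKeyring" keyFileFormat="JKS"
             trustFileName="" trustFileFormat="JKS" securityLevel="LOW"/>
  </repertoire>
  <repertoire alias="node01/ProdSSL">
    <setting keyFileName="/opt/was/etc/prodKey.p12" keyFileFormat="PKCS12"
             trustFileName="/opt/was/etc/prodTrust.jks" trustFileFormat="JKS"
             securityLevel="HIGH">
      <properties name="com.ibm.ssl.protocol" value="TLS"/>
    </setting>
  </repertoire>
</security>"""

# The shipped test stores named on this page; shared keys, test-only.
DUMMY_FILES = {"DummyClientKeyFile.jks", "DummyServerKeyFile.jks",
               "DummyClientTrustFile.jks", "DummyServerTrustFile.jks"}
ALIAS_RE = re.compile(r"^[^/]+/[^/]+$")  # loose check for <nodeName>/alias


def effective_type(name, declared):
    """safkeyring:///... names run as JCERACFKS even if JKS is declared."""
    return "JCERACFKS" if name.startswith("safkeyring:///") else declared


def lint_repertoire(rep):
    """Return a list of findings (empty list means no rule was tripped)."""
    findings = []
    alias = rep.get("alias", "")
    if not ALIAS_RE.match(alias):
        findings.append("alias not in <nodeName>/alias form")
    s = rep.find("setting")
    if s is None:
        return findings + ["no <setting> element"]
    key = s.get("keyFileName", "")
    trust = s.get("trustFileName", "")
    if key.rsplit("/", 1)[-1] in DUMMY_FILES:
        findings.append("key file is a Dummy* store: same private key on every install")
    if trust.rsplit("/", 1)[-1] in DUMMY_FILES:
        findings.append("trust file is a Dummy* store: test signers only")
    if not trust:
        findings.append("no trust file: signers are taken from the key file")
    declared = s.get("keyFileFormat", "JKS")
    actual = effective_type(key, declared)
    if actual != declared:
        findings.append(f"key file type runs as {actual}, not {declared}")
    if s.get("securityLevel", "HIGH").upper() != "HIGH":
        findings.append(f"security level {s.get('securityLevel')}")
    props = {p.get("name"): p.get("value") for p in s.findall("properties")}
    protocol = props.get("com.ibm.ssl.protocol")
    if protocol and not protocol.upper().startswith("TLS"):
        findings.append(f"protocol {protocol} is not TLS (required by IBMJSSEFIPS)")
    return findings


def lint(xml_text):
    """Map every repertoire alias in the document to its findings."""
    root = ET.fromstring(xml_text)
    return {rep.get("alias"): lint_repertoire(rep)
            for rep in root.findall("repertoire")}


if __name__ == "__main__":
    for alias, findings in lint(SAMPLE_SECURITY_XML).items():
        print(alias, "->", findings or "ok")
```

Run it against a copy of security.xml taken from the cell or node configuration; any repertoire that reports a Dummy* store or a non-TLS protocol should be fixed before the server faces real clients.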