[Version 5.0.2 and later] Repertoire settings

Use this page to configure the repertoire settings for the server.

To view this administrative console page, click Security > SSL > alias_name.

Configuration tab

Alias
Specifies the name of the specific SSL setting
Data type: String

Note: If you create a new SSL alias using the administrative console, the alias name is automatically of the format <nodeName>/alias. However, if you create a new SSL alias using wsadmin, you must name it in that format yourself.

Key File Name
Specifies the fully qualified path to the SSL key file that contains public keys and private keys.

You can create an SSL key file with the key management utility, or this file can correspond to a hardware device if one is available. In either case, this option indicates the source for personal certificates and for signer certificates unless a trust file is specified. The default SSL key files, DummyClientKeyFile.jks and DummyServerKeyFile.jks, contain a self-signed personal test certificate expiring on March 17, 2005. The test certificate is only intended for use in a test environment. The default SSL key files should never be used in a production environment because the private keys are the same on all WebSphere Application Server installations. Refer to the Managing certificates article for information about creating and managing digital certificates for your WebSphere Application Server domain.

An example of a read-only keystore file type is JCERACFKS. This type is read-only from the WebSphere certificate management standpoint, but you can also update it using the keystore management facility for RACF. JCERACFKS is not currently supported in the administrative console.

Note: If you want to use a JCERACFKS keystore type, choose JKS in the drop-down list. WebSphere Application Server dynamically changes the keystore type to JCERACFKS if a safkeyring:///... is specified in the keystore name field.

Data type: String
Key File Password
Specifies the password for accessing the SSL key file.
Data type: String
Key File Format
Specifies the format of the SSL key file.
Data type: String
Default: JKS
Range: JKS, JCEK, PKCS12, JCERACFKS (z/OS only), JCE4758RACFKS (z/OS only)
Trust File Name
Specifies the fully qualified path to a trust file containing the public keys.

You can create a trust file with the key management utility included in the WebSphere bin directory. The key management utility from the Global Security Kit (GSKit), another SSL implementation, does not work with the Java Secure Socket Extension (JSSE) implementation.

Unlike the SSL key file, no personal certificates are referenced; only signer certificates are retrieved. The default SSL trust files, DummyClientTrustFile.jks and DummyServerTrustFile.jks, contain multiple test public keys as signer certificates that can expire. The public key for the WebSphere Application Server Version 4.x test certificates expires on January 15, 2004, and the public key for the WebSphere Application Server Version 5 test certificates and WebSphere Application Server CORBA C++ client expires on March 17, 2005. The test certificate is only intended for use in a test environment.

To obtain the updated test certificates, apply the following APARs:

  • WebSphere Application Server Version 4.x: PQ77261
  • WebSphere Application Server Version 5.x: PQ77264

If a trust file is not specified but the SSL key file is specified, then the SSL key file is used for retrieval of signer certificates as well as personal certificates.

Data type: String
Trust File Password
Specifies the password for accessing the SSL trust file.
Data type: String
Trust File Format
Specifies the format of the SSL trust file.
Data type: String
Default: JKS
Range: JKS, JCEK, PKCS12, JCERACFKS (z/OS only), JCE4758RACFKS (z/OS only)
Client Authentication
Specifies whether to request a certificate from the client for authentication purposes when making a connection.

This attribute is only valid when used by the Web container HTTP transport.

When performing client authentication with the Internet InterORB Protocol (IIOP) for EJB requests, click Security > Authentication Protocol > CSIv2 Inbound or Outbound Authentication from the left navigation pane of the administrative console. Click SSL Client Certificate Authentication to enable it for these requests.

Data type: Boolean
Default: Disabled
Range: Enabled or Disabled
Security Level
Specifies whether the server selects from a preconfigured set of security levels.
Data type: Valid values include Low, Medium, or High.
  • Low specifies only digital signing ciphers (no encryption).
  • Medium specifies only 40-bit ciphers (including digital signing).
  • High specifies 56-bit and higher ciphers (including digital signing).

To specify all ciphers or any particular range, you can set the com.ibm.ssl.enabledCipherSuites property.

See the SSL documentation for more information.

Default: High
Range: Low, Medium, or High
Cipher Suites
Specifies a list of supported cipher suites that can be selected during the SSL handshake. If you select cipher suites individually here, you override the cipher suites set in the Security Level field.
Data type:
Default:
Range:
Cryptographic Token
Specifies whether the server enables or disables cryptographic hardware and software support. The SOAP connector does not use hardware cryptography.
Data type: Boolean
Default: Disabled
Range: Enabled or Disabled
Provider   [Version 5.0.2 and later]
Refers to a package that supplies a concrete implementation of a subset of the cryptography aspects of the Java Security API.

If you select the first button, select a provider from the menu.

WebSphere Application Server has two predefined providers, IBMJSSE and IBMJSSEFIPS. IBMJSSEFIPS is a version of the IBMJSSE provider that is Federal Information Processing Standard (FIPS) certified. If you select the second option, enter a custom provider. For a custom provider, you must first enter the cipher suites through Custom Properties under Additional Properties, because the valid cipher suite and protocol values depend on the provider.

The name for the cipher suite property is com.ibm.ssl.enabledCipherSuites. The name for the protocol property is com.ibm.ssl.protocol.

Data type: integer
Default: 100
Range: 1 to 86400
Protocol   [Version 5.0.2 and later]
Specifies the SSL protocol that is used.

If you are using a FIPS-approved JSSE such as IBMJSSEFIPS, you must select a TLS protocol. Because the FIPS-approved JSSE providers are not backwards-compatible, a server that uses the TLS protocol cannot communicate with a client that uses an SSL protocol.
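The constraints this page states for a repertoire can be checked mechanically: the shipped Dummy*KeyFile.jks files carry a private key that is identical on every installation, the Dummy*TrustFile.jks files hold expiring test signers, an explicit Cipher Suites list overrides Security Level, a Low level means signing-only ciphers with no encryption, and a FIPS-approved provider such as IBMJSSEFIPS requires a TLS protocol. The following Python is an added example and is not part of the IBM documentation or of the product. It models one repertoire as a plain dict keyed by the Configuration tab field labels (that key naming is the example's own choice, not a WebSphere property set), classifies cipher suites by the JSSE naming convention (NULL bulk cipher, EXPORT/40-bit key), and returns findings. The sample repertoire and its file paths are constructed.

```python
"""Lint a WebSphere 5.x SSL repertoire against the rules on the
Repertoire settings page.  The dict keys (alias, keyFileName, ...) are
this example's own representation of the Configuration tab fields."""
from posixpath import basename

# Test keystores named on the page; the private key in the key files is the
# same on every installation, so they must never be used in production.
DUMMY_KEY_FILES = {"DummyClientKeyFile.jks", "DummyServerKeyFile.jks"}
DUMMY_TRUST_FILES = {"DummyClientTrustFile.jks", "DummyServerTrustFile.jks"}
FIPS_PROVIDERS = {"IBMJSSEFIPS"}
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}


def cipher_level(suite):
    """Map a JSSE cipher suite name onto the page's Low/Medium/High scale."""
    if "_WITH_NULL_" in suite:
        return "Low"       # digital signing only, no encryption
    if "_EXPORT_" in suite or "_40_" in suite:
        return "Medium"    # 40-bit ciphers
    return "High"          # 56-bit and higher


def effective_level(repertoire):
    """Cipher Suites, when set, override Security Level: the weakest suite in
    the explicit list decides what the handshake may negotiate."""
    suites = [s.strip() for s in repertoire.get("cipherSuites", "").split(",") if s.strip()]
    if not suites:
        return repertoire.get("securityLevel", "High")
    return min((cipher_level(s) for s in suites), key=LEVEL_RANK.__getitem__)


def lint_repertoire(repertoire):
    """Return a list of (severity, message) findings; an empty list is clean."""
    findings = []
    key_file = repertoire.get("keyFileName", "")
    trust_file = repertoire.get("trustFileName", "")

    if basename(key_file) in DUMMY_KEY_FILES:
        findings.append(("high", f"{basename(key_file)} is a shipped test key file; "
                                 "its private key is the same on every installation"))
    if basename(trust_file) in DUMMY_TRUST_FILES:
        findings.append(("medium", f"{basename(trust_file)} holds expiring test signer certificates"))
    if key_file and not trust_file:
        findings.append(("info", "no trust file: signer certificates are taken from the key file"))
    if key_file.startswith("safkeyring:///") and repertoire.get("keyFileFormat") == "JKS":
        findings.append(("info", "safkeyring key file: JKS is switched to JCERACFKS at run time"))

    configured = repertoire.get("securityLevel", "High")
    actual = effective_level(repertoire)
    if actual == "Low":
        findings.append(("high", "effective security level Low: signing-only ciphers, no encryption"))
    elif actual == "Medium":
        findings.append(("medium", "effective security level Medium: 40-bit ciphers only"))
    if LEVEL_RANK[actual] < LEVEL_RANK[configured]:
        findings.append(("medium", f"Cipher Suites list overrides Security Level {configured} down to {actual}"))

    provider = repertoire.get("provider", "IBMJSSE")
    protocol = repertoire.get("protocol", "SSL")
    if provider in FIPS_PROVIDERS and not protocol.upper().startswith("TLS"):
        findings.append(("high", f"{provider} is FIPS-approved and requires a TLS protocol, got {protocol}"))
    return findings


# Constructed sample: shipped dummy files, a FIPS provider left on an SSL
# protocol, and an explicit suite list that undercuts Security Level High.
SAMPLE_REPERTOIRE = {
    "alias": "myNode/DefaultSSLSettings",
    "keyFileName": "/opt/WebSphere/AppServer/etc/DummyServerKeyFile.jks",
    "keyFileFormat": "JKS",
    "trustFileName": "/opt/WebSphere/AppServer/etc/DummyServerTrustFile.jks",
    "securityLevel": "High",
    "cipherSuites": "SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "provider": "IBMJSSEFIPS",
    "protocol": "SSL",
}

if __name__ == "__main__":
    for severity, message in lint_repertoire(SAMPLE_REPERTOIRE):
        print(f"[{severity}] {message}")
```

Run stand-alone, the sample produces five findings: the two dummy files, the Medium effective level, the override of Security Level High by the 40-bit export suite, and the FIPS provider paired with an SSL protocol.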


Related reference
Administrative console buttons
Administrative console page features
Administrative console scope settings
Administrative console filter settings
Administrative console preference settings
Secure Sockets Layer settings for custom properties



Searchable topic ID:   usecssl
Last updated: Jun 21, 2007 4:55:42 PM CDT    WebSphere Application Server Network Deployment, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/usec_ssl.html
