Use this page to configure the repertoire settings for the server.
To view this administrative console page, click Security > SSL > alias_name.
Configuration tab
Data type: String
This field is used on the System SSL Repertoire and Java Secure Sockets Extension (JSSE) Repertoire panels.
Note: If you create a new SSL alias using the administrative console, the alias name is automatically of the format <nodeName>/alias. However, if creating a new SSL alias using wsadmin, you must manually create the SSL alias name using that format.
For JSSE SSL, the key file specifies the keystore file. The key file might also specify the System Authorization Facility (SAF) Key ring that contains certificates and keys. You can create a JSSE SSL keystore file by using the keytool utility found in the WebSphere bin directory. The key file contains certificates and keys.
For System SSL or JSSE, you can create an SSL key ring by using the Resource Access Control Facility (RACF) command, RACDCERT. Issue this command in your MVS environment, such as TSO READY or ISPF option 6. The key ring contains the private certificate of this server and certificates of trusted certificate authorities. The certificates for the trusted certificate authorities validate the client certificates and other server certificates that are exchanged with this server during the SSL handshake. The repertoires that you define for a server require identical key file names.
An example of a read-only keystore file type is JCERACFKS. This type is read-only from the WebSphere certificate management standpoint, but you can also update it using the keystore management facility for RACF. JCERACFKS is not currently supported in the administrative console.
Note: If you want to use a JCERACFKS keystore type, choose JKS in the drop-down list. WebSphere Application Server dynamically changes the keystore type to JCERACFKS if a safkeyring:///... is specified in the keystore name field.
Data type: String
Data type: String
This field is used on the JSSE Repertoire panel.
Data type: String
Default: JKS
Range: JKS, JCEK, PKCS12, JCERACFKS (z/OS only), JCE4758RACFKS (z/OS only)
This field is used on the JSSE Repertoire panel.
You can create a trust file by using the keytool utility located in the WebSphere bin directory.
Unlike the SSL key file, no personal certificates are referenced; only signer certificates are retrieved. The default SSL trust files, DummyClientTrustFile.jks and DummyServerTrustFile.jks, contain multiple test public keys as signer certificates that can expire. The public key for the WebSphere Application Server Version 4.x test certificates expires on January 15, 2004, and the public key for the WebSphere Application Server Version 5 test certificates and WebSphere Application Server CORBA C++ client expires on March 17, 2005. The test certificate is only intended for use in a test environment.
To obtain the updated test certificates apply the following APARs:
If a trust file is not specified but the SSL key file is specified, then the SSL key file is used for retrieval of signer certificates as well as personal certificates.
Data type: String
This field is used on the JSSE Repertoire panel.
Data type: String
This field is used on the JSSE Repertoire panel.
Data type: String
Default: JKS
Range: JKS, JCEK, PKCS12, JCERACFKS (z/OS only), JCE4758RACFKS (z/OS only)
This field is used on the JSSE Repertoire panel.
When performing client authentication with the Internet Inter-ORB Protocol (IIOP) for EJB requests, click Security > Authentication Protocol > CSIv2 Inbound or Outbound Authentication from the left navigation pane of the administrative console. Click SSL Client Certificate Authentication to enable it for these requests.
Data type: Boolean
Default: Disabled
Range: Enabled or Disabled
This field is used on the System SSL Repertoire and JSSE Repertoire panels.
Data type: Valid values include Low, Medium or High. To specify all ciphers or any particular range, you can set the com.ibm.ssl.enabledCipherSuites property. See the SSL documentation for more information.
Default: High
Range: Low, Medium, or High
Note: The SOAP connector does not use security level.
This field is used on the System SSL Repertoire and Java Secure Sockets Extension (JSSE) Repertoire panels.
Data type: String
Default: None
Note: The SOAP connector does not use cipher suites.
This field is used on the Java Secure Sockets Extension (JSSE) Repertoire panel.
Data type: Boolean
Default: Disabled
Range: Enabled or Disabled
This field is used on the Java Secure Sockets Extension (JSSE) Repertoire panel.
The repertoires that you define for a server require the same V3 timeout value.
Data type: Integer
Default: 100
Range: 1 to 86400
This field is used on the System SSL Repertoire panel.
If you select the first button, select a provider from the menu.
The name for the cipher suite property is com.ibm.ssl.enabledCipherSuites. The name for the protocol property is com.ibm.ssl.protocol.
Data type: Integer
Default: 100
Range: 1 to 86400
This field is used on the Java Secure Sockets Extension (JSSE) Repertoire panel.
This field is used on the Java Secure Sockets Extension (JSSE) Repertoire panel.
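The constraints this page states for a repertoire (the <nodeName>/alias name format, the keystore type range, the safkeyring:/// switch to JCERACFKS, the key file standing in for a missing trust file, and the key file name and V3 timeout that must match across a server's repertoires) can be checked before the settings are entered. The following is an added example, not IBM code; the dictionary keys, the sample values and the rule that flags a security level below High are assumptions of the example.

```python
# Added example. Dictionary keys are hypothetical, not WebSphere attribute names.
KEYSTORE_TYPES = {"JKS", "JCEK", "PKCS12", "JCERACFKS", "JCE4758RACFKS"}
ZOS_ONLY = {"JCERACFKS", "JCE4758RACFKS"}
TEST_STORES = ("DummyClientTrustFile.jks", "DummyServerTrustFile.jks")
def effective(rep):
    out = dict(rep)
    # A safkeyring:/// name switches the keystore type to JCERACFKS.
    if out.get("key_file", "").startswith("safkeyring:///"):
        out["key_type"] = "JCERACFKS"
    # No trust file: signer certificates come from the key file.
    if not out.get("trust_file") and out.get("key_file"):
        out["trust_file"] = out["key_file"]
        out["trust_type"] = out.get("key_type", "JKS")
    return out

def lint(rep, zos=False):
    r, found = effective(rep), []
    if not all(r.get("alias", "").partition("/")):
        found.append("alias is not <nodeName>/alias")
    for field in ("key_type", "trust_type"):
        t = r.get(field, "JKS")
        if t not in KEYSTORE_TYPES:
            found.append(f"{field} {t} is outside the documented range")
        elif t in ZOS_ONLY and not zos:
            found.append(f"{field} {t} is z/OS only")
    level = r.get("security_level", "High")
    if level not in ("Low", "Medium", "High"):
        found.append(f"security level {level} is not valid")
    elif level != "High":  # policy choice of this example, not a product rule
        found.append(f"security level {level} is weaker than the default")
    if not 1 <= r.get("v3_timeout", 100) <= 86400:
        found.append("V3 timeout is outside 1 to 86400")
    if r.get("trust_file", "").endswith(TEST_STORES):
        found.append("trust file is a default test store")
    return found

def lint_server(reps, zos=False):
    report = {r.get("alias", "?"): lint(r, zos) for r in reps}
    report["<server>"] = []  # cross-repertoire requirements
    if len({effective(r).get("key_file") for r in reps}) > 1:
        report["<server>"].append("key file names differ")
    if len({r.get("v3_timeout", 100) for r in reps}) > 1:
        report["<server>"].append("V3 timeout values differ")
    return report

SAMPLE = [  # constructed sample input
    {"alias": "node1/web", "key_file": "safkeyring:///WASRing", "key_type": "JKS"},
    {"alias": "orb", "key_file": "/keys/orb.jks", "security_level": "Low",
     "trust_file": "/etc/DummyServerTrustFile.jks", "v3_timeout": 0}]
```

Calling `lint_server(SAMPLE, zos=True)` returns a dictionary of findings keyed by alias, with the cross-repertoire mismatches under `<server>`.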