[Version 5.0.2 and later] Configuring Secure Sockets Layer

Why and when to perform this task

Secure Sockets Layer (SSL) is used by multiple components within WebSphere Application Server to provide trust and privacy. These components are the built-in HTTP Transport, the Object Request Broker (ORB) (for client and Internet InterORB Protocol (IIOP)) and the secure Lightweight Directory Access Protocol (LDAP) client. SSL configuration differs between the client and the server, and between JSSE and System SSL.

Steps for this task

  1. Configure the client (JSSE).
    Use the sas.client.props file, which by default is located in the ${install_root}/properties directory of your WebSphere Application Server installation. The sas.client.props file is a configuration file that contains a list of property-value pairs, using the syntax <property> = <value>. The property names are case sensitive, but the values are not; the values are converted to lowercase when the file is read. Specify the following properties for an SSL connection:
    • com.ibm.ssl.protocol
    • com.ibm.ssl.keyStoreType
    • com.ibm.ssl.keyStore
    • com.ibm.ssl.keyStorePassword
    • com.ibm.ssl.trustStoreType
    • com.ibm.ssl.trustStore
    • com.ibm.ssl.trustStorePassword
    • com.ibm.ssl.enabledCipherSuites
    • com.ibm.ssl.contextProvider
    • com.ibm.ssl.keyStoreServerAlias
    • com.ibm.ssl.keyStoreClientAlias
  2. Configure the client (System SSL).

    Configurations using System SSL are differentiated by z/OS Secure Authentication Services (z/SAS) and CSIv2 protocols. z/SAS protocols use renamed legacy environment variables provided by z/OS for WebSphere Application Server Version 4.x. The z/SAS protocol can be used by C++ and Java clients. CSIv2 uses a new properties file specified by a Java property and can be used by Java clients only.

    • z/SAS:
      1. Create an environment file for the client such as current.env. Set the variables in the file as listed.
      2. Specify the SSL key ring through the security_sslKeyring variable to a key ring that was created for the client.
      3. Specify a user ID and password if using z/SAS basic authentication through the client_protocol_user and the client_protocol_password variables.
      4. Point to the environment file using the fully qualified path name through the environment variable WAS_CONFIG_FILE. For example, in the test shell script test.sh, export WAS_CONFIG_FILE=/WebSphere/V5R0M0/AppServer/bin/current.env.
    • CSIv2: CSIv2 supports Java clients only, and the Java com.ibm.CORBA.ConfigURL property must be specified to point to a properties file in the Hierarchical File System (HFS). You can specify a file only, and the URL must use the file: prefix (see the example below). There is no default. You can also specify individual properties on the Java invocation.
      1. Create or update the CSIv2 properties file with the properties listed in the following steps.
      2. Specify the SSL key ring using com.ibm.CSI.performSSL.Keyring.
      3. If using the Generic Security Service username/password (GSSUP) authentication mechanism, specify the user ID and password using the com.ibm.CSI.Rem.Userid and com.ibm.CSI.Rem.Password properties. Select GSSUP by setting com.ibm.CSI.performClientAuthenticationType=SAFUSERIDPASSWORD, together with com.ibm.CSI.performClientAuthenticationRequired and com.ibm.CSI.performTransportAssocSSLTLSSupported.
      4. If client certificate authentication is desired, specify com.ibm.CSI.performTLClientAuthenticationRequired and com.ibm.CSI.performTLClientAuthenticationSupported.
      5. Specify the fully qualified path name of the properties file on the Java invocation, for example: -Dcom.ibm.CORBA.ConfigURL=file:/WebSphere/V5R0M0/AppServer/bin/CSI.properties

  3. Configure the server.
    Use the administrative console to configure an application server that makes SSL connections. To start the administrative console, specify the following Web address: http://server_hostname:9090/admin.
  4. Create a System SSL or JSSE repertoire.
    The type of repertoire depends on what function is being configured. In general, you need to create both kinds of repertoires. System SSL repertoires are required to use SSL over HTTP and IIOP. A Java Secure Socket Extension (JSSE) repertoire is used to connect Simple Object Access Protocol (SOAP) connectors.
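The following Python script is an added example and is not code from the IBM page or the product. It parses both client property files described in steps 1 and 2 (the JSSE sas.client.props and the CSIv2 properties file) using the property = value syntax the page describes, then reports settings that are missing or that work against each other, such as GSSUP selected without SSL/TLS support or a required-but-unsupported client certificate option. The file contents, key ring name and store paths are constructed for the example, and the rules for what counts as a weak protocol value or cipher suite are this example's own, not the page's.

```python
"""Consistency checker for WebSphere for z/OS client SSL property files.

Added example, not IBM code. Sample file contents below are constructed.
"""
from typing import Dict, List

# SSL properties the page lists for sas.client.props (step 1).
JSSE_SSL_PROPERTIES = (
    "com.ibm.ssl.protocol", "com.ibm.ssl.keyStoreType", "com.ibm.ssl.keyStore",
    "com.ibm.ssl.keyStorePassword", "com.ibm.ssl.trustStoreType",
    "com.ibm.ssl.trustStore", "com.ibm.ssl.trustStorePassword",
    "com.ibm.ssl.enabledCipherSuites", "com.ibm.ssl.contextProvider",
    "com.ibm.ssl.keyStoreServerAlias", "com.ibm.ssl.keyStoreClientAlias",
)

# Cipher suite name fragments this example treats as weak (lowercase, because
# sas.client.props values are lowercased on read). The list is an assumption.
WEAK_SUITE_MARKERS = ("_null_", "_export_", "_anon_", "_des_", "_rc4_")


def parse_props(text: str, lower_values: bool = True) -> Dict[str, str]:
    """Parse 'property = value' lines. Names keep their case; values are
    lowercased when lower_values is True, mirroring the read behaviour the
    page describes for sas.client.props. Blank and '#' lines are ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split("=", 1)
        value = value.strip()
        props[name.strip()] = value.lower() if lower_values else value
    return props


def check_jsse(props: Dict[str, str]) -> List[str]:
    """Findings for a parsed sas.client.props; an empty list means clean."""
    findings = [f"missing {n}" for n in JSSE_SSL_PROPERTIES if n not in props]
    protocol = props.get("com.ibm.ssl.protocol", "")
    if protocol and "tls" not in protocol:  # example rule: require a TLS-capable value
        findings.append(f"protocol {protocol!r} does not select TLS")
    for name in ("com.ibm.ssl.keyStorePassword", "com.ibm.ssl.trustStorePassword"):
        if name in props and not props[name]:
            findings.append(f"{name} is empty")
    suites = props.get("com.ibm.ssl.enabledCipherSuites", "")
    for suite in filter(None, (s.strip() for s in suites.split(","))):
        if any(marker in suite for marker in WEAK_SUITE_MARKERS):
            findings.append(f"weak cipher suite enabled: {suite}")
    return findings


def _is_true(props: Dict[str, str], name: str) -> bool:
    return props.get(name, "").lower() == "true"


def check_csiv2(props: Dict[str, str]) -> List[str]:
    """Findings for a parsed CSIv2 properties file (step 2). Values are kept as
    written: the page states the lowercasing rule only for sas.client.props."""
    findings: List[str] = []
    if not props.get("com.ibm.CSI.performSSL.Keyring"):
        findings.append("missing com.ibm.CSI.performSSL.Keyring")
    auth_type = props.get("com.ibm.CSI.performClientAuthenticationType", "").lower()
    if auth_type == "safuseridpassword":  # GSSUP: a password travels in the request
        for name in ("com.ibm.CSI.Rem.Userid", "com.ibm.CSI.Rem.Password"):
            if not props.get(name):
                findings.append(f"GSSUP selected but {name} is not set")
        if not _is_true(props, "com.ibm.CSI.performClientAuthenticationRequired"):
            findings.append("GSSUP selected but performClientAuthenticationRequired is not true")
        if not _is_true(props, "com.ibm.CSI.performTransportAssocSSLTLSSupported"):
            findings.append("GSSUP selected but performTransportAssocSSLTLSSupported is not true")
    if _is_true(props, "com.ibm.CSI.performTLClientAuthenticationRequired") and not _is_true(
        props, "com.ibm.CSI.performTLClientAuthenticationSupported"
    ):
        findings.append("client certificate authentication required but not supported")
    return findings


# Constructed sample files (paths, passwords and key ring name are made up).
SAMPLE_SAS_CLIENT_PROPS = """
# constructed sample, deliberately flawed
com.ibm.ssl.protocol = SSL
com.ibm.ssl.keyStoreType = JKS
com.ibm.ssl.keyStore = /WebSphere/V5R0M0/AppServer/etc/clientkeys.jks
com.ibm.ssl.keyStorePassword = WebAS
com.ibm.ssl.trustStoreType = JKS
com.ibm.ssl.trustStore = /WebSphere/V5R0M0/AppServer/etc/clienttrust.jks
com.ibm.ssl.trustStorePassword =
com.ibm.ssl.enabledCipherSuites = SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
com.ibm.ssl.contextProvider = IBMJSSE
com.ibm.ssl.keyStoreServerAlias = default
"""
SAMPLE_CSI_PROPERTIES = """
com.ibm.CSI.performSSL.Keyring = WASKeyring
com.ibm.CSI.performClientAuthenticationType = SAFUSERIDPASSWORD
com.ibm.CSI.performClientAuthenticationRequired = true
com.ibm.CSI.performTransportAssocSSLTLSSupported = false
com.ibm.CSI.Rem.Userid = WSCLIENT
"""

if __name__ == "__main__":
    for label, findings in (
        ("sas.client.props", check_jsse(parse_props(SAMPLE_SAS_CLIENT_PROPS))),
        ("CSI.properties", check_csiv2(parse_props(SAMPLE_CSI_PROPERTIES, lower_values=False))),
    ):
        print(label, "clean" if not findings else "\n  " + "\n  ".join(findings))
```

Run the script against the real files by replacing the sample strings with open(...).read(); the checks only look at property presence and values, so nothing is sent over the network and no store is opened.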

Related concepts
Secure Sockets Layer
Digital certificates
Authentication protocol for EJB security
Related tasks
Enabling JMS applications to use client mode with SSL and RACF
Related reference
Secure Sockets Layer configuration repertoire settings



Searchable topic ID:   tsecssl
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/tsec_ssl.html