Before you begin
WebSphere Application Server for z/OS running at maintenance levels before W502000 stored digital certificate information in two different places because of JDK restrictions:
Why and when to perform this task
WebSphere Application Server for z/OS customers running server W50100x or later, with Java Development Kit 1.3 level SR20 or later, can modify their WebSphere Application Server systems to use SAF for JSSE as well as SSL (eliminating the need to maintain duplicate certificates in the HFS). The instructions below describe how to enable this support.
Note: Systems customized at maintenance levels at or after W502000 use the single (SAF) digital certificate repository by default, and do not need the modifications described below.
To use SAF certificates with JSSE:
Steps for this task
The soap.client.props file is used by the wsadmin.sh script.
Changes to wsadmin client SAF keyrings require updates to the soap.client.props file and the creation of a keyring for administrators. Specify the following values:
com.ibm.ssl.protocol=SSL
com.ibm.ssl.keyStoreType=JCERACFKS
com.ibm.ssl.keyStore=safkeyring:///yourKeyringName
com.ibm.ssl.keyStorePassword=password
com.ibm.ssl.trustStoreType=JCERACFKS
com.ibm.ssl.trustStore=safkeyring:///yourKeyringName
com.ibm.ssl.trustStorePassword=password
The password value specified is not a real password; you can use any string. Replace the string yourKeyringName with your administrative SAF keyring. The keyring name used by all WebSphere administrators and the administrative started task user ID (default WSADMSH) must be the same. Additionally, when SAF keyrings are used and security is enabled, a keyring must be created for each user who runs the wsadmin.sh file with the SOAP connector. (A keyring is created by the customization process for your initial administrative user ID, such as WSADMIN.)
How to create keyrings for administrative users in SAF is described in SSL considerations for WebSphere Application Server administrators.
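The following check is an added example, not part of the original IBM documentation: it audits the text of a soap.client.props file against the values listed above and reports any store that still points at an HFS keystore file. The keyring name WASKeyring, the file path, and both sample files are constructed; treating keyStore and trustStore as the same keyring is an assumption taken from the single yourKeyringName placeholder.

```python
REQUIRED_TYPE = "JCERACFKS"
SAF_PREFIX = "safkeyring:///"

# Constructed sample inputs (not taken from a real system).
GOOD = """\
com.ibm.ssl.protocol=SSL
com.ibm.ssl.keyStoreType=JCERACFKS
com.ibm.ssl.keyStore=safkeyring:///WASKeyring
com.ibm.ssl.keyStorePassword=password
com.ibm.ssl.trustStoreType=JCERACFKS
com.ibm.ssl.trustStore=safkeyring:///WASKeyring
com.ibm.ssl.trustStorePassword=password
"""
# Key store left on an HFS file while the trust store was moved to SAF.
LEGACY = GOOD.replace("keyStoreType=JCERACFKS", "keyStoreType=JKS").replace(
    "ssl.keyStore=safkeyring:///WASKeyring", "ssl.keyStore=/constructed/etc/client.jks")

def parse_props(text):
    """Parse simple key=value lines; '#' and '!' start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit_saf_settings(text):
    """Return a list of findings; an empty list means the settings match."""
    props, findings, rings = parse_props(text), [], {}
    for store in ("keyStore", "trustStore"):
        stype = props.get(f"com.ibm.ssl.{store}Type")
        if stype != REQUIRED_TYPE:
            findings.append(f"{store}Type is {stype!r}, expected {REQUIRED_TYPE}")
        location = props.get(f"com.ibm.ssl.{store}", "")
        if location.startswith(SAF_PREFIX) and len(location) > len(SAF_PREFIX):
            rings[store] = location[len(SAF_PREFIX):]
        else:
            findings.append(f"{store} is {location!r}, expected {SAF_PREFIX}<keyring>")
        if f"com.ibm.ssl.{store}Password" not in props:
            findings.append(f"{store}Password is not set (any string is accepted)")
    # Assumption: both stores name the same keyring; comparison is case-sensitive.
    if len(rings) == 2 and rings["keyStore"] != rings["trustStore"]:
        findings.append("keyStore and trustStore name different keyrings")
    return findings

if __name__ == "__main__":
    for finding in audit_saf_settings(LEGACY):
        print("FINDING:", finding)
```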