[Version 5.0.2 and later] Repertoire settings

Use this page to configure the repertoire settings for the server.

To view this administrative console page, click Security > SSL > alias_name.

Configuration tab

Alias
Specifies the name of the specific SSL setting
Data type: String

This field is used on the System SSL Repertoire and Java Secure Sockets Extension (JSSE) Repertoire panels.

Note: If you create a new SSL alias using the administrative console, the alias name is automatically of the format <nodeName>/alias. However, if you create a new SSL alias using wsadmin, you must create the SSL alias name in that format yourself.

Key File Name
Specifies the fully qualified path to the SSL key file that contains public keys and private keys.

For JSSE SSL, the key file specifies the keystore file. The key file might also specify the System Authorization Facility (SAF) Key ring that contains certificates and keys. You can create a JSSE SSL keystore file by using the keytool utility found in the WebSphere bin directory. The key file contains certificates and keys.

For System SSL or JSSE, you can create an SSL key ring by using the Resource Access Control Facility (RACF) command, RACDCERT. Issue this command in your MVS environment, such as TSO READY or ISPF option 6. The key ring contains the private certificate of this server and certificates of trusted certificate authorities. The certificates for the trusted certificate authorities validate the client certificates and other server certificates that are exchanged with this server during the SSL handshake. The repertoires that you define for a server require identical key file names.

An example of a read-only keystore file type is JCERACFKS. This type is read-only from the WebSphere certificate management standpoint, but you can also update it using the keystore management facility for RACF. JCERACFKS is not currently supported in the administrative console.

Note: If you want to use a JCERACFKS keystore type, choose JKS in the drop-down list. WebSphere Application Server dynamically changes the keystore type to JCERACFKS if a safkeyring:///... is specified in the keystore name field.

Data type: String

Key File Password
Specifies the password for accessing the SSL key file.
Data type: String

This field is used on the JSSE Repertoire panel.

Key File Format
Specifies the format of the SSL key file.
Data type: String
Default: JKS
Range: JKS, JCEK, PKCS12, JCERACFKS (z/OS only), JCE4758RACFKS (z/OS only)

This field is used on the JSSE Repertoire panel.

Trust File Name
Specifies the fully qualified path to a trust file containing the public keys.

You can create a trust file by using the keytool utility located in the WebSphere bin directory.

Unlike the SSL key file, no personal certificates are referenced; only signer certificates are retrieved. The default SSL trust files, DummyClientTrustFile.jks and DummyServerTrustFile.jks, contain multiple test public keys as signer certificates that can expire. The public key for the WebSphere Application Server Version 4.x test certificates expires on January 15, 2004, and the public key for the WebSphere Application Server Version 5 test certificates and WebSphere Application Server CORBA C++ client expires on March 17, 2005. The test certificate is only intended for use in a test environment.

To obtain the updated test certificates apply the following APARs:

WebSphere Application Server Version 4.x
PQ77261
WebSphere Application Server Version 5.x
PQ77264

If a trust file is not specified but the SSL key file is specified, then the SSL key file is used for retrieval of signer certificates as well as personal certificates.

Data type: String

This field is used on the JSSE Repertoire panel.

Trust File Password
Specifies the password for accessing the SSL trust file.
Data type: String

This field is used on the JSSE Repertoire panel.

Trust File Format
Specifies the format of the SSL trust file.
Data type: String
Default: JKS
Range: JKS, JCEK, PKCS12, JCERACFKS (z/OS only), JCE4758RACFKS (z/OS only)

This field is used on the JSSE Repertoire panel.

Client Authentication
Specifies whether to request a certificate from the client for authentication purposes when making a connection.

When performing client authentication with the Internet InterORB Protocol (IIOP) for EJB requests, click Security > Authentication Protocol > CSIv2 Inbound or Outbound Authentication from the left navigation pane of the administrative console. Click SSL Client Certificate Authentication to enable it for these requests.

Data type: Boolean
Default: Disabled
Range: Enabled or Disabled

This field is used on the System SSL Repertoire and JSSE Repertoire panels.

Security Level
Specifies whether the server selects from a preconfigured set of security levels.
Data type: String (valid values are Low, Medium, or High)
  • Low specifies only digital signing ciphers (no encryption).
  • Medium specifies only 40-bit ciphers (including digital signing).
  • High specifies 56-bit and higher ciphers (including digital signing).

To specify all ciphers or any particular range, you can set the com.ibm.ssl.enabledCipherSuites property.

See the SSL documentation for more information.

Default: High
Range: Low, Medium, or High

Note: The SOAP connector does not use security level.

This field is used on the System SSL Repertoire and Java Secure Sockets Extension (JSSE) Repertoire panels.

Cipher Suites
Specifies a list of supported cipher suites that can be selected during the SSL handshake. If you select cipher suites individually here, you override the cipher suites set in the Security Level field.
Data type: String
Default: None

Note: The SOAP connector does not use cipher suites.

This field is used on the Java Secure Sockets Extension (JSSE) Repertoire panel.
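The following added example (not IBM's code) models how the Security Level and Cipher Suites fields above combine into the list offered in the SSL handshake: the level filters suites by bulk-cipher strength, and an explicit Cipher Suites selection overrides the level entirely. It assumes suites can be classified from the bulk-cipher token in their JSSE name; the sample suite list is constructed.

```python
# Added example; not IBM's code. Models the Security Level / Cipher Suites
# interaction of a JSSE repertoire. Assumption: a suite's strength is read
# from the bulk-cipher token in its standard JSSE name.
import re
from typing import List, Optional

# Key length in bits of the bulk cipher named in a JSSE suite string
BULK_BITS = {
    "NULL": 0,                                         # signing only, no encryption
    "RC4_40": 40, "RC2_CBC_40": 40, "DES40_CBC": 40,   # export-grade 40-bit
    "DES_CBC": 56, "3DES_EDE_CBC": 168, "RC4_128": 128,
    "AES_128_CBC": 128, "AES_256_CBC": 256,
}
_SUITE = re.compile(r"^(?:SSL|TLS)_[A-Z0-9_]+?_WITH_(.+)_(?:MD5|SHA\d*)$")

# Constructed sample of suites a provider might offer (standard JSSE names)
AVAILABLE = [
    "SSL_RSA_WITH_NULL_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
]

def bulk_bits(suite: str) -> int:
    """Return the bulk-cipher key length implied by a JSSE suite name."""
    m = _SUITE.match(suite)
    if not m or m.group(1) not in BULK_BITS:
        raise ValueError(f"unrecognised cipher suite: {suite}")
    return BULK_BITS[m.group(1)]

def allowed_by_level(suite: str, level: str) -> bool:
    """Apply the Low / Medium / High rules as the repertoire page states them."""
    bits = bulk_bits(suite)
    if level == "Low":
        return bits == 0                     # digital signing ciphers only
    if level == "Medium":
        return bits <= 40                    # 40-bit ciphers plus signing-only
    if level == "High":
        return bits == 0 or bits >= 56       # 56-bit and higher plus signing-only
    raise ValueError(f"unknown security level: {level}")

def effective_suites(available: List[str], security_level: str = "High",
                     cipher_suites: Optional[List[str]] = None) -> List[str]:
    """Explicit Cipher Suites selection overrides Security Level; else filter by level."""
    if cipher_suites:
        unknown = sorted(set(cipher_suites) - set(available))
        if unknown:
            raise ValueError(f"suites not offered by provider: {unknown}")
        return list(cipher_suites)
    return [s for s in available if allowed_by_level(s, security_level)]

def weak_suites(suites: List[str], min_bits: int = 128) -> List[str]:
    """Audit helper (assumed threshold): suites whose bulk cipher is below min_bits."""
    return [s for s in suites if bulk_bits(s) < min_bits]
```

Note that High still admits signing-only (NULL) suites under the page's rules, so `weak_suites` is the check to run on the effective list before relying on it for confidentiality.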

Cryptographic Token
Specifies whether the server enables or disables cryptographic hardware and software support. The SOAP connector does not use hardware cryptography.
Data type: Boolean
Default: Disabled
Range: Enabled or Disabled

This field is used on the Java Secure Sockets Extension (JSSE) Repertoire panel.

V3 Timeout
Specifies the length of time that a browser can reuse a System SSL Version 3 session ID without renegotiating encryption keys with the server.

The repertoires that you define for a server require the same V3 timeout value.

Data type: Integer
Default: 100
Range: 1 to 86400

This field is used on the System SSL Repertoire panel.

Provider [Version 5.0.2 and later]
Refers to a package that supplies a concrete implementation of a subset of the cryptography aspects of the Java Security API.

If you select the first button, select a provider from the menu.

The name for the Cipher suite property is com.ibm.ssl.enabledCiphersuites. The name for the protocol property is com.ibm.ssl.protocol.


This field is used on the Java Secure Sockets Extension (JSSE) Repertoire panel.

Protocol [Version 5.0.2 and later]
Specifies the SSL protocol that is used.

This field is used on the Java Secure Sockets Extension (JSSE) Repertoire panel.


Related reference
Administrative console buttons
Administrative console page features
Administrative console scope settings
Administrative console filter settings
Administrative console preference settings
Secure Sockets Layer settings for custom properties



Searchable topic ID:   usecssl
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/usec_ssl.html
