[Version 5.0.2 and later] Using System Authorization Facility keyrings with Java Secure Sockets Extension

Before you begin

WebSphere Application Server for z/OS running at maintenance levels before W502000 stored digital certificate information in two places because of JDK restrictions: SAF keyrings for SSL, and Java key store files in the HFS for JSSE. Systems customized at W502000 or above use the single (SAF) digital certificate repository by default and do not need the modifications described below.

Why and when to perform this task

WebSphere Application Server for z/OS customers running server level W50100x or later, with Java Development Kit 1.3 at service refresh SR20 or later, can modify their WebSphere Application Server systems to use SAF keyrings for JSSE as well as SSL, eliminating the need to maintain duplicate certificates in Java key store files in the HFS. The instructions below describe how to enable this support.

Note: Systems customized at maintenance levels at or after W502000 use the single (SAF) digital certificate repository by default, and do not need the modifications described below.

To use SAF certificates with JSSE:

Steps for this task

  1. Update the Java Management Extensions (JMX) connector settings to indicate the SAF keyring names.
    1. Log in to the administrative console using an identity with administrator authority. Click Servers, then click Application Servers.
      The Application Servers page lists the application servers in your cell. Click the first application server name.
    2. On the server page under Additional Properties, scroll down and click Administration Services. Complete these additional steps:
      1. On the Administration Services page under Additional Properties, click JMX Connectors.
      2. On the JMX Connectors page, click Soap Connector.
      3. On the Soap Connector page, under Additional Properties, click Custom Properties.
      4. On the Custom Properties page, click sslConfig.
      5. On the sslConfig page, look at the Value field. Verify that this field says nodename/DefaultSOAPSSLSettings, where nodename represents the node name where the application server resides. Record the node name for the next step.
      6. Select nodename/RACFJSSESettings from the list next to the Value field, where nodename is the same as the node name that you previously recorded.
      7. Click OK. The Custom Properties page appears with a message indicating that changes are made to your local configuration. Do not click Save because additional changes are required.
    3. Click Application Servers, and repeat the previous substeps for each of the other application servers in the cell.
    4. Click System Administration. Complete these additional steps:
      1. Under System Administration, click Deployment Manager.
      2. On the deployment manager page under Additional Properties, click Administration Services.
      3. On the Administration Services page under Additional Properties, click JMX Connectors.
      4. On the JMX Connectors page, click Soap Connector.
      5. On the Soap Connector page under Additional Properties, click Custom Properties.
      6. On the Custom Properties page, click sslConfig.
      7. On the sslConfig page, look at the Value field. This field displays dmnode/DefaultSOAPSSLSettings, where dmnode represents the deployment manager node name. Record the node name for the next step.
      8. Select dmnode/RACFJSSESettings from the list next to the Value field, where dmnode represents the deployment manager node name. Click OK. After a short time the Custom Properties page appears with a message at the top indicating that changes have been made to your local configuration. Do not click Save at this point because additional changes are required.
    5. Under System Administration, click Node Agents. Then complete these additional steps:
      1. On the Node Agents page, click the first node agent in the list. Record the node agent name for the next step.
      2. On the node agent page under Additional Properties, click Administration Services.
      3. On the Administration Services page under Additional Properties, click JMX Connectors.
      4. On the JMX Connectors page, click Soap Connector.
      5. On the Soap Connector page under Additional Properties, click Custom Properties.
      6. On the Custom Properties page, click sslConfig.
      7. On the sslConfig page, look at the Value field. This field displays nodename/DefaultSOAPSSLSettings, where nodename is the node name where the node agent resides. Record the node name for the next step.
      8. Select nodename/RACFJSSESettings from the list next to the Value field, where nodename is the node name that you previously recorded. Click OK. The Custom Properties page is displayed with a message indicating that changes have been made to the local configuration. Do not click Save at this point because additional changes are required.
    6. Click Node Agents, and repeat the previous substeps for each of the other node agents in the cell.
      After you update the Custom Properties of the last node agent, click Save when the message "Changes have been made to your local configuration. Click Save to apply changes to the master configuration" is displayed.
    7. On the Save page, click Synchronize changes with Nodes. Then click Save.
      Once the changes are saved, the administrative console returns to the home page.
  2. Update the soap.client.props file to indicate the SAF keyring names.
    The soap.client.props file is used by the wsadmin.sh script and is located in the (user.install.root)/properties directory of the application server or deployment manager. Its purpose is to specify the values used by Simple Object Access Protocol (SOAP) clients such as wsadmin.sh. In a cell configured before WebSphere Application Server for z/OS maintenance level W502000, the soap.client.props file names the Java key store files used by JSSE. Once your cell is using SAF keyrings for JSSE administration, verify that SAF keyrings are also being used for SOAP clients.

    Switching the wsadmin client to SAF keyrings requires updating the soap.client.props file and creating a keyring for administrators. Specify the following values:

    com.ibm.ssl.protocol=SSL
    com.ibm.ssl.keyStoreType=JCERACFKS
    com.ibm.ssl.keyStore=safkeyring:///yourKeyringName
    com.ibm.ssl.keyStorePassword=password
    com.ibm.ssl.trustStoreType=JCERACFKS
    com.ibm.ssl.trustStore=safkeyring:///yourKeyringName
    com.ibm.ssl.trustStorePassword=password
    

    The keyStorePassword and trustStorePassword values are not real passwords: a SAF keyring is protected by SAF access controls rather than by a password, so any string can be used, but a value must be present. Replace the string yourKeyringName with your administrative SAF keyring. The keyring name used by all WebSphere administrators and by the administrative started task user ID (default WSADMSH) must be the same. Additionally, when SAF keyrings are in use and security is enabled, a keyring must be created for each user who runs wsadmin.sh with the SOAP connector. (The customization process creates a keyring for your initial administrative user ID, such as WSADMIN.)

    A description of how to create keyrings for administrative users in SAF is described in SSL considerations for WebSphere Application Server administrators.

  3. Recycle the cell so that every server, the deployment manager and the node agents pick up the new sslConfig setting.
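The following is an added example, not code from the IBM page or from WebSphere itself. It verifies step 2 offline: a small reader for the Java .properties format used by soap.client.props (comment lines, the `=`, `:` and blank separators, and backslash line continuation), and a check that the SSL properties point at JCERACFKS SAF keyrings as described above. The two property files, the keyring name WASKeyring and the HFS paths are constructed for the example; the `safkeyring://USERID/ring` form with an explicit user ID is accepted alongside the page's `safkeyring:///ring` form as an assumption outside this page.

```python
"""Check a soap.client.props file for the SAF keyring (JCERACFKS) settings.

Added example for this page; not IBM code.  Sample files and keyring
names below are constructed.
"""
import re

# Constructed sample: the SAF configuration the page describes.
SAMPLE_SAF = """\
# soap.client.props (constructed sample)
com.ibm.ssl.protocol=SSL
com.ibm.ssl.keyStoreType=JCERACFKS
com.ibm.ssl.keyStore=safkeyring:///WASKeyring
com.ibm.ssl.keyStorePassword=password
com.ibm.ssl.trustStoreType=JCERACFKS
com.ibm.ssl.trustStore=safkeyring:///WASKeyring
com.ibm.ssl.trustStorePassword=password
"""

# Constructed sample: a pre-W502000 file still naming Java key store files in the HFS.
SAMPLE_HFS = """\
com.ibm.ssl.protocol=SSL
com.ibm.ssl.keyStoreType=JKS
com.ibm.ssl.keyStore=/WebSphere/AppServer/etc/ClientKeyFile.jks
com.ibm.ssl.keyStorePassword=WebAS
com.ibm.ssl.trustStoreType=JKS
com.ibm.ssl.trustStore=/WebSphere/AppServer/etc/ClientTrustFile.jks
com.ibm.ssl.trustStorePassword=WebAS
"""

# safkeyring:///ring (current user) or safkeyring://USERID/ring (assumed form).
SAFKEYRING_RE = re.compile(r"^safkeyring://(?P<user>[^/]*)/(?P<ring>[^/]+)$")


def _logical_lines(text):
    """Join backslash-continued lines the way java.util.Properties does."""
    out, pending = [], None
    for raw in text.splitlines():
        line = raw.lstrip()  # leading blanks are dropped, also on continuation lines
        if pending is None and line[:1] in ("#", "!"):
            continue  # comment lines never continue onto the next line
        if pending is not None:
            line = pending + line
            pending = None
        trailing = re.search(r"\\+$", line)
        if trailing and len(trailing.group(0)) % 2 == 1:
            pending = line[:-1]  # odd run of backslashes: value continues on next line
            continue
        out.append(line)
    if pending is not None:
        out.append(pending)
    return out


def parse_properties(text):
    """Minimal .properties reader: key, optional '=' or ':' separator, value.
    Trailing blanks are kept as Java keeps them, so a stray blank after a
    keyring name shows up in the checks below."""
    props = {}
    for line in _logical_lines(text):
        if not line:
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def keyring_name(url):
    """Return the keyring name from a safkeyring URL, or None for anything else."""
    m = SAFKEYRING_RE.match(url)
    return m.group("ring") if m else None


def check_saf_client_props(props, expected_ring=None):
    """Return a list of problems; empty when the file uses SAF keyrings as the page describes.
    expected_ring is the keyring name that all administrators and the WSADMSH identity share."""
    problems = []
    if props.get("com.ibm.ssl.protocol") != "SSL":
        problems.append("com.ibm.ssl.protocol is not SSL")
    for side in ("keyStore", "trustStore"):
        store_type = props.get(f"com.ibm.ssl.{side}Type")
        if store_type != "JCERACFKS":
            problems.append(f"{side}Type is {store_type!r}, expected JCERACFKS")
        url = props.get(f"com.ibm.ssl.{side}", "")
        ring = keyring_name(url)
        if ring is None:
            problems.append(f"{side} {url!r} is not a safkeyring:// URL (still an HFS key store?)")
        elif expected_ring is not None and ring != expected_ring:
            problems.append(f"{side} names keyring {ring!r}, administrators must share {expected_ring!r}")
        if not props.get(f"com.ibm.ssl.{side}Password"):
            problems.append(f"{side}Password is empty; a placeholder string such as 'password' is required")
    return problems


if __name__ == "__main__":
    for label, text in (("SAF sample", SAMPLE_SAF), ("HFS sample", SAMPLE_HFS)):
        print(label, check_saf_client_props(parse_properties(text), "WASKeyring") or "OK")
```

Run it against the real file with `parse_properties(open(path).read())` and the keyring name from your customization; a non-empty result means the wsadmin client will still open Java key store files from the HFS rather than the SAF keyring, which is exactly the duplicate-certificate situation step 2 is meant to remove.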

Related concepts
Global security and server security



Searchable topic ID:   tsecracfjssekeyringzos
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/tsec_racfjssekeyringzos.html
