6.6.18.0.1: Properties for configuring Secure Socket Layer (SSL) support

Key:
Property name in the Java-based administrative console: applies to the Java administrative console of Advanced Edition Version 4.0
Property name in the Web-based administrative console: applies to the Web administrative console of Advanced Single Server Edition Version 4.0
Property name in the application client resource configuration tool: applies to the Application Client Resource Configuration Tool

For Advanced Edition (non-Single Server), see Configuring SSL support instructions.
Client Authentication or Enable Client Authentication  Property name in the Java-based administrative console
Whether the server and client must prove their identities to each other by presenting certificates during the SSL handshake

The SSL server is always authenticated to the client. If client authentication is enabled, the SSL client is also authenticated to the server. By default, client authentication is disabled.

Confirm Password  Property name in the Java-based administrative console  Property name in the Web-based administrative console
Type the password again, to confirm the correct spelling
Dynamic Properties  Property name in the Java-based administrative console  Property name in the Web-based administrative console
Name-value pairs that you can use to configure additional SSL settings beyond those available in the administrative interface
com.ibm.ssl.protocol
This is the SSL protocol to be used (including its version). The possible values are SSL, SSLv2, SSLv3, TLS, or TLSv1. The default value, SSL, is backward-compatible with the other listed protocols, so a peer that only speaks an older version can still connect. SSLv2 and SSLv3 have known protocol-level weaknesses and have since been deprecated; where every peer supports it, set TLS (or TLSv1) explicitly so that the older versions cannot be negotiated.
com.ibm.ssl.keyStoreProvider
The name of the key store provider to use. Specify one of the security providers listed in your java.security file which has a key store implementation. The default value is IBMJCE.
com.ibm.ssl.keyManager
The name of the key management algorithm to use. Specify any key management algorithm that is implemented by one of the security providers listed in your java.security file. The default value is IbmX509.
com.ibm.ssl.trustStoreProvider
The name of the trust store provider to use. Specify one of the security providers listed in your java.security file which has a trust store implementation. The default value is IBMJCE.
com.ibm.ssl.trustManager
The name of the trust management algorithm to use. Specify any trust management algorithm that is implemented by one of the security providers listed in your java.security file. The default value is IbmX509.
com.ibm.ssl.trustStoreType
The type or format of the trust store. The possible values are JKS, PKCS12, or JCEK. The default value is JKS.
com.ibm.ssl.enabledCipherSuites
The list of cipher suites to enable. By default, this is not set and the set of cipher suites used is determined by the value of the Security Level (HIGH, MEDIUM, or LOW). A cipher suite is the combination of key exchange, bulk encryption and message authentication algorithms used for an SSL connection, and the suite name encodes all three: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, for example, uses ephemeral Diffie-Hellman key exchange signed with RSA, 3DES in CBC mode, and a SHA-1 MAC.

Enter a space-separated list of any of the following cipher suites:

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
Enable Client Authentication  Property name in the Java-based administrative console  Property name in the Web-based administrative console
See Client Authentication
Enable Crypto Token Support  Property name in the Java-based administrative console  Property name in the Web-based administrative console
Whether cryptographic token support is enabled. If this is selected, then the values on the Crypto Token panel are used. After enabling Crypto Token support, stop your application server and start it again for the change to take effect.

A crypto token is a hardware or software device that has a built-in key store implementation. The exact values for the related fields (Library File, Token Type, and Password) are given in the documentation for the supported cryptographic device.

Enable SSL  Property name in the Java-based administrative console  Property name in the Web-based administrative console
Whether to enable SSL support
Key File Format  Property name in the Java-based administrative console  Property name in the Web-based administrative console
The format of the key file. Possible values are JKS, PKCS12, and JCEK
Key File Name  Property name in the Java-based administrative console  Property name in the Web-based administrative console
The fully qualified path to the key file, which contains certificates and, for personal certificates, their private keys. See below for a note about the name.

An SSL key file can be created with the IKeyMan key management utility, or it may correspond to a hardware device if one is available. In either case, this specifies the source for personal certificates, as well as for signer certificates unless a trust file is specified.

The default Key File and the default Trust File contain a test certificate and are intended only for use in a test environment. The default key files must never be used in a production environment, because the private keys are the same on all WebSphere installations: anyone with a copy of the product holds your server's private key and can impersonate your server. Refer to the introduction to security certificates for information about creating and managing digital certificates for your WebSphere domain.

Key File Password  Property name in the Java-based administrative console  Property name in the Web-based administrative console
The password for accessing the key file
Library File  Property name in the Java-based administrative console  Property name in the Web-based administrative console
The DLL or shared object which implements the interface to the cryptographic device
Password  Property name in the Java-based administrative console  Property name in the Web-based administrative console
The password for the cryptographic device
Security Level  Property name in the Java-based administrative console  Property name in the Web-based administrative console
The security level can be HIGH, MEDIUM, or LOW and is a user-friendly way of enabling a predefined set of cipher suites. The security level is overridden by giving an explicit value to the dynamic property com.ibm.ssl.enabledCipherSuites (described under Dynamic Properties above). The mapping of security level to enabled cipher suites is as follows.
If the security level is HIGH, the enabled cipher suites are:
    SSL_RSA_WITH_RC4_128_MD5
    SSL_RSA_WITH_RC4_128_SHA
    SSL_RSA_WITH_DES_CBC_SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_RSA_WITH_DES_CBC_SHA
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_DSS_WITH_DES_CBC_SHA
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
If the security level is MEDIUM, the enabled cipher suites are:
    SSL_RSA_EXPORT_WITH_RC4_40_MD5
    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
If the security level is LOW and a server SSL configuration, the enabled cipher suites are:
    SSL_RSA_WITH_NULL_MD5
    SSL_RSA_WITH_NULL_SHA
    SSL_DH_anon_WITH_RC4_128_MD5
    SSL_DH_anon_WITH_DES_CBC_SHA
    SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
    SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
    SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
If the security level is LOW and a client SSL configuration, the enabled cipher suites are:
    SSL_RSA_WITH_NULL_MD5
    SSL_RSA_WITH_NULL_SHA

Choose the level with the threat in mind. The LOW suites give either no encryption (the NULL suites integrity-protect the connection but send application data in the clear) or no server authentication (the DH_anon suites can be intercepted by an active attacker posing as the server), and the MEDIUM suites use 40-bit export keys that can be recovered by brute force. Use HIGH, or an explicit com.ibm.ssl.enabledCipherSuites list drawn from it, for any connection that carries credentials or other sensitive data.
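The following is an added example written for this page; it is not WebSphere code and not part of the InfoCenter. It encodes the Security Level mapping above together with the override rule for the com.ibm.ssl.enabledCipherSuites dynamic property (described under Dynamic Properties), then audits the resulting suite list by reading the key exchange, cipher and MAC out of each suite name. The weakness classification is the example's own judgement applied to every suite this release offers, not something the product reports, and all function and variable names are the example's.

```python
"""Audit the cipher suites a WebSphere 4.0 SSL configuration enables.

Added example for this page, not product code. SECURITY_LEVEL copies the
HIGH/MEDIUM/LOW mapping documented above; the findings are this example's
own classification, derived from the components named in each suite.
"""

# Security Level -> enabled suites, as documented on this page.
# LOW differs between server and client SSL configurations.
SECURITY_LEVEL = {
    "HIGH": [
        "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_DES_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_DHE_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    ],
    "MEDIUM": [
        "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
        "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
        "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
        "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    ],
    ("LOW", "server"): [
        "SSL_RSA_WITH_NULL_MD5", "SSL_RSA_WITH_NULL_SHA",
        "SSL_DH_anon_WITH_RC4_128_MD5", "SSL_DH_anon_WITH_DES_CBC_SHA",
        "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
        "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
        "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    ],
    ("LOW", "client"): ["SSL_RSA_WITH_NULL_MD5", "SSL_RSA_WITH_NULL_SHA"],
}

CIPHER_SUITES_PROPERTY = "com.ibm.ssl.enabledCipherSuites"


def enabled_suites(security_level, role="server", dynamic_properties=None):
    """Suites the configuration actually enables.

    A non-empty com.ibm.ssl.enabledCipherSuites dynamic property (a
    space-separated list) overrides the Security Level, as the page states.
    """
    props = dynamic_properties or {}
    explicit = props.get(CIPHER_SUITES_PROPERTY, "").strip()
    if explicit:
        return explicit.split()
    key = (security_level, role) if security_level == "LOW" else security_level
    return list(SECURITY_LEVEL[key])


def parse_suite(name):
    """Split SSL_<key exchange>_WITH_<cipher>_<MAC> into its components."""
    prefix, _, rest = name.partition("_WITH_")
    key_exchange = prefix.split("_", 1)[1]   # drop the leading "SSL"
    cipher, _, mac = rest.rpartition("_")     # MAC is the last token
    return key_exchange, cipher, mac


def suite_findings(name):
    """Weaknesses of one suite; an empty list means nothing was flagged."""
    key_exchange, cipher, mac = parse_suite(name)
    findings = []
    if "anon" in key_exchange:
        findings.append("anonymous DH: no server authentication, active MITM possible")
    if cipher.startswith("NULL"):
        findings.append("NULL cipher: application data sent in the clear")
    if "EXPORT" in key_exchange:
        findings.append("export grade: 40-bit key, brute-forceable")
    elif cipher.startswith("DES_"):
        findings.append("single DES: 56-bit key, brute-forceable")
    if cipher.startswith("RC4"):
        findings.append("RC4: biased keystream")
    if mac == "MD5":
        findings.append("MD5 MAC: deprecated hash")
    return findings


def audit(security_level, role="server", dynamic_properties=None):
    """Map each flagged enabled suite to its findings (clean suites omitted)."""
    report = {}
    for suite in enabled_suites(security_level, role, dynamic_properties):
        findings = suite_findings(suite)
        if findings:
            report[suite] = findings
    return report


def recommended_property_value(security_level, role="server"):
    """Space-separated com.ibm.ssl.enabledCipherSuites value that keeps only
    the unflagged suites of the given level; empty if none survive."""
    return " ".join(s for s in enabled_suites(security_level, role)
                    if not suite_findings(s))


if __name__ == "__main__":
    for level, role in (("HIGH", "server"), ("MEDIUM", "server"),
                        ("LOW", "server"), ("LOW", "client")):
        print(f"{level} ({role}):")
        for suite, findings in audit(level, role).items():
            print(f"  {suite}: {'; '.join(findings)}")
        print(f"  {CIPHER_SUITES_PROPERTY}={recommended_property_value(level, role)!r}")
```

For a HIGH server configuration the audit flags the RC4, single-DES and MD5 suites and leaves the three 3DES/SHA suites, which is the strongest explicit com.ibm.ssl.enabledCipherSuites value this release can offer; MEDIUM and both LOW sets yield nothing usable, since every suite in them is export-grade, unauthenticated or unencrypted.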
Token Type  Property name in the Java-based administrative console  Property name in the Web-based administrative console
The type of token, such as PKCS#11
Trust File Format  Property name in the Java-based administrative console  Property name in the Web-based administrative console
The format of the specified trust file. Possible values are JKS, PKCS12, and JCEK, as for Key File Format.
Trust File Name  Property name in the Java-based administrative console  Property name in the Web-based administrative console
The fully qualified path to a trust file containing signer certificates (the public keys used to verify peers). See below for a note about the name.

As with the SSL key file, this can be created with the IKeyMan utility, or it may correspond to a hardware device. Unlike the SSL key file, no personal certificates are referenced; only signer certificates are retrieved. If a trust file is not specified but the key file is specified, then the SSL key file is used for retrieval of signer certificates as well as personal certificates.

Trust File Password  Property name in the Java-based administrative console  Property name in the Web-based administrative console
A password for accessing the trust file

Note about key and trust file names: The Default SSL configuration data and the LDAP SSL configuration data managed by the WebSphere Application Server Security Center are shared by multiple nodes in the same security domain. Machines in the same security domain can run different operating systems, such as AIX and Windows 2000, and the WebSphere Application Server installation path can differ from one host machine to another.

Hence it is not always possible to use an absolute file path when specifying the location of the key store and the trust store. IBM WebSphere Application Server instead resolves the symbolic name WAS_HOME (which equates to product_installation_root on the node reading the configuration) to locate the key store and trust store. For example, the key file name can be defined as

${WAS_HOME}/etc/ServerKeyFile.jks

ServerKeyFile.jks must then exist on every host machine in the etc subdirectory of that machine's product_installation_root. The contents of the key file can differ from node to node (each node can carry its own personal certificate, for example), but the file name must match on all of them.
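An added example, not part of the InfoCenter page or the product, that applies the two rules on this page before a shared SSL configuration is pushed to a domain: it resolves ${WAS_HOME} against each node's installation root, and it applies the fallback described under Trust File Name (signer certificates come from the key file when no trust file is configured). The node names and installation roots are constructed sample data, the field names keyFileName and trustFileName are the example's own, and the file-existence probe is a parameter so the check runs offline; pass os.path.exists when running it on a real node.

```python
"""Pre-flight check for a key/trust file configuration shared across nodes.

Added example for this page, not product code. NODES is constructed sample
data; the `exists` probe is injected so the check runs offline (pass
os.path.exists to check the node it runs on).
"""

WAS_HOME = "${WAS_HOME}"

# Constructed sample: one security domain, two operating systems, two
# different installation roots, as the page's note describes.
NODES = {
    "aixnode": "/usr/WebSphere/AppServer",
    "win2knode": "C:/WebSphere/AppServer",
}


def expand_was_home(path, install_root):
    """Substitute this node's product_installation_root for ${WAS_HOME}."""
    return path.replace(WAS_HOME, install_root)


def resolve_stores(config, install_root):
    """Return (key file, file signer certificates come from, which setting).

    Applies the rule from the Trust File Name entry: signer certificates are
    read from the trust file if one is configured, otherwise from the key file.
    """
    key_file = expand_was_home(config["keyFileName"], install_root)
    trust_name = config.get("trustFileName")
    if trust_name:
        return key_file, expand_was_home(trust_name, install_root), "trustFile"
    return key_file, key_file, "keyFile"


def preflight(config, nodes, exists=lambda path: True):
    """List the problems that would break this configuration on some node."""
    problems = []
    # A path without ${WAS_HOME} is tied to one node's install root and
    # cannot resolve on nodes with a different root or operating system.
    for field in ("keyFileName", "trustFileName"):
        value = config.get(field)
        if value and WAS_HOME not in value:
            problems.append(f"{field}: {value!r} is node-specific; "
                            f"use {WAS_HOME}/... so every node can resolve it")
    if not config.get("trustFileName"):
        problems.append("trustFileName unset: signer certificates will be "
                        "taken from the key file")
    # The file name is shared, so the file must be present on every node.
    for node, root in nodes.items():
        key_file, signer_file, _ = resolve_stores(config, root)
        for path in sorted({key_file, signer_file}):
            if not exists(path):
                problems.append(f"{node}: {path} not found")
    return problems


if __name__ == "__main__":
    config = {"keyFileName": "${WAS_HOME}/etc/ServerKeyFile.jks",
              "trustFileName": "${WAS_HOME}/etc/ServerTrustFile.jks"}
    for node, root in NODES.items():
        print(node, resolve_stores(config, root))
    # Simulate nodes on which only the key file has been rolled out.
    for problem in preflight(config, NODES,
                             exists=lambda p: p.endswith("ServerKeyFile.jks")):
        print("problem:", problem)
```

Run it against the real filesystem of each node (exists=os.path.exists) after the files are distributed; an empty result means every node can resolve both stores and no setting depends on one node's installation path.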

Go to previous article: General security properties Go to next article: Properties for configuring security using local operating system