5.5.6.2.1.2 Creating a client keyring
The second step in creating a self-signed test certificate is to create a client
keyring. The client keyring holds the public key of the self-signed test certificate as a
trusted signer. To create a client keyring, complete the following steps:
- Start the IBM Key Management tool if you have not already done so. See article 5.5.6.2, The IBM Key Management tool, for instructions.
- Create a client keyring file.
- Import the public key that was exported from the server keyring
file.
- Set the certificate as a trusted root.
- Exit the IBM Key Management tool.
The rest of this article describes how to complete these steps.
To create a client keyring file, do the following:
- Open a new key database file by selecting Key Database File --> New from the
menu bar. The New dialog box is displayed.
- Set Key Database Type to JKS.
- Enter the name and location of the client keyring file. In this example, the file name
is ClientKeyring.jks and the location is product_installation_root/etc.
- Click the OK button to continue. The Password Prompt dialog box is displayed.
- Enter a password to restrict access to the key database. In this example, the password
is WebAS.
The server keyring password is stored in the administrative console. The client keyring
password is stored in the sas.client.props file using the property
com.ibm.CORBA.SSLClientKeyRingPassword. You need to set the keyring-password properties to
this password so that the keyring file can be opened by iKeyman during runtime. See article 5.5.6.2.5, Making client and server keyrings accessible,
for details.
Do not set an expiration date on the password, and do not save the password to a file.
If you set an expiration date, you must reset the password when it expires; if you save
the password to a file, you must protect that file. This password is used only to release
the information stored by iKeyman during runtime.
- Click the OK button to continue. The tool now displays all of the available
default signer certificates. These are the public keys of the most common CAs. You can
add, view or delete signer certificates from this screen.
Next, you need to import the public key certificate that was exported from the server
keyring. (See article 5.5.6.2.1.1, Creating a server keyring.)
To import the public key, do the following:
- Choose Signer Certificates --> Add.
- Specify the data type of the exported key. In this case, the data type is Base64-encoded
ASCII data.
- Specify the name and location of the public key that was exported from the server
keyring. In this case, the key name is cert.arm and the location is product_installation_root/etc.
- Click OK.
- Enter a unique label for the key. In this example, the label is Server CA.
- Click OK. The certificate label appears in the list of certificates.
The server public key certificate that you just added to the client keyring must be set
as a trusted root. To verify this, do the following:
- Select the name of the certificate you just created. In this case, the certificate name
is Server CA.
- Select View --> Edit. The Key information dialog box appears.
- Make sure that the box beside Set the certificate as a trusted root is checked.
- Click OK.
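The import step above accepts the exported file only as Base64-encoded ASCII data, and the
trusted-root step only makes sense if the certificate you mark is really the one exported from
the server keyring. The following script is an added example, not part of this article or of
the IBM Key Management tool: it checks that a file such as cert.arm has the BEGIN/END
CERTIFICATE markers and a valid Base64 body (the assumption here is that the .arm export uses
this PEM-style layout), confirms that the decoded payload is a single well-formed DER SEQUENCE,
and returns a SHA-256 fingerprint that you can compare with the fingerprint displayed for the
same certificate in the server keyring before you set it as a trusted root. The sample
certificate body is a constructed minimal DER structure, not a real certificate.

```python
"""Pre-import sanity check for a Base64-encoded (.arm) certificate export.

Added example; not IBM code. Assumes the export is PEM-style text with
-----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- markers.
"""
import base64
import binascii
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed sample: Base64 of the DER bytes 30 03 02 01 01 (a SEQUENCE holding
# INTEGER 1). It exercises the format checks; it is not a real certificate.
SAMPLE_ARM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""


def extract_der(text: str) -> bytes:
    """Return the Base64-decoded body of the first CERTIFICATE block in text.

    Raises ValueError for input that is not Base64-encoded ASCII data in the
    sense the iKeyman import dialog expects (missing markers or bad Base64).
    """
    match = PEM_BLOCK.search(text)
    if match is None:
        raise ValueError("no BEGIN/END CERTIFICATE markers: not Base64-encoded ASCII data")
    body = "".join(match.group(1).split())  # drop line breaks inside the body
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid Base64: {exc}") from exc


def der_sequence_length(der: bytes) -> int:
    """Check that der is exactly one DER SEQUENCE (tag 0x30) and return its content length.

    A certificate is a DER SEQUENCE, so a truncated or padded export shows up here
    as a mismatch between the encoded length and the number of bytes present.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE tag (0x30)")
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form length: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length field")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError(
            f"DER length {length} does not match payload of {len(der) - header} bytes"
        )
    return length


def fingerprint(text: str) -> str:
    """Validate text as an importable certificate export and return its SHA-256 fingerprint
    as colon-separated upper-case hex pairs, the form key tools usually display."""
    der = extract_der(text)
    der_sequence_length(der)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_arm(text: str):
    """Return (True, fingerprint) for an importable export, else (False, reason)."""
    try:
        return True, fingerprint(text)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # In practice: check_arm(open("product_installation_root/etc/cert.arm").read())
    ok, detail = check_arm(SAMPLE_ARM)
    print("importable" if ok else "rejected", detail)
```

Compare the printed fingerprint with the one shown for the server's self-signed certificate in the server keyring; if they differ, the file you are about to label Server CA is not the key you exported in the previous article, and it should not be set as a trusted root.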
Exit the iKeyman tool by closing the IBM Key Management window.