5.5.7.4: Example: Generating key and trust store files for SSL
This procedure describes how to create the key store and trust store
files that permit SSL communications between WebSphere Application
Server and an LDAP server. It requires two sets of key and trust store
files, one for the server and one for the client. The server's key
store file contains the server's public and private keys together with
its certificate. The server's trust store file contains the certificate
authority's (CA's) certificate. The client's key store file contains the
client's public and private keys and is needed only if client
authentication is desired. The client's trust store file contains the
server's certificate and the CA's root certificate; this is what lets the
client verify the certificate the server presents during the SSL
handshake.
- Download the external public certificate for the root certificate
authority (root CA) and save it to a file. In this example,
the file is called caroot.arm.
- Generate the server-side key store and trust store files. This can be
done using either the keytool command-line tool or the graphical IBM Key
Management (Ikeyman) tool. For example, if you are using the Ikeyman
tool, you must:
- Create a new key store file. In this example, the file is called
ServerKeyStoreFile.jks.
- Request a certificate for the server, if it doesn't already
have one.
- Generate a key pair and a certificate request from within
the key store file and save the request to a file.
In this example, the file is called certreq.arm.
- Submit the request to the certificate authority.
- Save the newly obtained certificate to a file. In this
example, the file is called newcert.arm.
- Receive the certificate into the key store file. Specify the
certificate in the newcert.arm file as the certificate to be
received; this is done on the Personal Certificates panel in
the Ikeyman tool. The certificate must be received into the
same key store file that generated certreq.arm, because that
file holds the matching private key.
- The client also needs access to the server's
certificate, so extract the certificate and save it
to a file. In this example, the file is called
websphere.arm.
- Add the certificate of the signing CA (saved in the
file caroot.arm) to the key store file. This is done
on the Signer Certificates panel in the Ikeyman tool.
- Create the server trust store file. In this example, the file
is called ServerTrustStoreFile.jks. Add the certificate of the
signing CA (caroot.arm) to it, again on the Signer Certificates
panel. The server uses this file to decide which certificates
it trusts, so it should contain only the CA's certificate, not
the server's own private key.
- Generate the client-side key and trust store files. This can be
done using either the keytool command-line tool or the
graphical IBM Key Management (Ikeyman) tool. For example,
if you are using the Ikeyman tool, you must:
- Create a new trust store file. In this example, the
file is called ClientTrustStoreFile.jks.
- Add the certificate of the signing CA, saved in the
file caroot.arm, to the trust store file. This is done
on the Signer Certificates panel in the Ikeyman tool.
- Add the certificate of the server, saved in the file
websphere.arm, to the trust store file. This is also done
on the Signer Certificates panel in the Ikeyman tool.
- Optionally, if client authentication is desired, create
a new client key store file called ClientKeyStoreFile.jks.
Then, as for the server, generate a certificate request from
within that key store file, submit the request to the CA, and
receive the returned certificate into the client key store
file.
- Install the new key and trust store files into the WebSphere
Application Server environment. Place all key and trust store files
(ServerKeyStoreFile.jks, ServerTrustStoreFile.jks,
ClientKeyStoreFile.jks and ClientTrustStoreFile.jks) on the
server in the product_installation_root/etc directory. The key
store files contain private keys, so restrict their file
permissions to the user the server runs as.
- Configure the server properties as follows:
- Start the administrative console.
- Open the Security Center.
- Select Default SSL Configuration.
- Modify the following SSL properties:
- Key File Name: product_installation_root/etc/ServerKeyStoreFile.jks
- Key file password: WebAS
- Confirm password: WebAS
- Key file format: JKS
- Trust file name: product_installation_root/etc/ServerTrustStoreFile.jks
- Trust file password: WebAS
- Confirm password: WebAS
- Security level: high (128 bit encryption)
If you use a single file as both key store and trust store, you
can specify the same file name for both properties. If you
specify only a key file name, the trust file name is automatically
set to the same name as the key file name.
- The client side requires only the ClientKeyStoreFile.jks
and ClientTrustStoreFile.jks files (ClientKeyStoreFile.jks
only if client authentication is used). Modify the following
lines in the sas.client.props file:
com.ibm.ssl.trustStore=ClientTrustStoreFile.jks
com.ibm.ssl.trustStorePassword=WebAS
com.ibm.ssl.trustStoreType=JKS
com.ibm.ssl.keyStore=ClientKeyStoreFile.jks
com.ibm.ssl.keyStorePassword=WebAS
com.ibm.ssl.keyStoreType=JKS
com.ibm.ssl.protocol=SSLv3
com.ibm.CORBA.standardPerformQOPModels=high
The value high corresponds to 128-bit encryption and matches the
Security level selected for the server above. The protocol value
SSLv3 reflects the release this page documents; SSLv3 has since
been shown to be insecure (the POODLE attack) and is deprecated,
so where the runtime and the LDAP server both offer it, select the
newest TLS version they have in common instead.
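The following script carries out the key and trust store generation
steps above with the JDK keytool command, the command-line alternative
to Ikeyman that the procedure names. It is an added example and is not
code from this InfoCenter page or from IBM. It assumes a JDK 7 or later
keytool (for -gencert), and it replaces the external CA with a
self-signed test root kept in ca.jks so that it runs offline; in a
production rollout the steps that use ca.jks are performed by the real
CA, and caroot.arm is the certificate you download from it. The host
name, distinguished names, directory and store password are
assumptions; the page's sample password WebAS is shorter than the
six-character minimum keytool enforces, so a longer placeholder is
used. The optional client key store is not built, since its steps are
the same as the server's.

```shell
#!/bin/sh
# Added example (not from the WebSphere InfoCenter or IBM): build the
# server and client key/trust store files described above with keytool.
# All names below are assumptions; change them for your environment.
set -eu

STOREPASS="${STOREPASS:-WebAS-example}"          # keytool requires >= 6 characters
SERVER_HOST="${SERVER_HOST:-websphere.example.com}"
SERVER_DN="CN=$SERVER_HOST, O=Example, C=US"
CA_DN="CN=Example Test Root CA, O=Example, C=US"

# Offline stand-in for the external CA: a self-signed root in ca.jks.
# Step 1 of the procedure is the export of its certificate as caroot.arm.
make_test_ca() {
    dir="$1"
    keytool -genkeypair -alias caroot -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -dname "$CA_DN" -ext bc:c -validity 3650 \
        -keystore "$dir/ca.jks" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -exportcert -rfc -alias caroot -keystore "$dir/ca.jks" \
        -storepass "$STOREPASS" -file "$dir/caroot.arm"
}

# Server side: key pair in ServerKeyStoreFile.jks, CSR (certreq.arm),
# signed certificate (newcert.arm) received into the same store, CA root
# added as a signer, server certificate exported (websphere.arm) and a
# separate ServerTrustStoreFile.jks holding only the CA root.
make_server_stores() {
    dir="$1"
    keytool -genkeypair -alias websphere -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -dname "$SERVER_DN" -validity 365 \
        -keystore "$dir/ServerKeyStoreFile.jks" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -certreq -alias websphere -keystore "$dir/ServerKeyStoreFile.jks" \
        -storepass "$STOREPASS" -file "$dir/certreq.arm"
    # In production this step is done by the CA, which returns newcert.arm.
    keytool -gencert -alias caroot -keystore "$dir/ca.jks" -storepass "$STOREPASS" \
        -infile "$dir/certreq.arm" -outfile "$dir/newcert.arm" -rfc \
        -validity 365 -sigalg SHA256withRSA -ext "san=dns:$SERVER_HOST"
    # Signer first: keytool validates the reply against trusted entries
    # in the store before it will install it against the private key.
    keytool -importcert -noprompt -alias caroot -file "$dir/caroot.arm" \
        -keystore "$dir/ServerKeyStoreFile.jks" -storepass "$STOREPASS"
    keytool -importcert -noprompt -alias websphere -file "$dir/newcert.arm" \
        -keystore "$dir/ServerKeyStoreFile.jks" -storepass "$STOREPASS"
    keytool -exportcert -rfc -alias websphere \
        -keystore "$dir/ServerKeyStoreFile.jks" -storepass "$STOREPASS" \
        -file "$dir/websphere.arm"
    keytool -importcert -noprompt -alias caroot -file "$dir/caroot.arm" \
        -keystore "$dir/ServerTrustStoreFile.jks" -storetype JKS \
        -storepass "$STOREPASS"
}

# Client side: ClientTrustStoreFile.jks with the CA root and the server
# certificate, both as signer (trusted certificate) entries.
make_client_truststore() {
    dir="$1"
    keytool -importcert -noprompt -alias caroot -file "$dir/caroot.arm" \
        -keystore "$dir/ClientTrustStoreFile.jks" -storetype JKS \
        -storepass "$STOREPASS"
    keytool -importcert -noprompt -alias websphere -file "$dir/websphere.arm" \
        -keystore "$dir/ClientTrustStoreFile.jks" -storepass "$STOREPASS"
}

# Check: number of entries of one kind (PrivateKeyEntry or
# trustedCertEntry) in a store, so a private key never ends up in a
# file that is distributed as a trust store.
count_entries() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" | grep -c "$2" || true
}

main() {
    work="$1"
    mkdir -p "$work"
    make_test_ca "$work"
    make_server_stores "$work"
    make_client_truststore "$work"
    for f in ServerKeyStoreFile.jks ServerTrustStoreFile.jks ClientTrustStoreFile.jks; do
        echo "== $f"
        keytool -list -keystore "$work/$f" -storepass "$STOREPASS"
    done
}

# Usage: sh make_stores.sh /path/to/workdir
if [ $# -gt 0 ]; then main "$1"; fi
```

After running, copy the three .jks files to product_installation_root/etc
and enter the store password you chose in place of WebAS in the Security
Center and in sas.client.props. Because -importcert with -noprompt skips
the fingerprint prompt, check the fingerprint of a caroot.arm obtained
from a real CA by other means before trusting it.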