6.6.18.0.1: Properties for configuring Secure Socket Layer (SSL) support
Key:
Applies to Java administrative console of Advanced Edition Version 4.0
Applies to Web administrative console of Advanced Single Server Edition Version 4.0
Applies to Application Client Resource Configuration Tool
For Advanced Edition (non-Single Server), see
Configuring SSL support instructions.
-
Client Authentication
or Enable Client Authentication
- Whether the server and client should prove their identities
through an exchange of keys
The SSL server is always authenticated to the client. If client authentication
is enabled, the SSL client is also authenticated to the server. By default, client
authentication is disabled.
-
Confirm Password
- Type the password again, to confirm the correct spelling
-
Dynamic Properties
- Name-value pairs that you can use to configure additional SSL settings beyond
those available in the administrative interface
- com.ibm.ssl.protocol
- This is the SSL protocol to be used (including its version). The possible values are
SSL, SSLv2, SSLv3, TLS, or TLSv1. The default value, SSL, is backward-compatible with the other
SSL protocols.
- com.ibm.ssl.keyStoreProvider
- The name of the key store provider to use. Specify one of the security providers
listed in your java.security file which has a key store implementation. The default value is
IBMJCE.
- com.ibm.ssl.keyManager
- The name of the key management algorithm to use. Specify any key management algorithm
that is implemented by one of the security providers listed in your java.security file. The
default value is IbmX509.
- com.ibm.ssl.trustStoreProvider
- The name of the trust store provider to use. Specify one of the security providers listed
in your java.security file which has a trust store implementation. The default value is IBMJCE.
- com.ibm.ssl.trustManager
- The name of the trust management algorithm to use. Specify any trust management algorithm
that is implemented by one of the security providers listed in your java.security file. The
default value is IbmX509.
- com.ibm.ssl.trustStoreType
- The type or format of the trust store. The possible values are JKS, PKCS12, JCEK. The
default value is JKS.
- com.ibm.ssl.enabledCipherSuites
- The list of cipher suites to enable. By default, this is not set and the set of cipher
suites used are determined by the value of the SecurityLevel (HIGH, MEDIUM, or LOW). A cipher
suite is a combination of cryptographic algorithms used for an SSL connection.
Enter a space-separated list of any of the following cipher suites:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
-
Enable Client Authentication
- See Client Authentication
-
Enable Crypto Token Support
- Whether cryptographic token support is enabled. If this is selected,
then the values on the Crypto Token
panel are used. After enabling Crypto Token support, stop your application server
and start it again for the change to take effect.
A crypto token is a hardware or software device that has a built-in key store
implementation. The values for the following fields are specific to the device;
take them from the documentation of the supported cryptographic device.
-
Enable SSL
- Whether to enable SSL support
-
Key File Format
- The format of the key file. Possible values are JKS, PKCS12, and JCEK
-
Key File Name
- The fully qualified path to the key file that contains public keys and perhaps private keys. See below
for a note about the name.
An SSL key file can be created with the IKeyMan key management utility, or it may correspond to a hardware
device if one is available.
In either case, this specifies the source for personal certificates, as well as for
signer certificates unless a trust file is specified.
The default Key File and the default Trust File contain
a test certificate and are intended only for use in a test environment. The default key files must
never be used in a production environment because the private keys are the same on all WebSphere installations.
Refer to the introduction to security certificates for information about
creating and managing digital certificates for your WebSphere domain.
-
Key File Password
- The password for accessing the key file
-
Library File
- The DLL or shared object which implements the interface to the cryptographic device
-
Password
- The password for the cryptographic device
-
Security Level
- The security level can be HIGH, MEDIUM, or LOW and is a user-friendly way of enabling a defined set of cipher
suites. The Security Level is overridden by giving an explicit value to the dynamic property
com.ibm.ssl.enabledCipherSuites (described previously under Dynamic Properties). The mapping of security level to enabled cipher
suites is as follows.
If the security level is HIGH, the enabled cipher suites are:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
If the security level is MEDIUM, the enabled cipher suites are:
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
If the security level is LOW and this is a server SSL configuration, the enabled cipher suites are:
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
If the security level is LOW and this is a client SSL configuration, the enabled cipher suites are:
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
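The Security Level mapping above and the com.ibm.ssl.enabledCipherSuites dynamic property described earlier decide together which cipher suites a configuration actually offers. The following script is an added example, not IBM code or part of this reference: it encodes the page's mapping (including the server/client difference at LOW), applies the stated precedence (an explicit enabledCipherSuites value wins over the level), rejects suite names outside the page's list, and flags suites in the result that give up encryption (NULL), server authentication (DH_anon), or key strength (EXPORT, single DES). The configuration dictionary it audits is constructed for the example; the property names are the ones on this page.

```python
"""Resolve the effective cipher-suite list of a WebSphere 4.0 SSL
configuration from its Security Level and dynamic properties, and flag
suites that weaken the connection. Added example; not IBM's code."""

# Suites the page lists for each Security Level.
HIGH_SUITES = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
]
MEDIUM_SUITES = [
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
]
LOW_SERVER_SUITES = [
    "SSL_RSA_WITH_NULL_MD5",
    "SSL_RSA_WITH_NULL_SHA",
    "SSL_DH_anon_WITH_RC4_128_MD5",
    "SSL_DH_anon_WITH_DES_CBC_SHA",
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
    "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
]
LOW_CLIENT_SUITES = ["SSL_RSA_WITH_NULL_MD5", "SSL_RSA_WITH_NULL_SHA"]

# Every suite name the page accepts in com.ibm.ssl.enabledCipherSuites.
KNOWN_SUITES = frozenset(HIGH_SUITES + MEDIUM_SUITES + LOW_SERVER_SUITES)
CIPHER_SUITES_PROPERTY = "com.ibm.ssl.enabledCipherSuites"


def suites_for_level(level, side="server"):
    """Cipher suites enabled by a Security Level alone (no override)."""
    level = level.upper()
    if level == "HIGH":
        return list(HIGH_SUITES)
    if level == "MEDIUM":
        return list(MEDIUM_SUITES)
    if level == "LOW":
        # LOW differs between server and client SSL configurations.
        return list(LOW_CLIENT_SUITES if side == "client" else LOW_SERVER_SUITES)
    raise ValueError("unknown Security Level: " + level)


def effective_suites(level, dynamic_properties, side="server"):
    """Apply the page's precedence: a non-empty, space-separated
    enabledCipherSuites value overrides the Security Level."""
    explicit = dynamic_properties.get(CIPHER_SUITES_PROPERTY, "").split()
    if explicit:
        unknown = [s for s in explicit if s not in KNOWN_SUITES]
        if unknown:
            raise ValueError("unknown cipher suite(s): " + ", ".join(unknown))
        return explicit
    return suites_for_level(level, side)


def weaknesses(suite):
    """Name what a suite gives up, read from its name components."""
    issues = []
    if "_WITH_NULL_" in suite:
        issues.append("no encryption")
    if "_anon_" in suite:
        issues.append("no server authentication")
    if "_EXPORT_" in suite:
        issues.append("40-bit export key")
    if "_DES_CBC_" in suite or "_DES40_" in suite:  # single DES; 3DES does not match
        issues.append("single DES")
    return issues


def audit(level, dynamic_properties, side="server"):
    """Return (effective suites, {suite: issues}) for one SSL configuration."""
    suites = effective_suites(level, dynamic_properties, side)
    return suites, {s: weaknesses(s) for s in suites if weaknesses(s)}


# Constructed sample configuration: MEDIUM level, but the dynamic property
# pins the connection to two DHE/3DES suites, so the level is ignored.
SAMPLE_PROPERTIES = {
    "com.ibm.ssl.protocol": "TLSv1",
    CIPHER_SUITES_PROPERTY: "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA "
                            "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
}

if __name__ == "__main__":
    for level, props in (("MEDIUM", {}), ("LOW", {}), ("MEDIUM", SAMPLE_PROPERTIES)):
        suites, flagged = audit(level, props)
        print(level, "->", " ".join(suites))
        for suite, issues in flagged.items():
            print("   ", suite + ":", "; ".join(issues))
```

Running it shows that every MEDIUM suite and every LOW suite carries at least one flag, while the explicit override leaves nothing flagged; the same functions can be pointed at the dynamic properties of any Default or LDAP SSL configuration to see what a given Security Level really enables.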
-
Token Type
- The type of token, such as PKCS#11
-
Trust File Format
- The format of the specified trust file
-
Trust File Name
- The fully qualified path to a trust file containing the public keys. See below
for a note about the name.
As with the SSL key file, this can be created
with the IKeyMan utility, or it may correspond to a hardware device. Unlike the
SSL key file, no personal certificates are referenced; only signer certificates
are retrieved. If a trust file is not specified but the key file is specified,
then the SSL key file is used for retrieval of signer certificates as well as
personal certificates.
-
Trust File Password
- A password for accessing the trust file
Note about key and trust file names:
The Default SSL configuration data and the LDAP SSL configuration data managed by the WebSphere
Application Server Security Center are shared by multiple nodes in the same security domain.
Machines in the same security domain can run different operating systems, such as AIX and Windows 2000.
Moreover, the WebSphere Application Server installation path can differ between host machines.
Hence it is not always possible to use an absolute file path when specifying the location of the key store
and the trust store. IBM WebSphere Application Server uses a symbolic link, WAS_HOME
(which equates to product_installation_root), to locate the key store
and the trust store. For example, the key file name can be defined as
${WAS_HOME}/etc/ServerKeyFile.jks
The ServerKeyFile.jks file must then exist on every host machine under
the "etc" subdirectory of the product_installation_root. The contents of the
key files can differ between nodes, but the file names must match.