5.5.6.2.5: Making client and server keyrings accessible

After you have created the keyring files and inserted the necessary certificates, you need to make them accessible to the client and server programs.

To use the server and client keyrings you created in your WebSphere environment, first copy them to the client and server machines.

  • Copy the client keyring file (ClientKeyring.jks) to the following location on the client machine:
    product_installation_root/etc/ClientKeyring.jks
  • Copy the server keyring file (ServerKeyring.jks) to the following location on the server machine:
    product_installation_root/etc/ServerKeyring.jks

The keyring files hold private keys and are protected only by the keystore password, so limit read access to the account that runs the server or client process.

Managing the Server SSL Keyring Files

The administrative model in WebSphere Application Server allows the SSL settings for each WebSphere component to be centrally and individually managed. SSL settings are centrally managed in the administrative console through the default SSL Settings panel. In addition, any of the default settings can be overridden for an individual component by using the HTTPS, ORB, and LDAPS SSL settings panels.  See article 6.6.18,  Securing applications, for more detailed information about using the administrative console to configure WebSphere security.

Note: Always use the administrative console to manage the server keyring files, because changes made in the console overwrite any manual edits to the sas.server.props file. Client keyring files are managed in the sas.client.props file, because clients can be located on a remote machine.

The Default SSL Settings panel configures the SSL settings shared by the WebSphere Application Server components that use SSL. Parameters set through the ORB SSL Settings panel override the default SSL settings for the ORB. Whichever settings are in effect, the ORB uses them as follows. (In addition, the ORB requires the SAS properties files on the client and server to be configured as described below.)

Key file name
The path of the SSL key file used for server connections. For the server keyring file generated in this document, enter the following in this field: product_installation_root/etc/ServerKeyring.jks
Key file password
The password for the SSL key file used for server connections. On the server, the key file password is configured in the administrative console and stored in the server-cfg.xml file. Because server-cfg.xml holds this password, restrict read access to it as you do to the keyring file itself.
Key file format
The only key file format currently supported by the AEs ORB is JKS.
Trust file name
The path of the SSL trust file used for client connections. On the server, the trust file name is configured in the administrative console and stored in the server-cfg.xml file. For the client keyring file generated in this document, enter the following in this field: product_installation_root/etc/ClientKeyring.jks
Trust file password
The password for the SSL trust file used for client connections. On the server, the trust file password is configured in the administrative console and stored in the server-cfg.xml file.
Client Authentication
The WebSphere AEs ORB does not currently support SSL client authentication using digital certificates. Editing this value has no effect.

Managing the Client SSL Keyring Files

You need to modify the sas.client.props file, which is located in the product_installation_root/properties directory. If you used "WebAS" as the password when you generated the client and server keyrings, you need to make the following changes to the sas.client.props file:

You can now start your WebSphere application using the newly created keyring files.
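The copy step at the top of this article and the sas.client.props edit in this section, as an added worked example that is not from the IBM InfoCenter page: a POSIX shell script that installs a keyring under product_installation_root/etc with restrictive permissions, sets the client SSL properties, and then verifies that the files the properties point at exist, are JKS keystores, and are not world-readable. The property names com.ibm.ssl.keyStoreType, com.ibm.ssl.keyStore, com.ibm.ssl.keyStorePassword, com.ibm.ssl.trustStoreType, com.ibm.ssl.trustStore and com.ibm.ssl.trustStorePassword are assumed from the WebSphere 4.0 sas.client.props conventions; the page does not list them. The page also does not say which keyring file the client names as its trust file, so the script takes the key store and trust store paths as separate arguments and the built-in demo uses ClientKeyring.jks for both (an assumption to adjust). The demo's keyring is a constructed stand-in consisting only of the JKS magic bytes, not a real keystore.

```shell
#!/bin/sh
# Added example, not from the IBM InfoCenter page: install a keyring, set the
# client SSL properties in sas.client.props, and verify the result.
# ASSUMPTION: the com.ibm.ssl.* property names follow the WebSphere 4.0
# sas.client.props conventions; the page itself does not list them.
umask 077   # every file this script creates is private to the invoking user

# install_keyring SRC ROOT: copy a keyring into ROOT/etc, readable only by the
# account that runs the client or server (the file holds private keys).
install_keyring() {
    src=$1; root=$2; dest="$root/etc/$(basename "$src")"
    mkdir -p "$root/etc" && cp "$src" "$dest" && chmod 600 "$dest"
}

# set_prop FILE KEY VALUE: replace KEY=... in a Java properties file, or append it.
set_prop() {
    file=$1; key=$2; value=$3; tmp="$file.$$"
    {
        [ -f "$file" ] && grep -v "^$key=" "$file" || true
        printf '%s=%s\n' "$key" "$value"
    } > "$tmp" && mv "$tmp" "$file"
}

# get_prop FILE KEY: print the value of KEY (the last definition wins, as in Java).
get_prop() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# configure_client_keyring ROOT KEYSTORE TRUSTSTORE PASSWORD
configure_client_keyring() {
    root=$1; keystore=$2; truststore=$3; pw=$4
    props="$root/properties/sas.client.props"
    mkdir -p "$root/properties" || return 1
    set_prop "$props" com.ibm.ssl.keyStoreType JKS       # the AEs ORB accepts JKS only
    set_prop "$props" com.ibm.ssl.keyStore "$keystore"
    set_prop "$props" com.ibm.ssl.keyStorePassword "$pw"
    set_prop "$props" com.ibm.ssl.trustStoreType JKS
    set_prop "$props" com.ibm.ssl.trustStore "$truststore"
    set_prop "$props" com.ibm.ssl.trustStorePassword "$pw"
    chmod 600 "$props"   # the keyring passwords sit in this file in clear text
}

# world_readable FILE: succeed if "other" has read permission on FILE.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004)" ]
}

# verify_client_keyring PROPS: both keyrings named in PROPS must exist, start
# with the JKS magic 0xFEEDFEED, have a password set, and neither they nor
# PROPS may be world-readable. Returns 0 only if every check passes.
verify_client_keyring() {
    props=$1; status=0
    [ -f "$props" ] || { echo "missing $props" >&2; return 1; }
    if world_readable "$props"; then
        echo "$props is world-readable but contains keyring passwords" >&2; status=1
    fi
    for key in com.ibm.ssl.keyStore com.ibm.ssl.trustStore; do
        f=$(get_prop "$props" "$key")
        if [ -z "$f" ]; then echo "$key is not set" >&2; status=1; continue; fi
        if [ ! -r "$f" ]; then echo "$key: cannot read $f" >&2; status=1; continue; fi
        magic=$(od -An -t x1 -N 4 "$f" | tr -d ' \n')
        if [ "$magic" != feedfeed ]; then echo "$key: $f is not a JKS keystore" >&2; status=1; fi
        if world_readable "$f"; then echo "$key: $f is world-readable" >&2; status=1; fi
        [ -n "$(get_prop "$props" "${key}Password")" ] || { echo "${key}Password is not set" >&2; status=1; }
    done
    return $status
}

# demo: run the whole procedure in a scratch root against a constructed
# stand-in keyring (only the JKS magic bytes, not a real keystore).
demo() {
    root=$(mktemp -d) || return 1
    printf '\376\355\376\355' > "$root/ClientKeyring.jks"
    install_keyring "$root/ClientKeyring.jks" "$root" &&
    configure_client_keyring "$root" "$root/etc/ClientKeyring.jks" "$root/etc/ClientKeyring.jks" WebAS &&
    verify_client_keyring "$root/properties/sas.client.props"
    rc=$?
    rm -rf "$root"
    return $rc
}

# Usage: sh client-keyring.sh product_installation_root password
# (expects ./ClientKeyring.jks); with no arguments the script runs demo instead.
if [ $# -eq 2 ]; then
    install_keyring ClientKeyring.jks "$1" &&
    configure_client_keyring "$1" "$1/etc/ClientKeyring.jks" "$1/etc/ClientKeyring.jks" "$2" &&
    verify_client_keyring "$1/properties/sas.client.props"
elif [ $# -eq 0 ]; then
    demo
fi
```

The verification step is the part worth keeping around: because the ORB reads the keystore password from sas.client.props in clear text, a world-readable properties file or keyring silently undoes the protection the keystore password is supposed to give, and the JKS magic check catches the common mistake of pointing the property at a PEM or PKCS#12 file that the AEs ORB cannot load.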

Go to previous article: Placing a signed digital certificate into a keyring Go to next article: Using the Keytool utility
