Configuring Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL) is used by multiple components within WebSphere Application Server to provide trust and privacy.

About this task

This task covers the following configurations:

[AIX HP-UX Linux Solaris Windows] In WebSphere Application Server, SSL is configured differently for the client and for the server.

[z/OS] In WebSphere Application Server, SSL is configured differently for the client and for the server, and differently for Java Secure Socket Extension (JSSE) and System SSL.

Procedure

  1. [AIX HP-UX Linux Solaris Windows] [z/OS] Configure the client (JSSE). Use the sas.client.props file that is located, by default, in the profile_root/properties directory. The sas.client.props file is a configuration file that contains lists of property-value pairs, using the property = value syntax. The property names are case sensitive, but the values are not; the values are converted to lowercase when the file is read. Specify the following properties for an SSL connection:
    • com.ibm.ssl.protocol
    • com.ibm.ssl.keyStoreType
    • com.ibm.ssl.keyStore
    • com.ibm.ssl.keyStorePassword
    • com.ibm.ssl.trustStoreType
    • com.ibm.ssl.trustStore
    • com.ibm.ssl.trustStorePassword
    • com.ibm.ssl.enabledCipherSuites
    • com.ibm.ssl.contextProvider
    • com.ibm.ssl.keyStoreServerAlias
    • com.ibm.ssl.keyStoreClientAlias
    • [AIX HP-UX Linux Solaris Windows] For the Secure Authentication Services (SAS) authentication protocol only: com.ibm.CORBA.standardPerformQOPModels. This property also applies to Version 6.0.x and earlier servers that are federated in a Version 6.1 cell.
    • [AIX HP-UX Linux Solaris Windows] For the cryptographic token device:
      • com.ibm.ssl.tokenType
      • com.ibm.ssl.tokenLibraryFile
      • com.ibm.ssl.tokenPassword
      • com.ibm.ssl.tokenSlot (added as a custom property)
  2. [z/OS] Configure the client (System SSL).
    Configurations using System SSL are differentiated by the z/OS Secure Authentication Services (z/SAS) and Common Secure Interoperability Version 2 (CSIv2) protocols. The z/SAS protocols use renamed legacy environment variables that are provided by WebSphere Application Server for z/OS, Version 6. CSIv2 uses a new properties file that is specified by a Java property and can be used by Java clients only.
    • z/SAS:
      Deprecation: z/SAS is deprecated in WebSphere Application Server Version 6.
      1. Create an environment file for the client. Set the variables in the file as listed.
      2. Specify the SSL key ring through the security_sslKeyring variable to a key ring that is created for the client.
      3. Specify a user ID and password if using z/SAS basic authentication through the client_protocol_user and the client_protocol_password variables.
      4. Point to the environment file using the fully qualified path name through the WAS_CONFIG_FILE environment variable. For example, in the test.sh test shell script, export WAS_CONFIG_FILE=/WebSphere/V5R0M0/AppServer/bin/current.env.
    • CSIv2: CSIv2 supports Java clients only, and the com.ibm.CORBA.ConfigURL Java property must point to a properties file. You can also specify individual properties on the Java invocation.
      1. Create or update the CSIv2 properties file with the properties.
      2. Specify the SSL key ring using the com.ibm.CSI.performSSL.Keyring property.
      3. If using the Generic Security Service Username Password (GSSUP) authentication mechanism, specify the user ID and password using the com.ibm.CSI.Rem.Userid and com.ibm.CSI.Rem.Password properties. Specify GSSUP using com.ibm.CORBA.authenticationTarget=BasicAuth, com.ibm.CSI.performClientAuthenticationRequired, com.ibm.CSI.performClientAuthenticationSupported and com.ibm.CSI.performTransportAssocSSLTLSSupported.
      4. If you want client certificate authentication, specify: com.ibm.CSI.performTLClientAuthenticationRequired and com.ibm.CSI.performTLClientAuthenticationSupported.
      5. Specify the fully qualified path name of the properties file on the Java invocation, for example: -Dcom.ibm.CORBA.ConfigURL=file:/WebSphere/V5R0M0/AppServer/bin/CSI.properties
    [The preceding z/SAS and CSIv2 client configuration also applies to Version 6.0.x and earlier servers that are federated in a Version 6.1 cell.]
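The property = value syntax described for sas.client.props in step 1, and the CSIv2 properties listed in step 2, lend themselves to a consistency check before a client is deployed. The following is an added example, not IBM's code and not part of this page: it parses a properties file the way the page describes (case-sensitive names, values folded to lowercase on read for sas.client.props), reports which of the listed SSL properties are absent, and checks a CSIv2 properties file against the rules in the GSSUP and client-certificate steps. Assumptions: the sample files are constructed; whether WebSphere folds CSI.properties values to lowercase is not stated on the page, so the checker does not fold them; and com.ibm.CSI.performClientAuthenticationSupported is assumed to be the intended partner of com.ibm.CSI.performClientAuthenticationRequired, mirroring the TLClientAuthentication Required/Supported pair.

```python
"""Consistency checks for WebSphere client SSL property files.

Added example, not IBM's code. Implements the property = value syntax
the page describes for sas.client.props and applies the same syntax to
the CSIv2 properties file.
"""
import re

# SSL properties the page lists for sas.client.props.
SAS_SSL_PROPERTIES = (
    "com.ibm.ssl.protocol",
    "com.ibm.ssl.keyStoreType",
    "com.ibm.ssl.keyStore",
    "com.ibm.ssl.keyStorePassword",
    "com.ibm.ssl.trustStoreType",
    "com.ibm.ssl.trustStore",
    "com.ibm.ssl.trustStorePassword",
    "com.ibm.ssl.enabledCipherSuites",
    "com.ibm.ssl.contextProvider",
    "com.ibm.ssl.keyStoreServerAlias",
    "com.ibm.ssl.keyStoreClientAlias",
)

# Constructed sample files (not from the page), used by the checks below.
SAMPLE_SAS_CLIENT_PROPS = """\
# sas.client.props (constructed sample)
com.ibm.ssl.protocol = TLS
com.ibm.ssl.keyStoreType=JKS
com.ibm.ssl.keyStore=/path/to/client.jks
com.ibm.ssl.keyStorePassword=Secret
com.ibm.ssl.trustStoreType=JKS
com.ibm.ssl.trustStore=/path/to/trust.jks
com.ibm.ssl.trustStorePassword=
com.ibm.ssl.contextProvider=IBMJSSE2
"""

SAMPLE_CSI_PROPERTIES = """\
# CSI.properties (constructed sample, deliberately incomplete)
com.ibm.CORBA.authenticationTarget=BasicAuth
com.ibm.CSI.Rem.Userid=wsclient
com.ibm.CSI.performClientAuthenticationRequired=true
com.ibm.CSI.performTLClientAuthenticationRequired=true
"""

_LINE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")


def parse_properties(text, fold_values=False):
    """Parse property = value lines into a dict.

    Names stay case sensitive; values are lowercased only when fold_values
    is True (the sas.client.props read behaviour the page states). Blank
    lines, '#' comments and malformed lines are skipped; a repeated
    property keeps its last value.
    """
    props = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        props[name] = value.lower() if fold_values else value
    return props


def check_sas_client_props(text):
    """Return the listed SSL properties that are absent or empty."""
    props = parse_properties(text, fold_values=True)
    return [p for p in SAS_SSL_PROPERTIES if not props.get(p)]


def check_csiv2_props(text):
    """Return findings for a CSIv2 client properties file.

    Rules follow the CSIv2 steps: the key ring must be set; GSSUP
    (authenticationTarget=BasicAuth) needs the remote user ID and password
    plus the client-authentication and SSL/TLS transport flags; client
    certificate authentication needs both TL flags.
    """
    props = parse_properties(text)  # assumption: CSI values are not folded
    findings = []
    if not props.get("com.ibm.CSI.performSSL.Keyring"):
        findings.append("missing com.ibm.CSI.performSSL.Keyring")
    if props.get("com.ibm.CORBA.authenticationTarget") == "BasicAuth":
        for p in ("com.ibm.CSI.Rem.Userid",
                  "com.ibm.CSI.Rem.Password",
                  "com.ibm.CSI.performClientAuthenticationRequired",
                  "com.ibm.CSI.performClientAuthenticationSupported",
                  "com.ibm.CSI.performTransportAssocSSLTLSSupported"):
            if not props.get(p):
                findings.append(f"GSSUP selected but {p} is not set")
    tl_req = props.get("com.ibm.CSI.performTLClientAuthenticationRequired")
    tl_sup = props.get("com.ibm.CSI.performTLClientAuthenticationSupported")
    if (tl_req or tl_sup) and not (tl_req and tl_sup):
        findings.append("client certificate authentication needs both "
                        "performTLClientAuthenticationRequired and "
                        "performTLClientAuthenticationSupported")
    return findings


if __name__ == "__main__":
    print("sas.client.props missing:", check_sas_client_props(SAMPLE_SAS_CLIENT_PROPS))
    for f in check_csiv2_props(SAMPLE_CSI_PROPERTIES):
        print("CSI.properties:", f)
```

Run it as a script to see the findings for the constructed samples; point check_sas_client_props and check_csiv2_props at the contents of real files to check a client before it is used. The lowercasing in parse_properties is there because the page states it; it is worth remembering when choosing values for the sas.client.props properties.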
  3. Configure the server. Use the administrative console to configure an application server that makes SSL connections. To start the administrative console, specify the following Web address: http://server_hostname:port_number/ibm/console.
  4. [z/OS] Create a System SSL or JSSE repertoire. The type of repertoire depends on which function is configured. In general, you need to create both kinds of repertoires. System SSL repertoires are required to use SSL over HTTP and IIOP. A Java Secure Socket Extension (JSSE) repertoire is used to connect Simple Object Access Protocol (SOAP) connectors.
  5. [AIX HP-UX Linux Solaris Windows] Refer to Defining Secure Sockets Layer connections. You can select the alias later when a component is configured for SSL support. An SSL configuration repertoire entry contains the following fields:
    • Typical configuration settings:
      • Alias
      • Key file name
      • Key file password
      • Key file format
      • Trust file name
      • Trust file password
      • Trust file format
      • Client authentication
      • Security level
      • Cipher suites
    • For the cryptographic token device:
      • Cryptographic token (Create the alias first so you can configure these fields).
        • Token type
        • Library file
        • Password
    • For additional Java properties:
      • Custom properties (Create the alias first so you can configure these fields).
        • com.ibm.ssl.contextProvider
        • com.ibm.ssl.protocol
        • com.ibm.ssl.tokenSlot (for crypto slot)
        • com.ibm.ssl.keyStoreClientAlias (alias selection for client authentication to servers)
        • com.ibm.ssl.keyStoreServerAlias (alias selection for server authentication to clients)
    [AIX HP-UX Linux Solaris Windows] Note: WebSphere Application Server contains IBM Developer Kit for Java Technology Edition Version 1.4.2, which includes changes from IBM Developer Kit for Java Technology Edition Version 1.3.

    [AIX HP-UX Linux Solaris Windows] For more information, see Changes to IBM Developer Kit for Java Technology Edition Version 1.4.x.

  6. Enable SSL for a component. Navigate to a component, and configure it according to the SSL configuration repertoire process in the previous step.

Last updated: Aug 29, 2010 10:43:27 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=v602web&product=was-nd-mp&topic=tsecssl
File name: tsec_ssl.html