Use this page to configure Secure Sockets Layer (SSL) or Java Secure Sockets Extension (JSSE) settings for the server. To configure SSL, you need to define an SSL configuration repertoire. A repertoire contains the details necessary for building an SSL connection, such as the location of the key files, their type and the available ciphers. WebSphere Application Server provides a default repertoire called DefaultSSLSettings.
To view this administrative console page, click Security > SSL > alias_name.
Specifies the name of the specific SSL setting
Data type: | String |
This field is used on the System SSL Repertoire and Java Secure Sockets Extension (JSSE) Repertoire panels.
Specifies the fully qualified path to the SSL key file that contains public keys and might contain private keys.
On z/OS, there are two types of Secure Sockets Layer (SSL): Java Secure Socket Extension (JSSE) SSL and System SSL. For Java Secure Socket Extension (JSSE) SSL, the key file name specifies the fully qualified path to the SSL key file that contains public keys and private keys. For System SSL, the key file name specifies the name of the System Authorization Facility (SAF) key ring. The key file name might also be the name of the SAF key ring that contains public and private keys.
For JSSE SSL, the key file specifies the keystore file. The key file might also specify the System Authorization Facility (SAF) Key ring that contains certificates and keys. You can create a JSSE SSL keystore file by using the keytool utility found in the WebSphere bin directory. The key file contains certificates and keys.
For System SSL or JSSE, you can create an SSL key ring by using the Resource Access Control Facility (RACF) command, RACDCERT. Issue this command in your MVS environment, such as TSO READY or ISPF option 6. The key ring contains the private certificate of this server and certificates of trusted certificate authorities. The certificates for the trusted certificate authorities validate the client certificates and other server certificates that are exchanged with this server during the SSL handshake. The repertoires that you define for a server require identical key file names.
Data type: | String |
This field is used on the System SSL Repertoire and JSSE Repertoire panels.
Specifies whether to request a certificate from the client for authentication purposes when making a connection.
When performing client authentication with the Internet Inter-ORB Protocol (IIOP) for EJB requests, click Security > Global security. Under Authentication, click Authentication protocol > CSIv2 inbound authentication or Authentication protocol > CSIv2 outbound authentication. Select the appropriate option under Client certificate authentication.
Default: | Disabled |
Range: | Enabled or Disabled |
This field is used on the System SSL Repertoire and JSSE Repertoire panels.
Specifies whether the server selects from a pre-configured set of security levels.
Data type: | Valid values include Low, Medium, or High. To specify all ciphers or any particular range, you can set the com.ibm.ssl.enabledCipherSuites property. See the SSL documentation for more information. |
Default: | High |
Range: | Low, Medium, or High |
This field is used on the System SSL Repertoire and JSSE Repertoire panels.
Specifies the length of time that a browser can reuse a System SSL Version 3 session ID without renegotiating encryption keys with the server.
The repertoires that you define for a server require the same V3 timeout value.
Data type: | Integer |
Default: | 100 |
Range: | 1 to 86400 |
This field is used on the System SSL Repertoire panel.
Specifies a list of supported cipher suites that can be selected during the SSL handshake. If you select cipher suites individually here, you override the cipher suites set in the Security Level field.
Data type: | String |
Default: | None |
This field is used on the System SSL Repertoire and JSSE Repertoire panels.
Refers to a package that implements a subset of the Java security application programming interface (API) cryptography aspects.
If you select Predefined JSSE provider, select a provider from the menu.
WebSphere Application Server has the IBMJSSE predefined provider.
The name for the Cipher suite property is com.ibm.ssl.enabledCipherSuites. The name for the protocol property is com.ibm.ssl.protocol.
This field is used on the JSSE Repertoire panel.
Specifies which SSL protocol to use.
Default: | SSL |
Range: | SSL_TLS, SSL, SSLv2, SSLv3, TLS, TLSv1 |
This field is used on the JSSE Repertoire panel.
Specifies the password for accessing the SSL key file.
Data type: | String |
This field is used on the JSSE Repertoire panel.
Specifies the format of the SSL key file.
You can choose from the following key file formats: JKS, JCEK, PKCS12, JCERACFKS (z/OS only) and JCE4758RACFKS (z/OS only). The JKS format does not store a shared key. For more secure key files, use the JCEK format. PKCS12 is the standard file format.
Data type: | String |
Default: | JKS |
Range: | JKS, JCEK, PKCS12, JCERACFKS (z/OS only), and JCE4758RACFKS (z/OS only) |
This field is used on the JSSE Repertoire panel.
Specifies the fully qualified path to a trust file containing the public keys.
You can create a trust file by using the keytool utility located in the WebSphere bin directory.
The test certificates are only intended for use in a test environment.
If a trust file is not specified but the SSL key file is specified, then the SSL key file is used for retrieval of signer certificates as well as personal certificates.
Data type: | String |
This field is used on the JSSE Repertoire panel.
Specifies the password for accessing the SSL trust file.
Data type: | String |
This field is used on the JSSE Repertoire panel.
Specifies the format of the SSL trust file.
You can choose from the following trust file formats: JKS, JCEK, PKCS12, JCERACFKS (z/OS only) and JCE4758RACFKS (z/OS only). The JKS format does not store a shared key. For more secure trust files, use the JCEK format. PKCS12 is the standard file format.
Data type: | String |
Default: | JKS |
Range: | JKS, JCEK, PKCS12, JCERACFKS (z/OS only), and JCE4758RACFKS (z/OS only) |
This field is used on the JSSE Repertoire panel.
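The following is an added example, not code from WebSphere Application Server or this page, showing how the JSSE repertoire fields described above (key file and format, trust file with its fall-back to the key file, protocol, explicit cipher suites overriding the security level, and client authentication) map onto standard JSSE calls. The class name RepertoireSslContext, the listening port 8443, and the use of the standard JCA keystore type names (JKS, JCEKS, PKCS12) are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper: builds a server socket from repertoire-style settings. */
public final class RepertoireSslContext {

    /** Loads a key or trust file; the JCA type name is "JKS", "JCEKS" or "PKCS12". */
    static KeyStore load(String path, String format, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(format);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static SSLServerSocket build(String keyFile, char[] keyPassword, String keyFormat,
                                 String trustFile, char[] trustPassword, String trustFormat,
                                 String protocol, String[] cipherSuites, boolean clientAuth)
            throws GeneralSecurityException, IOException {
        KeyStore keyStore = load(keyFile, keyFormat, keyPassword);
        // Rule from the trust file description: with no trust file, the key file
        // supplies the signer certificates as well as the personal certificate.
        KeyStore trustStore = (trustFile == null)
                ? keyStore : load(trustFile, trustFormat, trustPassword);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Protocol corresponds to com.ibm.ssl.protocol, e.g. "TLS" or "TLSv1".
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(8443);
        if (cipherSuites != null) {
            // An explicit list (com.ibm.ssl.enabledCipherSuites) overrides the security level.
            server.setEnabledCipherSuites(cipherSuites);
        }
        server.setNeedClientAuth(clientAuth); // the Client authentication field
        return server;
    }
}
```

Passing null for trustFile exercises the fall-back path; any server and trust file names, passwords and formats you supply must match the files you actually created with keytool.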