[Updated in February 2012] [z/OS]

Configuring file-based key stores in WebSphere Application Server z/OS

A Secure Sockets Layer (SSL) configuration references key store configurations at WebSphere Application Server run time. The steps below export a RACF certificate, store it in a file-based key store, and configure that file-based key store so that an SSL client can make a connection using Java Secure Socket Extension (JSSE).

Before you begin

A RACF certificate must already exist.

About this task

The following steps export a RACF certificate, store it in a file-based key store, and configure the file-based key store so that an SSL client can make a connection using Java Secure Socket Extension. The Java keytool utility is used to import the RACF certificate into the key stores. The key store type PKCS12 is used; similar steps apply to key store type JKS. Perform the following steps using the administrative console.

Procedure

  1. Click Security > SSL certificate and key management.
  2. Under Related Items, click Key stores and certificates, then click CellDefaultTrustStore.
  3. Under Additional Properties, click Signer certificates.
  4. Select the check box for the WebSphereCA certificate. This is the certificate you extract from the administrative console into the HFS.
  5. Click the Extract button. The certificate General Properties panel for the WebSphereCA certificate appears.
  6. Supply the path and a file name, with data type Binary DER data, where you want the certificate stored.

    For example, /WebSphere/V6R1/DeploymentManager/profiles/default/etc

  7. Click Apply/OK. The administrative console message indicates that the signer certificate, WebSphereCA, was successfully extracted to the file /WebSphere/V6R1/DeploymentManager/profiles/default/etc/WebSphereCA. The following example shows a "before" and "after" of this extract process.

    Before

    /WebSphere/V6R1/DeploymentManager/profiles/default/etc:>ls -lart
    total 128
    drwxrwxr-x 3 WSADMIN CBCFG1 8192 Jun 12 11:04 ws-security
    -rwxrwxr-x 1 WSADMIN CBCFG1 727 Jun 12 11:04 serverCert.arm
    -rwxrwxr-x 1 WSADMIN CBCFG1 727 Jun 12 11:04 clientCert.arm
    -rwxrwxr-x 1 WSADMIN CBCFG1 6696 Jun 12 11:04 DummyServerTrustFile.jks
    -rwxrwxr-x 1 WSADMIN CBCFG1 2337 Jun 12 11:04 DummyServerKeyFile.jks
    -rwxrwxr-x 1 WSADMIN CBCFG1 2334 Jun 12 11:04 DummyClientKeyFile.jks
    -rwxrwxr-x 1 WSADMIN CBCFG1 834 Jun 12 11:05 trust.p12
    -rwxrwxr-x 1 WSADMIN CBCFG1 1538 Jun 12 11:05 key.p12
    -rwxrwxr-x 1 WSADMIN CBCFG1 7267 Jun 12 11:05 DummyClientTrustFile.jks
    drwxrwxr-x 3 WSADMIN CBCFG1 8192 Jun 12 11:05 .
    drwxrwxr-x 17 WSADMIN CBCFG1 8192 Oct 15 11:06 ..

    After

    /WebSphere/V6R1/DeploymentManager/profiles/default/etc:>ls -lart
    total 136
    drwxrwxr-x 3 WSADMIN CBCFG1 8192 Jun 12 11:04 ws-security
    -rwxrwxr-x 1 WSADMIN CBCFG1 727 Jun 12 11:04 serverCert.arm
    -rwxrwxr-x 1 WSADMIN CBCFG1 727 Jun 12 11:04 clientCert.arm
    -rwxrwxr-x 1 WSADMIN CBCFG1 6696 Jun 12 11:04 DummyServerTrustFile.jks
    -rwxrwxr-x 1 WSADMIN CBCFG1 2337 Jun 12 11:04 DummyServerKeyFile.jks
    -rwxrwxr-x 1 WSADMIN CBCFG1 2334 Jun 12 11:04 DummyClientKeyFile.jks
    -rwxrwxr-x 1 WSADMIN CBCFG1 834 Jun 12 11:05 trust.p12
    -rwxrwxr-x 1 WSADMIN CBCFG1 1538 Jun 12 11:05 key.p12
    -rwxrwxr-x 1 WSADMIN CBCFG1 7267 Jun 12 11:05 DummyClientTrustFile.jks
    drwxrwxr-x 17 WSADMIN CBCFG1 8192 Oct 15 11:06 ..
    -rw-rw---- 1 DMSR1 CBCFG1 625 Oct 15 11:53 WebSphereCA
    drwxrwxr-x 3 WSADMIN CBCFG1 8192 Oct 15 11:54 .
  8. Set up the z/OS client environment. Under Telnet or USS, set PATH so that the WebSphere and Java binaries are found:
    export PATH=$PATH:/WebSphere/V6R1/DeploymentManager/bin:.
    export PATH=$PATH:/WebSphere/V6R1/DeploymentManager/java/bin:.
  9. Add the certificate authority (CA) certificate to the file-based PKCS12 trust store using the Java keytool utility. The file name is case-sensitive in the HFS, so it must match the name given in step 6. Compare the fingerprints that keytool displays with those of the certificate you extracted before answering yes at the prompt.
    /WebSphere/V6R1/DeploymentManager/profiles/default/etc:>keytool -import
    -file WebSphereCA -keystore trust.p12 -storetype PKCS12 -storepass WebAS
    Owner: CN=WAS CertAuth for Security Domain, OU=SY1
    Issuer: CN=WAS CertAuth for Security Domain, OU=SY1
    Serial number: 0
    Valid from: 6/12/09 1:00 AM until: 12/31/10 11:59 PM
    Certificate fingerprints:
    MD5: 40:EF:C7:6F:36:47:47:4B:BD:8F:CE:21:67:DA:DD:F5
    SHA1: EC:4E:24:BD:20:D1:74:55:F1:82:38:13:48:90:F2:19:32:79:C0:1B
    Trust this certificate? [no]: yes
    Certificate was added to keystore
  10. List and verify that the CA certificate was added to the truststore.
    /WebSphere/V6R1/DeploymentManager/profiles/default/etc:>keytool -list
    -keystore trust.p12 -storetype PKCS12 -storepass WebAS
    Keystore type: PKCS12
    Keystore provider: IBMJCE
    Your keystore contains 2 entries
    cn=was certauth for security domain, ou=sy1, Dec 31, 1969,
    trustedCertEntry,
    Certificate fingerprint (MD5):
    40:EF:C7:6F:36:47:47:4B:BD:8F:CE:21:67:DA:DD:F5
    default_signer, Dec 31, 1969, trustedCertEntry,
    Certificate fingerprint (MD5):
    4B:49:9B:8D:17:99:3D:2D:A2:D2:54:D1:8E:0C:43:1E
  11. Configure the z/OS client to use the file-based key stores.
    1. Update the ssl.client.props file so that key.p12 and trust.p12 are the key store and trust store:
      /WebSphere/V6R1/DeploymentManager/profiles/default/properties/ssl.client.props
      # KeyStore information
      com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
      #com.ibm.ssl.keyStore=safkeyring:///WASKeyring.PLEX1
      #com.ibm.ssl.keyStorePassword={xor}Lz4sLCgwLTs=
      #com.ibm.ssl.keyStoreType=JCERACFKS
      #com.ibm.ssl.keyStoreProvider=IBMJCE
      #com.ibm.ssl.keyStoreFileBased=false
      com.ibm.ssl.keyStore=/WebSphere/V6R1/DeploymentManager/profiles/default/etc/key.p12
      com.ibm.ssl.keyStorePassword=WebAS
      com.ibm.ssl.keyStoreType=PKCS12
      com.ibm.ssl.keyStoreProvider=IBMJCE
      com.ibm.ssl.keyStoreFileBased=true
      :
      # Truststore information
      com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
      #com.ibm.ssl.trustStore=safkeyring:///WASKeyring.PLEX1
      #com.ibm.ssl.trustStorePassword={xor}Lz4sLCgwLTs=
      #com.ibm.ssl.trustStoreType=JCERACFKS
      #com.ibm.ssl.trustStoreProvider=IBMJCE
      #com.ibm.ssl.trustStoreFileBased=false
      com.ibm.ssl.trustStore=/WebSphere/V6R1/DeploymentManager/profiles/default/etc/trust.p12
      com.ibm.ssl.trustStorePassword=WebAS
      com.ibm.ssl.trustStoreType=PKCS12
      com.ibm.ssl.trustStoreProvider=IBMJCE
      com.ibm.ssl.trustStoreFileBased=true
      
    2. Encode the passwords using the PropFilePasswordEncoder utility. The utility creates a backup of the original properties file and also converts the properties file to ASCII. The backup (.bak) file still contains the clear-text passwords, so restrict its permissions or delete it once the encoded file has been verified:
      /WebSphere/V6R1/DeploymentManager/profiles/default/properties:>PropFilePasswordEncoder.sh ssl.client.props com.ibm.ssl.keyStorePassword
      Create a backup file of the original properties file which contains unencoded passwords? (y/n): y
      NOTE: Backup file /WebSphere/V6R1/DeploymentManager/profiles/default/properties/ssl.client.props.bak contains unencoded passwords
      /WebSphere/V6R1/DeploymentManager/profiles/default/properties:>PropFilePasswordEncoder.sh ssl.client.props com.ibm.ssl.trustStorePassword
      Create a backup file of the original properties file which contains unencoded passwords? (y/n): y
      NOTE: Backup file /WebSphere/V6R1/DeploymentManager/profiles/default/properties/ssl.client.props.bak contains unencoded passwords
    3. Verify whether ssl.client.props is now ASCII or EBCDIC. The file command reports the ASCII-converted properties file as binary data and the EBCDIC backup as text:
      /WebSphere/V6R1/DeploymentManager/profiles/default/properties:>file
      ssl.client.props*
      ssl.client.props: binary data
      ssl.client.props.bak: text
      
      The passwords for the key stores in the ssl.client.props file are now encoded as shown below.
      com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
      com.ibm.ssl.trustStorePassword={xor}CDo9Hgw=
      
      The ssl.client.props file looks like this:
      com.ibm.ssl.keyStore=/WebSphere/V6R1/DeploymentManager/profiles/default/etc/key.p12
      com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
      com.ibm.ssl.keyStoreType=PKCS12
      com.ibm.ssl.keyStoreFileBased=true
      ...
      com.ibm.ssl.trustStore=/WebSphere/V6R1/DeploymentManager/profiles/default/etc/trust.p12
      com.ibm.ssl.trustStorePassword={xor}CDo9Hgw=
      com.ibm.ssl.trustStoreType=PKCS12
      com.ibm.ssl.trustStoreFileBased=true
    4. Use the retrieveSigners utility, instead of the administrative console, to list the key stores on both the client and the server.
      /WebSphere/V6R1/DeploymentManager/profiles/default/bin:>retrieveSigners.sh
      -listLocalKeyStoreNames
      
      CWPKI0307I: The following local keystores exist on the client:
      ClientDefaultKeyStore, ClientDefaultTrustStore
      
      /WebSphere/V6R1/DeploymentManager/profiles/default/bin:>retrieveSigners.sh
      -listRemoteKeyStoreNames
      
      CWPKI0306I: The following remote keystores exist on the specified server:
      CellDefaultKeyStore, CellLTPAKeys, LEX1Manager/DefaultIIOPSSL_key,
      SY1/DefaultIIOPSSL_trust, PLEX1Manager/DefaultIIOPSSL_trust,
      SY1/DefaultIIOPSSL_key, CellDefaultTrustStore
    5. Import the SAF keyring signer certificates into the file-based key store and trust store.
      /WebSphere/V6R1/DeploymentManager/profiles/default/bin:>retrieveSigners.sh
      CellDefaultTrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner
      CWPKI0308I: Adding signer alias "CN=BOSSXXXX.PLEX1.L2.IBM.COM, OU=PLEX1, O=IBM"
      to local keystore "ClientDefaultTrustStore" with the following SHA
      digest: EC:4E:24:BD:20:D1:74:55:F1:82:38:13:48:90:F2:19:32:79:C0:1B
      CWPKI0308I: Adding signer alias "CN=WAS CertAuth for Security Domain, OU=SY1"
      to local keystore "ClientDefaultTrustStore" with the following SHA
      digest: EC:4E:24:BD:20:D1:74:55:F1:82:38:13:48:90:F2:19:32:79:C0:1B
      CWPKI0309I: All signers from remote keystore already exist in local keystore.
      /WebSphere/V6R1/DeploymentManager/profiles/default/bin:>retrieveSigners.sh
      CellDefaultKeyStore ClientDefaultKeyStore -autoAcceptBootstrapSigner
      CWPKI0308I: Adding signer alias "websphereca" to local keystore
      "ClientDefaultKeyStore" with the following SHA digest:
      EC:4E:24:BD:20:D1:74:55:F1:82:38:13:48:90:F2:19:32:79:C0:1B
    6. Establish a SOAP connection from a client using the key stores.
      Note: The WebSphere Server cell configuration is using the SAF Keyring.
      /:>wsadmin.sh -conntype SOAP -host boss0232.plex1.l2.ibm.com -port 8879
      -user ibmuser -password ibmuser
      WASX7209I: Connected to process "dmgr" on node PLEX1Manager using SOAP
      connector; The type of process is: DeploymentManager
      WASX7029I: For help, enter: "$Help help"
      wsadmin>
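Steps 9 and 10 above accept the signer at the keytool prompt and then confirm it by reading the listing. The following Python script is an added example, not part of IBM's documentation or of the WebSphere product: it parses a keytool -list dump into aliases and fingerprints, computes the fingerprint of a DER certificate file the same way keytool prints it (so the value shown at the "Trust this certificate?" prompt can be compared against the file extracted in step 7), and looks an expected fingerprint up in the store. The sample listing is the step 10 output with each field re-joined onto one line; the sample DER bytes are a constructed placeholder, not a real certificate, and the function and regex names are this example's own.

```python
import hashlib
import re

# keytool -list prints one "alias, Mon dd, yyyy, entryType," line per entry,
# then "Certificate fingerprint (ALG): xx:xx:...". The alias may itself contain
# commas (here it is the lowercased subject DN), so the match is anchored on the
# trailing date and entry type rather than on the first comma.
ENTRY_RE = re.compile(
    r"^(?P<alias>.+?),\s*[A-Z][a-z]{2} \d{1,2}, \d{4},\s*"
    r"(?P<kind>trustedCertEntry|PrivateKeyEntry|keyEntry|SecretKeyEntry),?\s*$"
)
# Also matches the bare "SHA1: ..." lines that keytool -import prints at the prompt.
FP_RE = re.compile(r"\(?(?P<alg>MD5|SHA1|SHA256)\)?:\s*(?P<fp>(?:[0-9A-F]{2}:)+[0-9A-F]{2})")


def parse_keytool_list(text):
    """Map each alias in a keytool -list dump to its entry type and fingerprint."""
    entries, alias = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            alias = m.group("alias")
            entries[alias] = {"type": m.group("kind"), "alg": None, "fingerprint": None}
            continue
        m = FP_RE.search(line)
        if m and alias is not None:
            entries[alias].update(alg=m.group("alg"), fingerprint=m.group("fp"))
    return entries


def fingerprint(der_bytes, alg="sha1"):
    """Digest of a DER-encoded certificate, colon-separated and uppercase like keytool."""
    hexdigest = hashlib.new(alg, der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def alias_for_fingerprint(entries, fp):
    """Alias whose entry carries this fingerprint, or None if the signer is not in the store."""
    wanted = fp.upper()
    return next((a for a, e in entries.items() if e["fingerprint"] == wanted), None)


def signer_present(listing_text, der_bytes, alg="md5"):
    """True when the certificate in der_bytes is already in the listed key store."""
    entries = parse_keytool_list(listing_text)
    return alias_for_fingerprint(entries, fingerprint(der_bytes, alg)) is not None


# Constructed sample: the step 10 listing, re-joined so each field is on one line.
SAMPLE_LISTING = """Keystore type: PKCS12
Keystore provider: IBMJCE
Your keystore contains 2 entries
cn=was certauth for security domain, ou=sy1, Dec 31, 1969, trustedCertEntry,
Certificate fingerprint (MD5): 40:EF:C7:6F:36:47:47:4B:BD:8F:CE:21:67:DA:DD:F5
default_signer, Dec 31, 1969, trustedCertEntry,
Certificate fingerprint (MD5): 4B:49:9B:8D:17:99:3D:2D:A2:D2:54:D1:8E:0C:43:1E
"""
# Constructed placeholder standing in for the bytes of the extracted WebSphereCA
# DER file; a real run would use open(path, "rb").read() on that file.
SAMPLE_DER = b"\x30\x82\x02\x6d\x30\x82\x01\xd6placeholder-not-a-real-certificate"

if __name__ == "__main__":
    entries = parse_keytool_list(SAMPLE_LISTING)
    for alias, info in entries.items():
        print(f"{alias}: {info['type']} {info['alg']} {info['fingerprint']}")
    print("extracted file fingerprint:", fingerprint(SAMPLE_DER, "md5"))
    print("already in store:", signer_present(SAMPLE_LISTING, SAMPLE_DER))
```

Run it with the real listing piped from keytool -list and the extracted file read from the etc directory; a False from signer_present after step 9 means the wrong file, or a differently cased file name, was imported.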
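Step 11 shows the ssl.client.props fragment before and after PropFilePasswordEncoder runs. The following Python script is an added example, not part of IBM's documentation or of the WebSphere product. It reproduces the {xor} encoding so the WebAS value on this page can be checked (the encoding XORs each byte with the '_' character and base64-encodes the result, which is what turns WebAS into {xor}CDo9Hgw=), and it audits a props fragment for three things that break a file-based client SSL configuration: a password left in clear text, FileBased=true pointing at a safkeyring: URL or a non-file store type, and a store path that does not exist. The sample fragment is constructed from the step 11 values with the key store password deliberately left unencoded; the exists parameter is injectable so the check can run off the z/OS system, and all function names are this example's own.

```python
import base64
import os

# PropFilePasswordEncoder's {xor} form XORs every byte of the password with '_'
# (0x5F) and base64-encodes the result. It is reversible obfuscation, not
# encryption: it keeps passwords out of casual view, but anyone who can read
# ssl.client.props (or the .bak copy) can recover them, so the file permissions
# on both files are the real control.
XOR_KEY = 0x5F


def xor_encode(plaintext):
    raw = bytes(b ^ XOR_KEY for b in plaintext.encode("utf-8"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")


def xor_decode(encoded):
    if not encoded.startswith("{xor}"):
        raise ValueError("value is not {xor}-encoded")
    raw = base64.b64decode(encoded[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def parse_props(text):
    """Minimal key=value parser; comments, blank lines and the ':' elision marker are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit_ssl_client_props(text, exists=os.path.exists):
    """Return (property, problem) findings for an ssl.client.props body."""
    props, findings = parse_props(text), []
    for store in ("keyStore", "trustStore"):
        base = "com.ibm.ssl." + store
        password = props.get(base + "Password")
        if password is not None and not password.startswith("{xor}"):
            findings.append((base + "Password", "clear-text password; run PropFilePasswordEncoder"))
        if props.get(base + "FileBased") == "true":
            path = props.get(base, "")
            if path.startswith("safkeyring:"):
                findings.append((base, "FileBased=true but the store is a SAF keyring"))
            elif props.get(base + "Type") not in ("PKCS12", "JKS"):
                findings.append((base + "Type", "file-based store needs a file type such as PKCS12 or JKS"))
            elif not exists(path):
                findings.append((base, "store file not found: " + path))
    return findings


# Constructed sample: the step 11 fragment with the key store password still in
# clear text and the trust store password already encoded.
SAMPLE_PROPS = """# KeyStore information
com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
#com.ibm.ssl.keyStore=safkeyring:///WASKeyring.PLEX1
com.ibm.ssl.keyStore=/WebSphere/V6R1/DeploymentManager/profiles/default/etc/key.p12
com.ibm.ssl.keyStorePassword=WebAS
com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.keyStoreFileBased=true
:
# Truststore information
com.ibm.ssl.trustStore=/WebSphere/V6R1/DeploymentManager/profiles/default/etc/trust.p12
com.ibm.ssl.trustStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStoreFileBased=true
"""

if __name__ == "__main__":
    print(xor_encode("WebAS"))  # the value PropFilePasswordEncoder wrote in step 11
    for prop, problem in audit_ssl_client_props(SAMPLE_PROPS, exists=lambda p: True):
        print(prop, "->", problem)
```

Point audit_ssl_client_props at the real file contents with the default exists to confirm that both .p12 paths resolve on the client; the commented-out safkeyring: lines on the page are skipped by the parser, so only the active values are checked.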

Results

You have successfully extracted the signer certificate as a certificate file and have stored it into /WebSphere/V6R1/DeploymentManager/profiles/default/etc with the given name (WebSphereCA) and set up the z/OS client environment so that the z/OS client can use file-based key stores.

What to do next

Your z/OS client can now use file-based key stores.




Last updated: Aug 31, 2013 4:28:44 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-mp&topic=tsec_config_fb_zos
File name: tsec_config_fb_zos.html

