With Secure Sockets Layer (SSL) configuration repertoire,
administrators can define any number of SSL settings that can be used
to make HyperText Transport Protocol SSL (HTTPS), Internet Inter-ORB
Protocol SSL (IIOPS) or Lightweight Directory Access Protocol SSL
(LDAPS) connections. You can reuse many of these SSL configurations
by simply specifying an alias in multiple places.
Before you begin
You must start the administrative console.
About this task
Using the SSL configuration repertoire, you can pick one
of the SSL settings defined here from any location within the administrative
console that allows SSL connections. This simplifies the SSL configuration
process because you can reuse many of these SSL configurations by
simply specifying the alias in multiple places.
Procedure
- Click Security > SSL certificate and key management >
SSL configuration to open the SSL configuration panel.
- To create a new SSL alias, click New SSL Configuration.
- Type the alias name in the Alias field.
- Specify the SSL Resource Access Control Facility (RACF®)
key ring in the Key file name field. All repertoires
used by the same server (such as HTTPS, CSIV2, z/SAS) must have the
same keyring name. If the keyring names are not the same, the HTTPS
keyring name is used to initialize the server. If you specify the
wrong RACF key ring, the server gets an error message
at runtime.
Important: z/SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.
- Optional: Select the Client authentication option
for your authentication protocol. Client authentication
occurs if this repertoire is selected for HTTPS. However, the value
is ignored if you use Common Secure Interoperability Version
2 (CSIv2) or z/OS® Secure Authentication Services (z/SAS).
To enable client authentication for CSIv2, click Security > Global
security. Under Authentication, expand RMI/IIOP, then click CSIv2
inbound authentication. Select the appropriate option for Client
certificate authentication.
To enable client authentication for z/SAS, click Security > Global
security. Under Authentication, expand RMI/IIOP, then click z/SAS
authentication. Select the Client certificate option.
- Select Strong, Medium, or Weak from
the Security level menu to specify the strong, medium, or weak
set of cipher suites. If you add specific cipher suites
on this panel, those cipher suites take precedence over the strong,
medium, or weak specification. If a cipher list is specified, WebSphere® Application Server uses the list.
If the cipher list is empty, WebSphere Application Server
uses the strong, medium, weak specification. The following list explains
these specifications:
- Strong: 128-bit cipher suites with digital signature
- Medium: 40-bit cipher suites with digital signature
- Weak: No encryption is used, but digital signature is used
- Specify the SSL V3 timeout value in the V3 timeout field.
This value is the length of time, in seconds, that the system holds
session keys. The range is 0-86400 (1 day). The default
is 600 seconds.
- Select the cipher suites that you want to
add from the Cipher suites menu. By default, this
is not set, and the cipher suites available are determined by the
value of the Security Level (Strong, Medium, or Weak).
A cipher suite is a combination of cryptographic algorithms used for
an SSL connection.
- Click OK when you have made all your selections.
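The rules stated in this procedure (every repertoire used by one server must name the same RACF key ring, otherwise the HTTPS key ring wins; an explicit cipher list overrides the Strong/Medium/Weak level; the Client authentication option is ignored for CSIv2 and z/SAS; V3 timeout must be 0-86400 seconds) are easy to violate when several aliases are edited separately. The following Python is an added example, not IBM's code and not a WebSphere API: it models a repertoire as a plain record and lints a server's HTTPS/CSIV2/z/SAS assignments against those rules. The `Repertoire` class, the key ring names, the cipher suite name and the lint functions are all constructed for illustration; the concrete suites behind each security level are chosen by WebSphere and are not listed here.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Security levels as the panel describes them (descriptions only; the
# concrete cipher suites behind each level are selected by WebSphere).
LEVEL_DESCRIPTIONS = {
    "Strong": "128-bit cipher suites with digital signature",
    "Medium": "40-bit cipher suites with digital signature",
    "Weak": "no encryption, digital signature only",
}

V3_TIMEOUT_MIN, V3_TIMEOUT_MAX, V3_TIMEOUT_DEFAULT = 0, 86400, 600


@dataclass
class Repertoire:
    """One SSL configuration alias (hypothetical record, not a WebSphere type)."""
    alias: str
    key_file_name: str                      # RACF key ring name
    security_level: str = "Strong"
    cipher_suites: List[str] = field(default_factory=list)
    v3_timeout: int = V3_TIMEOUT_DEFAULT    # seconds the session key is held
    client_authentication: bool = False


def effective_cipher_policy(rep: Repertoire) -> str:
    """Precedence rule from the panel: a non-empty cipher list wins;
    an empty list falls back to the Strong/Medium/Weak level."""
    if rep.cipher_suites:
        return "explicit: " + ", ".join(rep.cipher_suites)
    if rep.security_level not in LEVEL_DESCRIPTIONS:
        raise ValueError(f"unknown security level {rep.security_level!r}")
    return f"level {rep.security_level}: {LEVEL_DESCRIPTIONS[rep.security_level]}"


def lint_repertoire(rep: Repertoire) -> List[str]:
    """Checks that apply to a single alias regardless of where it is used."""
    findings = []
    if not V3_TIMEOUT_MIN <= rep.v3_timeout <= V3_TIMEOUT_MAX:
        findings.append(f"{rep.alias}: v3_timeout {rep.v3_timeout} outside "
                        f"{V3_TIMEOUT_MIN}-{V3_TIMEOUT_MAX}")
    if rep.security_level not in LEVEL_DESCRIPTIONS:
        findings.append(f"{rep.alias}: unknown security level {rep.security_level!r}")
    elif not rep.cipher_suites and rep.security_level != "Strong":
        # No explicit list, so the level decides: Medium is 40-bit, Weak has no encryption.
        findings.append(f"{rep.alias}: no cipher list, level {rep.security_level} "
                        f"gives {LEVEL_DESCRIPTIONS[rep.security_level]}")
    return findings


def lint_server(assignments: Dict[str, Repertoire]) -> List[str]:
    """assignments maps a protocol name ('HTTPS', 'CSIV2', 'z/SAS') to the
    repertoire that server uses for it."""
    findings = []
    keyrings = {proto: rep.key_file_name for proto, rep in assignments.items()}
    if len(set(keyrings.values())) > 1:
        # All repertoires on one server must share a key ring; the HTTPS
        # ring is what the server actually initializes with.
        findings.append(f"key ring mismatch {keyrings}; server initializes with "
                        f"HTTPS key ring {keyrings.get('HTTPS')!r}")
    for proto, rep in assignments.items():
        if proto != "HTTPS" and rep.client_authentication:
            # The panel option only takes effect for HTTPS; CSIv2 and z/SAS
            # client certificate settings live under Global security > RMI/IIOP.
            findings.append(f"{proto}: Client authentication on {rep.alias!r} is "
                            f"ignored; set it under Global security > RMI/IIOP")
        findings.extend(f"{proto}: {f}" for f in lint_repertoire(rep))
    return findings


# Constructed sample: three aliases on one server, deliberately inconsistent.
SAMPLE_HTTPS = Repertoire("DefaultHTTPS", "SERVER.KEYRING.A", "Strong")
SAMPLE_CSIV2 = Repertoire("DefaultCSIv2", "SERVER.KEYRING.B", "Medium",
                          client_authentication=True)
SAMPLE_ZSAS = Repertoire("DefaultZSAS", "SERVER.KEYRING.A", "Strong",
                         cipher_suites=["SSL_RSA_WITH_AES_128_CBC_SHA"],
                         v3_timeout=90000)
SAMPLE_SERVER = {"HTTPS": SAMPLE_HTTPS, "CSIV2": SAMPLE_CSIV2, "z/SAS": SAMPLE_ZSAS}

if __name__ == "__main__":
    for proto, rep in SAMPLE_SERVER.items():
        print(proto, "->", effective_cipher_policy(rep))
    for finding in lint_server(SAMPLE_SERVER):
        print("FINDING:", finding)
```

Run against the constructed sample, the lint reports the key ring mismatch (and that SERVER.KEYRING.A, the HTTPS ring, is the one the server would use), the ignored Client authentication flag on the CSIv2 alias, the 40-bit fallback on that same alias, and the out-of-range V3 timeout on the z/SAS alias. Feeding it the real alias values exported from the console is a quick way to catch these before a server restart surfaces them as runtime errors.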