The following steps describe how to generate a new Java Secure Socket Extension (JSSE) repertoire
alias. Using the JSSE repertoire, you can pick one of the JSSE repertoire
settings defined here from any location within the administrative
console.
About this task
This simplifies the JSSE repertoire configuration process
because you can reuse many of these JSSE configurations by specifying
the alias in multiple places.
Procedure
- Click Security > SSL to open the SSL Configuration
Repertoires panel.
- To create a new JSSE repertoire, click New JSSE repertoire near
the top of the panel. The JSSE Repertoire panel appears.
- Enter the alias name in the Alias field.
- Optional: Select the Client authentication option
for your authentication protocol. This option enables client
authentication to occur if this repertoire is selected for HTTPS.
However, the value is ignored if you use Common Secure Interoperability
Version 2 (CSIv2) or z/OS® Secure Authentication Services
(z/SAS).
To enable client authentication for CSIv2, click Security >
Global security. Under Authentication, expand RMI/IIOP, then click CSIv2
inbound authentication. Select the appropriate option for Client
certificate authentication.
To enable client authentication for z/SAS, click Security >
Global security. Under Authentication, expand RMI/IIOP, then click z/SAS
authentication. Select the Client certificate option.
Important: z/SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.
- Select Strong, Medium, or Weak from
the Security level menu to specify the strong, medium, or weak
set of cipher suites. If you add specific cipher suites
on this panel, those cipher suites take precedence over the strong,
medium, or weak specification. If a cipher list is specified, WebSphere® Application Server uses the list.
If the cipher list is empty, WebSphere Application Server
uses the strong, medium, or weak specification. The following list
explains the strong, medium, and weak specifications:
  - Strong: 128-bit cipher suites with digital signature
  - Medium: 40-bit cipher suites with digital signature
  - Weak: No encryption is used, but digital signature is used
- Select the cipher suites that you want to add from the Cipher
suites menu. By default, this is not set. The set of
cipher suites available is determined by the value of the Security
Level (Strong, Medium, or Weak). A cipher suite
is a combination of cryptographic algorithms used for an SSL connection.
- Select the Cryptographic token option if hardware
or software cryptographic support is available.
- Indicate which JSSE provider you are using by selecting
either Predefined JSSE provider or Custom JSSE provider in
the Provider field. WebSphere Application Server comes with the IBMJSSE2
provider predefined.
If you are not using the IBMJSSE2
provider, configure a custom provider by selecting Custom JSSE
provider. Under Additional properties, click Custom Properties >
New. After specifying the custom provider, return to the JSSE
repertoire panel.
- Select a Secure Sockets Layer (SSL) or Transport Layer
Security (TLS) protocol version.
Note: The protocol chosen
for the server must match the protocol chosen for the client. Also,
for two servers to interoperate, they must use the same protocol.
- Specify the name of the key file in the Key file name field. Specify the fully qualified path to the Secure Sockets Layer
(SSL) key file that contains public keys and private keys. Type safkeyring:/// if
you are using a RACF® key ring for the key file.
- Specify the password needed to access the key file in the Key
file password field. Type password if you
are using a RACF key ring for the key store.
- Select the format of the key file from the Key file
format menu.
- Click OK when you have made all your selections.
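
The Security level step and its precedence rule (a non-empty cipher list overrides the Strong, Medium, or Weak selection) can be checked against the suites a JVM's JSSE provider actually supports. The following Java program is an added example, not IBM's code; the name-based bucketing, the grouping of 256-bit suites with Strong, and the alias names are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class RepertoireCipherAudit {

    // Buckets follow the procedure's list: Strong = 128-bit, Medium = 40-bit,
    // Weak = no encryption. Matching on the suite name is a heuristic
    // (assumption), 256-bit suites are grouped with Strong (assumption),
    // and the bucket reflects key size only, not algorithm quality.
    static String classify(String suite) {
        if (suite.contains("_WITH_NULL_")) return "Weak";
        if (suite.contains("EXPORT") || suite.contains("_40_")) return "Medium";
        if (suite.contains("_128") || suite.contains("_256")) return "Strong";
        return "Other";
    }

    // A non-empty cipher list takes precedence over the security level;
    // an empty list falls back to the suites in the selected level.
    static List<String> effective(List<String> explicit, String level, String[] available) {
        if (!explicit.isEmpty()) return explicit;
        List<String> out = new ArrayList<>();
        for (String s : available) {
            if (classify(s).equals(level)) out.add(s);
        }
        return out;
    }

    static void report(String alias, String level, List<String> explicit, String[] available) {
        System.out.println(alias + " (level=" + level + ")");
        for (String s : effective(explicit, level, available)) {
            String bucket = classify(s);
            String flag = bucket.equals("Strong") ? "" : "  <-- not in the Strong bucket";
            System.out.println("  " + bucket + "\t" + s + flag);
        }
    }

    public static void main(String[] args) throws Exception {
        // Suites the running JVM's default JSSE provider supports.
        String[] available = SSLContext.getDefault()
                .getSupportedSSLParameters().getCipherSuites();
        // Constructed sample repertoires; the alias names are hypothetical.
        report("aliasLevelOnly", "Strong", new ArrayList<String>(), available);
        report("aliasWithList", "Strong", Arrays.asList(
                "TLS_RSA_WITH_AES_128_CBC_SHA",
                "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                "SSL_RSA_WITH_NULL_SHA"), available);
    }
}
```

The second repertoire shows the effect of the precedence rule: although its level is Strong, the explicit list is what is used, so the 40-bit and no-encryption entries are reported and flagged.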