[z/OS]

Creating a new System SSL repertoire alias

With the Secure Sockets Layer (SSL) configuration repertoire, administrators can define any number of SSL settings that can be used to make Hypertext Transfer Protocol SSL (HTTPS), Internet Inter-ORB Protocol SSL (IIOPS) or Lightweight Directory Access Protocol SSL (LDAPS) connections. You can reuse many of these SSL configurations by simply specifying an alias in multiple places.

Before you begin

You must start the administrative console.

About this task

Using the SSL configuration repertoire, you can pick one of the SSL settings defined here from any location within the administrative console that allows SSL connections. This simplifies the SSL configuration process because you can reuse many of these SSL configurations by simply specifying the alias in multiple places.

Procedure

  1. Click Security > SSL certificate and key management > SSL configuration to open the SSL configuration panel.
  2. To create a new SSL alias, click New SSSL Configuration.
  3. Type the alias name in the Alias field.
  4. Specify the SSL Resource Access Control Facility (RACF®) key ring in the Key file name field. All repertoires used by the same server (such as HTTPS, CSIV2, z/SAS) must have the same keyring name. If the keyring names are not the same, the HTTPS keyring name is used to initialize the server. If you specify the wrong RACF key ring, the server gets an error message at runtime.
    Important: z/SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.
  5. Optional: Select the Client authentication option for your authentication protocol. Client authentication occurs if this repertoire is selected for HTTPS. However, the value is ignored if you use Common Secure Interoperability Version 2 (CSIv2) or z/OS® Secure Authentication Services (z/SAS).

    To enable client authentication for CSIv2, click Security > Global security. Under Authentication, expand RMI/IIOP, then click CSIv2 inbound authentication. Select the appropriate option for Client certificate authentication.

    To enable client authentication for z/SAS, click Security > Global security. Under Authentication, expand RMI/IIOP, then click z/SAS authentication. Select the Client certificate option.

  6. Select Strong, Medium, or Weak from the Security level menu to specify the high, medium, or low set of cipher suites. If you add specific cipher suites on this panel, those cipher suites take precedence over the strong, medium, or weak specification. If a cipher list is specified, WebSphere® Application Server uses the list. If the cipher list is empty, WebSphere Application Server uses the strong, medium, weak specification. The following list explains these specifications:
    Strong: 128-bit cipher suites with digital signature
    Medium: 40-bit cipher suites with digital signature
    Weak: No encryption is used, but digital signature is used
  7. Specify the SSL V3 timeout value in the V3 timeout field. This value is the length of time, in seconds, that the system holds session keys. The range is 0-86400 (1 day). The default is 600 seconds.
  8. Select the cipher suites that you want to add from the Cipher suites menu. By default, this is not set, and the cipher suites available are determined by the value of the Security Level (Strong, Medium, or Weak). A cipher suite is a combination of cryptographic algorithms used for an SSL connection.
  9. Click OK when you have made all your selections.
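
The rules in steps 4, 6 and 7 can be checked against a planned set of repertoires before the values are typed into the console. The following Python check is an added example, not IBM code; the dictionary field names (alias, used_for, key_ring, security_level, cipher_suites, v3_timeout), the key ring names and the sample repertoires are assumptions constructed for illustration.

```python
# Added example: field names and sample values are hypothetical, not WebSphere's schema.
LEVELS = {  # security levels as described in step 6
    "Strong": "128-bit cipher suites with digital signature",
    "Medium": "40-bit cipher suites with digital signature",
    "Weak": "no encryption, digital signature only",
}
MAX_V3_TIMEOUT = 86400  # seconds (1 day); the default is 600

def effective_ciphers(rep):
    """Step 6: a non-empty cipher list takes precedence over the security level."""
    ciphers = rep.get("cipher_suites") or []
    return ("list", list(ciphers)) if ciphers else ("level", rep["security_level"])

def audit(repertoires):
    """Return (alias, finding) tuples for the repertoires used by one server."""
    findings = []
    for rep in repertoires:
        source, value = effective_ciphers(rep)
        if source == "level" and value not in LEVELS:
            findings.append((rep["alias"], "unknown security level %r" % (value,)))
        elif source == "level" and value != "Strong":
            findings.append((rep["alias"], "%s in effect: %s" % (value, LEVELS[value])))
        timeout = rep.get("v3_timeout", 600)
        if not 0 <= timeout <= MAX_V3_TIMEOUT:
            findings.append((rep["alias"], "V3 timeout %d outside 0-86400" % timeout))
    # Step 4: every repertoire of the server must name the same key ring; on a
    # mismatch the HTTPS key ring is the one used to initialize the server.
    https_ring = next((r["key_ring"] for r in repertoires
                       if r.get("used_for") == "HTTPS"), None)
    for rep in repertoires:
        if https_ring is not None and rep["key_ring"] != https_ring:
            findings.append((rep["alias"], "key ring %r differs from HTTPS key ring %r, "
                             "which initializes the server" % (rep["key_ring"], https_ring)))
    return findings

SAMPLE = [  # constructed input
    {"alias": "HttpsRep", "used_for": "HTTPS", "key_ring": "WASKeyring",
     "security_level": "Strong", "v3_timeout": 600},
    {"alias": "Csiv2Rep", "used_for": "CSIv2", "key_ring": "OtherRing",
     "security_level": "Medium", "v3_timeout": 600},
    {"alias": "LegacyRep", "used_for": "z/SAS", "key_ring": "WASKeyring",
     "security_level": "Weak", "v3_timeout": 90000,
     "cipher_suites": ["SSL_RSA_WITH_AES_128_CBC_SHA"]},
]

if __name__ == "__main__":
    for alias, finding in audit(SAMPLE):
        print("%-10s %s" % (alias, finding))
```

LegacyRep is not reported for its Weak level because its explicit cipher list overrides the level, which is the precedence step 6 describes.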

Last updated: April 20, 2014 08:46 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-mp&topic=tsecconfigrepset
File name: tsec_configrepset.html