Liberty profile: Keystores

Support for a particular type of keystore in the Liberty profile can depend on what is supported by the underlying Java Runtime Environment (JRE). The following are the different keystore types in the Liberty profile.

For more information on configuration attributes of the keystore element, see Liberty profile: SSL configuration attributes.

JKS and JCEKS

Java Keystore (JKS) and Java Cryptography Extensions Keystore (JCEKS) are common between the IBM JRE and the Oracle JRE, and can be configured the same using either JRE. JKS is the default keystore type in the Liberty profile. If no keystore type is specified in the configuration, JKS is used.

An example of JKS keystore configuration is as follows:
    <keyStore id="sampleJKSKeyStore"
     location="MyKeyStoreFile.jks"
     type="JKS" password="myPassword" />

An example of JCEKS keystore configuration is as follows:
    <keyStore id="sampleJCEKSKeyStore"
     location="MyKeyStoreFile.jceks"
     type="JCEKS" password="myPassword" />

PKCS12 keystore

Public Key Cryptography Standards #12 (PKCS12) keystore can be used when using the IBM JRE. An example of PKCS12 keystore configuration is as follows:
    <keyStore id="samplePKCS12KeyStore"
     location="MyKeyStoreFile.p12"
     type="PKCS12" password="myPassword" />

CMS keystore

A CMS keystore can be configured when using the IBM JRE, but some additional configuration is required. The CMS provider is not available by default on the IBM JRE, so it must be added to the provider list in the java.security file of the IBM JRE. In the following example, the com.ibm.security.cmskeystore.CMSProvider class is added to the end of the list. Ensure that the provider numbers in the list remain consecutive after the new entry is added. The Liberty profile does not use the CMS keystore stash file to gain access to the keystore.
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.4=com.ibm.security.cert.IBMCertPath
    security.provider.5=com.ibm.security.sasl.IBMSASL
    security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.8=org.apache.harmony.security.provider.PolicyProvider
    security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.10=com.ibm.security.cmskeystore.CMSProvider

To use the CMS keystore, the configuration in the server.xml file is as follows:
    <keyStore id="sampleCMSKeyStore"
     password="myPassword"
     location="MyKeyStoreFile.kdb"
     provider="IBMCMSProvider"
     type="CMSKS"/>

For z/OS platforms

RACF keyring types

RACF keyrings can be used as keystores on z/OS. The two keyring types available are JCERACFKS and JCEHYBRIDRACFKS.

JCERACFKS keystore

JCERACFKS is a RACF keyring type. You must set up RACF before the Liberty profile can use it. Supply a URL to the keyring in the location attribute, and set the fileBased attribute to false.

An example of using the JCERACFKS keystore is as follows:
    <keyStore id="sampleKeyring" location="safkeyring:///Keyring"
     type="JCERACFKS" password="password" fileBased="false"
     readOnly="true" />

JCEHYBRIDRACFKS keystore

JCEHYBRIDRACFKS is a special keyring that checks whether a hardware keystore type is configured. If the JCEHYBRIDRACFKS keystore is not configured, the RACF keyring is used. It is supported on IBM Java 7 SR3 and later. You must edit the java.security file and add the com.ibm.crypto.ibmjcehybrid.provider.IBMJCEHYBRID class to the top of the provider list. Ensure that the provider numbers are adjusted for the new entry.

An example of using the JCEHYBRIDRACFKS keystore is as follows:
    <keyStore id="sampleHybridKeyring" location="safkeyringhybrid:///HybridKeyring"
     type="JCEHYBRIDRACFKS" password="{xor}Lz4sLCgwLTs=" fileBased="false"
     readOnly="true" />
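The CMS and JCEHYBRIDRACFKS sections above both require editing the java.security provider list, once appending an entry and once prepending one, with the provider numbers renumbered afterwards. The following added example (not part of the IBM documentation; the provider list is a constructed copy of the entries shown on this page and the helper names are assumed) performs both edits and rejects a list whose numbering has gaps or duplicates:

```python
import re

# Constructed sample: the IBM JRE provider list shown on this page, before the CMS provider is added.
SAMPLE_JAVA_SECURITY = """\
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
"""

PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)\s*$")

def parse_providers(text):
    """Return provider class names in priority order; reject gaps or duplicate numbers."""
    entries = sorted((int(m.group(1)), m.group(2))
                     for m in map(PROVIDER_RE.match, text.splitlines()) if m)
    numbers = [n for n, _ in entries]
    if numbers != list(range(1, len(numbers) + 1)):
        raise ValueError(f"provider numbers must run 1..N without gaps: {numbers}")
    return [cls for _, cls in entries]

def add_provider(text, provider_class, position):
    """Insert provider_class at the 'top' or 'end' of the list and renumber every
    security.provider.N line; all other lines of java.security are kept as they are."""
    providers = parse_providers(text)
    if position == "top":
        providers.insert(0, provider_class)
    elif position == "end":
        providers.append(provider_class)
    else:
        raise ValueError("position must be 'top' or 'end'")
    block = [f"security.provider.{i}={cls}" for i, cls in enumerate(providers, 1)]
    out, emitted = [], False
    for line in text.splitlines():
        if PROVIDER_RE.match(line):
            if not emitted:          # the renumbered list replaces the first old entry
                out.extend(block)
                emitted = True
            continue                 # remaining old entries are dropped
        out.append(line)
    if not emitted:                  # file had no provider list at all
        out.extend(block)
    return "\n".join(out) + "\n"
```

Running add_provider(SAMPLE_JAVA_SECURITY, "com.ibm.security.cmskeystore.CMSProvider", "end") yields the ten-entry list shown in the CMS section, and passing "top" with the IBMJCEHYBRID class shifts every existing provider down by one as the JCEHYBRIDRACFKS section requires.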

Last updated: Monday, 21 April 2014
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-mp&topic=rwlp_sec_keystores
File name: rwlp_sec_keystores.html