During the SSL authentication process, WebSphere® Application Server treats a certificate that is connected to the keyring as a PERSONAL certificate as a KeyEntry. You can use such a certificate as an end-user certificate in a Secure Sockets Layer (SSL) handshake because its private key is available.
WebSphere Application Server treats a certificate that is connected to the keyring as a CERTAUTH certificate as a TrustedCertEntry, that is, as a Certificate Authority (CA) certificate. A keyring requires both kinds: end-user certificates connected as PERSONAL and CA certificates connected as CERTAUTH. Certificates connected as SITE are not supported in this release.
For example, a keyring that satisfies these requirements lists a PERSONAL end-user certificate and a CERTAUTH CA certificate:

Certificate Label Name        Cert Owner    USAGE      DEFAULT
----------------------------  ------------  ---------  -------
PersonalEndUserCert           ID(USERID)    PERSONAL   YES
PersonalEndUserCACert         CERTAUTH      CERTAUTH   NO
security.provider.X=com.ibm.security.cert.IBMCertPath
If one of the RACF certificates fails to load, the keystore is not loaded. You must remove any unwanted certificates from the keyring.
The RACFInputStream constructor takes three parameters: the RACF user ID that owns the keyring, the keyring name, and the keystore password.

import java.security.KeyStore;
import com.ibm.crypto.provider.RACFInputStream;

String ksfname = "my_key_ring";   // keyring name; placeholder, substitute your own ring
char[] storePass = null;          // no password is needed; SAF authorization controls access to the ring
RACFInputStream riStream = new RACFInputStream(System.getProperty("user.name"),  // RACF user ID
                                               ksfname,                           // keyring name
                                               storePass);                        // password
KeyStore racfKeyStore = KeyStore.getInstance("JCERACFKS");
racfKeyStore.load(riStream, storePass);   // fails as a whole if any certificate on the ring fails to load
riStream.close();
In the above example, the system property user.name is referenced to provide the user ID that WebSphere Application Server passes to RACF. This example is not typical. For more information about using RACFInputStream, see the document z/OS Unique Considerations for the Java 2 SDK, Standard Edition, v 6.0. A link to this z/OS® document is provided in the Related Links section of this topic.
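The following is an added example, not code from the IBM documentation: it loads a keyring through RACFInputStream in the same way as the snippet above and then classifies each label as the server sees it, KeyEntry (PERSONAL) or TrustedCertEntry (CERTAUTH), warning when the ring holds no PERSONAL certificate for an SSL handshake. It assumes the RACFInputStream constructor (user ID, ring name, password) shown above and uses the ring name my_key_ring from the java.policy example as a placeholder.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import com.ibm.crypto.provider.RACFInputStream;

public class RacfRingCheck {
    // Load the keyring through RACFInputStream exactly as the server does.
    // KeyStore.load() fails as a whole if any certificate on the ring cannot be loaded.
    public static KeyStore loadRing(String userId, String ringName) throws Exception {
        char[] noPassword = null;   // SAF authorization, not a password, protects the ring
        RACFInputStream in = new RACFInputStream(userId, ringName, noPassword);
        try {
            KeyStore ks = KeyStore.getInstance("JCERACFKS");
            ks.load(in, noPassword);
            return ks;
        } finally {
            in.close();
        }
    }
    // Classify each label the way the server sees it and return the number of
    // PERSONAL (KeyEntry) labels, i.e. certificates usable in an SSL handshake.
    public static int report(KeyStore ks) throws KeyStoreException {
        int personal = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String label = e.nextElement();
            X509Certificate cert = (X509Certificate) ks.getCertificate(label);
            String kind;
            if (ks.isKeyEntry(label)) {                 // private key present: PERSONAL
                kind = "PERSONAL (KeyEntry)";
                personal++;
            } else if (ks.isCertificateEntry(label)) {  // CA certificate: CERTAUTH
                kind = "CERTAUTH (TrustedCertEntry)";
            } else {
                kind = "unsupported entry type";        // neither: the server cannot use it
            }
            System.out.printf("%-24s %-28s %s%n", label, kind,
                    cert == null ? "(no certificate)" : cert.getSubjectX500Principal());
        }
        if (personal == 0) {
            System.out.println("WARNING: no PERSONAL certificate on the ring; an SSL handshake has no key to use");
        }
        return personal;
    }
    public static void main(String[] args) throws Exception {
        String userId = args.length > 0 ? args[0] : System.getProperty("user.name");
        String ring = args.length > 1 ? args[1] : "my_key_ring";   // placeholder ring name
        report(loadRing(userId, ring));
    }
}
```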
-Djava.protocol.handler.pkgs

This property names the package that supplies the handler for safkeyring:// URLs, so that a keyring can be referenced by URL rather than by file name.

If you are using the IBM® Java Cryptography Extension (IBMJCE) provider to provide cryptographic support, set the property to the following value:

-Djava.protocol.handler.pkgs=com.ibm.crypto.provider

If you are using the IBMJCE4758 provider to provide cryptographic support, set the property to the following value:

-Djava.protocol.handler.pkgs=com.ibm.crypto.hdwrCCA.provider
You can use a URL to specify a stream handler in the java.policy file. The jarsigner utility also accepts a URL for the -keystore parameter. When certificates from a RACF keyring verify signed jar files, you can specify that WebSphere Application Server must use the keyring as an input stream to the keystore in the java.policy file, as shown in the following example:

keystore "safkeyring://myracfid/my_key_ring", "JCERACFKS";

In this example, the corresponding jarsigner command is:

jarsigner -keystore safkeyring://myracfid/my_key_ring -signedjar ibmjceproviders.jar ibmjceprovider.jar ibmprovider -storetype JCERACFKS