Securing communications
WebSphere® Application Server provides several ways to secure communication between a server and its clients.
About this task
Note: This release provides new functions for securing communication between servers and clients. These functions focus on certificate management, authentication, and ensuring that application servers, administrative agents, and job managers trust one another. The new functions include:
- Creating and using a certificate authority (CA) client, so that certificates can be requested from, queried against, and revoked by a CA.
- Creating and using chained personal certificates, which allow a signed certificate to have a longer validity period.
- Creating and revoking certificate authority (CA) certificates, to secure communication between the CA client and the CA server.
- Allowing a WebSphere Application Server administrator to create, configure, and enable System Authorization Facility (SAF) keyrings by using the Open Cryptographic Services Facility (OCSF) data library functions for SAF keyrings.

This section contains the following topics:
Procedure
- Secure communications using Secure Sockets Layer (SSL)
- Creating an SSL configuration
- Creating a keystore configuration
- Creating a certificate authority (CA) client
- Deleting a certificate authority (CA) client
- Viewing or modifying a certificate authority (CA) client
- Creating a keystore configuration for a preexisting keystore file
- Creating a self-signed certificate
- Creating a certificate authority request
- Creating writable SAF keyrings
- Using writable SAF keyrings
- Extracting a signer certificate from a personal certificate
- Retrieving signers from a remote SSL port
- Adding a signer certificate to a keystore
- Adding a signer certificate to the default signers keystore
- Exchanging signer certificates in a keystore
- Configuring certificate expiration monitoring
- Key management for cryptographic uses
- Creating a key set configuration
- Creating a key set group configuration
- Configuring the web server plug-in to use Secure Sockets Layer
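The steps above can be scripted instead of clicked through in the administrative console. The following wsadmin Jython script is an added example, not a script that ships with WebSphere Application Server: it creates a keystore and a separate truststore, generates a self-signed personal certificate, retrieves the signer certificate that a remote SSL port presents into the truststore, builds an SSL configuration that references both stores, and enables certificate expiration monitoring. AdminTask and AdminConfig are objects that wsadmin predefines; the cell name, file paths, password, host names, port, and the assumption that the release accepts `-sslProtocol TLSv1.2` are mine and must be adjusted for your topology. The command names are those of the WebSphere AdminTask SSL configuration command group; check the parameter names against the reference for your release before running it.

```python
# Added example (not part of the product): wsadmin Jython script for the
# procedure above.  Run with:  wsadmin -lang jython -f secure_comm.py
# wsadmin predefines AdminTask and AdminConfig; the values below are assumptions.

CELL = 'myCell01'                                   # assumption: your cell name
SCOPE = '(cell):%s' % CELL                          # objects are created at cell scope
KEYSTORE = 'AppKeyStore'                            # holds the personal certificate
TRUSTSTORE = 'AppTrustStore'                        # holds signer certificates only
KS_PATH = '${CONFIG_ROOT}/cells/%s/appKeyStore.p12' % CELL      # assumption
TS_PATH = '${CONFIG_ROOT}/cells/%s/appTrustStore.p12' % CELL    # assumption
PASSWORD = 'changeit'                               # assumption: replace, never commit
SERVER_CN = 'app01.example.com'                     # assumption: name clients connect to
PEER_HOST, PEER_PORT = 'dmgr.example.com', 9443     # assumption: remote SSL endpoint

try:
    AdminTask, AdminConfig                          # defined when run under wsadmin
except NameError:
    AdminTask = AdminConfig = None                  # imported elsewhere: dry run only


def create_keystore(admin_task, name, path, password, scope):
    """Keystore configuration object backed by a new PKCS12 file, opened at server start."""
    return admin_task.createKeyStore(
        '[-keyStoreName %s -keyStoreType PKCS12 -keyStoreLocation %s '
        '-keyStorePassword %s -keyStorePasswordVerify %s '
        '-keyStoreInitAtStartup true -scopeName %s]'
        % (name, path, password, password, scope))


def create_self_signed_cert(admin_task, keystore, alias, cn, org, days, scope):
    """Personal certificate with a 2048-bit key and an explicit, short validity."""
    return admin_task.createSelfSignedCertificate(
        '[-keyStoreName %s -keyStoreScope %s -certificateAlias %s -certificateSize 2048 '
        '-certificateCommonName %s -certificateOrganization "%s" -certificateValidDays %d]'
        % (keystore, scope, alias, cn, org, days))


def retrieve_signer_from_port(admin_task, truststore, host, port, alias, scope):
    """Fetch the signer the remote endpoint presents and store it in the truststore.
    Compare the fingerprint wsadmin prints with one obtained out of band: whatever
    answers on that port is what you are about to trust."""
    return admin_task.retrieveSignerFromPort(
        '[-host %s -port %d -keyStoreName %s -keyStoreScope %s -certificateAlias %s]'
        % (host, port, truststore, scope, alias))


def create_ssl_config(admin_task, alias, keystore, truststore, key_alias, scope):
    """SSL configuration that keeps our identity (key store) apart from whom we trust."""
    return admin_task.createSSLConfig(
        '[-alias %s -type JSSE -scopeName %s -keyStoreName %s -keyStoreScopeName %s '
        '-trustStoreName %s -trustStoreScopeName %s -serverKeyAlias %s -clientKeyAlias %s '
        '-sslProtocol TLSv1.2 -securityLevel HIGH]'
        % (alias, scope, keystore, scope, truststore, scope, key_alias, key_alias))


def configure_expiration_monitor(admin_task, days_before):
    """Warn days_before expiry and start the monitor.  Automatic replacement covers only
    self-signed and chained certificates the server created; a CA-signed certificate
    is reported and needs a new certificate request."""
    admin_task.modifyWSCertExpMonitor(
        '[-name "Certificate Expiration Monitor" -daysBeforeNotification %d '
        '-isEnabled true -autoReplace true -deleteOld true]' % days_before)
    return admin_task.startCertificateExpMonitor()


def secure_cell(admin_task, admin_config):
    """Run the whole procedure, save it, and return the names of the objects created."""
    create_keystore(admin_task, KEYSTORE, KS_PATH, PASSWORD, SCOPE)
    create_keystore(admin_task, TRUSTSTORE, TS_PATH, PASSWORD, SCOPE)
    create_self_signed_cert(admin_task, KEYSTORE, 'appCert', SERVER_CN, 'Example Corp', 365, SCOPE)
    retrieve_signer_from_port(admin_task, TRUSTSTORE, PEER_HOST, PEER_PORT, 'dmgrSigner', SCOPE)
    create_ssl_config(admin_task, 'AppSSLConfig', KEYSTORE, TRUSTSTORE, 'appCert', SCOPE)
    configure_expiration_monitor(admin_task, 60)
    admin_config.save()                             # nothing takes effect until saved
    return {'keyStore': KEYSTORE, 'trustStore': TRUSTSTORE, 'sslConfig': 'AppSSLConfig'}


if AdminTask is not None:
    secure_cell(AdminTask, AdminConfig)
```

In a Network Deployment cell the saved configuration still has to be synchronized to the nodes, and the new SSL configuration is not used until an endpoint or the cell default is pointed at it; both are separate steps. The script deliberately uses two stores: a compromised or over-broad truststore then cannot leak the private key, and the truststore can be copied to clients without the personal certificate.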
Subtopics
Secure communications using Secure Sockets Layer (SSL)
The Secure Sockets Layer (SSL) protocol provides transport layer security, including authenticity, data signing, and data encryption, to ensure a secure connection between a client and a server that uses WebSphere Application Server. The foundation technology for SSL is public key cryptography, which guarantees that data encrypted with an entity's public key can be decrypted only by the holder of the corresponding private key.

Creating a Secure Sockets Layer configuration
Secure Sockets Layer (SSL) configurations contain the attributes that you need to control the behavior of client and server SSL endpoints. You create SSL configurations with unique names within specific management scopes on the inbound and outbound tree in the configuration topology. This task shows you how to define SSL configurations, including quality of protection and trust and key manager settings.

Creating a CA client in SSL
A plug point is provided so that you can connect to a certificate authority (CA) to request, query, and revoke certificates. A security configuration object, called a CAClient, must be created for WebSphere Application Server to communicate with the CA. The CAClient object must contain a WSPKIClient implementation, which handles the connection and communicates with the CA server. You can also create your own implementation.

Deleting a CA client in SSL
You can delete the CAClient object from the security configuration if a connection to a certificate authority (CA) is no longer needed.

Viewing or modifying a CA client in SSL
You can view or modify the CAClient object settings in the security configuration. The CAClient object contains all the information needed to connect and communicate with a certificate authority (CA). A connection to a certificate authority is used to request a certificate, query a certificate, or revoke a certificate.

Creating a keystore configuration for a preexisting keystore file
A Secure Sockets Layer (SSL) configuration references keystore configurations during security processing. If another keystore tool was used to create a keystore file, or the keystore file was saved from a previous configuration, you must create a new keystore configuration object that references the preexisting keystore file. The server then uses this new keystore configuration object to obtain information from the preexisting keystore file.

Creating a self-signed certificate
You can create a self-signed certificate. WebSphere Application Server uses the certificate at run time during the handshake protocol. Self-signed certificates are located in the default keystore.

Creating a certificate authority request
To ensure Secure Sockets Layer (SSL) communication, servers require a personal certificate that is self-signed, chained, or signed by an external certificate authority (CA). You must first create a personal certificate request to obtain a certificate that is signed by a CA.

Using writable SAF keyrings
WebSphere Application Server allows an administrator to perform certificate management operations on System Authorization Facility (SAF) keyrings by using the Open Cryptographic Services Facility (OCSF) data library functions for SAF keyrings.

Adding the correct SSL Signer certificates to the plug-in keystore
Personal certificates contain a private key and a public key. You can extract the public part, called the signer certificate, to a file and then import it into another keystore. During a Secure Sockets Layer (SSL) connection, the server sends its personal certificate to the client. The client must hold the matching signer certificate to trust it.

Retrieving signers from a remote SSL port
To perform Secure Sockets Layer (SSL) communication with a server, WebSphere Application Server needs that server's signer certificate. You can retrieve the signer certificate that a remote server presents on its secure SSL port during the handshake, and then add it to a truststore. Because the certificate is obtained over the network, compare its fingerprint with one obtained out of band before you add it, so that you do not establish trust in a signer presented by an interposed host.

Adding a signer certificate to a keystore
Signer certificates establish the trust relationship in SSL communication. You can extract the signer part of a personal certificate from a keystore, and then you can add the signer certificate to other keystores.

Adding a signer certificate to the default signers keystore
Signer certificates are added to a keystore on the client side of an SSL communication to establish trust with the server. It is common practice for keystores to have trust established when they are created. The DmgrDefaultSignersStore on a deployment manager and the NodeDefaultSignersStore on a stand-alone application server are created to hold the signer certificates that are used, by default, to establish trust in newly created keystores.

Exchanging signer certificates
To establish trust relationships, you can exchange signer certificates between keystores. When you exchange signer certificates, you extract the signer part of a personal certificate from each keystore and add it to the other keystore as a signer certificate.

Configuring certificate expiration monitoring
When certificates expire, they can no longer be used by the system. WebSphere Application Server provides a utility to monitor certificates that are close to expiration or have already expired. You can schedule certificate monitoring, or you can request certificate monitoring on demand. You can also configure options for deleting expired certificates and for recreating certificates.

Key management for cryptographic uses
WebSphere Application Server provides a framework for managing keys (secret keys or key pairs) that applications use to perform cryptographic operations on data. The key management framework provides an application programming interface (API) for retrieving these keys. Keys are managed in keystores, so any keystore type that WebSphere Application Server supports can be used, provided that the keystore can store the referenced key type. You can configure keys and scope keystores so that they are visible only to particular processes, nodes, clusters, and so on.

Creating a key set configuration
You can use key sets to manage multiple instances of cryptographic keys. WebSphere Application Server uses keys to encrypt or sign outbound data, and to decrypt or verify inbound data, during cryptographic operations.

Creating a key set group configuration
A key set group manages one or more key sets. WebSphere Application Server uses key set groups to automatically generate cryptographic keys or multiple synchronized key sets.

Using the java.security file in Java 8
Starting with Java™ 8, WebSphere Application Server uses the IBM JDK java.security file.

Configuring the web server plug-in to use Secure Sockets Layer
This topic describes the configuration that is required to set up a secure connection between the web server plug-in and the internal HTTP transport in the web container of the application server.
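The key set and key set group topics above describe a mechanism whose consequences are easy to misjudge: a key set retains only a bounded number of key generations, and a key set group rotates all of its key sets together. The Python example below is added here to make that behaviour concrete; it is an illustration of the concepts, not the WebSphere key management API or its KeySetHelper. A KeySet keeps up to max_key_references generations under aliases built from an alias prefix and deletes older ones when delete_old_keys is set, a KeySetGroup generates new generations for all member key sets at once, and a consumer signs with the newest generation but verifies against every retained one, so data signed more than max_key_references rotations ago stops verifying. The key set names, the HMAC-SHA256 signing, and the in-memory dictionary standing in for the keystore are assumptions made for the example.

```python
# Added example (not WebSphere's own API): key sets, key set groups and bounded rotation.
import hashlib
import hmac
import secrets


class KeySet:
    """A named series of secret keys under one alias prefix, like a WebSphere key set.
    Up to max_key_references generations are retained; older ones are deleted when
    delete_old_keys is set, which is what keeps the set of valid verifiers bounded."""

    def __init__(self, name, alias_prefix, max_key_references=3, delete_old_keys=True,
                 generator=lambda: secrets.token_bytes(32)):
        self.name = name
        self.alias_prefix = alias_prefix
        self.max_key_references = max_key_references
        self.delete_old_keys = delete_old_keys
        self.generator = generator          # stands in for the key generation class
        self.keys = {}                      # alias -> key bytes (stands in for the keystore)
        self.version = 0

    def generate(self):
        """Create the next generation and drop the oldest ones beyond the retention limit."""
        self.version += 1
        alias = '%s_%d' % (self.alias_prefix, self.version)
        self.keys[alias] = self.generator()
        if self.delete_old_keys:
            for old in self.aliases()[:-self.max_key_references]:
                del self.keys[old]
        return alias

    def aliases(self):
        """Retained aliases, oldest first."""
        return sorted(self.keys, key=lambda a: int(a.rsplit('_', 1)[1]))

    def latest(self):
        alias = self.aliases()[-1]
        return alias, self.keys[alias]


class KeySetGroup:
    """Generates keys for several key sets in lock step, like a key set group whose
    autoGenerate schedule fires (the schedule itself is outside this example)."""

    def __init__(self, name, key_sets):
        self.name = name
        self.key_sets = {ks.name: ks for ks in key_sets}

    def generate_keys(self):
        """One rotation: every member key set gets a new generation with the same version."""
        return {name: ks.generate() for name, ks in self.key_sets.items()}

    def latest_keys(self):
        return {name: ks.latest() for name, ks in self.key_sets.items()}

    def all_keys(self, set_name):
        ks = self.key_sets[set_name]
        return [(alias, ks.keys[alias]) for alias in ks.aliases()]


def sign(group, set_name, data):
    """Outbound data is always signed with the newest generation."""
    _alias, key = group.latest_keys()[set_name]
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(group, set_name, data, tag):
    """Inbound data is accepted if any retained generation verifies it.
    Returns the alias that verified the tag, or None if no retained key matches."""
    for alias, key in group.all_keys(set_name):
        if hmac.compare_digest(hmac.new(key, data, hashlib.sha256).hexdigest(), tag):
            return alias
    return None
```

The practical consequence is the interaction between max_key_references and the rotation schedule: anything still in flight (a token, a stored encrypted value) must be re-signed or re-encrypted before its generation is rotated out, so the product of the two settings has to exceed the longest lifetime of the data the keys protect.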


http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=tsec_securecomm
File name: tsec_securecomm.html