Security configuration modifications that might be required but are not done by the automatic migration tool
Technote (FAQ)
 
Problem
WebSphere Application Server 4.0.x uses IBM JSSE for secure communication. The IKeyMan key management tool packaged with WebSphere Application Server 4.0.x supports standard key and trust file formats such as Java Key Store (JKS), PKCS12 and JCEKS; JKS is the default. The IKeyMan tool in WebSphere Application Server 4.0.x does not recognize the IBM proprietary key file formats used by WebSphere Application Server 3.5 and IBM HTTP Server, such as CMS (.kdb) and class files. Some of the key files you used with the 3.5 product must therefore be recreated when you migrate to WebSphere Application Server 4.0.x; there is no tool to convert those key files to the new format.
 
Solution
Creating key and trust files

Follow the steps described in the InfoCenter to create the key and trust files with the WebSphere Application Server 4.0.x IKeyMan. Configure SSL using the administrative console for the ORB, LDAP and the WebSphere Application Server internal HTTP server. WebSphere Application Server 4.0.x still uses the sas.server.props properties file, which contains the global security configuration, the SSL configuration and the Security Association Services (SAS) trace properties. However, the global security settings and SSL configurations are managed by the administrative server and should only be modified using the administrative console; manual edits to those properties in the sas.server.props file have no effect. You can still modify the tracing properties in sas.server.props to enable tracing of the SAS code. Rules for using the properties are documented in the WebSphere Application Server 4.0.x sas.server.props file.

Note that, besides the key and trust file format, WebSphere Application Server 4.0.x uses SSL property names that follow JSSE terminology. Hence you should not use the sas.server.props and sas.client.props files of WebSphere Application Server 3.5.x products with 4.0.x products. A partial list of properties that have different names follows:

sas.server.props file in version 3.5.x:

com.ibm.CORBA.SSLKeyRing=com.ibm.websphere.DummyKeyring
com.ibm.CORBA.SSLKeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRing=com.ibm.websphere.DummyKeyring
com.ibm.CORBA.SSLClientKeyRingPassword=WebAS

sas.server.props file in version 4.0.x:

com.ibm.ssl.protocol=SSLv3
com.ibm.ssl.keyStoreType=JKS
com.ibm.ssl.keyStore=C:/WebSphere/AppServer/etc/DummyServerKeyFile.jks
com.ibm.ssl.keyStorePassword={xor}CDo9Hgw\=
com.ibm.ssl.trustStoreType=JKS
com.ibm.ssl.trustStore=C:/WebSphere/AppServer/etc/DummyServerTrustFile.jks
com.ibm.ssl.trustStorePassword={xor}CDo9Hgw\=

sas.client.props file in version 3.5.x:

com.ibm.CORBA.SSLKeyRing=com.ibm.websphere.DummyKeyring
com.ibm.CORBA.SSLKeyRingPassword=WebAS
com.ibm.CORBA.SSLServerKeyRing=com.ibm.websphere.DummyKeyring
com.ibm.CORBA.SSLServerKeyRingPassword=WebAS

sas.client.props file in version 4.0.x:

com.ibm.ssl.keyStore=C:/WebSphere/AppServer/etc/DummyClientKeyFile.jks
com.ibm.ssl.keyStorePassword=WebAS
com.ibm.ssl.trustStore=C:/WebSphere/AppServer/etc/DummyClientTrustFile.jks
com.ibm.ssl.trustStorePassword=WebAS

Migrating settings for the web trust association

If you have enabled the web trust association in WebSphere Application Server 3.5.x products, the settings in WebSphere_main_directory/properties/trustedservers.properties will not automatically migrate to WebSphere Application Server 4.0.x. You must manually edit the version 4.0.x trustedservers.properties file. Note that in version 3.5.x the web trust association is enabled by setting com.ibm.websphere.security.trustassociation.enabled=true in the trustedservers.properties file.

This property is not in the version 4.0.x trustedservers.properties file. To enable the web trust association you must use the Security Center (accessible from the administrative console) and enable the trust association flag.

If you are using the IBM Tivoli WebSEAL server, note that its trust association interceptor class name in version 4.0.x differs from the one in version 3.5.x. For version 3.5.x the class name was--

com.ibm.websphere.security.trustassociation.webseal36.interceptor=com.ibm.ejs.security.web.WebSealTrustAssociationInterceptor

For version 4.0.x the class name is--

com.ibm.websphere.security.trustassociation.webseal36.interceptor=com.ibm.ws.security.web.WebSealTrustAssociationInterceptor
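As an added example (not an IBM tool and not part of this technote), the following Python checker reads the property files discussed above and reports the 3.5.x settings that 4.0.x does not honour: legacy com.ibm.CORBA.SSL* names, key rings that are not JKS/PKCS12/JCEKS files, the trustassociation.enabled property and the old WebSEAL interceptor class. The key store file suffix list and the finding messages are assumptions; the sample files are constructed from the property names quoted in this technote.

```python
"""Flag WebSphere 3.5.x security settings that do not carry over to 4.0.x (added example, not an IBM tool)."""
import re

STORE_FILE_EXTS = (".jks", ".jceks", ".p12", ".pfx")  # assumed suffixes of JKS/JCEKS/PKCS12 files
INTERCEPTOR_KEY = "com.ibm.websphere.security.trustassociation.webseal36.interceptor"
OLD_WEBSEAL = "com.ibm.ejs.security.web.WebSealTrustAssociationInterceptor"   # 3.5.x class
NEW_WEBSEAL = "com.ibm.ws.security.web.WebSealTrustAssociationInterceptor"    # 4.0.x class

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value, backslash escapes such as \\=."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return props

def check_sas_props(props):
    """Findings for a sas.server.props or sas.client.props that must work with 4.0.x."""
    findings = []
    for key in props:
        if key.startswith("com.ibm.CORBA.SSL"):  # 3.5.x names: 4.0.x silently ignores them
            findings.append(f"{key}: 3.5.x property name, not honoured by 4.0.x")
    for key in ("com.ibm.ssl.keyStore", "com.ibm.ssl.trustStore"):
        value = props.get(key)
        if value is None:
            findings.append(f"{key}: missing, create the file with the 4.0.x IKeyMan")
        elif value.lower().endswith(".kdb") or not value.lower().endswith(STORE_FILE_EXTS):
            findings.append(f"{key}={value}: CMS or class-file key ring, not readable by 4.0.x")
    return findings

def check_trusted_servers(props):
    """Findings for a trustedservers.properties carried over from 3.5.x."""
    findings = []
    if "com.ibm.websphere.security.trustassociation.enabled" in props:
        findings.append("trustassociation.enabled: ignored by 4.0.x, use the Security Center flag")
    if props.get(INTERCEPTOR_KEY) == OLD_WEBSEAL:
        findings.append(f"{INTERCEPTOR_KEY}: 3.5.x class, 4.0.x uses {NEW_WEBSEAL}")
    return findings

# Constructed samples using the property names quoted in this technote.
SAS_35 = "com.ibm.CORBA.SSLKeyRing=com.ibm.websphere.DummyKeyring\ncom.ibm.CORBA.SSLKeyRingPassword=WebAS\n"
SAS_40 = ("com.ibm.ssl.keyStore=C:/WebSphere/AppServer/etc/DummyServerKeyFile.jks\n"
          "com.ibm.ssl.keyStorePassword={xor}CDo9Hgw\\=\n"
          "com.ibm.ssl.trustStore=C:/WebSphere/AppServer/etc/DummyServerTrustFile.jks\n")
TRUSTED_35 = f"com.ibm.websphere.security.trustassociation.enabled=true\n{INTERCEPTOR_KEY}={OLD_WEBSEAL}\n"
```

Run check_sas_props(parse_properties(...)) on a file before the migration; an empty findings list means every property listed in this technote has been converted.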
 
 
Historical Number
110510
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Migration
Operating system(s): HP-UX
Software version: 4.0.1
Software edition:
Reference #: 1048828
IBM Group: Software Group
Modified date: Feb 4, 2002