Problem
WebSphere Application Server 4.0.x uses IBM JSSE for secure communication.
The IKeyMan key management tool packaged with WebSphere Application Server
4.0.x supports standard key and trust file formats such as Java Key Store
(JKS), PKCS12 and JCEKS; JKS is the default. The IKeyMan tool in WebSphere
Application Server 4.0.x does not recognize the IBM proprietary key file
formats used by WebSphere Application Server 3.5 and IBM HTTP Server, such
as CMS (.kdb) files and class files. Some of the key files you used with the
3.5 product therefore need to be recreated when you migrate to WebSphere
Application Server 4.0.x. There is no tool to convert those key files to the
new format.
Solution
Creating key and trust files
Follow the steps described in the InfoCenter to create the key and trust
files with the WebSphere Application Server 4.0.x IKeyMan tool. Configure
SSL using the administrative console for the ORB, LDAP, and the WebSphere
Application Server internal HTTP server. WebSphere Application Server
4.0.x still uses the sas.server.props properties file, which contains the
global security configuration, the SSL configuration, and the Security
Association Services (SAS) trace properties. However, the global security
settings and SSL configurations are managed by the administrative server
and should only be modified using the administrative console. Manually
editing those properties in the sas.server.props file has no effect. You
can still modify the tracing properties in sas.server.props to enable
tracing of the SAS code. Rules for using the properties are documented in
the WebSphere Application Server 4.0.x sas.server.props file.
Note that, besides the key and trust file format, WebSphere Application
Server 4.0.x uses SSL property names that follow JSSE terminology. Hence you
should not use the sas.server.props and sas.client.props files of WebSphere
Application Server 3.5.x products with 4.0.x products. A partial list of
properties whose names differ follows:
sas.server.props file in version 3.5.x:
com.ibm.CORBA.SSLKeyRing=com.ibm.websphere.DummyKeyring
com.ibm.CORBA.SSLKeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRing=com.ibm.websphere.DummyKeyring
com.ibm.CORBA.SSLClientKeyRingPassword=WebAS
sas.server.props file in version 4.0.x:
com.ibm.ssl.protocol=SSLv3
com.ibm.ssl.keyStoreType=JKS
com.ibm.ssl.keyStore=C:/WebSphere/AppServer/etc/DummyServerKeyFile.jks
com.ibm.ssl.keyStorePassword={xor}CDo9Hgw\=
com.ibm.ssl.trustStoreType=JKS
com.ibm.ssl.trustStore=C:/WebSphere/AppServer/etc/DummyServerTrustFile.jks
com.ibm.ssl.trustStorePassword={xor}CDo9Hgw\=
sas.client.props file in version 3.5.x:
com.ibm.CORBA.SSLKeyRing=com.ibm.websphere.DummyKeyring
com.ibm.CORBA.SSLKeyRingPassword=WebAS
com.ibm.CORBA.SSLServerKeyRing=com.ibm.websphere.DummyKeyring
com.ibm.CORBA.SSLServerKeyRingPassword=WebAS
sas.client.props file in version 4.0.x:
com.ibm.ssl.keyStore=C:/WebSphere/AppServer/etc/DummyClientKeyFile.jks
com.ibm.ssl.keyStorePassword=WebAS
com.ibm.ssl.trustStore=C:/WebSphere/AppServer/etc/DummyClientTrustFile.jks
com.ibm.ssl.trustStorePassword=WebAS
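As an added example (not part of the IBM technote), a small Python check that flags the migration problems described above in a sas.server.props or sas.client.props file: 3.5.x property names that 4.0.x ignores, store types other than JKS, PKCS12 or JCEKS, .kdb or class-file paths that the 4.0.x IKeyMan cannot read, and store passwords left in clear text. The sample file, the .kdb path in it and the minimal properties parser are constructed assumptions, not IBM code.

```python
# Property names from the 3.5.x files that 4.0.x does not read (from the technote).
LEGACY_KEYS = {
    "com.ibm.CORBA.SSLKeyRing", "com.ibm.CORBA.SSLKeyRingPassword",
    "com.ibm.CORBA.SSLClientKeyRing", "com.ibm.CORBA.SSLClientKeyRingPassword",
    "com.ibm.CORBA.SSLServerKeyRing", "com.ibm.CORBA.SSLServerKeyRingPassword",
}
SUPPORTED_STORE_TYPES = {"JKS", "PKCS12", "JCEKS"}   # formats IKeyMan 4.0.x reads
UNSUPPORTED_EXT = (".kdb", ".class")                 # 3.5 / IHS proprietary formats

def parse_props(text):
    """Minimal Java .properties parser: skips comments, unescapes '\\=' and '\\:'."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip().replace("\\=", "=").replace("\\:", ":")
    return props

def check_props(text):
    """Return a list of human-readable findings for a migrated sas.*.props file."""
    props, findings = parse_props(text), []
    for k in sorted(props):
        if k in LEGACY_KEYS:
            findings.append(f"legacy 3.5.x property ignored by 4.0.x: {k}")
    for k in ("com.ibm.ssl.keyStoreType", "com.ibm.ssl.trustStoreType"):
        if k in props and props[k] not in SUPPORTED_STORE_TYPES:
            findings.append(f"unsupported store type for {k}: {props[k]}")
    for k in ("com.ibm.ssl.keyStore", "com.ibm.ssl.trustStore"):
        if props.get(k, "").lower().endswith(UNSUPPORTED_EXT):
            findings.append(f"{k} points at a format IKeyMan 4.0.x cannot read: {props[k]}")
    for k in ("com.ibm.ssl.keyStorePassword", "com.ibm.ssl.trustStorePassword"):
        if k in props and not props[k].startswith("{xor}"):
            findings.append(f"{k} is stored in clear text")
    return findings

# Constructed sample: a 3.5.x server file only partially edited for 4.0.x.
SAMPLE = """# constructed sample, not a real installation
com.ibm.CORBA.SSLKeyRing=com.ibm.websphere.DummyKeyring
com.ibm.CORBA.SSLKeyRingPassword=WebAS
com.ibm.ssl.protocol=SSLv3
com.ibm.ssl.keyStoreType=JKS
com.ibm.ssl.keyStore=C:/WebSphere/AppServer/etc/DummyServerKeyFile.jks
com.ibm.ssl.keyStorePassword={xor}CDo9Hgw\\=
com.ibm.ssl.trustStoreType=CMS
com.ibm.ssl.trustStore=C:/WebSphere/AppServer/etc/key.kdb
com.ibm.ssl.trustStorePassword=WebAS
"""

if __name__ == "__main__":
    for finding in check_props(SAMPLE):
        print(finding)
```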
Migrating settings for the web trust association
If you have enabled the web trust association in WebSphere Application
Server 3.5.x products, the settings in
WebSphere_main_directory/properties/trustedservers.properties will not
automatically migrate to WebSphere Application Server 4.0.x. You must
manually edit the version 4.0.x trustedservers.properties file. Note that
in version 3.5.x the web trust association is enabled by setting
com.ibm.websphere.security.trustassociation.enabled=true in the
trustedservers.properties file.
This property is not in the version 4.0.x trustedservers.properties file.
To enable the web trust association in version 4.0.x you must use the
Security Center (accessible from the administrative console) and enable the
trust association flag.
If you are using the IBM Tivoli WebSEAL server, note that its trust
association interceptor class name is different in version 4.0.x from
version 3.5.x. For version 3.5.x the class name was:
com.ibm.websphere.security.trustassociation.webseal36.interceptor=com.ibm.ejs.security.web.WebSealTrustAssociationInterceptor
For version 4.0.x the class name is:
com.ibm.websphere.security.trustassociation.webseal36.interceptor=com.ibm.ws.security.web.WebSealTrustAssociationInterceptor