Keystores
The Liberty profile can create only keystores of type Java Keystore (JKS). Support for other keystore types in the Liberty profile can depend on what is supported by the underlying Java Runtime Environment (JRE). The keystore types available in the Liberty profile are described below.
For more information on configuration attributes of the keystore element, see SSL configuration attributes.
JKS and JCEKS
Java Keystore (JKS) and Java Cryptography Extensions Keystore (JCEKS) are common to the IBM JRE and the Oracle JRE, and can be configured the same way with either JRE. JKS is the default keystore type in the Liberty profile, and the only type of keystore the Liberty profile can create. If no keystore type is specified in the configuration, JKS is used.
An example of JKS keystore configuration is as follows:
<keyStore id="sampleJKSKeyStore" location="MyKeyStoreFile.jks" type="JKS" password="myPassword" />
An example of JCEKS keystore configuration is as follows:
<keyStore id="sampleJCEKSKeyStore" location="MyKeyStoreFile.jceks" type="JCEKS" password="myPassword" />
PKCS12 keystore
A Public Key Cryptography Standards #12 (PKCS12) keystore can be used, but not created, by the Liberty profile when you use the IBM JRE. An example of PKCS12 keystore configuration is as follows:
<keyStore id="samplePKCS12KeyStore" location="MyKeyStoreFile.p12" type="PKCS12" password="myPassword" />
CMS keystore
A CMS keystore can be configured, but not created, by the Liberty profile when you use the IBM JRE. However, some special configuration is required. The CMS provider is not available by default on the IBM JRE, so it must be added to the provider list in the java.security file of the IBM JRE. In the following example, the com.ibm.security.cmskeystore.CMSProvider class is added to the end of the list. Ensure that the provider number is correct in the provider list. The Liberty profile does not use the CMS keystore stash file to gain access to the keystore.
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=com.ibm.security.cmskeystore.CMSProvider
To use the CMS keystore, the configuration in server.xml is as follows:
<keyStore id="sampleCMSKeyStore" password="myPassword" location="MyKeyStoreFile.kdb" provider="IBMCMSProvider" type="CMSKS"/>
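The following Python check is an added example, not part of the original page or of IBM's tooling. It applies the instruction to keep the provider number correct: it flags gaps and reused numbers in the security.provider.N entries of java.security text and confirms that the CMS provider class is listed. The function names and the two faulty samples are constructed for illustration.

```python
import re

# Provider class named on the page; it must appear in the numbered list.
CMS_PROVIDER = "com.ibm.security.cmskeystore.CMSProvider"
ENTRY = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)")

def check_provider_list(text, required=CMS_PROVIDER):
    """Return a list of problems in the security.provider.N entries of java.security text."""
    problems, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)  # lines starting with '#' do not match
        if not m:
            continue
        num, cls = int(m.group(1)), m.group(2)
        if num in seen:
            problems.append(f"line {lineno}: security.provider.{num} already set to {seen[num]}")
        seen[num] = cls
    if not seen:
        return ["no security.provider.N entries found"]
    # The numbers must run 1..N without holes.
    for n in range(1, max(seen) + 1):
        if n not in seen:
            problems.append(f"security.provider.{n} is missing (gap in numbering)")
    if required not in seen.values():
        problems.append(f"{required} is not in the provider list")
    return problems

# The ten classes from the page's list, in order.
PAGE_CLASSES = [
    "com.ibm.jsse2.IBMJSSEProvider2", "com.ibm.crypto.provider.IBMJCE",
    "com.ibm.security.jgss.IBMJGSSProvider", "com.ibm.security.cert.IBMCertPath",
    "com.ibm.security.sasl.IBMSASL", "com.ibm.xml.crypto.IBMXMLCryptoProvider",
    "com.ibm.xml.enc.IBMXMLEncProvider",
    "org.apache.harmony.security.provider.PolicyProvider",
    "com.ibm.security.jgss.mech.spnego.IBMSPNEGO", CMS_PROVIDER,
]

def render(classes, start=1):
    """Render class names as numbered security.provider.N lines."""
    return "\n".join(f"security.provider.{i}={c}" for i, c in enumerate(classes, start))

GOOD = render(PAGE_CLASSES)
# Constructed mistakes: CMS provider added as 11 (skipping 10), and as 9 (reusing a number).
GAP = render(PAGE_CLASSES[:9]) + f"\nsecurity.provider.11={CMS_PROVIDER}"
REUSED = render(PAGE_CLASSES[:9]) + f"\nsecurity.provider.9={CMS_PROVIDER}"

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("GAP", GAP), ("REUSED", REUSED)):
        print(name, check_provider_list(text) or "ok")
```

To check a real installation, pass the contents of the JRE's java.security file to check_provider_list.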