
Enable SSL communication for the Liberty profile

You can enable SSL for the Liberty profile with a minimal set of SSL configuration options by configuring only the keystore and accepting the defaults for everything else. During the connection handshake the server presents the certificate held in that keystore to the client. The server asks the client to send back a certificate, or certificate chain, for client authentication only if client authentication is enabled in the ssl configuration; it is not part of the minimal configuration described here.

  1. Edit...

      /wlp/usr/servers/myServer/server.xml

    ...and enable the ssl-1.0 feature.

    Also enable appSecurity-2.0 if application security is required; with application security enabled, requests for protected resources are redirected to the secure port.

  2. Add the keyStore service object entry to server.xml. The id must be defaultKeyStore for the default SSL configuration to pick it up...

      <keyStore id="defaultKeyStore"
                        password="myPassword" />

    By default, defaultKeyStore references the keystore file resources/security/key.jks under the server configuration directory (/wlp/usr/servers/myServer in this example)...

      server/resources/security/key.jks

    If the keystore file does not exist, the server creates it for you, and also creates a self-signed certificate inside it with...

    • A validity period of 365 days
    • The CN value of the certificate's subjectDN set to the host name of the machine where the server is running
    • A signature algorithm of SHA1withRSA

    The keystore password can be entered in clear text or encoded using securityUtility (securityUtility encode produces a {xor} value). Encoding only hides the password from casual reading: anyone who can read server.xml can decode it, so restrict read access to the file regardless of which form you use. The password provided must be at least 6 characters long.

    This configuration is the minimum needed to create an SSL configuration.

    The certificates that the Liberty server creates are not intended for production use; they are a developer convenience. Certificates used in production should be properly chained and issued or signed by a trusted certificate authority.

    To use self-signed certificates with a longer duration, or customized subjectDN...

    An example of a SAF keyring in the minimal configuration:

      <keyStore id="defaultKeyStore"
                location="safkeyring:///WASKeyring"
                type="JCERACFKS"
                password="password"
                fileBased="false"
                readOnly="true" />


    RACF keyrings need to be set up before configuring them for use by the Liberty server. The server will not create certificates and add them to RACF.

    The single keyStore entry of a minimal SSL configuration can be extended to include the location and type as well.

      <keyStore id="defaultKeyStore" location="myKeyStore.p12" password="myPassword" type="PKCS12"/>

    The location parameter can be an absolute path to the keystore file; a relative path is resolved under the resources/security directory of the server configuration directory. If the location is an absolute path, the keystore file is assumed to exist already. Keystores of other types can also be specified in the minimal SSL configuration, provided the keystore file has already been created.

    When the minimal SSL configuration is used, the SSL configuration defaults are used to create the SSL context for the SSL handshake: the protocol is SSL_TLS by default, and the HIGH cipher suites (128-bit and stronger) can be used. Because SSL_TLS lets the JSSE provider negotiate older protocol versions, production servers should pin the protocol explicitly by adding an ssl element with the sslProtocol attribute (for example TLSv1.2) and making it the default with sslDefault.
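A complete server.xml that applies steps 1 and 2 end to end, with the minimal keyStore entry extended to a pre-built PKCS12 keystore and an explicit TLS protocol, as an added example; it is not from the original page or the Liberty product documentation. The keystore file name myKeyStore.p12, the {xor} password value, the port numbers and the choice of TLSv1.2 are assumptions made for illustration; the element and attribute names (featureManager, keyStore, ssl, sslDefault, httpEndpoint) are standard Liberty configuration.

```xml
<server description="myServer: minimal SSL configuration, extended">

    <!-- Step 1: enable the SSL feature. appSecurity-2.0 is needed only when
         application security is required; with it enabled, requests for
         protected resources are redirected to the secure port. -->
    <featureManager>
        <feature>ssl-1.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <!-- Step 2, minimal form (developer convenience only): the server creates
         resources/security/key.jks with a 365-day, SHA1withRSA self-signed
         certificate. Left commented out so that only one defaultKeyStore is active. -->
    <!--
    <keyStore id="defaultKeyStore" password="myPassword" />
    -->

    <!-- Step 2, extended form: an existing PKCS12 keystore (assumed file name)
         holding a CA-issued, properly chained certificate. The relative location
         resolves under ${server.config.dir}/resources/security. The password is
         an illustrative {xor} value of the kind 'securityUtility encode' prints;
         generate your own, and remember that encoding is not encryption, so
         restrict read access to server.xml. -->
    <keyStore id="defaultKeyStore"
              location="myKeyStore.p12"
              type="PKCS12"
              password="{xor}MiYPPiwsKDAtOw==" />

    <!-- Override the SSL_TLS protocol default: negotiate TLSv1.2 only, and do
         not ask clients for certificates (client authentication is a separate,
         opt-in step, not part of the minimal configuration). -->
    <ssl id="defaultSSLConfig"
         keyStoreRef="defaultKeyStore"
         sslProtocol="TLSv1.2"
         clientAuthentication="false"
         clientAuthenticationSupported="false" />
    <sslDefault sslRef="defaultSSLConfig" />

    <!-- Bind the secure port. httpPort="-1" disables the plain HTTP listener
         so that no request can bypass TLS. -->
    <httpEndpoint id="defaultHttpEndpoint"
                  host="*"
                  httpPort="-1"
                  httpsPort="9443" />

</server>
```

After starting the server, confirm the result from outside rather than trusting the configuration: connect to port 9443 with a TLS client and check that the certificate chain presented is the CA-issued one from myKeyStore.p12, that the negotiated protocol is TLSv1.2, and that a plain HTTP connection to the old port is refused.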

Subtopics

Parent topic: Secure communications with the Liberty profile

Concepts: The limits to protection through password encryption
Set up a Liberty profile to run in SP800-131a
Configure an OpenID Connect Provider
Configure an OpenID Connect Client
Configure an OpenID Connect Provider to use the RSA-SHA256 algorithm for signing of ID tokens