Create a SSL repertoire configuration entryThe first step in configuring SSL is to define an SSL configuration repertoire. A repertoire contains the details necessary for building an SSL connection, such as the location of the key files, their type and the available ciphers. WAS provides a default repertoire called DefaultSSLSettings. To view this page in the administrative console, click Security > SSL to see the list of SSL repertoire settings. The appropriate repertoire is referenced during the configuration of a service that sends and receives requests encrypted using SSL, such as the Web and enterprise beans containers. If an SSL configuration alias is referenced elsewhere, but the alias is deleted from the SSL Configuration Repertoires panel, the SSL connection fails if the deleted alias is accessed.
With the SSL configuration repertoire, administrators can define SSL settings to use for making Hypertext Transfer Protocol with SSL (HTTPS), Internet InterORB Protocol with SSL (IIOPS) or LDAP with SSL (LDAPS) connections. You can pick one of the SSL settings defined here from any location within the administrative console, which supports SSL connections. This selection simplifies the SSL configuration process because you can reuse many of these SSL configurations by specifying the alias in multiple places.
- From the SSL Configuration Repertoire window, click New.
- Enter the information needed to access the key file.
- Type the name of the key file, which must include the fully qualified path to the key file, in the Key File Name field. Type safkeyring:/// if you are using a RACF key ring for the key file.
- Type the password needed to access the key file in the Key File Password field. Type password if you are using a RACF key ring for the key store.
- Select the format of the key file from the Key File Format menu.
- Enter the information needed to access the trust file.
- Type the name of the trust file, which must include the fully qualified path to the trust file, in the Trust File Name field. Type safkeyring:/// if you are using a RACF key ring as the trust store.
- Type the password needed to access the trust file in the Trust File Password field. Type password if you are using a RACF key ring as the trust store.
- Select the format of the trust file from the Trust File Format menu.
- Select the Client Authentication check box if this configuration supports client authentication.This selection only affects HTTP and LDAP requests.
- Select the appropriate security level from the Security Level menu. Valid values are low, medium, and high. Low specifies digital signing ciphers only (no encryption), medium specifies 40-bit ciphers only (including digital signing), high specifies 128-bit ciphers only (including digital signing). If you are using a FIPS-supported JSSE, select High from the Security Level menu.
- Select a cipher suite from the Cipher Suites menu.Manually add the cipher suite if the preset security level does not define the required cipher. Select the Cryptographic Token check box if the RACF key ring contains keys or certificates that were created using the RACDCERT command with the ICSF keyword specified.
- Select the Cryptographic Token check box if hardware or software cryptographic support is available. See Configuring to use cryptographic tokens for details regarding cryptographic support.
- Indicate which JSSE provider you are using by either selecting IBMJSSE or IBMJSSEFIPS from the menu, or by typing the name of the provider. WebSphere Application Server includes the IBMJSSE JSSE provider and the IBMJSSEFIPS JSSE provider.
Note that The IBMJSSEFIPS JSSE provider is undergoing FIPS 140-2 certification. Use IBMJSSEFIPS only if you are using the Transport Layer Security (TLS) protocol and not the Secure Sockets Layer (SSL) protocol. See Configuring Federal Information Processing Standard Java Secure Socket Extension files for more information. If you are not using the predefined providers, configure the custom provider by clicking Apply, then Custom Properties > New in the Additional Properties section. After the custom provider is configured, return to the SSL Configuration Repertoires window and continue with these instructions.
- Select an SSL or TLS protocol version.If you are using a FIPS-approved JSSE, select a TLS protocol version.
- Click Apply to apply the changes.
- If no errors occur, save the changes to the master configuration and restart the WAS. For more information on the FIPS certification process and to check the status of the IBM submission, see Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List Web site.
You included additional SSL configuration repertoires with the default DefaultSSLSettings repertoire.
For the changes to take effect, restart the server after saving the configuration.
Managing digital certificates
Configuring Federal Information Processing Standard Java Secure Socket Extension files
SSL configuration repertoire settings
Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List