Create a Secure Sockets Layer repertoire configuration entry

Overview

The first step in configuring Secure Sockets Layer (SSL) is to define an SSL configuration repertoire. A repertoire contains the details necessary for building an SSL connection, such as the location of the key files, their type and the available ciphers. WebSphere Application Server provides a default repertoire called DefaultSSLSettings. To view this page in the administrative console, click Security > SSL to see the list of SSL repertoire settings.

The appropriate repertoire is referenced during the configuration of a service that sends and receives requests encrypted using SSL, such as the Web and enterprise beans containers. If an SSL configuration alias is referenced elsewhere, but the alias is deleted from the SSL Configuration Repertoires panel, the SSL connection fails if the deleted alias is accessed.

With the SSL configuration repertoire, administrators can define SSL settings to use for making Hypertext Transfer Protocol with SSL (HTTPS), Internet InterORB Protocol with SSL (IIOPS) or Lightweight Directory Access Protocol with SSL (LDAPS) connections. You can pick one of the SSL settings defined here from any location within the administrative console that supports SSL connections. This selection simplifies the SSL configuration process because you can reuse many of these SSL configurations by specifying the alias in multiple places.

  1. From the SSL Configuration Repertoire window, click New.

  2. Enter the information needed to access the key file.

    1. Type the name of the key file, which must include the fully qualified path to the key file, in the Key File Name field.

    2. Type the password needed to access the key file in the Key File Password field.

    3. Select the format of the key file from the Key File Format menu.

  3. Enter the information needed to access the trust file.

    1. Type the name of the trust file, which must include the fully qualified path to the trust file, in the Trust File Name field.

    2. Type the password needed to access the trust file in the Trust File Password field.

    3. Select the format of the trust file from the Trust File Format menu.

  4. Select the Client Authentication option if this configuration supports client authentication. This selection only affects HTTP and LDAP requests.

  5. Select the appropriate security level from the Security Level menu. Valid values are low, medium, and high. Low specifies digital signing ciphers only (no encryption), medium specifies 40-bit ciphers only (including digital signing), high specifies 128-bit ciphers only (including digital signing).

    If you are using a Federal Information Processing Standards (FIPS)-supported Java Secure Socket Extension (JSSE), select High from the Security Level menu.

  6. Select a cipher suite from the Cipher Suites menu. If you choose a cipher suite, WebSphere Application Server uses this selection to override the security level setting.

  7. Select the Cryptographic Token check box if hardware or software cryptographic support is available. See Configuring to use cryptographic tokens for details regarding cryptographic support.

  8. Indicate which JSSE provider you are using by either selecting IBMJSSE or IBMJSSEFIPS from the menu, or by typing the name of the provider. WebSphere Application Server includes the IBMJSSE JSSE provider and the IBMJSSEFIPS JSSE provider.

    Use IBMJSSEFIPS only if you are using the Transport Layer Security (TLS) protocol and not the Secure Sockets Layer (SSL) protocol. See Configuring Federal Information Processing Standard Java Secure Socket Extension files for more information.

    On the HP-UX platform, WebSphere Application Server uses the Sun JSSE framework and provider. The Sun JSSE framework is not pluggable for export control reasons. The lack of pluggability within the Sun JSSE framework prohibits WebSphere Application Server from using the IBMJSSE or the IBMJSSEFIPS provider. The Sun JSSE framework is part of the core IBM Developer Kit for HP-UX, Java Technology Edition, V1.4.x, which is located in the java/jre/lib/jsse.jar file.

    If you are not using the predefined providers, a custom provider might require additional properties to be configured, which are determined by the provider. If so, click Apply, then Custom Properties > New in the Additional Properties section. After the custom provider is configured, return to the SSL Configuration Repertoires window and continue with these instructions.

  9. Select an SSL or TLS protocol version. If you are using a FIPS-approved JSSE, select a TLS protocol version.

  10. Click Apply to apply the changes.

  11. If no errors occur, save the changes to the master configuration and restart the WebSphere Application Server. For more information on the FIPS certification process and to check the status of the IBM submission, see the Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List Web site.
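As an added example (not IBM's code and not how the administrative console is implemented), this Java snippet shows how the repertoire fields above map onto the standard JSSE API that the selected provider plugs into: the key and trust files are loaded in their declared format, the security level becomes a cipher-suite filter using the page's definitions, an explicit cipher-suite choice overrides that level, and the protocol version and client-authentication flag are applied. The class and method names, the password arrays and the `_NULL_`/`_40_`/`_128_`/`_256_` suite-name patterns are assumptions for illustration; current JSSE providers no longer ship 40-bit suites, so the medium level yields an empty list on them.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

public class SslRepertoireDemo {
    // Key File / Trust File fields: path, format ("JKS" or "PKCS12") and password.
    static KeyStore load(String path, String format, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(format);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
    // Security Level as the page defines it: low = signing only (no encryption),
    // medium = 40-bit ciphers, high = 128-bit or stronger. Name patterns are assumed.
    static List<String> suitesForLevel(String[] supported, String level) {
        List<String> out = new ArrayList<>();
        for (String s : supported) {
            boolean keep = "low".equals(level) ? s.contains("_NULL_")
                    : "medium".equals(level) ? s.contains("_40_") : (s.contains("_128_") || s.contains("_256_"));
            if (keep) out.add(s);
        }
        return out;
    }
    static SSLEngine build(String keyFile, String keyFormat, char[] keyPw,
                           String trustFile, String trustFormat, char[] trustPw, boolean clientAuth,
                           String level, String[] chosenSuites, String protocolVersion) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyFile, keyFormat, keyPw), keyPw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustFile, trustFormat, trustPw));
        SSLContext ctx = SSLContext.getInstance(protocolVersion);   // e.g. "TLSv1.2"
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setEnabledProtocols(new String[] { protocolVersion });
        engine.setNeedClientAuth(clientAuth);   // the Client Authentication check box
        // As in the console, an explicit cipher-suite choice overrides the security level.
        List<String> suites = chosenSuites != null ? Arrays.asList(chosenSuites)
                : suitesForLevel(engine.getSupportedCipherSuites(), level);
        engine.setEnabledCipherSuites(suites.toArray(new String[0]));
        return engine;
    }
}
```

Inspecting `engine.getEnabledCipherSuites()` after `build` shows exactly which suites a given level or explicit choice leaves enabled on your provider, which is a quick way to confirm that a "high" repertoire really excludes weak suites.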

 

Results

You have added SSL configuration repertoires alongside the default DefaultSSLSettings repertoire.

What to do next

For the changes to take effect, restart the server after saving the configuration.

