Create a Secure Sockets Layer repertoire configuration entry
Before you begin
The first step in configuring SSL is to define an SSL configuration repertoire. A repertoire contains the details necessary for building an SSL connection, such as the location of the key files, their type and the available ciphers. WAS provides a default repertoire called DefaultSSLSettings. To view this page in the administrative console, click Security | SSL to see the list of SSL repertoire settings.
Overview
The appropriate repertoire is referenced during the configuration of a service that sends and receives requests encrypted using SSL, such as the Web and enterprise beans containers. If an SSL configuration alias is referenced elsewhere, but the alias is deleted from the SSL Configuration Repertoires panel, the SSL connection fails if the deleted alias is accessed.
With the SSL configuration repertoire, administrators can define SSL settings to use for making HTTPS, IIOPS or LDAPS connections. You can pick one of the SSL settings defined here from any location within the administrative console that supports SSL connections. This selection simplifies the SSL configuration process because you can reuse many of these SSL configurations by specifying the alias in multiple places.
Procedure
- From the SSL Configuration Repertoire window, click New.
- Enter the information needed to access the key file.
  - Type the name of the key file, which must include the fully qualified path to the key file, in the Key File Name field.
  - Type the password needed to access the key file in the Key File Password field.
  - Select the format of the key file from the Key File Format menu.
- Enter the information needed to access the trust file.
  - Type the name of the trust file, which must include the fully qualified path to the trust file, in the Trust File Name field.
  - Type the password needed to access the trust file in the Trust File Password field.
  - Select the format of the trust file from the Trust File Format menu.
- Select the Client Authentication option if this configuration supports client authentication. This selection only affects HTTP and LDAP requests.
- Select the appropriate security level from the Security Level menu. Valid values are low, medium, and high. Low specifies digital signing ciphers only (no encryption); medium specifies 40-bit ciphers only (including digital signing); high specifies 128-bit ciphers only (including digital signing).
If you are using a FIPS-supported JSSE, select High from the Security Level menu.
- Select a cipher suite from the Cipher Suites menu. Manually add the cipher suite if the preset security level does not define the required cipher.
- Select the Cryptographic Token option if hardware or software cryptographic support is available.
- Indicate which JSSE provider you are using, either by selecting IBMJSSE, IBMJSSE2 (recommended) or IBMJSSEFIPS from the menu, or by typing the name of the provider. WAS includes the IBMJSSE, IBMJSSE2 and IBMJSSEFIPS JSSE providers.
See Configuring FIPS JSSE files for more information. When you use an IBM FIPS-approved JSSE, WAS automatically selects IBMJSSE2 as your provider.
If you are not using the predefined providers, a custom provider might require additional properties to be configured, which are determined by the provider. If so, click Apply | Custom Properties | New. After the custom provider is configured, return to the SSL Configuration Repertoires window and continue with these instructions.
- Select an SSL or TLS protocol version.
If you are using an IBM FIPS-approved JSSE, WAS automatically selects the TLS protocol. If you use a custom FIPS-approved JSSE, select the TLS protocol.
- Click Apply to apply the changes.
- If no errors occur, save the changes to the master configuration and restart WAS.
For more information on the FIPS certification process and to check the status of the IBM submission, see the Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List Web site. For more information on FIPS 140-2 cryptographic services, refer to Configuring FIPS JSSE files.
Result
You included additional SSL configuration repertoires with the default DefaultSSLSettings repertoire.
Example
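A pre-flight check for the settings entered in the procedure above, added here as an illustration; it is not taken from the WAS documentation or product code. The dictionary field names, file paths and service names are assumptions made for this example. The rules it applies are the ones this page states: fully qualified key and trust file paths, the three security levels, High and TLS for a FIPS-approved JSSE, and aliases that services still reference.

```python
import ntpath
import posixpath

# Security levels as the page defines them; a non-empty note is reported as a finding.
LEVEL_NOTES = {"high": None, "medium": "40-bit ciphers only",
               "low": "digital signing ciphers only, no encryption"}

def is_fully_qualified(path):
    """Accept an absolute POSIX path or an absolute Windows path."""
    return posixpath.isabs(path) or ntpath.isabs(path)

def audit(repertoires, service_refs):
    """Return (subject, finding) tuples for planned entries and alias references."""
    findings, defined = [], set()
    for rep in repertoires:
        alias = rep["alias"]
        defined.add(alias)
        for field in ("key_file", "trust_file"):
            if not is_fully_qualified(rep[field]):
                findings.append((alias, field + " is not a fully qualified path"))
        level = rep["security_level"].lower()
        if level not in LEVEL_NOTES:
            findings.append((alias, "security level must be low, medium or high"))
        elif LEVEL_NOTES[level]:
            findings.append((alias, "security level " + level + ": " + LEVEL_NOTES[level]))
        if rep.get("fips"):  # a FIPS-approved JSSE needs High and TLS
            if level != "high":
                findings.append((alias, "FIPS JSSE requires security level high"))
            if not rep["protocol"].upper().startswith("TLS"):
                findings.append((alias, "FIPS JSSE requires the TLS protocol"))
    # A service that names an alias missing from the repertoire list fails to connect.
    for service, alias in sorted(service_refs.items()):
        if alias not in defined:
            findings.append((service, "references undefined alias " + alias))
    return findings

# Constructed sample input: field names, paths and service names are hypothetical.
SAMPLE_REPERTOIRES = [
    {"alias": "DefaultSSLSettings", "key_file": "/opt/example/etc/key.jks",
     "trust_file": "/opt/example/etc/trust.jks", "security_level": "high",
     "protocol": "TLS", "fips": True},
    {"alias": "LegacyLdap", "key_file": "etc/ldap-key.jks",
     "trust_file": "C:\\example\\etc\\ldap-trust.jks", "security_level": "medium",
     "protocol": "SSL", "fips": True},
]
SAMPLE_REFS = {"web-container": "DefaultSSLSettings", "orb-iiop": "RemovedAlias"}

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_REPERTOIRES, SAMPLE_REFS):
        print(subject + ": " + finding)
```

Run it against the planned entries before clicking Apply, and again before deleting an alias from the SSL Configuration Repertoires panel.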
What to do next
For the changes to take effect, restart the server after saving the configuration.
See Also
Secure Sockets Layer
Related Tasks
Manage digital certificates
Configuring Federal Information Processing Standard Java Secure Socket Extension files
Related Information
Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List