Repertoire settings

 

+

Search Tips   |   Advanced Search

 

Use this page to configure SSL or JSSE settings. To configure SSL, define an SSL configuration repertoire, which contains the details necessary for building an SSL connection, such as the location of the key files, their type and the available ciphers. WAS provides a default repertoire called DefaultSSLSettings.

To view this administrative console page, click...

Security | SSL | alias_name

Provider

Refers to a package that implements a subset of the Java security API cryptography aspects. WAS has the following predefined providers.

  • IBMJSSE
  • IBMJSSE2
  • IBMJSSEFIPS

If you select the Use FIPS option on the global security panel, IBMJSSE2 uses the IBMJCEFIPS provider that is FIPS certified.

If you select Custom JSSE provider, enter a custom provider. For a custom provider, you first must enter the cipher suites through Custom properties under Additional Properties. Cipher suites and protocol values depend upon the provider.

The name for the Cipher suite property is...

com.ibm.ssl.enabledCiphersuites

The name for the protocol property is...

com.ibm.ssl.protocol

Note: You can only specify the IBMJSSE2 provider for transports using the channel framework, including HTTP and JMS. Any other provider specified causes the server to fail initialization.

Protocol

Specifies which SSL protocol to use.

If you are using a FIPS-approved custom JSSE provider, select a TLS protocol. However, because the FIPS-approved JSSE providers are not backwards-compatible, a server that uses the TLS protocol cannot communicate with a client that uses an SSL protocol.

Default SSLv3
Range SSL, SSLv2, SSLv3, TLS, TLSv1

 

Configuration tab

Alias

Name of the specific SSL setting

Data type: String

Key file name

Specifies the fully qualified path to the SSL key file that contains public keys and might contain private keys.

You can create an SSL key file with the key management utility, or this file can correspond to a hardware device if one is available. In either case, this option indicates the source for personal certificates and for signer certificates unless a trust file is specified.

The default SSL key files, DummyClientKeyFile.jks and DummyServerKeyFile.jks, contains a self-signed personal test certificate expiring on March 17, 2005. The test certificate is only intended for use in a test environment. The default SSL key files should never be used in a production environment because the private keys are the same on all the WAS installations.

Data type: String

Client authentication

Specifies whether to request a certificate from the client for authentication purposes when making a connection.

This attribute is only valid when it is used by the Web container HTTP transport.

When performing client authentication with the Internet InterORB Protocol (IIOP) for EJB requests, click Security > Global security. Under Authentication, click Authentication protocol > CSIv2 inbound authentication or Authentication protocol > CSIv2 outbound authentication. Select the appropriate option under Client certificate authentication.

Default: Disabled
Range: Enabled or Disabled

Security level

Specifies whether the server selects from a preconfigured set of security levels.

Data type: Valid values include Low, Medium or High.

  • Low specifies digital signing ciphers only without encryption.

  • Medium specifies 40-bit ciphers only including digital signing.

  • High specifies 128-bit ciphers only including digital signing.

To specify all ciphers or any particular range, one can set the com.ibm.ssl.enabledCipherSuites property.

See the SSL documentation for more information.

Default: High
Range: Low, Medium, or High

Cipher suites

Specifies a list of supported cipher suites that can be selected during the SSL handshake. If you select cipher suites individually here, you override the cipher suites set in the Security Level field.

Key file password

Specifies the password for accessing the SSL key file.

Data type: String

Key file format

Specifies the format of the SSL key file.

You can choose from the following key file formats: JKS, JCEK, PKCS12. The JKS format does not store a shared key. For more secure key files, use the JCEK format. PKCS12 is the standard file format.

Data type: String
Default: JKS
Range: JKS, PKCS12, JCEK

Trust file name

Specifies the fully qualified path to a trust file containing the public keys.

You can create a trust file with the key management utility included in the WebSphere bin directory. Using the key management utility from Global Security Kit (GSKit) (another SSL implementation) does not work with the Java Secure Socket Extension (JSSE) implementation.

Unlike the SSL key file, no personal certificates are referenced; only signer certificates are retrieved. The default SSL trust files, DummyClientTrustFile.jks and DummyServerTrustFile.jks, contain multiple test public keys as signer certificates that can expire. The following public keys expire on October 13, 2021:

The test certificates are only intended for use in a test environment.

If a trust file is not specified but the SSL key file is specified, then the SSL key file is used for retrieval of signer certificates as well as personal certificates.

Data type: String

Trust file password

Specifies the password for accessing the SSL trust file.

Data type: String

Trust file format

Specifies the format of the SSL trust file.

You can choose from the following trust file formats: JKS, JCEK, PKCS12. The JKS format does not store a shared key. For more secure key files, use the JCEK format. PKCS12 is the standard file format.

Data type: String
Default: JKS
Range: JKS, JCEK, PKCS12


 

Related Tasks


Configuring FIPS JSSE files

 



 

 

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.