ssl.client.props client configuration file

ssl.client.props client configuration file

+
Search Tips | Advanced Search

Use the ssl.client.props file to configure SSL for clients.
In previous releases of WAS, SSL properties were specified in the sas.client.props or soap.client.props files or as system properties. By consolidating the configurations, WAS enables you to manage security in a manner that is comparable to server-side configuration management. You can configure the ssl.client.props file with multiple SSL configurations.

Setting up the SSL configuration for clients

Client runtimes are dependent on the WAS ssl.client.props configurations. Use the setupCmdLine.bat or setupCmdLine.sh script on the command line to specify the property...
com.ibm.SSL.ConfigURL system

-Dcom.ibm.SSL.ConfigURL=file:/usr/IBM/WAS61/AppServer/profiles/default/properties/ssl.client.props

The com.ibm.SSL.ConfigURL property references a file URL that points to the ssl.client.props file. You can reference the CLIENTSSL variable on the command line of any script that uses the setupCmdLine.bat or setupCmdLine.sh file. When you specify the com.ibm.SSL.ConfigURL system property, the SSL configuration is available to all protocols that use SSL. SSL configurations, which are referenced in the ssl.client.props file, also have aliases that you can reference. In the following sample code from the sas.client.props file, all of the SSL properties are replaced with a property that points to an SSL configuration in the ssl.client.props file:
com.ibm.ssl.alias=DefaultSSLSettings

The following sample code shows a property in the soap.client.props file that is similar to the com.ibm.SSL.ConfigURL property. This property references a different SSL configuration on the client side:
com.ibm.ssl.alias=DefaultSSLSettings

In the ssl.client.props file, you can change the administrative SSL configuration to avoid modifying the soap.client.props file.
In WAS V6.1, support for SSL properties is still specified in the sas.client.props and soap.client.props files. However, consider moving the SSL configurations to the ssl.client.props file, because this file is the new configuration model for client SSL.

Properties of the ssl.client.props file

This section describes the default ssl.client.props file properties in detail, by sections within the file.
Global properties
Global SSL properties are process-specific properties that include Federal Information Processing Standard (FIPS) enablement, the default SSL alias, the user.root property for specifying the root location of the key and truststore paths, and so on.

Property Default Description

com.ibm.ssl.defaultAlias DefaultSSLSettings Specifies the default alias that is used whenever an alias is not specified by the protocol that calls the JSSEHelper API to retrieve an SSL configuration. This property is the final arbiter on the client side for determining which SSL configuration to use.
com.ibm.ssl.validationEnabled false When set to true, this property validates each SSL configuration as it is loaded. Use this property for debug purposes only, to avoid unnecessary performance overhead during production.
com.ibm.ssl.performURLHostNameVerification false When set to true, this property enforces URL host name verification. When HTTP URL connections are made to target servers, the common name (CN) from the server certificate must match the target host name. Without a match, the host name verifier rejects the connection. The default value of false omits this check. As a global property, it sets the default host name verifier. Any javax.net.ssl.HttpsURLConnection object can choose to enable host name verification for that specific instance by calling the setHostnameVerifier method with its own HostnameVerifier instance.
com.ibm.security.useFIPS false When set to true, FIPS-compliant algorithms are used for SSL and other Java Cryptography Extension (JCE)-specific applications. This property is typically not enabled unless the property is required by the operating environment.
user.root /WebSphere/AppServer/profiles/default Used by key and truststore location properties as a single property for specifying the root path to the key and truststores. Typically, this property is the profile root. However, you can modify this property to any root directory on the local machine that has the proper read and potentially write authority to that directory.
profile_root of the profile /WebSphere/AppServer/profiles/default Key and truststore location properties can use this property as a single property for specifying the root path to the key and truststores. You can modify this property to any root directory on the local machine that has the proper read (and potentially write) authority to that directory.

Certificate creation properties Use certificate creation properties to specify the default self-signed certificate values for the major attributes of a certificate. You can define the distinguished name (DN), expiration date, key size, and alias that are stored in the keystore.

Property Default Description

com.ibm.ssl.defaultCertReqAlias default_alias Default alias to use to reference the self-signed certificate that is created in the keystore. If the alias already exists with that name, the default alias is appended with _#, where the number sign (#) is an integer that starts with 1 and increments until it finds a unique alias.
com.ibm.ssl.defaultCertReqSubjectDN cn=${hostname}, o=IBM,c=US Distinguished name (DN) that you set for the certificate when it is created. The ${hostname} variable is expanded to the host name on which it resides. You can use correctly formed DNs as specified by the X.509 certificate.
com.ibm.ssl.defaultCertReqDays 365 Validity period for the certificate and can be as small as 1 day and as large as the maximum number of days that a certificate can be set, which is approximately 20 years.
com.ibm.ssl.defaultCertReqKeySize 1024 This property is the default key size. The valid values depend upon the JVM security policy files that are installed. By default, the product JVMs ship with the export policy file that limits the key size to 1024. To get a large key size such as 2048, you can download the restricted policy files from the Web site.

SSL configuration properties Use the SSL configuration properties section to set multiple SSL configurations. For a new SSL configuration specification, set the com.ibm.ssl.alias property because the parser starts a new SSL configuration with this alias name. The SSL configuration is referenced by using the alias property from another file, such as sas.client.props or soap.client.props, through the default alias property. The properties that are specified in the following table enable you to create a javax.net.ssl.SSLContext, among other SSL objects.

Property Default Description

com.ibm.ssl.alias DefaultSSLSettings Name of this SSL configuration and must be the first property for an SSL configuration because it references the SSL configuration. If you change the name of this property after it is referenced elsewhere in the configuration, the runtime defaults to the com.ibm.ssl.defaultAlias property whenever the reference is not found. The error trust file is null or key file is null might display when you start an application using an SSL reference that is no longer valid.
com.ibm.ssl.protocol SSL_TLS SSL handshake protocol that is used for this SSL configuration. This property attempts Transport Layer Security (TLS) first, but accepts any remote handshake protocol, including SSLv3 and TLS. Valid values for this property include SSLv2 (client side only), SSLv3, SSL, TLS, TLSv1, and SSL_TLS.
com.ibm.ssl.securityLevel HIGH Cipher group that is used for the SSL handshake. The typical selection is HIGH, which specifies 128-bit or higher ciphers. The MEDIUM selection provides 40-bit ciphers. The LOW selection provides ciphers that do not perform encryption, but do perform signing for data integrity. If you specify your own cipher list selection, uncomment the property com.ibm.ssl.enabledCipherSuites.
com.ibm.ssl.trustManager IbmX509 Default trust manager that use to validate the certificate sent by the target server. This trust manager does not perform certificate revocation list (CRL) checking. You can choose to change this to IbmPKIX for CRL checking using CRL distribution lists in the certificate, which is a standard way to perform CRL checking. When you want to perform custom CRL checking, implement a custom trust manager and specify the trust manager in the com.ibm.ssl.customTrustManagers property. The IbmPKIX option might affect performance because this option requires IBMCertPath for trust validation. Use IbmX509 unless CRL checking is necessary.
com.ibm.ssl.keyManager IbmX509 Default key manager to use for choosing the client alias from the specified keystore. This key manager uses the com.ibm.ssl.keyStoreClientAlias property to specify the keystore alias. If this property is not specified, the choice is delegated to Java Secure Socket Extension (JSSE). JSSE typically chooses the first alias that it finds.
com.ibm.ssl.contextProvider IBMJSSE2 Choose the JSSE provider for the SSL context creation. IBM recommends that you default to IBMJSSE2 when you use a JVM. The client plug-in can use the SunJSSE provider when using a Sun JVM.
com.ibm.ssl.enableSignerExchangePrompt true Whether to display the signer exchange prompt when a signer is not present in the client truststore. The prompt displays information about the remote certificate so that WAS can decide whether or not to trust the signer. It is very important to validate the certificate signature (hash). This signature is the only reliable information that can guarantee that the certificate has not been modified from the original server certificate. For automated scenarios, disable this property to avoid SSL handshake exceptions. Run the retrieveSigners.bat file or the retrieveSigners.sh script, which sets up the SSL signer exchange, to download the signers from the server prior to running the client.
com.ibm.ssl.keyStoreClientAlias default Reference an alias from the specified keystore when the target does not request client authentication. When WAS creates a self-signed certificate for the SSL configuration, this property determines the alias and overrides the global com.ibm.ssl.defaultCertReqAlias property.
com.ibm.ssl.customTrustManagers Commented out by default Specify one or more custom trust managers, which are separated by commas.
These trust managers can be in the form of algorithm|provider or classname. For example, IbmX509|IBMJSSE2 is in thealgorithm|provider format, and the com.acme.myCustomTrustManager interface is in the classname format. The class must implement the javax.net.ssl.X509TrustManager interface. Optionally, the class can implement the com.ibm.wsspi.ssl.TrustManagerExtendedInfo interface. These trust managers run in addition to the default trust manager that is specified by the com.ibm.ssl.trustManager interface. These trust managers do not replace the default trust manager.
com.ibm.ssl.customKeyManager Commented out by default Custom key manager.
The key manager replaces the default key manager that is specified in the com.ibm.ssl.keyManager property.
The form of the key manager is algorithm|provider or classname. See the format examples for the com.ibm.ssl.customTrustManagers property. The class must implement the javax.net.ssl.X509KeyManager interface. Optionally, the class can implement the com.ibm.wsspi.ssl.KeyManagerExtendedInfo interface. This key manager is responsible for alias selection.
com.ibm.ssl.dynamicSelectionInfo Commented out by default Dynamic association with the SSL configuration.
The syntax for a dynamic association is outbound_protocol, target_host, or target_port.
For multiple specifications, use the vertical bar ( | ) as the delimiter. You can replace any of these values with an asterisk (*) to indicate a wildcard value. Valid outbound_protocol values include:

IIOP
HTTP
LDAP
SIP
BUS_CLIENT
BUS_TO_WEBSPHERE_MQ
BUS_TO_BUS
ADMIN_SOAP

When you want the dynamic selection criteria to choose the SSL configuration, uncomment the default property, and add the connection information. For example, add the following on one line
com.ibm.ssl.dynamicSelectionInfo=HTTP,.ibm.com,443|HTTP,.ibm.com,9443

com.ibm.ssl.enabledCipherSuites Commented out by default Custom cipher suite list and override the group selection in the com.ibm.ssl.securityLevel property. The valid list of ciphers varies according to the provider and JVM policy files that are applied. For cipher suites, use a space as the delimiter.
com.ibm.ssl.keyStoreName ClientDefaultKeyStore Keystore configuration name. If you have not already defined the keystore, the rest of the keystore properties must follow this property. After you define the keystore, you can specify this property to reference the previously specified keystore configuration. New keystore configurations in the ssl.client.props file have a unique name.
com.ibm.ssl.trustStoreName ClientDefaultTrustStore Truststore configuration name. If you have not already defined the truststore, the rest of the truststore properties must follow this property. After you define the truststore, you can specify this property to reference the previously specified truststore configuration. New truststore configurations in the ssl.client.props file should have a unique name.

Keystore configurations SSL configurations reference keystore configurations whose purpose is to identify the location of certificates. Certificates represent the identity of clients that use the SSL configuration. You can specify keystore configurations with other SSL configuration properties. However, it is recommended specified the keystore configurations in this section of the ssl.client.props file after the com.ibm.ssl.keyStoreName property identifies the start of a new keystore configuration. After you fully define the keystore configuration, the com.ibm.ssl.keyStoreName property can reference the keystore configuration at any other point in the file.

Property Default Description

com.ibm.ssl.keyStoreName ClientDefaultKeyStore Name of the keystore as it is referenced by the runtime. Other SSL configurations can reference this name further down in the ssl.client.props file to avoid duplication.
com.ibm.ssl.keyStore ${user.root}/etc/key.p12 Location of the keystore in the required format of the com.ibm.ssl.keyStoreType property. Typically, this property references a keystore file name. However, for cryptographic token types, this property references a Dynamic Link Library (DLL) file.
com.ibm.ssl.keyStorePassword WebAS Default password, which is the cell name for the profile when it is created. The password is typically encoded using an {xor} algorithm. You can use iKeyman to change the password in the keystore, then change this reference. If you do not know the password and if the certificate is created for you, change the password in this property, then delete the keystore from the location where it resides. Restart the client to recreate the keystore by using the new password, but only if the keystore name ends with DefaultKeyStore and if the fileBased property is true. Delete both the keystore and truststore at the same time so that a proper signer exchange can occur when both are recreated together.
com.ibm.ssl.keyStoreType PKCS12 Keystore type. Use the default, PKCS12, because of its interoperability with other applications. You can specify this property as any valid keystore type that is supported by the JVM on the provider list.
com.ibm.ssl.keyStoreProvider IBMJCE The IBM Java Cryptography Extension property is the keystore provider for the keystore type. The provider is typically IBMJCE or IBMPKCS11Impl for cryptographic devices.
com.ibm.ssl.keyStoreFileBased true Indicates to the runtime that the keystore is file-based, meaning it is located on the file system.
com.ibm.ssl.keyStoreReadOnly false Indicates to the runtime whether the keystore can be modified during the runtime.

Truststore Configurations
SSL configurations reference truststore configurations, whose purpose is to contain the signer certificates for servers that are trusted by this client. You can specify these properties with other SSL configuration properties. However, it is recommended that you specify truststore configurations in this section of the ssl.client.props file after the com.ibm.ssl.trustStoreName property has identified the start of a new truststore configuration. After you fully define the truststore configuration, the com.ibm.ssl.trustStoreName property can reference the configuration at any other point in the file.
A truststore is a keystore that JSSE uses for trust evaluation. A truststore contains the signers that WAS requires before it can trust the remote connection during the handshake. If you configure the com.ibm.ssl.trustStoreName=ClientDefaultKeyStore property, you can reference the keystore as the truststore. Further configuration is not required for the truststore because all of the signers that are generated through signer exchanges are imported into the keystore where they are called by the runtime.

Property Default Description

com.ibm.ssl.trustStoreName ClientDefaultTrustStore Name of the truststore as it is referenced by the runtime. Other SSL configurations can reference further down in the ssl.client.props file to avoid duplication.
com.ibm.ssl.trustStore ${user.root}/etc/trust.p12 Location of the truststore in the format that is required by the truststore type that is referenced by the com.ibm.ssl.trustStoreType property. Typically, this property references a truststore file name. However, for cryptographic token types, this property references a DLL file.
com.ibm.ssl.trustStorePassword WebAS Default password, which is the cell name for the profile when it is created. The password is typically encoded using an {xor} algorithm. You can use iKeyman to change the password in the keystore, then change the reference in this property. If you do not know the password and if the certificate was created for you, change the password in this property, then delete the truststore from the location where it resides. Restart the client to recreate the truststore by using the new password, but only if the keystore name ends with DefaultTrustStore and the fileBased property is true. IBM recommends that you delete the keystore and the truststore at the same time so that a proper signer exchange can occur when both are recreated together.
com.ibm.ssl.trustStoreType PKCS12 Truststore type. Use the default PKCS12 type because of its interoperability with other applications. You can specify this property as any valid truststore type that is supported by the JVM functionality on the provider list.
com.ibm.ssl.trustStoreProvider IBMJCE Truststore provider for the truststore type. The provider is typically IBMJCE or IBMPKCS11Impl for cryptographic devices.
com.ibm.ssl.trustStoreFileBased true Indicates to the runtime that the truststore is file-based, meaning it is located on the file system.
com.ibm.ssl.trustStoreReadOnly false Indicates to the runtime whether the truststore can be modified during the runtime.

Related tasks
Associating an SSL configuration dynamically with an outbound protocol and remote secure endpoint
Creating an SSL configuration

Property	Default	Description
com.ibm.ssl.defaultAlias	DefaultSSLSettings	Specifies the default alias that is used whenever an alias is not specified by the protocol that calls the JSSEHelper API to retrieve an SSL configuration. This property is the final arbiter on the client side for determining which SSL configuration to use.
com.ibm.ssl.validationEnabled	false	When set to true, this property validates each SSL configuration as it is loaded. Use this property for debug purposes only, to avoid unnecessary performance overhead during production.
com.ibm.ssl.performURLHostNameVerification	false	When set to true, this property enforces URL host name verification. When HTTP URL connections are made to target servers, the common name (CN) from the server certificate must match the target host name. Without a match, the host name verifier rejects the connection. The default value of false omits this check. As a global property, it sets the default host name verifier. Any javax.net.ssl.HttpsURLConnection object can choose to enable host name verification for that specific instance by calling the setHostnameVerifier method with its own HostnameVerifier instance.
com.ibm.security.useFIPS	false	When set to true, FIPS-compliant algorithms are used for SSL and other Java Cryptography Extension (JCE)-specific applications. This property is typically not enabled unless the property is required by the operating environment.
user.root	/WebSphere/AppServer/profiles/default	Used by key and truststore location properties as a single property for specifying the root path to the key and truststores. Typically, this property is the profile root. However, you can modify this property to any root directory on the local machine that has the proper read and potentially write authority to that directory.
profile_root of the profile	/WebSphere/AppServer/profiles/default	Key and truststore location properties can use this property as a single property for specifying the root path to the key and truststores. You can modify this property to any root directory on the local machine that has the proper read (and potentially write) authority to that directory.

Property	Default	Description
com.ibm.ssl.defaultCertReqAlias	default_alias	Default alias to use to reference the self-signed certificate that is created in the keystore. If the alias already exists with that name, the default alias is appended with _#, where the number sign (#) is an integer that starts with 1 and increments until it finds a unique alias.
com.ibm.ssl.defaultCertReqSubjectDN	cn=${hostname}, o=IBM,c=US	Distinguished name (DN) that you set for the certificate when it is created. The ${hostname} variable is expanded to the host name on which it resides. You can use correctly formed DNs as specified by the X.509 certificate.
com.ibm.ssl.defaultCertReqDays	365	Validity period for the certificate and can be as small as 1 day and as large as the maximum number of days that a certificate can be set, which is approximately 20 years.
com.ibm.ssl.defaultCertReqKeySize	1024	This property is the default key size. The valid values depend upon the JVM security policy files that are installed. By default, the product JVMs ship with the export policy file that limits the key size to 1024. To get a large key size such as 2048, you can download the restricted policy files from the Web site.

Property	Default	Description
com.ibm.ssl.alias	DefaultSSLSettings	Name of this SSL configuration and must be the first property for an SSL configuration because it references the SSL configuration. If you change the name of this property after it is referenced elsewhere in the configuration, the runtime defaults to the com.ibm.ssl.defaultAlias property whenever the reference is not found. The error trust file is null or key file is null might display when you start an application using an SSL reference that is no longer valid.
com.ibm.ssl.protocol	SSL_TLS	SSL handshake protocol that is used for this SSL configuration. This property attempts Transport Layer Security (TLS) first, but accepts any remote handshake protocol, including SSLv3 and TLS. Valid values for this property include SSLv2 (client side only), SSLv3, SSL, TLS, TLSv1, and SSL_TLS.
com.ibm.ssl.securityLevel	HIGH	Cipher group that is used for the SSL handshake. The typical selection is HIGH, which specifies 128-bit or higher ciphers. The MEDIUM selection provides 40-bit ciphers. The LOW selection provides ciphers that do not perform encryption, but do perform signing for data integrity. If you specify your own cipher list selection, uncomment the property com.ibm.ssl.enabledCipherSuites.
com.ibm.ssl.trustManager	IbmX509	Default trust manager that use to validate the certificate sent by the target server. This trust manager does not perform certificate revocation list (CRL) checking. You can choose to change this to IbmPKIX for CRL checking using CRL distribution lists in the certificate, which is a standard way to perform CRL checking. When you want to perform custom CRL checking, implement a custom trust manager and specify the trust manager in the com.ibm.ssl.customTrustManagers property. The IbmPKIX option might affect performance because this option requires IBMCertPath for trust validation. Use IbmX509 unless CRL checking is necessary.
com.ibm.ssl.keyManager	IbmX509	Default key manager to use for choosing the client alias from the specified keystore. This key manager uses the com.ibm.ssl.keyStoreClientAlias property to specify the keystore alias. If this property is not specified, the choice is delegated to Java Secure Socket Extension (JSSE). JSSE typically chooses the first alias that it finds.
com.ibm.ssl.contextProvider	IBMJSSE2	Choose the JSSE provider for the SSL context creation. IBM recommends that you default to IBMJSSE2 when you use a JVM. The client plug-in can use the SunJSSE provider when using a Sun JVM.
com.ibm.ssl.enableSignerExchangePrompt	true	Whether to display the signer exchange prompt when a signer is not present in the client truststore. The prompt displays information about the remote certificate so that WAS can decide whether or not to trust the signer. It is very important to validate the certificate signature (hash). This signature is the only reliable information that can guarantee that the certificate has not been modified from the original server certificate. For automated scenarios, disable this property to avoid SSL handshake exceptions. Run the retrieveSigners.bat file or the retrieveSigners.sh script, which sets up the SSL signer exchange, to download the signers from the server prior to running the client.
com.ibm.ssl.keyStoreClientAlias	default	Reference an alias from the specified keystore when the target does not request client authentication. When WAS creates a self-signed certificate for the SSL configuration, this property determines the alias and overrides the global com.ibm.ssl.defaultCertReqAlias property.
com.ibm.ssl.customTrustManagers	Commented out by default	Specify one or more custom trust managers, which are separated by commas. These trust managers can be in the form of algorithm\|provider or classname. For example, IbmX509\|IBMJSSE2 is in thealgorithm\|provider format, and the com.acme.myCustomTrustManager interface is in the classname format. The class must implement the javax.net.ssl.X509TrustManager interface. Optionally, the class can implement the com.ibm.wsspi.ssl.TrustManagerExtendedInfo interface. These trust managers run in addition to the default trust manager that is specified by the com.ibm.ssl.trustManager interface. These trust managers do not replace the default trust manager.
com.ibm.ssl.customKeyManager	Commented out by default	Custom key manager. The key manager replaces the default key manager that is specified in the com.ibm.ssl.keyManager property. The form of the key manager is algorithm\|provider or classname. See the format examples for the com.ibm.ssl.customTrustManagers property. The class must implement the javax.net.ssl.X509KeyManager interface. Optionally, the class can implement the com.ibm.wsspi.ssl.KeyManagerExtendedInfo interface. This key manager is responsible for alias selection.
com.ibm.ssl.dynamicSelectionInfo	Commented out by default	Dynamic association with the SSL configuration. The syntax for a dynamic association is outbound_protocol, target_host, or target_port. For multiple specifications, use the vertical bar ( \| ) as the delimiter. You can replace any of these values with an asterisk (*) to indicate a wildcard value. Valid outbound_protocol values include: IIOP HTTP LDAP SIP BUS_CLIENT BUS_TO_WEBSPHERE_MQ BUS_TO_BUS ADMIN_SOAP When you want the dynamic selection criteria to choose the SSL configuration, uncomment the default property, and add the connection information. For example, add the following on one line com.ibm.ssl.dynamicSelectionInfo=HTTP,.ibm.com,443\|HTTP,.ibm.com,9443
com.ibm.ssl.enabledCipherSuites	Commented out by default	Custom cipher suite list and override the group selection in the com.ibm.ssl.securityLevel property. The valid list of ciphers varies according to the provider and JVM policy files that are applied. For cipher suites, use a space as the delimiter.
com.ibm.ssl.keyStoreName	ClientDefaultKeyStore	Keystore configuration name. If you have not already defined the keystore, the rest of the keystore properties must follow this property. After you define the keystore, you can specify this property to reference the previously specified keystore configuration. New keystore configurations in the ssl.client.props file have a unique name.
com.ibm.ssl.trustStoreName	ClientDefaultTrustStore	Truststore configuration name. If you have not already defined the truststore, the rest of the truststore properties must follow this property. After you define the truststore, you can specify this property to reference the previously specified truststore configuration. New truststore configurations in the ssl.client.props file should have a unique name.

Property	Default	Description
com.ibm.ssl.keyStoreName	ClientDefaultKeyStore	Name of the keystore as it is referenced by the runtime. Other SSL configurations can reference this name further down in the ssl.client.props file to avoid duplication.
com.ibm.ssl.keyStore	${user.root}/etc/key.p12	Location of the keystore in the required format of the com.ibm.ssl.keyStoreType property. Typically, this property references a keystore file name. However, for cryptographic token types, this property references a Dynamic Link Library (DLL) file.
com.ibm.ssl.keyStorePassword	WebAS	Default password, which is the cell name for the profile when it is created. The password is typically encoded using an {xor} algorithm. You can use iKeyman to change the password in the keystore, then change this reference. If you do not know the password and if the certificate is created for you, change the password in this property, then delete the keystore from the location where it resides. Restart the client to recreate the keystore by using the new password, but only if the keystore name ends with DefaultKeyStore and if the fileBased property is true. Delete both the keystore and truststore at the same time so that a proper signer exchange can occur when both are recreated together.
com.ibm.ssl.keyStoreType	PKCS12	Keystore type. Use the default, PKCS12, because of its interoperability with other applications. You can specify this property as any valid keystore type that is supported by the JVM on the provider list.
com.ibm.ssl.keyStoreProvider	IBMJCE	The IBM Java Cryptography Extension property is the keystore provider for the keystore type. The provider is typically IBMJCE or IBMPKCS11Impl for cryptographic devices.
com.ibm.ssl.keyStoreFileBased	true	Indicates to the runtime that the keystore is file-based, meaning it is located on the file system.
com.ibm.ssl.keyStoreReadOnly	false	Indicates to the runtime whether the keystore can be modified during the runtime.

Property	Default	Description
com.ibm.ssl.trustStoreName	ClientDefaultTrustStore	Name of the truststore as it is referenced by the runtime. Other SSL configurations can reference further down in the ssl.client.props file to avoid duplication.
com.ibm.ssl.trustStore	${user.root}/etc/trust.p12	Location of the truststore in the format that is required by the truststore type that is referenced by the com.ibm.ssl.trustStoreType property. Typically, this property references a truststore file name. However, for cryptographic token types, this property references a DLL file.
com.ibm.ssl.trustStorePassword	WebAS	Default password, which is the cell name for the profile when it is created. The password is typically encoded using an {xor} algorithm. You can use iKeyman to change the password in the keystore, then change the reference in this property. If you do not know the password and if the certificate was created for you, change the password in this property, then delete the truststore from the location where it resides. Restart the client to recreate the truststore by using the new password, but only if the keystore name ends with DefaultTrustStore and the fileBased property is true. IBM recommends that you delete the keystore and the truststore at the same time so that a proper signer exchange can occur when both are recreated together.
com.ibm.ssl.trustStoreType	PKCS12	Truststore type. Use the default PKCS12 type because of its interoperability with other applications. You can specify this property as any valid truststore type that is supported by the JVM functionality on the provider list.
com.ibm.ssl.trustStoreProvider	IBMJCE	Truststore provider for the truststore type. The provider is typically IBMJCE or IBMPKCS11Impl for cryptographic devices.
com.ibm.ssl.trustStoreFileBased	true	Indicates to the runtime that the truststore is file-based, meaning it is located on the file system.
com.ibm.ssl.trustStoreReadOnly	false	Indicates to the runtime whether the truststore can be modified during the runtime.