Create an SSL configuration
- Log on as a user ID with administrator role authorization.
If using a user ID with operator role authorization, we can perform a node synchronization, but any changes that we make to security.xml are not synchronized.
- Set scope for an endpoint...Security | SSL certificate and key management | Manage endpoint security configurations
Scopes already associated with an SSL configuration are noted in parentheses. Scopes with no association inherit the properties of their parent scope. The cell scope, at the top of the topology, is always associated with an SSL configuration, and represents the default SSL configuration for all inbound and outbound connections.
- On either the Inbound or Outbound tree, click...SSL configuration | Related Items | SSL configurations | New
...and type an SSL configuration name.
- Select a truststore name from the drop-down list.
A truststore holds signer certificates for validating of certificates sent by remote connections during an SSL handshake.
- Select a keystore name from the drop-down list.
A keystore contains...
- Personal certificates that represent a signer identity
- Private key used to encrypt and sign data
To change the keystore name refresh the list of certificate aliases...Get certificate aliases
If there is no keystore in the list, create a keystore configuration.
- Choose a default server certificate alias for inbound connections.
- If required, choose a default client certificate alias for outbound connections.
- Make the management scope in this field identical to the link you selected earlier.
- Click Quality of protection (QoP) settings under Additional Properties.
QoP settings define the strength of the SSL encryption, the integrity of the signer, and the authenticity of the certificate.
- Select a client authentication setting...
None The server does not request that a client send a certificate during the handshake. Supported The server requests that a client send a certificate. If the client does not have a certificate, the handshake might still succeed. Required The server requests that a client send a certificate. If the client does not have a certificate, the handshake fails.
The signer certificate that represents the client must be in the SSL configuration truststore. By default, servers within the same cell trust each other because they use the common truststore, trust.p12. To use new keystores and truststores, perform a signer exchange after selecting either Supported or Required.
- Select a protocol for the SSL handshake.
SSL_TLS Supports client protocols TLSv1, SSLv3, and SSLv2. Default. TLSv1 Supports TLS and TLSv1. The SSL server connection must support this protocol for the handshake to proceed. SSLv3 Supports SSL and SSLv3. The SSL server connection must support this protocol for the handshake to proceed.
Do not use the SSLv2 protocol for the SSL server connection. Use it only when necessary on the client side.
- Select one of the following options:
- A predefined JSSE provider.
The IBMJSSE2 provider is recommended for use on all platforms which support it. It is required for use by the channel framework SSL channel. When FIPS is enabled, IBMJSSE2 is used in combination with the IBMJCEFIPS crypto provider.
- A custom JSSE provider.
Type a provider name in the Custom provider field.
- Select from among the following cipher suite groups:
Strong Perform 128-bit confidentiality algorithms for encryption and support integrity signing algorithms. A strong cipher suite can affect the performance of the connection. Medium Perform 40-bit encryption algorithms for encryption and support integrity signing algorithms. Weak Support integrity signing algorithms but do not perform encryption. Passwords and other sensitive information that cross the network are visible to an IP sniffer. Custom Select specific ciphers. Any time you change the ciphers that are listed from a specific cipher suite group, the group name changes to Custom.
- Update selected ciphers to view a list of the available ciphers for each cipher strength.
- Click OK to return to the new SSL configuration panel.
- Select a default trust manager for the primary SSL handshake trust decision...Additional Properties | Trust and key managers
Choose IbmPKIX when you require certificate revocation list (CRL) checking using CRL distribution points in the certificates or the online certificate status protocol (OCSP). Choose IbmX509 when you do not require CRL checking but do need increased performance.
To define a custom trust manager
- Go to...Security | SSL certificate and key management | Manage endpoint security configurations | SSL_configuration | Trust and key managers | Trust managers | New
- Type a unique trust manager name.
- Select the Custom option.
- Type a class name.
- Click OK.
- To override the default trust manager click Custom Property on the SSL configuration panel and set...
- To obtain product-specific information, implement...javax.net.ssl.X509TrustManager
- Select a key manager for the SSL configuration.
By default, IbmX509 is the only key manager.
To define a custom key manager, click...Security | Secure communications | SSL configurations | SSL_configuration | Trust and key managers | Key managers | New
Because the key manager is responsible for selecting the certificate alias from the keystore, custom key managers can adversely affect alias selection behavior.
- Click OK to save the trust and key manager settings and return to the new SSL configuration panel.
- Click Save to save the new SSL configuration.
- Associate the new SSL configuration with protocols...
- Set on the thread programmatically
- Associate with an outbound protocol, host, and port.
- Associate directly using the alias.
- Associate with groups or zones scoped for endpoints.
Related tasksAutomate SSL configurations using scripting
SSL certificate and key management
SSL configurations for selected scopes
SSL configurations collection
CA client configuration
CA client configuration collections
Create a chained personal certificate in SSL
Recover deleted certificates in SSL
Renew a certificate in SSL
Revoke a CA certificate in SSL
Use a CA client to create a personal certificate to be used as the default personal certificate
Create a CA certificate in SSL
Develop the WSPKIClient interface for communicating with a certificate authority
Create a custom trust manager configuration for SSL
Create a custom key manager for SSL
Associate an SSL configuration dynamically with an outbound protocol and remote secure endpoint
Quality of protection (QoP) settings
ssl.client.props client configuration file