SSL configurations
SSL configurations contain attributes for controlling the behavior of client and server SSL endpoints. We can assign SSL configurations to have specific management scopes. The scope depends upon whether we create it using a cell, node, server, or endpoint link in the configuration topology.
When creating an SSL configuration, we can set the following SSL connection attributes:
- Keystore
- Default client certificate for outbound connections
- Default server certificate for inbound connections
- Truststore
- Key manager for selecting a certificate
- Trust manager or managers for establishing trust during the handshake
- Handshaking protocol
- Ciphers for negotiating the handshake
- Client authentication support and requirements
Manage an SSL configuration using any of the following methods:
- Central management selection
- Direct reference selection
- Dynamic outbound connection selection
- Programmatic selection
Using the console, we can manage all of the SSL configurations for WebSphere Application Server. From the console, click...
Security | SSL certificates and key management | Manage endpoint security configurations | Inbound | Outbound | SSL_configuration
We can view an SSL configuration at the level it was created and in the inherited scope below that point in the topology. For the entire cell to see an SSL configuration, create the configuration at the cell level in the topology.
security.xml
The attributes defining an SSL configuration repertoire entry for a specific management scope are stored in security.xml. The scope determines the point at which other levels in the cell topology can see the configuration...
<repertoire xmi:id="SSLConfig_1" alias="NodeDefaultSSLSettings" managementScope="ManagementScope_1" type="JSSE">
    <setting xmi:id="SecureSocketLayer_1"
             clientAuthentication="false"
             clientAuthenticationSupported="false"
             securityLevel="HIGH"
             enabledCiphers=""
             jsseProvider="IBMJSSE2"
             sslProtocol="SSL_TLS"
             keyStore="KeyStore_1"
             trustStore="KeyStore_2"
             trustManager="TrustManager_1"
             keyManager="KeyManager_1"
             clientKeyAlias="default"
             serverKeyAlias="default"/>
</repertoire>

...where...

| security.xml attribute | Description | Default | Associated SSL property |
|---|---|---|---|
| xmi:id | Unique identifier for this XML entry. Determines links to other XML objects, such as SSLConfigGroup. | This system-defined value must be unique. | None |
| alias | Name of the SSL configuration. Direct selection uses the alias attribute, and the node is not prefixed to the alias. Rather, the management scope ensures that the name is unique within the scope. | CellDefaultSSLSettings | com.ibm.ssl.alias |
| managementScope | Management scope for the SSL configuration. Determines the visibility of the SSL configuration at runtime. | Cell | The managementScope attribute is not mapped to an SSL property. However, it confirms whether or not the SSL configuration is associated with a process. |
| type | JSSE or SSSL configuration option. JSSE is the SSL configuration type for most secure communications within WAS. | JSSE | com.ibm.ssl.sslType |
| clientAuthentication | Whether SSL client authentication is required. | false | com.ibm.ssl.clientAuthentication |
| clientAuthenticationSupported | Whether SSL client authentication is supported. The client does not have to supply a client certificate if it does not have one. When we set the clientAuthentication attribute to true, it overrides the value set for the clientAuthenticationSupported attribute. | false | com.ibm.ssl.client.AuthenticationSupported |
| securityLevel | Cipher suite group. Valid values include STRONG (128-bit ciphers), MEDIUM (40-bit ciphers), WEAK (all ciphers without encryption), and CUSTOM (if the cipher suite group is customized). When we set the enabledCiphers attribute with a specific list of ciphers, the system ignores this attribute. | STRONG | com.ibm.ssl.securityLevel |
| enabledCiphers | Unique list of cipher suites. Separate each cipher suite in the list with a space. | securityLevel attribute for cipher suite selection | com.ibm.ssl.enabledCipherSuites |
| jsseProvider | JSSE provider. | IBMJSSE2 | com.ibm.ssl.contextProvider |
| sslProtocol | One of: SSL_TLS (SSLv3 and TLSv1), SSL (SSLv3), SSLv2, SSLv3, TLS (TLSv1), TLSv1, SSL_TLSv2 (SSLv3, TLSv1, TLSv1.1, and TLSv1.2), TLSv1.1, TLSv1.2. Use the listSSLProtocols command to list the current configuration. | SSL_TLS | com.ibm.ssl.protocol |
| keyStore | Key store, and attributes of the keyStore instance, the SSL configuration uses for key selection. | CellDefaultKeyStore | |
| trustStore | Key store the SSL configuration uses for certificate signing verification. | CellDefaultTrustStore | A trustStore is a logical JSSE term. It signifies a key store containing signer certificates. Signer certificates validate certificates sent to WAS during an SSL handshake. |
| keyManager | Key manager WAS uses to select keys from a key store. A JSSE key manager controls the javax.net.ssl.X509KeyManager interface. A custom key manager controls the javax.net.ssl.X509KeyManager and the com.ibm.wsspi.ssl.KeyManagerExtendedInfo interfaces. The com.ibm.wsspi.ssl.KeyManagerExtendedInfo interface provides more information from WebSphere Application Server. | IbmX509 | com.ibm.ssl.keyManager defines a well-known key manager and accepts the algorithm and algorithm\|provider formats, for example IbmX509 and IbmX509\|IBMJSSE2. com.ibm.ssl.customKeyManager defines a custom key manager and takes precedence over the other keyManager properties. This class must implement javax.net.ssl.X509KeyManager and can implement com.ibm.wsspi.ssl.KeyManagerExtendedInfo. |
| trustManager | Trust manager, or list of trust managers, used to determine whether to trust the peer side of the connection. Implements the javax.net.ssl.X509TrustManager interface. A custom trust manager might also implement the com.ibm.wsspi.ssl.TrustManagerExtendedInfo interface to get more information from the WAS environment. | IbmPKIX. Can be configured for certificate revocation list (CRL) verification when the certificate contains a CRL distribution point. The other option is IbmX509. | com.ibm.ssl.trustManager defines a well-known trust manager, which is required for most handshake situations. com.ibm.ssl.trustManager performs certificate expiration checking and signature validation. We can define com.ibm.ssl.customTrustManagers with additional custom trust managers called during an SSL handshake. Separate additional trust managers with the vertical bar (\|) character. |

Client SSL configurations are managed using...
profile_root/properties/ssl.client.props
Specifying any javax.net.ssl system properties will override the corresponding property in ssl.client.props.
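The attribute semantics in the table above (an explicit enabledCiphers list overriding securityLevel, clientAuthentication="true" overriding clientAuthenticationSupported, and which sslProtocol values still admit SSLv3) are easy to misread in a large security.xml. The following is an added example, not IBM code, that parses repertoire entries and reports the effective settings a reviewer would want to see at a glance. The sample XML is constructed from the page's NodeDefaultSSLSettings entry plus a hypothetical weaker second entry, the xmi namespace URI is assumed, and the findings wording is this example's own.

```python
"""Audit WebSphere SSL repertoire entries in a security.xml document.

Added example (not IBM's code). It applies the rules stated in the attribute
table: enabledCiphers takes precedence over securityLevel, clientAuthentication
overrides clientAuthenticationSupported, and the sslProtocol values SSL_TLS,
SSL, SSLv2, SSLv3 and SSL_TLSv2 all admit SSLv3.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the page's entry plus a hypothetical "LegacySSLSettings"
# entry. The xmi namespace URI is an assumption; real files declare it on the root.
SAMPLE_SECURITY_XML = """<security xmlns:xmi="http://www.omg.org/XMI">
  <repertoire xmi:id="SSLConfig_1" alias="NodeDefaultSSLSettings"
              managementScope="ManagementScope_1" type="JSSE">
    <setting xmi:id="SecureSocketLayer_1" clientAuthentication="false"
             clientAuthenticationSupported="false" securityLevel="HIGH"
             enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="SSL_TLS"
             keyStore="KeyStore_1" trustStore="KeyStore_2"
             trustManager="TrustManager_1" keyManager="KeyManager_1"
             clientKeyAlias="default" serverKeyAlias="default"/>
  </repertoire>
  <repertoire xmi:id="SSLConfig_2" alias="LegacySSLSettings"
              managementScope="ManagementScope_1" type="JSSE">
    <setting xmi:id="SecureSocketLayer_2" clientAuthentication="true"
             clientAuthenticationSupported="false" securityLevel="WEAK"
             enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="SSLv3"
             keyStore="KeyStore_1" trustStore="KeyStore_2"/>
  </repertoire>
</security>"""

# Protocol values from the table whose expansion includes SSLv3.
PROTOCOLS_ALLOWING_SSLV3 = {"SSL_TLS", "SSL", "SSLv2", "SSLv3", "SSL_TLSv2"}
# securityLevel groups the table describes as 40-bit or unencrypted.
WEAK_SECURITY_LEVELS = {"WEAK", "MEDIUM"}


def _is_true(setting, attr):
    return setting.get(attr, "false").strip().lower() == "true"


def effective_client_auth(setting):
    """clientAuthentication="true" overrides clientAuthenticationSupported."""
    if _is_true(setting, "clientAuthentication"):
        return "required"
    if _is_true(setting, "clientAuthenticationSupported"):
        return "supported"
    return "none"


def effective_cipher_selection(setting):
    """An explicit space-separated enabledCiphers list wins; otherwise the
    securityLevel group (table default STRONG) selects the cipher suites."""
    ciphers = setting.get("enabledCiphers", "").split()
    if ciphers:
        return ("explicit", ciphers)
    return ("group", setting.get("securityLevel", "STRONG"))


def audit_repertoires(xml_text):
    """Return {alias: {scope, protocol, client_auth, ciphers, findings}}."""
    root = ET.fromstring(xml_text)
    report = {}
    for rep in root.iter("repertoire"):
        alias = rep.get("alias")
        setting = rep.find("setting")
        if setting is None:
            report[alias] = {"findings": ["repertoire has no <setting> element"]}
            continue
        protocol = setting.get("sslProtocol", "SSL_TLS")   # table default
        mode, ciphers = effective_cipher_selection(setting)
        findings = []
        if protocol in PROTOCOLS_ALLOWING_SSLV3:
            findings.append(f"sslProtocol={protocol} admits SSLv3")
        if mode == "group" and ciphers in WEAK_SECURITY_LEVELS:
            findings.append(f"securityLevel={ciphers} selects a weak cipher group")
        if _is_true(setting, "clientAuthentication") and not _is_true(
                setting, "clientAuthenticationSupported"):
            findings.append("clientAuthentication=true overrides "
                            "clientAuthenticationSupported=false")
        report[alias] = {
            "scope": rep.get("managementScope"),
            "protocol": protocol,
            "client_auth": effective_client_auth(setting),
            "ciphers": (mode, ciphers),
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for alias, entry in audit_repertoires(SAMPLE_SECURITY_XML).items():
        print(alias, entry)
```

Run it against an exported security.xml by replacing SAMPLE_SECURITY_XML with the file contents; entries created at a narrower scope (node, server, endpoint) show up with their own managementScope value, which is what decides where in the topology the entry is visible.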
Subtopics
- Trust manager control of X.509 certificate trust decisions
- Key manager control of X.509 certificate identities
- (dist) Example: Enable certificate revocation checking with the default IbmPKIX trust manager
Related tasks
- Create a Secure Sockets Layer configuration
- Configure Federal Information Processing Standard Java Secure Socket Extension files