
(zos)

Create a new Java Secure Socket Extension repertoire alias

The following steps describe how to generate a new Java Secure Socket Extension (JSSE) repertoire alias. Using the JSSE repertoire, we can pick one of the JSSE repertoire settings defined here from any location within the console.

This simplifies the JSSE repertoire configuration process because we can reuse many of these JSSE configurations by specifying the alias in multiple places.

  1. Click Security > SSL to open the SSL Configuration Repertoires panel.

  2. To create a new JSSE repertoire, click New JSSE repertoire. The JSSE Repertoire panel appears.

  3. Enter the alias name in the Alias field.

  4. Optional: Select the Client authentication option for the authentication protocol. This option enables client authentication to occur if this repertoire is selected for HTTPS. However, the value is ignored if you use Common Secure Interoperability Version 2 (CSIv2) or z/OS Secure Authentication Services (z/SAS).

    To enable client authentication for CSIv2, click Security > Global security > Authentication, expand RMI/IIOP, then click CSIv2 inbound authentication. Select the appropriate option for Client certificate authentication.

    To enable client authentication for z/SAS, click Security > Global security > Authentication, expand RMI/IIOP, then click z/SAS authentication. Select the Client certificate option.

    Important: z/SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.

  5. Select Strong, Medium, or Weak from the Security level menu to specify the strong, medium, or weak set of cipher suites. If we add specific cipher suites on this panel, those cipher suites take precedence over the strong, medium, or weak specification. If a cipher list is specified, WAS uses the list. If the cipher list is empty, WAS uses the strong, medium, or weak specification. The following list explains the strong, medium, and weak specifications:

    Strong

    128-bit cipher suites with digital signature

    Medium

    40-bit cipher suites with digital signature

    Weak

    No encryption is used, but digital signature is used

  6. Select the cipher suites to add from the Cipher suites menu. By default, this is not set. The set of cipher suites available is determined by the value of the Security Level (Strong, Medium, or Weak). A cipher suite is a combination of cryptographic algorithms used for an SSL connection.

  7. Select the Cryptographic token option if hardware or software cryptographic support is available.

  8. Indicate which JSSE provider you are using by selecting either Predefined JSSE provider or Custom JSSE provider in the Provider field. WebSphere Application Server comes with the IBMJSSE2 provider predefined.

    If we are not using the IBMJSSE2 provider, configure a custom provider by selecting Custom JSSE provider. Under Additional properties, click Custom Properties > New. After specifying the custom provider, return to the JSSE repertoire panel.

  9. Select an SSL or Transport Layer Security (TLS) protocol version.

    The protocol chosen for the server must match the protocol chosen for the client. Also, for two servers to interoperate, they must use the same protocol.

  10. Specify the name of the key file in the Key file name field. Specify the fully qualified path to the Secure Sockets Layer (SSL) key file containing public keys and private keys. Type safkeyring:/// if you are using a RACF key ring for the key file.

  11. Specify the password needed to access the key file in the Key file password field. Type password if you are using a RACF key ring for the key store.

  12. Select the format of the key file from the Key file format menu.

  13. Click OK when we have made all the selections.
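The precedence rule in step 5 means the Security level field alone does not tell you what a repertoire negotiates. The following is an added example, not WebSphere code: it audits repertoire settings for anything in effect below Strong. The dict layout, key names, aliases and sample contents are assumptions constructed for illustration.

```python
# Added example: audit of JSSE repertoire settings against step 5's rules.
# The dict layout and key names are assumptions, not a WebSphere export format.

def below_strong(name):
    """Name-based heuristic: detects only the two categories the page lists below Strong."""
    if "_WITH_NULL_" in name:
        return "Weak"      # no encryption, digital signature only
    if "_EXPORT_" in name or "_40_" in name:
        return "Medium"    # 40-bit cipher suite
    return None            # not flagged by this heuristic

def effective_selection(rep):
    """A non-empty cipher list wins; the security level applies only if the list is empty."""
    suites = rep.get("cipher_suites") or []
    return ("list", suites) if suites else ("level", rep["security_level"])

def audit(rep):
    """Return findings for whatever is actually in effect and below Strong."""
    source, value = effective_selection(rep)
    findings = []
    if source == "level":
        if value != "Strong":
            findings.append("security level %s is in effect" % value)
        return findings
    for suite in value:
        grade = below_strong(suite)
        if grade:
            findings.append("cipher list enables %s suite %s" % (grade, suite))
    if findings and rep["security_level"] == "Strong":
        findings.append("security level shows Strong but the cipher list overrides it")
    return findings

# Constructed sample repertoires (aliases and contents are made up).
REPERTOIRES = [
    {"alias": "Node01/StrongSSL", "security_level": "Strong", "cipher_suites": []},
    {"alias": "Node01/LevelOnly", "security_level": "Weak", "cipher_suites": []},
    {"alias": "Node01/ListOverride", "security_level": "Strong",
     "cipher_suites": ["SSL_RSA_WITH_RC4_128_SHA",
                       "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                       "SSL_RSA_WITH_NULL_SHA"]},
]

def audit_all(reps):
    return {rep["alias"]: audit(rep) for rep in reps}

if __name__ == "__main__":
    for alias, findings in audit_all(REPERTOIRES).items():
        print(alias, "OK" if not findings else findings)
```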


Related concepts

  • SSL security for WebSphere Application Server for z/OS
  • SSL repertoires
  • Secure transports with JSSE and JCE programming interfaces