
Key manager control of X.509 certificate identities

JSSE key managers retrieve the certificate that identifies the client or the server during an SSL handshake.

WebSphere Application Server provides a default key manager that selects a certificate from a keystore according to the following SSL configuration properties:

com.ibm.ssl.keyStoreClientAlias Alias chosen from the keystore for the client side of a connection. Alias must be present in the keystore.
com.ibm.ssl.keyStoreServerAlias Alias chosen from the keystore for the server side of a connection. Alias must be present in the keystore.

When we create an SSL configuration in the dmgr console, these two properties are set automatically, because the default key manager is already configured.

Only one key manager can be configured at a time for a given SSL configuration. To apply custom certificate selection logic on the client side, for example to prompt the user to choose a certificate dynamically, we must write a custom key manager. A key manager can also implement the extended interface com.ibm.wsspi.ssl.KeyManagerExtendedInfo, through which WAS supplies it with the SSL configuration, the keystore and the configured aliases before the connection is made.


Default IbmX509 key manager

The default IbmX509 key manager chooses the certificate that serves as the identity for an SSL handshake. The key manager can be called on either side of the handshake: on the server side, which must present a certificate to identify itself, and on the client side only when the server requires client authentication. If SSL client authentication is enabled but no keystore is configured on the client side, the key manager cannot select a certificate to send to the server, and the handshake fails.

The following sample code shows the key manager configuration in the security.xml file for the IbmX509 key manager.

<keyManagers xmi:id="KeyManager_1" name="IbmX509" 
provider="IBMJSSE2" algorithm="IbmX509" keyManagerClass="" 
managementScope="ManagementScope_1"/>

The keyManagerClass attribute is left empty here because the key manager is supplied by the IBMJSSE2 provider. A keyManagers element identifies its key manager in one of two ways: either keyManagerClass names a custom class implementation, or provider and algorithm name a key manager algorithm that WAS instantiates through the Java security provider framework.


Custom key manager

The following sample code shows the key manager configuration in the security.xml file for a custom class.

<keyManagers xmi:id="KeyManager_2" name="CustomKeyManager" 
keyManagerClass="com.ibm.ws.ssl.core.CustomKeyManager" 
managementScope="ManagementScope_1"/>

The custom class must implement the javax.net.ssl.X509KeyManager interface and can optionally implement the com.ibm.wsspi.ssl.KeyManagerExtendedInfo interface to receive additional WAS information (the SSL configuration, the keystore and the configured aliases). Because only one key manager can be configured at a time, a custom key manager replaces the default key manager entirely and has sole responsibility for selecting the alias to use from the configured keystore; nothing falls back to the default selection if it returns no alias. The benefit of a custom key manager is that, on the client side, it can prompt for an alias, so a user who knows which client certificate identity to present can choose it. For more information, see Create a custom key manager for SSL.
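As an added example, which is not IBM's sample code and not the com.ibm.ws.ssl.core.CustomKeyManager class referenced above, the following Java class shows what a custom key manager for this configuration looks like. It pins the handshake identity to the alias that WAS supplies through KeyManagerExtendedInfo (the same com.ibm.ssl.keyStoreClientAlias and com.ibm.ssl.keyStoreServerAlias values the default key manager uses), rejects an alias that is not a key entry in the configured keystore, and returns null (no certificate) rather than falling back to an arbitrary entry, which reproduces the failure mode described for the default key manager when a client has no keystore. The package name com.example.ssl, the class name PinnedAliasKeyManager and the handling of com.ibm.ssl.keyStorePassword are assumptions made for this example; the KeyManagerExtendedInfo callbacks are the ones IBM documents for that interface, so check them against the interface shipped with your WAS version.

```java
package com.example.ssl;                          // hypothetical package, not IBM code

import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Properties;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import com.ibm.websphere.crypto.PasswordUtil;    // decodes {xor}-encoded WAS passwords
import com.ibm.wsspi.ssl.KeyManagerExtendedInfo;

/**
 * Added example. Selection policy lives here; key and chain lookups are
 * delegated to the provider's own X509KeyManager for the same keystore.
 */
public class PinnedAliasKeyManager implements X509KeyManager, KeyManagerExtendedInfo {

    private KeyStore keyStore;
    private char[] keyPassword;
    private String clientAlias;
    private String serverAlias;
    private X509KeyManager delegate;

    public PinnedAliasKeyManager() {                // WAS instantiates keyManagerClass with no arguments
    }

    // For use outside WAS (unit tests, plain JSSE): the caller supplies everything.
    public PinnedAliasKeyManager(KeyStore ks, char[] password, String clientAlias, String serverAlias) {
        this.keyStore = ks;
        this.keyPassword = password;
        this.clientAlias = clientAlias;
        this.serverAlias = serverAlias;
    }

    // ---- KeyManagerExtendedInfo: WAS calls these before the first handshake ----
    public void setCustomProperties(Properties customProperties) { /* none used in this example */ }

    public void setSSLConfig(Properties config) {
        // Assumption: the keystore password arrives as com.ibm.ssl.keyStorePassword and may be {xor}-encoded.
        String pw = config.getProperty("com.ibm.ssl.keyStorePassword");
        if (pw != null) {
            keyPassword = (pw.startsWith("{xor}") ? PasswordUtil.decode(pw) : pw).toCharArray();
        }
        if (clientAlias == null) clientAlias = config.getProperty("com.ibm.ssl.keyStoreClientAlias");
        if (serverAlias == null) serverAlias = config.getProperty("com.ibm.ssl.keyStoreServerAlias");
    }

    public void setKeyStore(KeyStore keyStore) { this.keyStore = keyStore; }
    public void setKeyStoreClientAlias(String alias) { this.clientAlias = alias; }
    public void setKeyStoreServerAlias(String alias) { this.serverAlias = alias; }

    // ---- X509KeyManager ----
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        return pinned(clientAlias, keyTypes, issuers, true);
    }

    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return pinned(serverAlias, new String[] { keyType }, issuers, false);
    }

    public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate().getClientAliases(keyType, issuers); }
    public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate().getServerAliases(keyType, issuers); }
    public X509Certificate[] getCertificateChain(String alias) { return delegate().getCertificateChain(alias); }
    public PrivateKey getPrivateKey(String alias) { return delegate().getPrivateKey(alias); }

    /**
     * Returns the configured alias only if the keystore holds a key entry under that name
     * and the provider would offer it for the requested key types and issuers. Returning
     * null makes JSSE send no certificate: the server-side handshake then fails outright,
     * and the client-side handshake fails if the server requires a client certificate.
     * Both are preferable to silently presenting some other identity from the keystore.
     */
    private String pinned(String alias, String[] keyTypes, Principal[] issuers, boolean client) {
        if (alias == null || keyStore == null) return null;     // no keystore: nothing to offer
        try {
            if (!keyStore.isKeyEntry(alias)) return null;        // "Alias must be present in the keystore"
        } catch (KeyStoreException e) {
            return null;
        }
        for (String kt : keyTypes) {
            String[] offered = client ? delegate().getClientAliases(kt, issuers)
                                      : delegate().getServerAliases(kt, issuers);
            if (offered == null) continue;
            for (String o : offered) if (alias.equals(o)) return alias;
        }
        return null;   // key type or issuer mismatch, e.g. an EC certificate when the peer accepts only RSA
    }

    private synchronized X509KeyManager delegate() {
        if (delegate == null) {
            try {
                // IbmX509 on an IBM JDK; the default algorithm keeps the class usable on other JDKs too.
                KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                kmf.init(keyStore, keyPassword);
                for (KeyManager km : kmf.getKeyManagers()) {
                    if (km instanceof X509KeyManager) { delegate = (X509KeyManager) km; break; }
                }
                if (delegate == null) throw new IllegalStateException("provider returned no X509KeyManager");
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException("cannot initialise provider key manager", e);
            }
        }
        return delegate;
    }
}
```

To plug the class in, set keyManagerClass="com.example.ssl.PinnedAliasKeyManager" on the keyManagers element of the SSL configuration (or select it as a custom key manager in the dmgr console) and make the class available on the server class path. Because a custom key manager replaces the default one, the null return in pinned() is the only fallback: a misconfigured alias shows up as a failed handshake rather than as a connection made with an unintended certificate.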


Related concepts:

SSL configurations

Related tasks:

Create a custom key manager for SSL

