SSL configurations

WAS v8.5 > Secure applications > Secure communications > Secure communications using SSL
SSL configurations

SSL configurations contain attributes that enable you to control the behavior of both the client and the server SSL endpoints. We can assign SSL configurations to have specific management scopes. The scope that an SSL configuration inherits depends upon whether you create it using a cell, node, server, or endpoint link in the configuration topology.
When creating an SSL configuration, we can set the following SSL connection attributes:

Keystore
Default client certificate for outbound connections
Default server certificate for inbound connections
Truststore
Key manager for selecting a certificate
Trust manager
Handshaking protocol
Ciphers for negotiating the handshake
Client authentication support and requirements

We can manage an SSL configuration using any of the following methods:

Central management selection
Direct reference selection
Dynamic outbound connection selection
Programmatic selection

Using the dmgr console, we can manage all of the SSL configurations for WebSphere Application Server. From the dmgr console, click...
Security | SSL certificates and key management | Manage endpoint security configurations | [Inbound | Outbound] | SSL_configuration

We can view an SSL configuration at the level it was created and in the inherited scope below that point in the topology, including cell level.
The attributes defining an SSL configuration repertoire entry for a specific management scope are stored in security.xml. The scope determines the point at which other levels in the cell topology can see the configuration, as shown in the following example:
<repertoire xmi:id="SSLConfig_1" 
            alias="NodeDefaultSSLSettings" 
            managementScope="ManagementScope_1" 
            type="JSSE"> 
<setting xmi:id="SecureSocketLayer_1" 
         clientAuthentication="false" 
         clientAuthenticationSupported="false" 
         securityLevel="HIGH" enabledCiphers="" 
         jsseProvider="IBMJSSE2" 
         sslProtocol="SSL_TLS" 
         keyStore="KeyStore_1" 
         trustStore="KeyStore_2" 
         trustManager="TrustManager_1" 
         keyManager="KeyManager_1" 
         clientKeyAlias="default" 
         serverKeyAlias="default"/> </repertoire>
security.xml attributes...

security.xml Description Default SSL property
xmi:id Unique identifier for XML entry. Determines how the SSL configuration is linked to other XML objects, such as SSLConfigGroup. System-defined. Must be unique. Determined by administrative configuration service. None. This value is used only for XML associations.
alias Name of the SSL configuration. Direct selection uses the alias attribute and the node is not prefixed to the alias. Rather, the management scope takes care of ensuring the name is unique within the scope. NodeDefaultSSLSettings com.ibm.ssl.alias
managementScope Visibility of the SSL configuration at runtime. node Not mapped to an SSL property. However, it confirms whether or not the SSL configuration is associated with a process.
type JSSE or SSSL. JSSE com.ibm.ssl.sslType
clientAuthentication Whether SSL client authentication is required. false com.ibm.ssl.clientAuthentication
clientAuthenticationSupported Whether SSL client authentication is supported. The client does not have to supply a client certificate if it does not have a client certificate. false com.ibm.ssl.client.AuthenticationSupported
securityLevel Cipher suite group. Valid values include STRONG (128-bit ciphers), MEDIUM (40-bit ciphers), WEAK (for all ciphers without encryption), and CUSTOM (if the cipher suite group is customized. Ignored if enabledCiphers is set. STRONG com.ibm.ssl.securityLevel
enabledCiphers Unique list of cipher suites. Separate each cipher suite in the list with a space. securityLevel com.ibm.ssl.enabledCipherSuites
jsseProvider JSSE provider IBMJSSE2 com.ibm.ssl.contextProvider
sslProtocol Handshake protocol

SSL_TLS - (SSLv3 and TLSv1)
SSL (SSLv3)
SSLv2
SSLv3
TLS (TLSv1)
TLSv1
SSL_TLSv2 (SSLv3, TLSv1, TLSv1.1, TLSv1.2)
TLSv1.1
TLSv1.2

The listSSLProtocols command provides more information about which protocol are valid in particular configurations, such as FIPS 140-2 or SP800-131.
SSL_TLS com.ibm.ssl.protocol
keyStore Keystore and attributes of the keyStore instance NodeDefaultKeyStore.

trustStore Key store the SSL configuration uses for certificate signing verification. The default is NodeDefaultTrustStore. A trustStore is a logical JSSE term. It signifies a key store containing signer certificates. Signer certificates validate certificates sent to WAS during an SSL handshake.
keyManager Defines the key manager used to select keys from a key store. A JSSE key manager controls the javax.net.ssl.X509KeyManager interface. A custom key manager controls the javax.net.ssl.X509KeyManager and the com.ibm.wsspi.ssl.KeyManagerExtendedInfo interfaces. The com.ibm.wsspi.ssl.KeyManagerExtendedInfo interface provides more information from WAS. IbmX509 com.ibm.ssl.keyManager defines a well-known key manager and accepts the algorithm and algorithm|provider formats, for example IbmX509 and IbmX509|IBMJSSE2. com.ibm.ssl.customKeyManager defines a custom key manager and takes precedence over the other keyManager properties. This class must implement javax.net.ssl.X509KeyManager and can implement com.ibm.wsspi.ssl.KeyManagerExtendedInfo.
trustManager Which trust manager or list of trust managers to use for determining whether to trust the peer side of the connection. A JSSE trust manager implements the javax.net.ssl.X509TrustManager interface. A custom trust manager might also implement com.ibm.wsspi.ssl.TrustManagerExtendedInfo interface to get more information from the WAS environment. IbmPKIX can be configured for certificate revocation list (CRL) verification when the certificate contains a CRL distribution point. The other option is IbmX509. IbmPKIX com.ibm.ssl.trustManager defines a well-known trust manager, which is required for most handshake situations. com.ibm.ssl.trustManager performs certificate expiration checking and signature validation. We can define com.ibm.ssl.customTrustManagers with additional custom trust managers called during an SSL handshake. Separate additional trust managers with the vertical bar (|) character.

Client SSL configurations are managed using...
${USER_INSTALL_ROOT}/properties/ssl.client.props

Specify any javax.net.ssl system properties will override the corresponding property in the ssl.client.props file.

Subtopics

Trust manager control of X.509 certificate trust decisions
Key manager control of X.509 certificate identities
Example: Enabling certificate revocation checking with the default IbmPKIX trust manager

Related

Create an SSL configuration
Configure Federal Information Processing Standard Java Secure Socket Extension files

+
Search Tips | Advanced Search

security.xml	Description	Default	SSL property
xmi:id	Unique identifier for XML entry. Determines how the SSL configuration is linked to other XML objects, such as SSLConfigGroup. System-defined. Must be unique.	Determined by administrative configuration service.	None. This value is used only for XML associations.
alias	Name of the SSL configuration. Direct selection uses the alias attribute and the node is not prefixed to the alias. Rather, the management scope takes care of ensuring the name is unique within the scope.	NodeDefaultSSLSettings	com.ibm.ssl.alias
managementScope	Visibility of the SSL configuration at runtime.	node	Not mapped to an SSL property. However, it confirms whether or not the SSL configuration is associated with a process.
type	JSSE or SSSL.	JSSE	com.ibm.ssl.sslType
clientAuthentication	Whether SSL client authentication is required.	false	com.ibm.ssl.clientAuthentication
clientAuthenticationSupported	Whether SSL client authentication is supported. The client does not have to supply a client certificate if it does not have a client certificate.	false	com.ibm.ssl.client.AuthenticationSupported
securityLevel	Cipher suite group. Valid values include STRONG (128-bit ciphers), MEDIUM (40-bit ciphers), WEAK (for all ciphers without encryption), and CUSTOM (if the cipher suite group is customized. Ignored if enabledCiphers is set.	STRONG	com.ibm.ssl.securityLevel
enabledCiphers	Unique list of cipher suites. Separate each cipher suite in the list with a space.	securityLevel	com.ibm.ssl.enabledCipherSuites
jsseProvider	JSSE provider	IBMJSSE2	com.ibm.ssl.contextProvider
sslProtocol	Handshake protocol SSL_TLS - (SSLv3 and TLSv1) SSL (SSLv3) SSLv2 SSLv3 TLS (TLSv1) TLSv1 SSL_TLSv2 (SSLv3, TLSv1, TLSv1.1, TLSv1.2) TLSv1.1 TLSv1.2 The listSSLProtocols command provides more information about which protocol are valid in particular configurations, such as FIPS 140-2 or SP800-131.	SSL_TLS	com.ibm.ssl.protocol
keyStore	Keystore and attributes of the keyStore instance	NodeDefaultKeyStore.
trustStore	Key store the SSL configuration uses for certificate signing verification.	The default is NodeDefaultTrustStore.	A trustStore is a logical JSSE term. It signifies a key store containing signer certificates. Signer certificates validate certificates sent to WAS during an SSL handshake.
keyManager	Defines the key manager used to select keys from a key store. A JSSE key manager controls the javax.net.ssl.X509KeyManager interface. A custom key manager controls the javax.net.ssl.X509KeyManager and the com.ibm.wsspi.ssl.KeyManagerExtendedInfo interfaces. The com.ibm.wsspi.ssl.KeyManagerExtendedInfo interface provides more information from WAS.	IbmX509	com.ibm.ssl.keyManager defines a well-known key manager and accepts the algorithm and algorithm\|provider formats, for example IbmX509 and IbmX509\|IBMJSSE2. com.ibm.ssl.customKeyManager defines a custom key manager and takes precedence over the other keyManager properties. This class must implement javax.net.ssl.X509KeyManager and can implement com.ibm.wsspi.ssl.KeyManagerExtendedInfo.
trustManager	Which trust manager or list of trust managers to use for determining whether to trust the peer side of the connection. A JSSE trust manager implements the javax.net.ssl.X509TrustManager interface. A custom trust manager might also implement com.ibm.wsspi.ssl.TrustManagerExtendedInfo interface to get more information from the WAS environment. IbmPKIX can be configured for certificate revocation list (CRL) verification when the certificate contains a CRL distribution point. The other option is IbmX509.	IbmPKIX	com.ibm.ssl.trustManager defines a well-known trust manager, which is required for most handshake situations. com.ibm.ssl.trustManager performs certificate expiration checking and signature validation. We can define com.ibm.ssl.customTrustManagers with additional custom trust managers called during an SSL handshake. Separate additional trust managers with the vertical bar (\|) character.