Enabling SSL communication for the Liberty profile
To enable SSL communication for the Liberty profile, only a minimal set of SSL configuration options is needed: the defaults cover most SSL options, and you supply only the keystore information. SSL client authentication occurs during the connection handshake using SSL certificates. The SSL handshake is a series of messages exchanged over the SSL protocol to negotiate connection-specific protection. During the handshake, the secure server requests that the client send back a certificate or certificate chain for authentication. To enable SSL for the Liberty profile, add the ssl-1.0 Liberty feature to server.xml, together with the keystore information used for authentication.
- Enable the ssl-1.0 Liberty feature in server.xml.
  <featureManager>
    <feature>ssl-1.0</feature>
  </featureManager>
  If application security is required and security information is redirected to a secure port, you must also add the appSecurity-1.0 Liberty feature to server.xml.
- Add the keystore service object entry to the server.xml file.
The keyStore element has the id defaultKeyStore and contains the keystore password. The password can be entered in clear text or encoded; the securityUtility encode option can be used to encode it.
An example of a SAF keyring in the minimal configuration:
  <keyStore id="defaultKeyStore" location="safkeyring:///WASKeyring" type="JCERACFKS" password="password" fileBased="false" readOnly="true" />
In the minimal configuration (a defaultKeyStore entry with only a password), the keystore type is JKS. You can create this default keystore using the securityUtility createSSLCertificate option; otherwise, the server creates the keystore for you during SSL initialization if it does not exist. The password must be at least six characters long. The keystore type is JKS by default. Keystores of other types can also be specified in the minimal SSL configuration if the keystore file has already been created; the server creates only JKS keystore files when the keystore file does not exist. The generated certificate has a validity period of 365 days, the CN value of its subjectDN is the host name of the machine where the server is running, and its signature algorithm is SHA1 with RSA.
The single keystore entry for a minimal SSL configuration can be extended to include the location and type as well.
The location parameter can be an absolute path to the keystore file. If it is an absolute path, the keystore file is assumed to already exist. Keystores of other types can also be specified in the minimal SSL configuration if the keystore file has already been created. When the minimal SSL configuration is used, the SSL configuration defaults are used to create the SSL context for an SSL handshake: the protocol is SSL_TLS by default, and the HIGH cipher suites (128-bit and higher) can be used.
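The following is an added example, not part of this topic or of the Liberty product: a small Python check that reads a server.xml and verifies the points made above (ssl-1.0 enabled, appSecurity-1.0 present, a defaultKeyStore entry with an encoded password, a clear-text password of at least six characters, and the JCERACFKS type when a SAF keyring location is used). The two server.xml documents are constructed samples; the {xor} and {aes} prefixes are assumed to be what securityUtility encode produces, and the password check only verifies that a prefix is present, it does not decode anything.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumption: a complete server.xml along the lines of this
# topic): both features plus a defaultKeyStore extended with location and type.
SAMPLE_SERVER_XML = """<server description="sample">
  <featureManager>
    <feature>jsp-2.2</feature>
    <feature>ssl-1.0</feature>
    <feature>appSecurity-1.0</feature>
  </featureManager>
  <keyStore id="defaultKeyStore"
            location="/opt/liberty/usr/servers/demo/resources/security/key.jks"
            type="JKS"
            password="{xor}LDo8LTor" />
</server>
"""

# Constructed weak sample: appSecurity-1.0 missing, clear-text 4-character password.
WEAK_SERVER_XML = """<server>
  <featureManager>
    <feature>ssl-1.0</feature>
  </featureManager>
  <keyStore id="defaultKeyStore" password="pass" />
</server>
"""

# Assumption: prefixes that securityUtility encode emits ({xor} by default,
# {aes} with --encoding=aes). The check looks for a prefix only.
ENCODED_PREFIXES = ("{xor}", "{aes}")
MIN_PASSWORD_LENGTH = 6  # stated on this page for the generated JKS keystore


def check_ssl_config(server_xml: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(server_xml)

    # Collect every <feature> under any <featureManager>.
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if "ssl-1.0" not in features:
        findings.append("ssl-1.0 feature is not enabled")
    if "appSecurity-1.0" not in features:
        findings.append("appSecurity-1.0 is not enabled; needed when application "
                        "security redirects to a secure port")

    stores = [k for k in root.iter("keyStore") if k.get("id") == "defaultKeyStore"]
    if not stores:
        findings.append("no keyStore element with id=defaultKeyStore")
        return findings
    store = stores[0]

    password = store.get("password", "")
    if not password:
        findings.append("defaultKeyStore has no password")
    elif not password.startswith(ENCODED_PREFIXES):
        findings.append("keystore password is stored in clear text; "
                        "encode it with securityUtility encode")
        if len(password) < MIN_PASSWORD_LENGTH:
            findings.append("keystore password is shorter than six characters")

    # A SAF keyring location must be paired with the JCERACFKS type.
    location = store.get("location", "")
    if location.startswith("safkeyring://") and store.get("type") != "JCERACFKS":
        findings.append("safkeyring location requires type=JCERACFKS")

    return findings


if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_SERVER_XML), ("weak", WEAK_SERVER_XML)):
        print(name, check_ssl_config(xml) or "OK")
```

Run it against a real server.xml by reading the file into a string and passing it to check_ssl_config; the function deliberately stops after reporting a missing defaultKeyStore, since the remaining checks depend on that element.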
See also
- Liberty profile: SSL configuration attributes
SSL configurations contain attributes that you use to control the behavior of the server SSL transport layer on a Liberty profile. This topic iterates all the settings available for an SSL configuration.
Parent topic: Secure communications with the Liberty profile