Create a custom trust manager configuration for SSL
Create a custom trust manager configuration at any management scope and associate the new trust manager with an SSL configuration.
We must develop, package, and place a Java Archive (JAR) file for the custom trust manager in the was.install.root/lib/ext directory on WebSphere Application Server before configuring it. See Example: Developing a custom trust manager for custom SSL trust decisions.
Tasks
1. Decide whether to create the custom trust manager at the cell scope or below the cell scope, for example at the node, server, or cluster scope.
   Important: When we create a custom trust manager at a level below the cell scope, we can associate it only with an SSL configuration at the same scope or higher. An SSL configuration at a scope lower than the trust manager does not see the trust manager configuration.
   - To create a custom trust manager at the cell scope, click Security > SSL certificate and key management > Trust managers. Every SSL configuration in the cell can select a trust manager defined at the cell scope.
   - To create a custom trust manager at a scope below the cell level, click Security > SSL certificate and key management > Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration > Trust managers.
2. Click New to create a new custom trust manager.
3. Type a unique trust manager name.
4. Select the Custom implementation setting. The custom setting enables us to define a Java class that implements the javax.net.ssl.X509TrustManager Java interface and, optionally, the com.ibm.wsspi.ssl.TrustManagerExtendedInfo WAS interface.
   The standard implementation setting applies only when the trust manager is already defined in the Java security provider list as a provider and an algorithm, which is not the case for a custom trust manager.
5. Type a class name, for example, com.ibm.test.CustomTrustManager.
6. Select one of the following actions:
   - Click Apply, then click Custom properties under Additional Properties to add custom properties to the new custom trust manager. When we are finished adding custom properties, click OK and Save, then go to the next step.
   - Click OK and Save, then go to the next step.
7. Click SSL certificate and key management in the page navigation.
8. Select one of the following actions:
   - Click SSL configurations under Related Items for a cell-scoped SSL configuration.
   - Click Manage endpoint security configurations to select an SSL configuration at a lower scope.
9. Click the link for the existing SSL configuration to associate with the new custom trust manager. Alternatively, create a new SSL configuration instead of associating the custom trust manager with an existing one. For more information, see Create a Secure Sockets Layer configuration.
10. Click Trust and Key managers under Additional Properties. If the new custom trust manager is not listed in the Additional ordered trust managers list, verify that the SSL configuration scope selected in Step 8 is at the same level or below the scope of the trust manager.
11. Click Add. This action adds the new trust manager to the list of custom trust managers.
12. Click OK and Save.
We have created a custom trust manager configuration that references a JAR file in the install directory of WAS and associates it with an SSL configuration during the connection handshake.
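As an added illustration, not code from this page or from IBM, the following is a minimal version of the class named in the steps above, com.ibm.test.CustomTrustManager. It implements only the standard javax.net.ssl.X509TrustManager interface (the optional com.ibm.wsspi.ssl.TrustManagerExtendedInfo interface is omitted); the use of the JDK default trust store for the delegate and the expected issuer value are assumptions made for the example.

```java
package com.ibm.test;

import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
// Illustrative custom trust manager: signature and expiration checks are delegated
// to the JDK default X509TrustManager, then an extended check pins the issuer of
// the peer certificate. Throwing CertificateException aborts the handshake.
public class CustomTrustManager implements X509TrustManager {
    // Expected issuer DN fragment: a constructed value for this example. In WAS it
    // could instead be supplied through the trust manager's custom properties.
    private static final String EXPECTED_ISSUER = "O=Example Corp";
    private final X509TrustManager delegate;

    public CustomTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JDK default trust store (assumption)
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        delegate = found;
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType); // default chain validation first
        extendedCheck(chain);
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
        extendedCheck(chain);
    }

    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    // Extended check: the end-entity certificate (chain[0]) must come from the expected CA.
    private void extendedCheck(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        String issuer = chain[0].getIssuerX500Principal().getName();
        if (!issuer.contains(EXPECTED_ISSUER)) throw new CertificateException("unexpected issuer: " + issuer);
    }
}
```

Package the compiled class into a JAR under was.install.root/lib/ext as described above, then enter com.ibm.test.CustomTrustManager as the class name in the trust manager settings.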
What to do next
Create a custom trust manager for a pure client. See TrustManagerCommands command group for the AdminTask object topic.
Subtopics
- Trust and key managers settings
  Specify trust and key managers for the selected SSL configuration.
- Trust managers collection
  Use this page to define the implementation settings for the trust manager. A trust manager is a class that is invoked during an SSL handshake to make trust decisions about the remote end point. A default trust manager is used to validate the signature and expiration of the certificate. Custom trust managers can be plugged in to perform an extended certificate and host name check.
- Trust managers settings
  This page enables us to view and set definitions for trust manager implementation settings. A trust manager is a class that is invoked during an SSL handshake to make trust decisions about the remote end point. A default trust manager is used to validate the signature and expiration of the certificate. Custom trust managers can be plugged in to perform an extended certificate and host name check.
- Example: Developing a custom trust manager for custom SSL trust decisions
  The following example is of a sample custom trust manager. The custom trust manager makes no trust decisions itself but instead uses the information in the X.509 certificate that it references to make decisions.
Related:
- SSL configurations
- Trust manager control of X.509 certificate trust decisions
- Example: Developing a custom trust manager for custom SSL trust decisions
- TrustManagerCommands