
Key set groups settings

Create new key set groups.

From the admin console, click...

        Security > SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration. Under Related items, click Key set groups > New.


Key set group name

Name of key set group used. This name can be referenced using the com.ibm.websphere.crypto.KeySetHelper API to retrieve the managed keys from an application.

Information Value
Data type: Text


Management scope

Scope where this SSL configuration is visible. For example, if we choose a specific node, then the configuration is only visible on that node and any servers that are part of that node.

Information Value
Data type: List
Range: Applicable scopes


Key sets

Specifies a set of key instances of the same type for use in cryptographic operations.

This setting has the following options:

Add

Adds the selected key set as part of this key set group.

Remove

Remove the selection from the Key sets list.


Automatically generate keys

Specifies that the keys are generated automatically on a schedule. When a new key is generated, the runtime updates and saves security.xml to track the key reference version. This can cause save conflicts when admin applications update the same file.

Starting with Versions 6.1.0.23 and 7.0.0.3, the default value for this property is Disabled.

If we try to enable this property, and automatic synchronization is off in any node, the following administrative console message displays:

Warning: At least one node in the cell was unreachable or is not configured to automatically synchronize. 
It is strongly recommended that you verify the node settings, and do not enable automatic 
generation of LTPA keys while automatic synchronization is disabled on any node.

Information Value
Default for Versions 7.0 and 7.0.0.1: Enabled
Default for Versions 7.0.0.3 and higher: Disabled
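
The following added example (not IBM code and not part of the original page) audits a cell for the condition the console warning describes: automatic key generation effectively enabled while a node is unreachable or not automatically synchronizing. The inventory layout, field names and sample names are assumptions constructed for illustration, and treating levels below 6.1.0.23 and 7.0.0.3 as Enabled is inferred from the version notes above.

```python
# Added example: the inventory layout and field names are assumptions,
# not a WebSphere file format or API.

def default_auto_generate(version):
    """Default of 'Automatically generate keys' per the version notes on this page."""
    v = tuple(int(p) for p in version.split("."))
    v += (0,) * (4 - len(v))               # "7.0" -> (7, 0, 0, 0)
    if v[:2] == (6, 1):
        return v < (6, 1, 0, 23)           # Disabled starting with 6.1.0.23
    return v < (7, 0, 0, 3)                # Enabled on 7.0 and 7.0.0.1, Disabled from 7.0.0.3

def unsafe_nodes(nodes):
    """Nodes matching the console warning: unreachable or not auto-synchronizing."""
    return sorted(n["name"] for n in nodes
                  if not n["reachable"] or not n["auto_sync"])

def audit(cell):
    """Return (group name, offending nodes) for each group that generates keys automatically."""
    bad = unsafe_nodes(cell["nodes"])
    findings = []
    for group in cell["key_set_groups"]:
        enabled = group.get("auto_generate")
        if enabled is None:                # not set explicitly: version default applies
            enabled = default_auto_generate(cell["version"])
        if enabled and bad:
            findings.append((group["name"], bad))
    return findings

# Constructed sample inventory (names are placeholders)
CELL = {
    "version": "7.0.0.1",
    "nodes": [
        {"name": "dmgr-node", "reachable": True, "auto_sync": True},
        {"name": "node01", "reachable": True, "auto_sync": False},
        {"name": "node02", "reachable": False, "auto_sync": True},
    ],
    "key_set_groups": [
        {"name": "ltpa-group-example", "auto_generate": None},
        {"name": "app-group-example", "auto_generate": False},
    ],
}

if __name__ == "__main__":
    for name, nodes in audit(CELL):
        print("%s: automatic generation is on while %s cannot auto-sync"
              % (name, ", ".join(nodes)))
```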


Scheduled time for generation

Scheduled time at which the system generates the selected key set group or groups. We can specify the scheduled time in hours and minutes, with either A.M. or P.M. or in 24-hour format. We can also specify the day of the week on which we want the scheduled event to occur. IBM recommends that we set this event to occur during an off-peak time, especially for keys used by the runtime for token validation.

Information Value
Data type: Integer
Default: 8, 0 A.M.
Range: 1-12, with an A.M. or P.M. setting

0-59, with a 24-hour setting


Generate on a specific day

Specifies whether generation occurs on a specific day of the week. It is best to auto-generate keys on an off-peak day.

This setting has the following options:

Weekday

Day of the week on which the expiration monitor will run if the Check on a specific day option is selected.

Information Value
Default: Sunday
Range: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday

Repeat interval

Period of time, in weeks, between each scheduled time to check for expired certificates, or the interval between scheduled checks.

Information Value
Default: 4 weeks


Generate at an interval

Specifies that keys are generated at the specified frequency, regardless of the day of the week on which generation occurs.

Information Value
Default: Disabled

This setting has the following options:

Repeat interval

Period of time, in days, between each scheduled time to check for expired certificates, or the interval between scheduled checks.

Information Value
Default: 7 days


Next start date

Date for the next scheduled check. This allows the deployment manager to be stopped and restarted without resetting the date.

  • Create a Secure Sockets Layer configuration
  • Keystores and certificates collection
  • Key set groups collection