The name of the specific SSL setting
| Data type: | String |
Note: If you create a new SSL alias using the administrative console, the alias name is automatically created in the node/alias_name format. However, if you create a new SSL alias using wsadmin, create the SSL alias and specify both the node name and alias name in the node/alias_name format.
The fully qualified path to the SSL key file that contains public keys and might contain private keys.
You can create an SSL key file with the key management utility, or this file can correspond to a hardware device if one is available. In either case, this option indicates the source for personal certificates and for signer certificates unless a trust file is specified. The default SSL key files, DummyClientKeyFile.jks and DummyServerKeyFile.jks, contains a self-signed personal test certificate expiring on March 17, 2005. The test certificate is only intended for use in a test environment. The default SSL key files should never be used in a production environment because the private keys are the same on all the WebSphere Application Server installations. Refer to the Managing certificates article for information about creating and managing digital certificates for your WebSphere Application Server domain.
| Data type: | String |
Whether to request a certificate from the client for authentication purposes when making a connection.
This attribute is only valid when it is used by the Web container HTTP transport.
When performing client authentication with the Internet InterORB Protocol (IIOP) for EJB requests, click Security > Global security. Under Authentication, click Authentication protocol > CSIv2 inbound authentication or Authentication protocol > CSIv2 outbound authentication. Select the appropriate option under Client certificate authentication.
| Default: | Disabled |
| Range: | Enabled or Disabled |
Whether the server selects from a pre-configured set of security levels.
| Data type: | Valid values include Low, Medium or High.
To specify all ciphers or any particular range, you can set the com.ibm.ssl.enabledCipherSuites property. See the SSL documentation for more information. |
| Default: | High |
| Range: | Low, Medium, or High |
Specifies a list of supported cipher suites that can be selected during the SSL handshake. If you select cipher suites individually here, you override the cipher suites set in the Security Level field.
Refers to a package that implements a subset of the Java security application programming interface (API) cryptography aspects.
If you select Predefined JSSE provider, select a provider from the menu.
WebSphere Application Server has the IBMJSSE, IBMJSSE2, and the IBMJSSEFIPS predefined providers. When you select the Use Federal Information Processing Standard (FIPS) option on the Global security panel, IBMJSSE2 uses the IBMJCEFIPS provider that is Federal Information Processing Standard (FIPS) certified. If you select Custom JSSE provider, enter a custom provider. For a custom provider, you first must enter the cipher suites through Custom properties under Additional Properties. Cipher suites and protocol values depend upon the provider.
The name for the Cipher suite property is
com.ibm.ssl.enabledCiphersuites . The name for the protocol property is
com.ibm.ssl.protocol .
Note: You can only specify the IBMJSSE2 provider for transports using the channel framework, including HTTP and JMS. Any other provider specified causes the server to fail initialization.
Which SSL protocol to use.
If you are using a FIPS-approved custom JSSE provider, select a TLS protocol. However, because the FIPS-approved JSSE providers are not backwards-compatible, a server that uses the TLS protocol cannot communicate with a client that uses an SSL protocol.
| Default | SSLv3 |
| Range | SSL, SSLv2, SSLv3, TLS, TLSv1 |
The password for accessing the SSL key file.
| Data type: | String |
The format of the SSL key file.
You can choose from the following key file formats: JKS, JCEK, PKCS12, JCERACFKS (z/OS only). The JKS format does not store a shared key. For more secure key files, use the JCEK format. PKCS12 is the standard file format.
![[Version 6.0.2]](../../v602.gif)
You can choose from the following key file formats:
JKS, JCEK, PKCS12, JCERACFKS (z/OS only) and JCE4758RACFKS (z/OS only). The JKS format does not store a shared key. For more secure key files, use the JCEK format. PKCS12 is the standard file format.
| Data type: | String |
| Default: | JKS |
| Range: | JKS, JCEK, PKCS12, JCERACFKS (z/OS only), and JCE4758RACFKS (z/OS only) |
| Data type: | String |
| Default: | JKS |
| Range: | JKS, JCEK, PKCS12, JCERACFKS (z/OS only) |
The fully qualified path to a trust file containing the public keys.
You can create a trust file with the key management utility included in the WebSphere bin directory. Using the key management utility from Global Security Kit (GSKit), another SSL implementation, does not work with the Java Secure Socket Extension (JSSE) implementation. Unlike the SSL key file, no personal certificates are referenced; only signer certificates are retrieved. The default SSL trust files, DummyClientTrustFile.jks and DummyServerTrustFile.jks, contain multiple test public keys as signer certificates that can expire. The following public keys expire on October 13, 2021:
- WebSphere Application Server Version 4.x test certificates
- WebSphere Application Server Version 5.x test certificates
- WebSphere Application Server CORBA C++ client
- WebSphere Application Server Version 6.0.x test certificates
The test certificates are only intended for use in a test environment.
If a trust file is not specified but the SSL key file is specified, then the SSL key file is used for retrieval of signer certificates as well as personal certificates.
| Data type: | String |
The password for accessing the SSL trust file.
| Data type: | String |
The format of the SSL trust file.
You can choose from the following trust file formats: JKS, JCEK, PKCS12, JCERACFKS (z/OS only). The JKS format does not store a shared key. For more secure key files, use the JCEK format. PKCS12 is the standard file format.
You can choose from the following trust file formats:
JKS, JCEK, PKCS12, JCERACFKS (z/OS only) and JCE4758RACFKS (z/OS only). The JKS format does not store a shared key. For more secure key files, use the JCEK format. PKCS12 is the standard file format.
| Data type: | String |
| Default: | JKS |
| Range: | JKS, JCEK, PKCS12, JCERACFKS (z/OS only) |
| Data type: | String |
| Default: | JKS |
| Range: | JKS, JCEK, PKCS12, JCERACFKS (z/OS only) and JCE4758RACFKS (z/OS only) |