Add a keystore file to your configuration

A keystore file contains both public keys and private keys. Public keys are stored as signer certificates while private keys are stored in the personal certificates. In WebSphere Application Server, adding keystore files to the configuration is different between client and server. For the client, a keystore file is added to a property file like sas.client.props. For the server, a keystore file is added through the WebSphere Application Server administration console.

Before you add the keystore file to your configuration, consider the following questions:

• Is a self-signed or a certificate authority (CA)-signed personal certificate created in the keystore file?
• If you configure for client authentication using digital certificates, is the public key of the signed personal certificate imported as a signer certificate into the server truststore file?

To add a keystore file, perform these steps:

1. Add a keystore file into your client configuration.
2. Add a keystore file into your server configuration.

Add a keystore file into your client configuration

Add a keystore file into a client configuration by editing the sas.client.props file. (A copy of file is located in the /QIBM/UserData/WebAS5/product/instance/properties directory, where product is either Base or ND, and instance is the name of your server instance.)

Set the following properties in the sas.client.props file:

• For the com.ibm.ssl.keyStoreType property, specify the keystore format. Accepted values are JKS (default), PKCS12KS, or JCEK.
• For the com.ibm.ssl.keyStore property, specify the fully qualified path to the keystore file. Note that the keystore file contains private keys and sometimes public keys.
• For the com.ibm.ssl.keyStorePassword property, specify the password to access the keystore file.

Save the file.

Add a keystore file into your server configuration

To add a keystore file to your server instance configuration, perform the following steps in the WebSphere administrative console:

1. In the navigation menu, expand Security and click SSL Configuration Repertoires.

2. Create a new Secure Sockets Layer (SSL) setting alias if one does not exist.

3. Select the alias that you want to add into the keystore file.

4. If the Cryptographic Token field is selected and you only want to use cryptographic tokens for your keystore file, leave the Key File Name field and the Key File Password field blank.

   If not, in the Key File Name field, enter the path of the keystore file. In the Key File Password field, enter the password to access the keystore file.

5. Select the Key File Format for the keystore type: JKS (default), PKCS12KS, or JCEK.

6. Click OK.

7. Click Save to save the configuration.

The SSL configuration alias now has a valid keystore file for an SSL connection.