WebSEAL key database file

During installation, WebSEAL provides a default certificate key database that is used to authenticate both clients and junctioned servers. WebSEAL also provides an optional, separate certificate key database that can be used to authenticate junctioned servers. By default, the junction certificate key database option is commented out in the WebSEAL configuration file; until it is enabled, junctions keep the default behavior of sharing one key database with clients.

When a separate certificate key database is used for junctioned servers, the two databases are not interchangeable: a user cannot authenticate with a client certificate that is validated by a CA certificate stored in the junction key database, and a junctioned server cannot use a certificate that is validated by a CA certificate contained in the default certificate key database.

The webseal-cert-keyfile stanza entry, located in the [ssl] stanza of the WebSEAL configuration file, identifies the default certificate key database. For example:

[ssl]
webseal-cert-keyfile = pdsrv.kdb

The jct-cert-keyfile stanza entry, located in the [junction] stanza of the WebSEAL configuration file, identifies the optional, separate junction certificate key database. For example:

[junction]
jct-cert-keyfile = pdjct.kdb

You can use the SSL Certificates management page of the LMI to create a new key database. If you do, enter the name and location of the new key file in the webseal-cert-keyfile stanza entry so that WebSEAL can find and use the certificates contained in that database.
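The following script is an added example, not IBM's code and not part of the original page. It reads a WebSEAL-style configuration file and reports which key database authenticates clients and which authenticates junctioned servers, so an administrator can confirm whether the jct-cert-keyfile entry is still commented out (the shared default described above) or points at a separate database. It assumes the configuration uses [stanza] headers, key = value entries and lines beginning with # as comments; the two configuration fragments embedded below are constructed for the example.

```python
"""Report which certificate key database(s) a WebSEAL configuration uses.

Assumptions (not taken from the product documentation): the file uses
"[stanza]" headers, "key = value" entries, and "#" as the comment marker.
"""
import re

STANZA_RE = re.compile(r"^\[([^\]]+)\]$")
ENTRY_RE = re.compile(r"^(#?)\s*([A-Za-z0-9_.-]+)\s*=\s*(.*?)$")

# Constructed sample 1: the shipped default, with the junction entry still
# commented out, so clients and junctioned servers share pdsrv.kdb.
SAMPLE_SHARED = """
[ssl]
webseal-cert-keyfile = pdsrv.kdb

[junction]
#jct-cert-keyfile = pdjct.kdb
"""

# Constructed sample 2: the junction entry enabled, so junctioned servers are
# authenticated against a separate database.
SAMPLE_SEPARATE = """
[ssl]
webseal-cert-keyfile = pdsrv.kdb

[junction]
jct-cert-keyfile = pdjct.kdb
"""


def parse_webseal_config(text):
    """Return (active, commented): two dicts of stanza -> {key: value}.

    'active' holds entries WebSEAL would read. 'commented' holds entries whose
    line starts with '#'; WebSEAL ignores them, but they are worth reporting
    because the default jct-cert-keyfile entry is shipped in that state.
    A comment that merely contains '=' may also land in 'commented'.
    """
    active, commented = {}, {}
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group(1).strip()
            active.setdefault(stanza, {})
            commented.setdefault(stanza, {})
            continue
        if stanza is None:
            continue  # entries before any stanza header are ignored
        m = ENTRY_RE.match(line)
        if not m:
            continue  # free-form comment or unrecognised line
        hash_mark, key, value = m.groups()
        target = commented if hash_mark else active
        target[stanza][key] = value
    return active, commented


def keyfile_report(text):
    """Summarise which key database serves clients and which serves junctions."""
    active, commented = parse_webseal_config(text)
    client_kdb = active.get("ssl", {}).get("webseal-cert-keyfile")
    junction_kdb = active.get("junction", {}).get("jct-cert-keyfile")
    disabled_junction_kdb = commented.get("junction", {}).get("jct-cert-keyfile")
    # A jct-cert-keyfile that names the same file as webseal-cert-keyfile is
    # still one shared database, so only a different active value counts.
    separate = junction_kdb is not None and junction_kdb != client_kdb
    return {
        "client_keyfile": client_kdb,
        "junction_keyfile": junction_kdb if separate else client_kdb,
        "junction_entry_commented_out": junction_kdb is None
        and disabled_junction_kdb is not None,
        "mode": "separate" if separate else "shared",
    }


if __name__ == "__main__":
    for label, sample in (("shared", SAMPLE_SHARED), ("separate", SAMPLE_SEPARATE)):
        print(label, keyfile_report(sample))
```

Run it against a real webseald configuration by reading the file into a string and passing it to keyfile_report; a report with mode "shared" and junction_entry_commented_out set to True means the default single-database behavior is still in effect.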
