WebSEAL test certificate

During installation, WebSEAL provides a non-secure self-signed test certificate. The test certificate, acting as a server-side certificate, allows WebSEAL to identify itself to SSL clients. To better control how this test certificate is used, the certificate is not installed as a default certificate. Instead, the webseal-cert-keyfile-label stanza entry designates the certificate as the active server-side certificate and overrides any other certificate designated as "default" in the keyfile database.

[ssl]
webseal-cert-keyfile-label = WebSEAL-Test-Only

WebSEAL uses GSKit certificate handling functionality. GSKit allows but does not require that a certificate in keyfile databases be designated the default certificate.

Although this test certificate allows WebSEAL to respond to an SSL-enabled browser request, the browser cannot verify it, because the browser does not contain an appropriate root CA certificate. Because the private key for this test certificate is contained in every WebSEAL distribution, the certificate offers no truly secure communication.

We can use the LMI to generate a certificate request that can be sent to a Certificate Authority (CA). Use the LMI to install and label the returned server certificate.

If we use different certificates for other scenarios (such as -K junctions), we can use the LMI to create, install, and label these certificates. The keyfile label must not contain spaces.

WebSEAL (which by default runs as user ivmgr) must have read (r) permission on these key database files.
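
The following added example (not part of the original documentation or of WebSEAL itself) audits the text of a WebSEAL configuration file and reports when the [ssl] stanza still selects the WebSEAL-Test-Only certificate or names a label that contains spaces. The function name, the sample configuration, and the treatment of lines starting with # as comments are assumptions made for this illustration.

```python
import re

ENTRY = "webseal-cert-keyfile-label"
TEST_LABEL = "WebSEAL-Test-Only"  # label of the shipped test certificate

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
[server]
https = yes
[ssl]
webseal-cert-keyfile = pdsrv.kdb
webseal-cert-keyfile-label = WebSEAL-Test-Only
"""

def audit_ssl_label(conf_text):
    """Return (line_number, finding) tuples for the [ssl] label entry."""
    findings, stanza, seen = [], None, False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumed comment syntax
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:                             # start of a new stanza
            stanza = header.group(1).strip()
            continue
        if stanza != "ssl" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key != ENTRY or not value:          # an empty value counts as unset
            continue
        seen = True
        if value == TEST_LABEL:
            findings.append((no, "test certificate is the active server-side certificate"))
        elif re.search(r"\s", value):
            findings.append((no, "keyfile label contains spaces"))
    if not seen:
        findings.append((0, "entry not set in [ssl]"))
    return findings

if __name__ == "__main__":
    for no, finding in audit_ssl_label(SAMPLE):
        print(f"line {no}: {ENTRY}: {finding}")
```

A finding with line number 0 means the entry was not found in the [ssl] stanza at all.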
