SSL settings

Use this page to configure the SSL settings for the server.

To view this administrative console page, click Security > SSL > alias_name.


Configuration tab

Alias Specifies the name of the specific SSL setting.

Data type... String

Key File Name Specifies the fully qualified path to the SSL key file that contains public keys and private keys.

You can create an SSL key file with the key management utility, or this file can correspond to a hardware device if one is available. In either case, this option indicates the source for personal certificates and for signer certificates unless a trust file is specified. The default SSL key files, DummyClientKeyFile.jks and DummyServerKeyFile.jks, contain a self-signed personal test certificate that expires on March 17, 2005. The test certificate is intended only for use in a test environment. Never use the default SSL key files in a production environment: the private keys are the same on every WAS installation, so anyone with a copy of the product also has a copy of your server's private key. Refer to the Managing certificates article for information about creating and managing digital certificates for your WAS domain.

Data type... String

Key File Password Specifies the password for accessing the SSL key file.

Data type... String

Key File Format Specifies the format of the SSL key file.

Data type... String
Default... JKS
Range... JKS, JCEKS, PKCS12

Trust File Name Specifies the fully qualified path to a trust file containing the public keys.

You can create a trust file with the key management utility included in the WebSphere bin directory. Do not use the key management utility from GSKit (a different SSL implementation): the files it creates do not work with the Java Secure Socket Extension (JSSE) implementation.

Unlike the SSL key file, the trust file references no personal certificates; only signer certificates are retrieved from it. The default SSL trust files, DummyClientTrustFile.jks and DummyServerTrustFile.jks, contain several test public keys as signer certificates, and these expire. The public key for the WAS Version 4.0 test certificates expires on January 15, 2004, and the public key for the WebSphere Application Server Version 5 test certificates and the WAS CORBA C++ client expires on March 17, 2005. These test certificates are intended only for use in a test environment.

If a trust file is not specified but the SSL key file is specified, then the SSL key file is used for retrieval of signer certificates as well as personal certificates.

Data type... String

Trust File Password Specifies the password for accessing the SSL trust file.

Data type... String

Trust File Format Specifies the format of the SSL trust file.

Data type... String
Default... JKS
Range... JKS, JCEKS, PKCS12

Client Authentication Specifies whether to request a certificate from the client for authentication purposes when making a connection.

This attribute is valid only when the SSL setting is used by the Web container HTTP transport. To perform client authentication with IIOP for EJB requests, click Security > Authentication Protocol > CSIv2 Inbound Authentication or CSIv2 Outbound Authentication in the left navigation pane of the administrative console, then click SSL Client Certificate Authentication to enable it for those requests.

Data type... Boolean
Default... Disabled
Range... Enabled or Disabled

Security Level Specifies which preconfigured set of cipher suites the server selects from.

Data type... String

  • Low specifies only digital signing ciphers (no encryption)

  • Medium specifies only 40-bit ciphers (including digital signing)

  • High specifies only 128-bit ciphers (including digital signing).

Low provides integrity and authentication but no confidentiality, and the 40-bit ciphers that Medium selects are export-grade and can be brute-forced with modest resources, so use High unless a legacy peer leaves no alternative.

To specify all ciphers or any particular range, you can set the com.ibm.ssl.enabledCipherSuites property.

See the SSL documentation for more information.

Default... High
Range... Low, Medium, or High

Cipher Suites Specifies the list of supported cipher suites that can be selected during the SSL handshake. If you select cipher suites individually here, they override the cipher suites that the Security Level field selects.

Data type...
Default...
Range...
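The Security Level and Cipher Suites fields above describe the same thing from two directions: a level is a shorthand for a set of suites, and an explicit com.ibm.ssl.enabledCipherSuites value overrides it. The script below is an added example, not code shipped with WebSphere Application Server: it classifies standard JSSE cipher-suite names into the Low / Medium / High levels this page defines, audits a property value against a required level, and emits a hardened value. The key-length table, the deprecated-algorithm list and the sample property value are constructed for the example; the space separator in the emitted property line is an assumption, so check the separator your WAS version documents before pasting the result into Custom Properties.

```python
import re

# Symmetric-cipher pattern -> nominal key length in bits. Constructed table,
# keyed on the standard JSSE suite names (SSL_* and TLS_* prefixes); the order
# matters because the first match wins.
_BULK_BITS = [
    (re.compile(r"_WITH_NULL_"), 0),           # signing only, no encryption
    (re.compile(r"_EXPORT_|_40_|DES40"), 40),  # export-grade 40-bit ciphers
    (re.compile(r"_WITH_DES_CBC_"), 56),       # single DES
    (re.compile(r"3DES_EDE"), 168),            # triple DES, nominal key length
    (re.compile(r"_128_"), 128),               # RC4-128, AES-128, ...
    (re.compile(r"_256_|CHACHA20"), 256),      # AES-256, ChaCha20
]

# Algorithms a current audit flags even where the page's "High" level allows them.
_DEPRECATED_TOKENS = ("NULL", "EXPORT", "ANON", "RC4", "DES", "MD5")

LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}


def cipher_bits(suite):
    """Nominal symmetric key length of a JSSE cipher-suite name."""
    name = suite.upper()
    for pattern, bits in _BULK_BITS:
        if pattern.search(name):
            return bits
    raise ValueError("unrecognised cipher suite: %s" % suite)


def security_level(suite):
    """Map a suite onto the Low / Medium / High levels used by this page."""
    bits = cipher_bits(suite)
    if bits == 0:
        return "Low"       # digital signing only
    if bits < 128:
        return "Medium"    # 40-bit export ciphers (and, here, single DES)
    return "High"          # 128-bit and stronger


def parse_suites(value):
    """Split a com.ibm.ssl.enabledCipherSuites value; accepts comma or whitespace separators."""
    return [s for s in re.split(r"[\s,]+", value.strip()) if s]


def audit(value, required="High"):
    """Return the suites below the required level and the suites using deprecated algorithms."""
    below, deprecated = [], []
    for suite in parse_suites(value):
        if LEVEL_RANK[security_level(suite)] < LEVEL_RANK[required]:
            below.append(suite)
        if any(tok in suite.upper() for tok in _DEPRECATED_TOKENS):
            deprecated.append(suite)
    return {"below_level": below, "deprecated": deprecated}


def harden(value, required="High"):
    """Keep only suites that meet the level and use no deprecated algorithm, as a
    property line. Space separation is an assumption for this example."""
    findings = audit(value, required)
    drop = set(findings["below_level"]) | set(findings["deprecated"])
    kept = [s for s in parse_suites(value) if s not in drop]
    return "com.ibm.ssl.enabledCipherSuites=" + " ".join(kept)


# Constructed sample: a permissive list such as a legacy "Low" configuration might carry.
SAMPLE = ("SSL_RSA_WITH_NULL_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5 "
          "SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_RC4_128_SHA "
          "SSL_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA "
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")

if __name__ == "__main__":
    for key, suites in audit(SAMPLE).items():
        print(key, suites)
    print(harden(SAMPLE))
```

Run against the sample, the audit reports the NULL, 40-bit export and single-DES suites as below High, and additionally flags RC4 and 3DES, which the page's High level admits but which no current deployment should offer; the hardened line keeps only the two AES suites.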

Cryptographic Token Specifies whether the server enables or disables cryptographic hardware and software support. The SOAP connector does not use hardware cryptography.

Data type... Boolean
Default... Disabled
Range... Enabled or Disabled

Provider   Refers to a package that supplies a concrete implementation of a subset of the cryptography aspects of the Java Security API.

If you select the first option, select a provider from the menu. WebSphere Application Server supplies two predefined providers, IBMJSSE and IBMJSSEFIPS. IBMJSSEFIPS is a version of the IBMJSSE provider that is undergoing Federal Information Processing Standard (FIPS) certification. If you select the second option, enter a custom provider. For a custom provider, you must first enter the cipher suites through Custom Properties under Additional Properties, because the valid cipher suite and protocol values depend on the provider.

Data type... String
Range... IBMJSSE, IBMJSSEFIPS, or a custom provider

Protocol   Specifies the SSL protocol that is used.

If you use a FIPS-approved JSSE provider such as IBMJSSEFIPS, select a TLS protocol. Because the FIPS-approved JSSE providers are not backward compatible, a server that uses the TLS protocol cannot communicate with a client that uses an SSL protocol.
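When a client fails to connect to a TLS-only server, the quickest way to confirm the incompatibility described above is to look at the version the client actually offers in its ClientHello. The script below is an added example, not part of WebSphere Application Server or its documentation: it parses the record and handshake headers of a captured ClientHello, distinguishes SSLv2-style and SSLv3 hellos from TLS ones, and decides whether a TLS-only server would accept it. The build_client_hello helper constructs minimal sample messages for the demonstration. It reads only the legacy version fields, so a TLS 1.3 client, which advertises 3.3 there and negotiates 1.3 through the supported_versions extension, is reported as TLS 1.2; that is sufficient for the SSL-versus-TLS question here.

```python
import struct

# Legacy (major, minor) version -> protocol name. TLS 1.3 clients still put
# (3, 3) here and select 1.3 via the supported_versions extension, which this
# check deliberately does not parse.
VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
                 (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def build_client_hello(major, minor):
    """Construct a minimal ClientHello record advertising the given version.
    Constructed sample data: one cipher suite (0x002f, TLS_RSA_WITH_AES_128_CBC_SHA),
    zeroed random, no session id, no extensions."""
    body = (bytes([major, minor])        # client_version
            + b"\x00" * 32               # random (zeroed for the sample)
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\x00\x2f"        # cipher_suites: length 2, one suite
            + b"\x01\x00")               # compression_methods: length 1, null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + bytes([major, minor]) + len(handshake).to_bytes(2, "big") + handshake


def client_hello_version(record):
    """Return (record_version, client_version) for a TLS/SSLv3 ClientHello.
    Raises ValueError for SSLv2-style hellos and for anything that is not a ClientHello."""
    if len(record) < 11:
        raise ValueError("truncated record")
    if record[0] & 0x80:
        # SSLv2 record header: two-byte length with the high bit set, no content type
        raise ValueError("SSLv2-compatible ClientHello")
    content_type, rec_major, rec_minor, _length = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    return (rec_major, rec_minor), (record[9], record[10])


def server_accepts(record, tls_only=True):
    """Decide as a TLS-only server would: SSLv2 and SSLv3 (3, 0) hellos are refused.
    With tls_only=False the server also tolerates SSLv3, which is the difference
    the page describes between the FIPS providers and the others."""
    try:
        _record_version, client_version = client_hello_version(record)
    except ValueError:
        return False
    floor = (3, 1) if tls_only else (3, 0)
    return client_version >= floor


def describe(record):
    """One-line summary for a hello taken from a packet capture."""
    try:
        _, client_version = client_hello_version(record)
    except ValueError as err:
        return "rejected: %s" % err
    return "client offers %s" % VERSION_NAMES.get(client_version, "unknown %d.%d" % client_version)


if __name__ == "__main__":
    for version in ((3, 0), (3, 1), (3, 3)):
        hello = build_client_hello(*version)
        print(describe(hello), "-> TLS-only server accepts:", server_accepts(hello))
```

To use this on real traffic, feed the first bytes the client sends on the connection (the TLS record starting with 0x16, or the 0x80-prefixed SSLv2 header) to describe(); a result of SSLv2 or SSLv3 means the client, not the server's key or trust file, is the reason the handshake fails.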