Secure Sockets Layer configurations

Secure Sockets Layer configurations

SSL configurations contain attributes that enable you to control the behavior of both client and server SSL endpoints. You can identify SSL configurations by their user-assigned names or aliases, and assign them to specific management scopes. The scope that an SSL configuration inherits depends upon whether you create it using a cell, node, server, or endpoint link in the configuration topology.
When you create an SSL configuration, you can set the following SSL connection attributes:

Keystore

Default client certificate for outbound connections

Default server certificate for inbound connections

Truststore

Key manager for selecting a certificate

Trust manager or managers for establishing trust during the handshake

Handshaking protocol

Ciphers for negotiating the handshake

Client authentication support and requirements

You can manage an SSL configuration using any of the following methods:

Central management selection

Direct reference selection

Dynamic outbound connection selection

Programmatic selection

You can view an SSL configuration in the topology at the point where it was created and at all of the scopes below that point. If you want the entire cell to view an SSL configuration, create the configuration at the cell level in the topology. Using the console, you can manage all of the SSL configurations for WAS. From the console, click Security > SSL certificates and key management > Manage endpoint security configurations > Inbound | Outbound > SSL_configuration.
Use the ssl.client.props properties file, you can manage client SSL configurations. The ssl.client.props file is located in the ${USER_INSTALL_ROOT}/properties directory for each profile. For more information about configuring this file, see the ssl.client.props client configuration file.
SSL configuration in the security.xml file In the security.xml file, you can define specific attributes to configure an SSL configuration repertoire entry at a specific management scope. The scope determines the point at which other levels in the cell topology can see the configuration, as shown in the following example:
<repertoire xmi:id="SSLConfig_1" alias="NodeDefaultSSLSettings"  managementScope="ManagementScope_1" type="JSSE">
<setting xmi:id="SecureSocketLayer_1" clientAuthentication="false"  clientAuthenticationSupported="false" securityLevel="HIGH" enabledCiphers=""  jsseProvider="IBMJSSE2" sslProtocol="SSL_TLS" keyStore="KeyStore_1"  trustStore="KeyStore_2" trustManager="TrustManager_1" keyManager="KeyManager_1"  clientKeyAlias="default" serverKeyAlias="default"/>
</repertoire>
The SSL configuration attributes that display in the previous code are described in Table 1.

Table 1. security.xml Attributes

security.xml attribute Description Default Associated SSL property

xmi:id The xml:id attribute represents the unique identifier for this XML entry and determines how the SSL configuration is linked to other XML objects, such as SSLConfigGroup. This system-defined value must be unique. The administrative configuration service defines the default value. None. This value is used only for XML associations.
alias The alias attribute defines the name of the SSL configuration. Direct selection uses the alias attribute and the node is not prefixed to the alias. Rather, the management scope takes care of ensuring that the name is unique within the scope.
The default is CellDefaultSSLSettings.
com.ibm.ssl.alias
managementScope The managementScope attribute defines the management scope for the SSL configuration and determines the visibility of the SSL configuration at runtime.
The default scope is the cell.
The managementScope attribute is not mapped to an SSL property. However, it confirms whether or not the SSL configuration is associated with a process.
type The type attribute defines the Java Secure Socket Extension (JSSE) or System Secure Sockets Layer (SSSL) configuration option. JSSE is the SSL configuration type for most secure communications within WebSphere Application Server. The default is JSSE. com.ibm.ssl.sslType
clientAuthentication The clientAuthentication attribute determines whether SSL client authentication is required. The default is false. com.ibm.ssl.clientAuthentication
clientAuthenticationSupported The clientAuthenticationSupported attribute determines whether SSL client authentication is supported. The client does not have to supply a client certificate if it does not have a client certificate.
When you set the clientAuthentication attribute to true, you override the value that is set for the clientAuthenticationSupported attribute.
The default is false. com.ibm.ssl.client.AuthenticationSupported
securityLevel The securityLevel attribute determines the cipher suite group. Valid values include HIGH (128-bit ciphers), MEDIUM (40-bit ciphers), LOW (for all ciphers without encryption), and CUSTOM (if the cipher suite group is customized. When you set the enabledCiphers attribute with a specific list of ciphers, the system ignores this attribute. The default is HIGH. com.ibm.ssl.securityLevel
enabledCiphers You can set the enabledCiphers attribute to specify a unique list of cipher suites. Separate each cipher suite in the list with a space. The default is the securityLevel attribute for cipher suite selection. com.ibm.ssl.enabledCipherSuites
jsseProvider The jsseProvider attribute defines a specific JSSE provider. The default is IBMJSSE2. com.ibm.ssl.contextProvider
sslProtocol The sslProtocol attribute defines the SSL handshake protocol. Valid options include: SSLv2 (client-side only), SSLv3, SSL, SSL_TLS, TLSv1, and TLS values. The SSL option includes SSLv2 and SSLv3 values. The TLS option includes the TLSv1 value. SSL_TLS, which is the most interoperable protocol, includes all these values and defaults to a Transport Layer Security (TLS) handshake. The default is SSL_TLS. com.ibm.ssl.protocol
keyStore The keyStore attribute defines the keystore and attributes of the keyStore instance that the SSL configuration uses for key selection.
The default is CellDefaultKeyStore.
For more information, see Keystore configurations.
trustStore The trustStore attribute defines the key store that the SSL configuration uses for certificate signing verification.
The default is CellDefaultTrustStore.
A trustStore is a logical JSSE term. It signifies a key store that contains signer certificates. Signer certificates validate certificates that are sent to WAS during an SSL handshake.
keyManager The keyManager attribute defines the key manager that WAS uses to select keys from a key store. A JSSE key manager controls the javax.net.ssl.X509KeyManager interface. A custom key manager controls the javax.net.ssl.X509KeyManager and the com.ibm.wsspi.ssl.KeyManagerExtendedInfo interfaces. The com.ibm.wsspi.ssl.KeyManagerExtendedInfo interface provides more information from WAS. The default is IbmX509. com.ibm.ssl.keyManager defines a well-known key manager and accepts the algorithm and algorithm|provider formats, for example IbmX509 and IbmX509|IBMJSSE2. com.ibm.ssl.customKeyManager defines a custom key manager and takes precedence over the other keyManager properties. This class must implement javax.net.ssl.X509KeyManager and can implement com.ibm.wsspi.ssl.KeyManagerExtendedInfo. For more information, see Key manager control of X.509 certificate identities
trustManager The trustManager determines which trust manager or list of trust managers to use for determining whether to trust the peer side of the connection. A JSSE trust manager implements the javax.net.ssl.X509TrustManager interface. A custom trust manager might also implement com.ibm.wsspi.ssl.TrustManagerExtendedInfo interface to get more information from the WAS environment. The default is IbmX509. You can specify the IbmPKIX trust manager for certificate revocation list (CRL) verification when the certificate contains a CRL distribution point. com.ibm.ssl.trustManager defines a well-known trust manager, which is required for most handshake situations. com.ibm.ssl.trustManager performs certificate expiration checking and signature validation. You can define com.ibm.ssl.customTrustManagers with additional custom trust managers that are called during an SSL handshake. Separate additional trust managers with the vertical bar (|) character. For more information, see Trust manager control of X.509 certificate trust decisions

Sub-topics

Trust manager control of X.509 certificate trust decisions

Key manager control of X.509 certificate identities

Related concepts

Secure communications using Secure Sockets Layer

Related tasks

Creating a Secure Sockets Layer configuration
Configure Federal Information Processing Standard Java Secure Socket Extension files

security.xml attribute	Description	Default	Associated SSL property
xmi:id	The xml:id attribute represents the unique identifier for this XML entry and determines how the SSL configuration is linked to other XML objects, such as SSLConfigGroup. This system-defined value must be unique.	The administrative configuration service defines the default value.	None. This value is used only for XML associations.
alias	The alias attribute defines the name of the SSL configuration. Direct selection uses the alias attribute and the node is not prefixed to the alias. Rather, the management scope takes care of ensuring that the name is unique within the scope.	The default is CellDefaultSSLSettings.	com.ibm.ssl.alias
managementScope	The managementScope attribute defines the management scope for the SSL configuration and determines the visibility of the SSL configuration at runtime.	The default scope is the cell.	The managementScope attribute is not mapped to an SSL property. However, it confirms whether or not the SSL configuration is associated with a process.
type	The type attribute defines the Java Secure Socket Extension (JSSE) or System Secure Sockets Layer (SSSL) configuration option. JSSE is the SSL configuration type for most secure communications within WebSphere Application Server.	The default is JSSE.	com.ibm.ssl.sslType
clientAuthentication	The clientAuthentication attribute determines whether SSL client authentication is required.	The default is false.	com.ibm.ssl.clientAuthentication
clientAuthenticationSupported	The clientAuthenticationSupported attribute determines whether SSL client authentication is supported. The client does not have to supply a client certificate if it does not have a client certificate. When you set the clientAuthentication attribute to true, you override the value that is set for the clientAuthenticationSupported attribute.	The default is false.	com.ibm.ssl.client.AuthenticationSupported
securityLevel	The securityLevel attribute determines the cipher suite group. Valid values include HIGH (128-bit ciphers), MEDIUM (40-bit ciphers), LOW (for all ciphers without encryption), and CUSTOM (if the cipher suite group is customized. When you set the enabledCiphers attribute with a specific list of ciphers, the system ignores this attribute.	The default is HIGH.	com.ibm.ssl.securityLevel
enabledCiphers	You can set the enabledCiphers attribute to specify a unique list of cipher suites. Separate each cipher suite in the list with a space.	The default is the securityLevel attribute for cipher suite selection.	com.ibm.ssl.enabledCipherSuites
jsseProvider	The jsseProvider attribute defines a specific JSSE provider.	The default is IBMJSSE2.	com.ibm.ssl.contextProvider
sslProtocol	The sslProtocol attribute defines the SSL handshake protocol. Valid options include: SSLv2 (client-side only), SSLv3, SSL, SSL_TLS, TLSv1, and TLS values. The SSL option includes SSLv2 and SSLv3 values. The TLS option includes the TLSv1 value. SSL_TLS, which is the most interoperable protocol, includes all these values and defaults to a Transport Layer Security (TLS) handshake.	The default is SSL_TLS.	com.ibm.ssl.protocol
keyStore	The keyStore attribute defines the keystore and attributes of the keyStore instance that the SSL configuration uses for key selection.	The default is CellDefaultKeyStore.	For more information, see Keystore configurations.
trustStore	The trustStore attribute defines the key store that the SSL configuration uses for certificate signing verification.	The default is CellDefaultTrustStore.	A trustStore is a logical JSSE term. It signifies a key store that contains signer certificates. Signer certificates validate certificates that are sent to WAS during an SSL handshake.
keyManager	The keyManager attribute defines the key manager that WAS uses to select keys from a key store. A JSSE key manager controls the javax.net.ssl.X509KeyManager interface. A custom key manager controls the javax.net.ssl.X509KeyManager and the com.ibm.wsspi.ssl.KeyManagerExtendedInfo interfaces. The com.ibm.wsspi.ssl.KeyManagerExtendedInfo interface provides more information from WAS.	The default is IbmX509.	com.ibm.ssl.keyManager defines a well-known key manager and accepts the algorithm and algorithm\|provider formats, for example IbmX509 and IbmX509\|IBMJSSE2. com.ibm.ssl.customKeyManager defines a custom key manager and takes precedence over the other keyManager properties. This class must implement javax.net.ssl.X509KeyManager and can implement com.ibm.wsspi.ssl.KeyManagerExtendedInfo. For more information, see Key manager control of X.509 certificate identities
trustManager	The trustManager determines which trust manager or list of trust managers to use for determining whether to trust the peer side of the connection. A JSSE trust manager implements the javax.net.ssl.X509TrustManager interface. A custom trust manager might also implement com.ibm.wsspi.ssl.TrustManagerExtendedInfo interface to get more information from the WAS environment.	The default is IbmX509. You can specify the IbmPKIX trust manager for certificate revocation list (CRL) verification when the certificate contains a CRL distribution point.	com.ibm.ssl.trustManager defines a well-known trust manager, which is required for most handshake situations. com.ibm.ssl.trustManager performs certificate expiration checking and signature validation. You can define com.ibm.ssl.customTrustManagers with additional custom trust managers that are called during an SSL handshake. Separate additional trust managers with the vertical bar (\|) character. For more information, see Trust manager control of X.509 certificate trust decisions