SSL certificate and key management
Overview
SSL security can be used for establishing communications inbound to and outbound from an endpoint. A certificate and an SSL configuration must be specified for the endpoint.
To configure security for SSL and key management, certificates, and notifications, go to...
Security | SSL certificate and key management
Where we can...
- Manage endpoint security configurations
- Manage certificate expiration
Configuration settings
- Use FIPS (FIPS) algorithms
- Set FIPS-compliant Java cryptography engine enabled.
- Does not affect the SSL cryptography that is performed by the application server for z/OS System SSL (SSSL).
- Does not change the JSSE provider if this cell includes any Application Server versions before the appserver for z/OS V6.0.x.
When you select...
Use the FIPS (FIPS)
...the LTPA implementation uses IBMJCEFIPS, which supports the FIPS-approved cryptographic algorithms for...
- Data Encryption Standard (DES)
- Triple DES
- Advanced Encryption Standard (AES)
Although the LTPA keys are backwards compatible with prior releases of the appserver, the LTPA token is not compatible with prior releases. In prior releases, the application server did not generate the LTPA token using a FIPS-approved algorithm.
The IBMJSSE2 JSSE provider does not perform cryptographic functions directly, and therefore does not need to be FIPS-approved. Instead, the IBMJSSE2 JSSE provider uses the JCE framework for cryptographic functions and uses IBMJCEFIPS when FIPS mode is enabled.
[HP-UX]The IBMJSSEFIPS provider is not supported on the HP-UX platform. However, the IBMJSSE2 provider, which uses IBMJCEFIPS, is supported on the HP-UX platform.
Default: Disabled
- Dynamically update the runtime when SSL configuration changes occur
- All of the SSL-related attributes that change must be read from the configuration dynamically after they have been saved, then reused for new connections. To avoid customer impact, it is recommended that changes to production servers be made during off-peak periods.
Default: Disabled
When this option is selected, the configuration is updated each time you configure an SSL communication.
Related tasks
Create an SSL configuration
Related
Manage endpoint security configurations
Manage certificate expiration settings
Notifications
SSL configurations collection
Dynamic inbound and outbound endpoint SSL configurations collection
Keystores and certificates collection
Certificate authority (CA) client configuration collections
Key sets collection
Key set groups collection
Key managers collection
Trust managers collection
Default chained certificate configuration in SSL