SSL certificate and key management
Configure security for Secure Socket Layer (SSL) and key management, certificates, and notifications. The SSL protocol provides secure communications between remote server processes or endpoints. SSL security can be used for establishing communications inbound to and outbound from an endpoint. To establish secure communications, a certificate and an SSL configuration must be specified for the endpoint.
From the admin console, click...
Security > SSL certificate and key management.
Following administrative console tasks:
- Manage endpoint security configurations
- Manage certificate expiration
Use Federal Information Processing Standard (FIPS) algorithms
The FIPS-compliant Java cryptography engine is enabled.
- Does not affect the SSL cryptography performed by the application server for z/OS System Secure Sockets Layer (SSSL).
- Does not change the JSSE provider if this cell includes any Application Server versions before the application server for z/OS Version 6.0.x.
When we select the option, "Use the Federal Information Processing Standard (FIPS)", the LTPA implementation uses IBMJCEFIPS, which supports the FIPS-approved cryptographic algorithms for DES, Triple DES, and AES. Although the LTPA keys are backwards compatible with prior releases of the application server, the LTPA token is not compatible with prior releases. In prior releases, the application server did not generate the LTPA token using a FIPS-approved algorithm.
The IBMJSSE2 JSSE provider does not perform cryptographic functions directly, and therefore does not need to be FIPS-approved. Instead, the IBMJSSE2 JSSE provider uses the JCE framework for cryptographic functions and uses IBMJCEFIPS when FIPS mode is enabled.
Default is disabled.
Dynamically update the runtime when SSL configuration changes occur
That all of the SSL-related attributes and LTPA keys that change must be read from the configuration dynamically after they have been saved, then reused for new connections. To avoid customer impact, IBM recommends that changes to production servers be made during off-peak periods.
Default is enabled
When this option is selected, the configuration is updated each time we configure an SSL communication.
Create a Secure Sockets Layer configuration Manage endpoint security configurations Manage certificate expiration settings Notifications SSL configurations collection Dynamic inbound and outbound endpoint SSL configurations collection Keystores and certificates collection Certificate authority (CA) client configuration collections Key sets collection Key set groups collection Key managers collection Trust managers collection Default chained certificate configuration in SSL SecurityConfigurationCommands