
(ZOS) Create a new System SSL repertoire alias

With the SSL configuration repertoire, administrators can define any number of SSL settings that can be used to make HyperText Transport Protocol SSL (HTTPS), Internet Inter-ORB Protocol SSL (IIOPS), or LDAP SSL (LDAPS) connections. Many of these SSL configurations can be reused by simply specifying an alias in multiple places.

We must first start the administrative console.

Using the SSL configuration repertoire, we can pick one of the SSL settings defined here from any location within the administrative console that allows SSL connections. This simplifies the SSL configuration process because the same SSL configuration can be reused by specifying its alias in multiple places.


Tasks

  1. Click Security > SSL certificate and key management > SSL configuration to open the SSL configuration panel.

  2. To create a new SSL alias, click New SSL Configuration.

  3. Type the alias name in the Alias field.

  4. Specify the SSL Resource Access Control Facility (RACF) key ring in the Key file name field. All repertoires used by the same server (such as HTTPS, CSIv2, and z/SAS) must have the same key ring name. If the key ring names are not the same, the HTTPS key ring name is used to initialize the server. If we specify the wrong RACF key ring, the server gets an error message at runtime.

    Important: z/SAS is supported only between v6.0.x and previous version servers that have been federated in a v6.1 cell.

  5. Optional: Select the Client authentication option for our authentication protocol. Client authentication occurs if this repertoire is selected for HTTPS. However, the value is ignored if we use Common Secure Interoperability Version 2 (CSIv2) or z/OS Secure Authentication Services (z/SAS).

    To enable client authentication for CSIv2, click Security > Global security. Under Authentication, expand RMI/IIOP, then click CSIv2 inbound authentication. Select the appropriate option for Client certificate authentication.

    To enable client authentication for z/SAS, click Security > Global security. Under Authentication, expand RMI/IIOP, then click z/SAS authentication. Select the Client certificate option.

  6. Select Strong, Medium, or Weak from the Security level menu to specify the high, medium, or low set of cipher suites. If we add specific cipher suites on this panel, those cipher suites take precedence over the Strong, Medium, or Weak specification: if a cipher list is specified, WebSphere Application Server uses the list; if the cipher list is empty, WAS uses the Strong, Medium, or Weak specification. The following list explains these specifications:

    Strong

    128-bit cipher suites with digital signature

    Medium

    40-bit cipher suites with digital signature

    Weak

    No encryption is used, but digital signature is used

  7. Specify the SSL V3 timeout value in the V3 timeout field. This value is the length of time, in seconds, the system holds session keys. The range is 0-86400 (1 day). The default is 600 seconds.

  8. Select the cipher suites to add from the Cipher suites menu. By default, this is not set, and the cipher suites available are determined by the value of the Security Level (Strong, Medium, or Weak). A cipher suite is a combination of cryptographic algorithms used for an SSL connection.

    See the Cipher suites reference for details.

  9. Click OK when we have made all our selections.
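A configuration check for the rules in steps 4, 6, and 7, added here as an example; it is not IBM's code and not part of the product. It models a repertoire with the fields from the panel, applies the cipher-list precedence rule (an explicit list wins over the security level), the V3 timeout range, and the same-key-ring rule across the repertoires one server uses (the HTTPS ring is used on mismatch). The Repertoire class, the check functions, and the sample values are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Security levels as the page describes them (used for validation and reporting).
SECURITY_LEVELS = {
    "Strong": "128-bit cipher suites with digital signature",
    "Medium": "40-bit cipher suites with digital signature",
    "Weak": "no encryption, digital signature only",
}
V3_TIMEOUT_MAX = 86400  # seconds; the page gives the range as 0-86400 (1 day)

@dataclass
class Repertoire:
    alias: str
    key_file_name: str                 # RACF key ring name
    security_level: str = "Strong"
    cipher_suites: list = field(default_factory=list)
    v3_timeout: int = 600

def effective_ciphers(rep):
    """An explicit cipher list takes precedence; otherwise the security level applies."""
    if rep.cipher_suites:
        return "list", list(rep.cipher_suites)
    return "level", rep.security_level

def check_repertoire(rep):
    problems = []
    if rep.security_level not in SECURITY_LEVELS:
        problems.append(f"{rep.alias}: unknown security level {rep.security_level!r}")
    elif rep.security_level == "Weak" and not rep.cipher_suites:
        problems.append(f"{rep.alias}: Weak level gives signature only, no encryption")
    if not 0 <= rep.v3_timeout <= V3_TIMEOUT_MAX:
        problems.append(f"{rep.alias}: V3 timeout {rep.v3_timeout} outside 0-{V3_TIMEOUT_MAX}")
    return problems

def check_server(assignments):
    """assignments maps a protocol (HTTPS, CSIv2, z/SAS) to its repertoire;
    returns (key ring the server initializes with, list of findings)."""
    problems = [p for rep in assignments.values() for p in check_repertoire(rep)]
    rings = {proto: rep.key_file_name for proto, rep in assignments.items()}
    if len(set(rings.values())) > 1:
        # Mismatched rings: the page says the HTTPS repertoire's ring is used.
        problems.append(f"key ring mismatch {rings}; HTTPS ring is used")
        return rings.get("HTTPS"), problems
    return next(iter(rings.values()), None), problems

# Constructed sample: the CSIv2 repertoire names a different ring and a Weak level.
SAMPLE = {
    "HTTPS": Repertoire("HTTPSRep", "WASKeyring", "Strong"),
    "CSIv2": Repertoire("IIOPRep", "OtherRing", "Weak", v3_timeout=90000),
}
```

Running `check_server(SAMPLE)` reports the ring mismatch, the Weak level, and the out-of-range timeout, and returns "WASKeyring" as the ring the server would start with.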


Related:

  • Secure Sockets Layer security for WAS for z/OS
  • SSL repertoires
  • Secure transports with JSSE and JCE programming interfaces
  • IBM SDK, v7 - Cipher suites