Configuring SSL and PKI certificates

This section describes the SSL and PKI certificates that IBM Security Directory Integrator uses and explains how to configure separate certificates for each.

IBM® Security Directory Integrator uses both Secure Socket Layer (SSL) and Public Key Infrastructure (PKI) encryption methods. SSL and PKI provide an important foundation for many IBM Security Directory Integrator and IBM Security Directory Integrator server features. SSL provides encryption and authentication of network traffic between two remote communicating parties. Similarly, PKI enables users of unsecured networks to exchange data securely and privately by using a public and private cryptographic key pair that is obtained and shared through a trusted authority.

SSL certificate

An SSL certificate resides on a secure server and is used to encrypt the data that identifies the server. The SSL certificate helps to prove that the site belongs to the entity that claims it, and contains information about the certificate holder, the domain the certificate was issued to, the name of the Certificate Authority that issued the certificate, the root, and the country it was issued in.

PKI certificate

A PKI certificate enables users of an unsecured network to add security and privacy to data exchanges. PKI uses a cryptographic key pair that it obtains and shares through a trusted authority called a Certificate Authority (CA). Using PKI, you can obtain a certificate that identifies an individual or an organization, and directory services that store the certificates. The CA can also revoke certificates when necessary. The most common use of a digital certificate is to verify that the user sending a message is who the sender claims to be, and to provide the receiver with the means to encrypt the reply.

Follow these steps to provide separate configuration options for the certificates used for PKI encryption and for SSL:

  1. Add the following properties:
     com.ibm.di.server.encryption.keystore
     com.ibm.di.server.encryption.key.alias
     api.keystore.password
     api.key.password
  2. Rename the following properties as shown:
     com.ibm.di.server.keystore -> api.keystore
     com.ibm.di.server.key.alias -> api.key.alias

Note: The idisrv.sth file now holds the password only for the encryption keystore (com.ibm.di.server.encryption.keystore); the SSL keystore and key passwords come from the api.keystore.password and api.key.password properties.
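The two steps above amount to a mechanical edit of a Java-style properties file, and it is easy to leave a stale com.ibm.di.server.keystore entry behind or forget one of the four new keys. The script below is an added example, not an IBM tool: it applies the rename and adds any missing properties while preserving comments and order, and then audits the result so you can confirm that only the new names remain. It assumes the settings live in a properties file such as global.properties (the file name is an assumption; the page does not name it), and the sample content and path values are constructed placeholders.

```python
"""Apply the SSL / PKI-encryption certificate split to an IBM Security
Directory Integrator properties file and audit the result.

Added example, not IBM's own code. Assumes a Java-style properties file
(for example global.properties; the file name is an assumption).
"""
from __future__ import annotations

import re

# Rename step from the documentation: old SSL property name -> new name.
RENAMES = {
    "com.ibm.di.server.keystore": "api.keystore",
    "com.ibm.di.server.key.alias": "api.key.alias",
}

# Add step from the documentation. Values are left empty for the
# administrator to fill in; the empty strings are constructed placeholders.
# The two password properties exist because idisrv.sth now stashes only the
# encryption keystore password, so the SSL passwords are configured here.
ADDITIONS = {
    "com.ibm.di.server.encryption.keystore": "",
    "com.ibm.di.server.encryption.key.alias": "",
    "api.keystore.password": "",
    "api.key.password": "",
}

# Every property that a migrated file must contain.
REQUIRED = set(RENAMES.values()) | set(ADDITIONS)

# key [=|:] value; comment lines (# or !) and blank lines do not match.
_KV = re.compile(r"^(\s*)([^#!=:\s][^=:]*?)\s*([=:])\s*(.*)$")


def property_keys(text: str) -> set[str]:
    """Return the set of property names defined in the file text."""
    keys = set()
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            keys.add(m.group(2))
    return keys


def migrate_properties(text: str) -> tuple[str, list[str]]:
    """Rename the SSL keys in place and append any missing new properties.

    Comments, blank lines and ordering are preserved. Returns the new file
    text and a log of the changes made (empty when nothing had to change).
    """
    out, log = [], []
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            indent, key, sep, value = m.groups()
            if key in RENAMES:
                new_key = RENAMES[key]
                log.append(f"renamed {key} -> {new_key}")
                line = f"{indent}{new_key}{sep}{value}"
        out.append(line)

    missing = [k for k in ADDITIONS if k not in property_keys("\n".join(out))]
    if missing:
        out.append("")
        out.append("# Added: separate PKI-encryption and SSL certificate settings")
        for k in missing:
            out.append(f"{k}={ADDITIONS[k]}")
            log.append(f"added {k}")
    return "\n".join(out) + "\n", log


def audit(text: str) -> dict[str, list[str]]:
    """Report required properties that are missing and old names still present."""
    keys = property_keys(text)
    return {
        "missing": sorted(k for k in REQUIRED if k not in keys),
        "stale": sorted(k for k in RENAMES if k in keys),
    }


# Constructed sample of a pre-migration configuration (not from the docs).
SAMPLE = """\
# constructed sample: server API settings before the certificate split
com.ibm.di.server.keystore=path/to/server.jks
com.ibm.di.server.key.alias=server
api.truststore=path/to/server.jks
"""

if __name__ == "__main__":
    migrated, changes = migrate_properties(SAMPLE)
    print("\n".join(changes))
    print(migrated)
    print(audit(migrated))
```

Run the audit before and after the migration: a clean result is `{"missing": [], "stale": []}`, and a second run of `migrate_properties` on the migrated text returns an empty change log, which is the check that the edit is idempotent and safe to rerun on a file that was already partially converted by hand.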