To configure your SSL server, you create a server key ring and certificate, export the server's signer certificate, and transfer that certificate to the client. The exported certificate carries only the public key; the key ring, which also holds the private key, stays on the server.
Create a server key ring and server certificate
Issue the keytool -genkey command to create both the KeyStore and the certificate. It generates a key pair and wraps the public key into a self-signed certificate. Its parameters are as follows:
-alias aliasname
Defines the alias name that identifies the entry in the key ring that holds the private key and its self-signed certificate. The same alias is used later to export the certificate.
-keysize numericvalue
Defines the size of the key, in bits. For RSA, use at least 2048; shorter keys are no longer considered safe.
-dname distname
Specifies the X.500 distinguished name to be associated with the alias. It is used as both the issuer and the subject of the self-signed certificate. The distinguished name consists of a number of fields separated by commas; the field abbreviations are listed below. Clients that check host names expect the cn field to match the host name they use to connect to the server.
Figure 1. An X.500 distinguished name
The abbreviations in the distinguished name have the following meaning:
cn = common name
o = organization
ou = organization unit
l = city/locality
s = state/province
c = country name
-keystore location
The key ring file location. For example: ktserverss.jks. This file contains the server's private key, so restrict its file permissions to the user that runs the Gateway and never copy it to clients.
-keypass password
The password used to protect the private key. Set this to the same value as the -storepass password, to enable the CICS® Transaction Gateway to establish a connection over SSL.
-storepass password
The password used to protect the integrity of the key ring. Set this to the same value as the -keypass password, to enable the CICS Transaction Gateway to establish a connection over SSL.
A password typed on the command line is recorded in the shell history and is visible to other users in the process list. keytool can read either password from an environment variable or a file instead, by using the -keypass:env, -keypass:file, -storepass:env and -storepass:file forms of these parameters.
-keyalg algorithm
The algorithm to be used to generate the key pair, for example RSA.
An example of this command is shown in Figure 2.
Figure 2. Using the keytool command to create a key ring containing a single self-signed certificate
The next step is to export the signer certificate and store it in a safe place. Because the server certificate is self-signed, the signer certificate is the server's own certificate; a client trusts it only because it is explicitly imported into that client's repository, so transfer it over a channel you trust and compare its fingerprint on the client before you import it. It can then be imported into the repository of any client that needs to connect to this SSL server.
The certificate is exported by using the export form of the keytool command, which writes the certificate (public key only, no private key) to a file.
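The whole procedure, as an added example that is not part of the CICS Transaction Gateway documentation: it creates the server key ring, exports the signer certificate, imports it into a client trust store, and checks that the client's copy is byte-for-byte the exported certificate. Every file name, alias, password, host name and distinguished-name value is an assumed placeholder. The script uses the current keytool spellings -genkeypair, -exportcert and -importcert (the older -genkey and -export are still accepted) and reads the password from an environment variable rather than the command line.

```shell
#!/bin/sh
# Added example, not part of the CICS Transaction Gateway documentation.
# Creates the server key ring with keytool, exports the signer certificate,
# and imports it into a client trust store. Every file name, alias, password
# and distinguished-name value below is an assumed placeholder.
set -eu

# keytool reads the password from the environment (":env" modifier) so it
# does not appear in shell history or "ps" output. CICS TG requires the key
# password and the store password to be the same value.
export CTG_PASS="${CTG_PASS:-changeit-now}"   # assumed value

# Reject parameter combinations that CICS TG or a sane policy will not accept:
# mismatched passwords, or an RSA key shorter than 2048 bits (assumed policy).
check_key_params() {
    # $1 = keypass, $2 = storepass, $3 = keysize in bits
    [ "$1" = "$2" ] || { echo "keypass must equal storepass" >&2; return 1; }
    [ "$3" -ge 2048 ] 2>/dev/null || { echo "keysize must be >= 2048" >&2; return 1; }
}

# Step 1: key ring containing a single self-signed RSA certificate.
create_server_keyring() {
    # $1 = key ring file, $2 = alias, $3 = keysize, $4 = host name used for cn and SAN
    check_key_params "$CTG_PASS" "$CTG_PASS" "$3"
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize "$3" -validity 365 \
        -dname "cn=$4, o=Example Corp, ou=CICS TG, l=Hursley, st=Hampshire, c=GB" \
        -ext "san=dns:$4" \
        -keystore "$1" -keypass:env CTG_PASS -storepass:env CTG_PASS
}

# Step 2: export the signer certificate. The file holds only the public key
# and can be copied to clients; the key ring itself must not be.
export_signer_cert() {
    # $1 = key ring file, $2 = alias, $3 = output certificate file (PEM)
    keytool -exportcert -rfc -alias "$2" -keystore "$1" \
        -storepass:env CTG_PASS -file "$3"
}

# Step 3 (client side): import the certificate as a trusted entry.
import_signer_cert() {
    # $1 = client trust store, $2 = alias, $3 = certificate file
    keytool -importcert -noprompt -alias "$2" -file "$3" \
        -keystore "$1" -storepass:env CTG_PASS
}

# Step 4: re-export from the trust store and compare with the original file;
# succeeds only if the client now holds exactly the server's certificate.
verify_trust() {
    # $1 = client trust store, $2 = alias, $3 = original certificate file
    tmp=$(mktemp)
    keytool -exportcert -rfc -alias "$2" -keystore "$1" \
        -storepass:env CTG_PASS -file "$tmp"
    cmp -s "$tmp" "$3"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Runs every step in a scratch directory; returns 0 when the client trusts
# the server certificate.
run_demo() {
    work=$(mktemp -d)
    create_server_keyring "$work/ctgserverks.jks" ctgserver 2048 ctg.example.com
    export_signer_cert "$work/ctgserverks.jks" ctgserver "$work/ctgserver.cer"
    import_signer_cert "$work/ctgclientts.jks" ctgserver "$work/ctgserver.cer"
    verify_trust "$work/ctgclientts.jks" ctgserver "$work/ctgserver.cer"
}

if command -v keytool >/dev/null 2>&1; then
    run_demo && echo "client trust store now trusts the server certificate"
else
    echo "keytool not found; install a JDK to run this example" >&2
fi
```

Run it with a JDK on the path. Since JDK 9, keytool creates a PKCS12 store by default whatever the file extension; if the Gateway configuration expects a JKS file, add -storetype JKS to the -genkeypair and -importcert commands.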