Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), is a protocol that provides authenticated, encrypted communication over the Internet. It uses both symmetric and asymmetric cryptography: asymmetric keys (certificates and their private keys) authenticate the parties and establish a session key during the handshake, and a symmetric cipher under that session key protects the application data that follows.
- Server authentication is performed when a client connects to the server. During the handshake, the server sends its digital certificate (normally together with the intermediate certificates that chain it to a root) to the client. The client validates the server certificate or certificate chain against the CA certificates it trusts.
- Client authentication is performed when the server sends a certificate request to the client during the handshake. The client returns its certificate or chain together with a certificate verify message signed with its private key; if the chain validates and the signature verifies, the handshake proceeds further.
- An optional additional check compares the name in the certificate against the server's fully qualified domain name. Historically this meant checking the common name against a name obtained by a reverse Domain Name Server (DNS) lookup of the server's address; note that the PTR record used by a reverse lookup is controlled by whoever owns that address range, so the stronger check is against the host name the client was configured to connect to, matched against the certificate's Subject Alternative Name entries (modern validators no longer fall back to the common name).
Types of Trust
- CA Trust – Hierarchical trust based on a root certificate that is used to issue other certificates, directly or through intermediate CAs. This is the standard SSL certificate trust model.
- Direct Trust – Direct trust of self-signed certificates that are assumed to have been distributed through a secure out-of-band mechanism. Direct trust and self-signed certificates are not part of the SSL standards, but are frequently used in certain trading communities.
Using SSL Certificates
To communicate using the SSL protocol, configure the systems involved to support either server authentication or client/server (mutual) authentication. To authenticate a server, you need the root Certificate Authority (CA) certificate and the intermediate certificates in its chain or, if the server uses a self-signed certificate, a copy of that self-signed certificate.
To support client/server authentication, you need the partner's trust anchor (a CA certificate or the partner's self-signed certificate) and a system certificate of your own that the partner trusts.
You can obtain an SSL certificate from a trusted CA by providing a Certificate Signing Request (CSR) to the CA. The SSL certificate binds the public key to the identity of the SSL server or client; the matching private key stays on that system and is never sent to the CA or the partner. To set up your own system certificate, do one of the following:
- Check in an existing key certificate file or PKCS12 file.
- Generate a self-signed system certificate.
- Generate a CSR and get a certificate from a CA.
To trust the partner's certificate:
- If the partner is using a self-signed certificate, get the certificate through a secure out-of-band channel, check it into the CA table, and you are done.
- If the partner is using a CA-signed certificate:
  - Get the root CA certificate, or verify that the root CA certificate already exists in the system.
  - Test the connection.
  - If the connection isn't successful, get any intermediate certificates in the trust chain and check those into the CA table.
  - Test the connection.
  - If the connection still isn't successful, this is a defect that should be raised to IBM Support. Typical causes are:
    - Self-signed: the partner presented a self-signed certificate that is not in the CA table.
    - Incorrectly chained: a certificate in the chain is missing, or was not issued by the CA you checked in.
    - Incorrectly named: the name in the certificate does not match the host name being checked.
    - SSL bug: a defect in the SSL implementation on one side of the connection.
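The chain-building and naming checks above, as an added example that is not part of this page or of the product's own code: a Go program that issues a throwaway root CA, issuing (intermediate) CA and server certificate in memory (all names, serials and the host name partner.example.com are hypothetical) and then verifies the server certificate the way the partner connection test does. Verifying against the root alone fails as "incorrectly chained"; adding the intermediate succeeds; a wrong host name, or a certificate that carries its name only in the common name with no Subject Alternative Name, fails as "incorrectly named". The CN-only case goes beyond the page's list to show why the name belongs in the SAN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed in-memory chain: root CA -> issuing CA -> server certificate.
type PKI struct{ Root, Intermediate, Server, ServerCNOnly *x509.Certificate }

// must turns the unrecoverable errors of this constructed example into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTemplate builds a minimal certificate template valid for one day.
func newTemplate(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh key and signs t with the parent's key; a nil parent yields a self-signed certificate.
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildPKI issues the hypothetical chain. Server carries its DNS name in the SAN; ServerCNOnly only in the CN.
func BuildPKI() *PKI {
	root, rootKey := issue(newTemplate(1, "Example Root CA", true), nil, nil)
	inter, interKey := issue(newTemplate(2, "Example Issuing CA", true), root, rootKey)
	srvTpl := newTemplate(3, "partner.example.com", false)
	srvTpl.DNSNames = []string{"partner.example.com"}
	server, _ := issue(srvTpl, inter, interKey)
	cnOnly, _ := issue(newTemplate(4, "partner.example.com", false), inter, interKey)
	return &PKI{root, inter, server, cnOnly}
}

// Verify is the client's server-authentication step: root is the CA table entry, intermediate is an
// extra chain certificate checked in (nil if none), hostname is the name the client meant to reach.
func Verify(leaf, root, intermediate *x509.Certificate, hostname string) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: hostname}
	opts.Roots.AddCert(root)
	if intermediate != nil {
		opts.Intermediates.AddCert(intermediate)
	}
	_, err := leaf.Verify(opts)
	return err
}

// Classify maps a verification error onto the failure causes listed above.
func Classify(err error) string {
	switch err.(type) {
	case nil:
		return "ok"
	case x509.HostnameError:
		return "incorrectly named"
	case x509.UnknownAuthorityError:
		return "incorrectly chained"
	}
	return "other: " + err.Error()
}

// Scenarios runs the steps of the partner connection test and returns each outcome.
func Scenarios() map[string]string {
	p, host := BuildPKI(), "partner.example.com"
	return map[string]string{
		"root only":                       Classify(Verify(p.Server, p.Root, nil, host)),
		"root + intermediate":             Classify(Verify(p.Server, p.Root, p.Intermediate, host)),
		"root + intermediate, wrong name": Classify(Verify(p.Server, p.Root, p.Intermediate, "other.example.com")),
		"root + intermediate, CN only":    Classify(Verify(p.ServerCNOnly, p.Root, p.Intermediate, host)),
	}
}

func main() { fmt.Println(Scenarios()) }
```

The "root only" outcome is the state after the first connection test in the procedure, and "root + intermediate" is the state after the intermediate has been checked in; the CA table in the product plays the role of the Roots pool here, and the intermediates pool holds whatever the partner sends or you check in beside the root.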
When using the certificate grabber, do not check in the partner's identity (end-entity) certificate unless it is self-signed; trust should rest on the CA certificates in its chain, so that a renewed partner certificate from the same CA continues to validate.
Cipher Strength Settings
To implement a cipher strength setting, contact Customer Support.
Earlier Versions of SSL
To enable an earlier version of SSL, contact Customer Support. Earlier SSL versions have known weaknesses and should be enabled only for a partner that cannot negotiate a current protocol version, and only for as long as that partner needs it.