Securing the Global Mailbox User Interface with SSL
Secure Sockets Layer (SSL) is a protocol that provides secure communication over the Internet; the Liberty SSL configuration references a keystore file and a truststore file. You can also configure a Liberty profile to meet the SP800-131a requirement that originates from the National Institute of Standards and Technology (NIST).
- Server authentication is performed when a client connects to the server. After the initial handshake, the server sends its digital certificate to the client. The client validates the server certificate or certificate chain.
- Client authentication is performed when a server is configured to require that clients send their own certificate to the server during the handshake. If the client certificate or chain is verified by the server, the handshake proceeds further.
- An optional, additional authentication step checks the common name in the certificate against the server's fully qualified domain name, which is obtained from a reverse Domain Name System (DNS) lookup.
The IBM® WebSphere® Application Server Liberty profile provides the framework for Secure Sockets Layer (SSL) in Global Mailbox.
Global Mailbox is available with a default minimal SSL configuration upon installation. You can change the default SSL configuration with the server.xml file to suit your business requirements.
The default SSL configuration creates a keystore file in ${server.config.dir}/resources/security/key.jks:
- The keystore is also used as the truststore.
- The default password for the keystore is "password".
Mailbox administrators can replace the default certificate that is created by Liberty with their own custom certificate. A custom certificate that is verified by a certificate authority provides increased trustworthiness about the identity of the certificate owner. You can replace the default certificate with your own certificate by editing the server.xml file.
If you modify the truststore file or the keystore file without also changing the server.xml file, the Liberty server does not detect your changes. You must restart the Liberty server to process the changes you make to the truststore file or the keystore file.
You can configure a Liberty profile to meet the SP800-131a requirement that originates from NIST. For more information, see the Liberty documentation that explains how to configure a Liberty profile to run in SP800-131a mode.
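As an added illustration (not IBM's own sample configuration), the following server.xml shows the default minimal keystore definition, commented out, beside a hardened definition that points Liberty at a custom CA-signed keystore and a separate truststore, and restricts the handshake to TLS 1.2 as SP800-131a requires. The store file names, element ids and the {xor} values are assumed placeholders; the encoded passwords would come from the Liberty securityUtility encode command.

```xml
<server description="Global Mailbox user interface">
  <featureManager>
    <feature>ssl-1.0</feature>
  </featureManager>

  <!-- Default minimal configuration: one file serves as both keystore and
       truststore, protected by the well-known password "password". -->
  <!--
  <keyStore id="defaultKeyStore" password="password"
            location="${server.config.dir}/resources/security/key.jks" />
  -->

  <!-- Hardened configuration (assumed names): the CA-signed key pair lives in
       its own keystore, the truststore holds only the CA certificates that
       this server should trust, and the passwords are obfuscated with
       securityUtility encode instead of being stored in clear text. -->
  <keyStore id="gmKeyStore"
            location="${server.config.dir}/resources/security/gm-ui-key.p12"
            type="PKCS12"
            password="{xor}PLACEHOLDER_ENCODED_KEYSTORE_PASSWORD" />
  <keyStore id="gmTrustStore"
            location="${server.config.dir}/resources/security/gm-ui-trust.p12"
            type="PKCS12"
            password="{xor}PLACEHOLDER_ENCODED_TRUSTSTORE_PASSWORD" />

  <!-- Bind the two stores to the SSL configuration. sslProtocol="TLSv1.2"
       limits the handshake to the protocol SP800-131a requires; set
       clientAuthentication="true" to require the client certificate check
       described above. -->
  <ssl id="gmSSLConfig"
       keyStoreRef="gmKeyStore"
       trustStoreRef="gmTrustStore"
       sslProtocol="TLSv1.2"
       clientAuthentication="false" />
  <sslDefault sslRef="gmSSLConfig" />
</server>
```

Because Liberty reloads only on server.xml changes, replacing the .p12 files later without editing server.xml still requires a server restart; after the restart, confirm the presented certificate chain with a TLS client such as openssl s_client before opening the interface to users.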