Configuring your SSL clients

Follow these steps to configure your SSL clients.

If your server does not use client authentication you need only complete the first task, Create a client key ring and import the server's signer certificate.

Create a client key ring and import the server's signer certificate

Issue the following command to create the key ring and import the certificate:

keytool -import -alias aliasname -file certfile -keystore keystorefile
   -storepass password -noprompt
Where the options are:
-import
Import a certificate.
-alias aliasname
The name under which the certificate is to be stored.
-file certfile
The file that contains the certificate.
-keystore keystorefile
The key ring into which the certificate is to be imported.
-storepass password
The password used to protect the integrity of the key ring.
-noprompt
Removes the need to confirm that the certificate is imported.

An example of this command is shown here:

Figure 1. Using the keytool command to create a key ring containing the server's signer certificate
keytool -import -alias exampleServer -file exampleServerCertKT.arm -keystore clientStore.jks 
   -storepass default -noprompt

Create a self-signed certificate in the client key ring

To create a new keystore containing a self-signed certificate use the following instance of the keytool command:

keytool -genkey -alias aliasname -keysize numericvalue -dname distname
   -keystore location -keypass password -storepass password
   -keyalg algorithm
The options are:
-genkey
Generates a key pair and wraps the public key into a self-signed certificate.
-alias aliasname
Defines the alias name that identifies the key ring entry containing the self-signed certificate and its private key.
-keysize numericvalue
Defines the size of the key.
-dname distname
Specifies the X.500 distinguished name to be associated with the alias. This is used as both the issuer and the subject field of the self-signed certificate. The distinguished name consists of a number of comma-separated fields, in the form shown in this example:
Figure 2. An X.500 distinguished name
"cn=someserver.location.ibm.com,o=IBM,ou=IBMGB,
   l=Winchester,s=Hants,c=GB"
The abbreviations in the distinguished name have the following meaning:
  • cn = common name
  • o = organization
  • ou = organization unit
  • l = city/locality
  • s = state/province
  • c = country name
-keystore location
The key ring file location. For example: ktserverss.jks
-keypass password
The password used to protect the private key. Set this to the same value as the -storepass password, to enable the CICS® Transaction Gateway to establish a connection over SSL.
-storepass password
The password used to protect the integrity of the key ring. Set this to the same value as the -keypass password, to enable the CICS Transaction Gateway to establish a connection over SSL.
-keyalg algorithm
The algorithm to be used to generate the key pair.

An example of the keytool command is shown here:

Figure 3. Using the keytool command to create a key ring containing a single self-signed certificate
keytool -genkey -alias exampleClientCert -keysize 1024 
   -dname "cn=John Doe,o=IBM,ou=IBMGB,l=Winchester,s=Hants,c=GB" 
   -keystore clientStore.jks -keypass default -storepass default 
   -keyalg RSA

Export the client's signer certificate

This certificate must be imported into the keystores of all servers that the SSL client needs to connect to.

To export the certificate use the following instance of the keytool command:

keytool -export -alias aliasname -keystore location
   -storepass password -file filename -rfc
Where the options are:
-export
Export a certificate.
-alias aliasname
Name of the key (in the key ring) to export.
-keystore location
The key ring location.
-storepass password
The password used to protect the integrity of the key ring.
-file filename
The name of the file to export the certificate to.
-rfc
Export the certificate in RFC format (Base64 encoded ASCII).
An example instance of the keytool command to export a signer certificate is shown here:

Figure 4. Using the keytool command to export the signer certificate
keytool -export -alias exampleClientCert -keystore clientStore.jks -storepass default 
   -file exampleClientCertKT.arm -rfc

Transfer the server certificate to the client

If you use FTP to transfer the file, ensure that your FTP client is in ASCII mode. For details on importing the certificate, see Create a client key ring and import the server's signer certificate.
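Because -noprompt suppresses the confirmation step in which keytool shows the certificate's fingerprint, the following script, added here and not part of the IBM documentation or the CICS Transaction Gateway product, checks an RFC-format (.arm) certificate file after transfer and computes the SHA-256 fingerprint so it can be compared with the value the server administrator supplies separately. The sample inputs are constructed (a minimal DER SEQUENCE rather than a real certificate) and the function names are my own.

```python
import base64
import hashlib
import re

# Matches the Base64 body that "keytool -export -rfc" writes between the PEM markers.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample files (not real certificates): a minimal DER SEQUENCE, the same
# text as it arrives after a binary-mode transfer from an EBCDIC host, and a truncated copy.
SAMPLE_ARM = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
SAMPLE_EBCDIC = SAMPLE_ARM.decode("ascii").encode("cp037")
SAMPLE_TRUNCATED = SAMPLE_ARM.replace(b"MAMCAQU=", b"MAMCAQ==")


def der_length(der: bytes) -> int:
    """Total length of the outer DER SEQUENCE (tag + length + content), or -1 if malformed."""
    if len(der) < 2 or der[0] != 0x30:      # 0x30 is the SEQUENCE tag a certificate starts with
        return -1
    first = der[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_rfc_certificate(data: bytes) -> dict:
    """Return {'ok', 'reason', 'sha256'}; sha256 is the colon-separated form keytool prints."""
    m = PEM_RE.search(data)
    if m is None:
        # No ASCII PEM markers: a binary-mode FTP transfer from a mainframe host leaves
        # the file as EBCDIC text, which is the failure ASCII-mode transfer avoids.
        if "-----BEGIN CERTIFICATE-----" in data.decode("cp037", "replace"):
            return {"ok": False, "reason": "EBCDIC text: re-transfer in ASCII mode", "sha256": None}
        return {"ok": False, "reason": "no PEM certificate markers found", "sha256": None}
    try:
        der = base64.b64decode(m.group(1))  # line breaks inside the body are ignored
    except ValueError:
        return {"ok": False, "reason": "Base64 body is corrupt", "sha256": None}
    if der_length(der) != len(der):
        return {"ok": False, "reason": "DER length mismatch: file truncated or altered", "sha256": None}
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))
    return {"ok": True, "reason": "", "sha256": fingerprint}


if __name__ == "__main__":
    for label, blob in (("good", SAMPLE_ARM), ("ebcdic", SAMPLE_EBCDIC), ("truncated", SAMPLE_TRUNCATED)):
        print(label, check_rfc_certificate(blob))
```

Run it on the real .arm file (read the file as bytes and pass it to check_rfc_certificate) before the keytool -import step; only import when the fingerprint matches the one obtained from the server side.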