WebSEAL key database file
During installation, WebSEAL provides a default certificate key database that is used to authenticate both clients and junctioned servers. WebSEAL also provides an optional, separate certificate key database that can be used to authenticate junctioned servers.
By default, the junction certificate key database option is commented out in the WebSEAL configuration file. Unless this option is enabled, junctions maintain the default behavior of using a shared key database for clients and junctioned servers.

Note: When a separate certificate key database is used for junctioned servers, it is not possible for a user to use a client certificate that is validated by a CA certificate stored in the junction key database. Similarly, it is not possible for a junctioned server to use a certificate that is validated by a CA certificate contained in the default certificate database.
The webseal-cert-keyfile stanza entry, located in the [ssl] stanza of the WebSEAL configuration file, identifies the default certificate key database. For example:

[ssl]
webseal-cert-keyfile = pdsrv.kdb

The jct-cert-keyfile stanza entry, located in the [junction] stanza of the WebSEAL configuration file, identifies the optional, separate junction certificate key database. For example:

[junction]
jct-cert-keyfile = pdjct.kdb

You can use the SSL Certificates management page of the LMI to create a new key database. However, you must enter the name and location of this new key file in the webseal-cert-keyfile stanza entry so that WebSEAL can find and use the certificates contained in that database.
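The following is an added example, not code from IBM or the WebSEAL product, that works out from a configuration file which key database validates client certificates and which validates junctioned-server certificates, then applies the rule from the note above to check whether a CA certificate is stored in the database that can actually use it. It assumes the WebSEAL configuration is INI-style text that Python's configparser can read (stanzas in brackets, "#" comments); the two sample configurations are constructed for the example.

```python
import configparser
import textwrap
from typing import NamedTuple

# Constructed sample: jct-cert-keyfile commented out, the shipped default.
SHARED_CONFIG = textwrap.dedent("""\
    [ssl]
    webseal-cert-keyfile = pdsrv.kdb
    [junction]
    #jct-cert-keyfile = pdjct.kdb
""")

# Constructed sample: separate junction key database enabled.
SEPARATE_CONFIG = textwrap.dedent("""\
    [ssl]
    webseal-cert-keyfile = pdsrv.kdb
    [junction]
    jct-cert-keyfile = pdjct.kdb
""")


class KeyDbLayout(NamedTuple):
    client_keyfile: str    # database whose CA certs validate client certificates
    junction_keyfile: str  # database whose CA certs validate junctioned-server certificates
    separate: bool         # True when jct-cert-keyfile is enabled


def resolve_key_databases(config_text: str) -> KeyDbLayout:
    """Map each validation role to the key database WebSEAL will consult.
    Commented-out entries are ignored by the parser, which reproduces the
    default of one shared database for clients and junctioned servers."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(config_text)
    default_kdb = parser.get("ssl", "webseal-cert-keyfile")
    jct_kdb = parser.get("junction", "jct-cert-keyfile", fallback=None)
    if jct_kdb:
        return KeyDbLayout(default_kdb, jct_kdb, True)
    return KeyDbLayout(default_kdb, default_kdb, False)


def ca_usable_for(layout: KeyDbLayout, ca_keyfile: str, purpose: str) -> bool:
    """Return True if a CA certificate stored in ca_keyfile can validate
    certificates for `purpose` ("client" or "junction"). With a separate
    junction database, a CA in the wrong database validates nothing."""
    if purpose not in ("client", "junction"):
        raise ValueError(purpose)
    target = layout.client_keyfile if purpose == "client" else layout.junction_keyfile
    return ca_keyfile == target
```

Running resolve_key_databases on a deployment's actual configuration before importing a CA certificate tells you which database the LMI import must target.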