Enabling SSL communication in Liberty
To enable SSL communication in Liberty, add the Transport Security feature and specify a keystore configuration. The Transport Layer Security (TLS) protocol supersedes the now deprecated Secure Sockets Layer protocol.
For the most current information about enabling SSL communication in Liberty, see the Open Liberty website.
Procedure
- Enable the transportSecurity-1.0 Liberty feature in the server.xml file.
<featureManager>
    <feature>transportSecurity-1.0</feature>
</featureManager>
- Optional: Alternatively, you can enable SSL communication by adding the ssl-1.0 Liberty feature in the server.xml file.
<featureManager>
    <feature>ssl-1.0</feature>
</featureManager>
The transportSecurity-1.0 feature supersedes the ssl-1.0 feature and adds functions that are not included with the ssl-1.0 feature. For more information, see Differences between the transportSecurity-1.0 and ssl-1.0 features.
- Add the keyStore element to the server.xml file. The default keystore configuration is called defaultKeyStore and contains the keystore password.
<keyStore id="defaultKeyStore" password="yourPassword" />
The Liberty server creates a keystore password during profile creation and puts it in the server.env file that is in the server home directory. If no keyStore element exists for the defaultKeyStore file, this password is used to create a keystore file, which is then used as the defaultKeyStore file. Likewise, if a defaultKeyStore entry exists without a password in the server.xml file when the server starts, the password from the server.env file is used to open the file. If you don't want to use the Liberty-generated keystore password, remove the keystore_password entry from the server.env file. If a default keystore was already generated with the password from the server.env file, you might need to remove it.
This configuration is the minimum that is needed to create an SSL configuration. In this configuration, the server creates the keystore and certificate during SSL initialization if they do not exist. The password that is provided must be at least 6 characters long. You can enter the password in clear text or encode it by using the securityUtility encode option.
The keystore is assumed to be a PKCS12 keystore file that is called key.p12 in the server home/resources/security directory.
In version 19.0.0.2 and earlier, the keystore is assumed to be a JKS keystore file that is called key.jks in the server home/resources/security directory.
If the file does not exist, the server creates it for you. If the server creates the keystore file, it also creates the certificate inside it. The certificate is a self-signed certificate with a validity period of 365 days. The CN value of the certificate subjectDN is the hostname of the machine where the server is running, and it has a signature algorithm of SHA256withRSA.
- Optional: You can extend the single keystore entry for a minimal SSL configuration to include the keystore location and type, as shown in the following example.
<keyStore id="defaultKeyStore" location="myKeyStore.p12" password="yourPassword" type="PKCS12"/>
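The following Python script is an added example and is not part of the Liberty documentation or the Liberty product. It reads a server.xml fragment and checks it against the points of the procedure above: that transportSecurity-1.0 (or the superseded ssl-1.0) feature is enabled, that a keyStore element with a password of at least 6 characters is present, whether the password is still in clear text rather than encoded with securityUtility encode (which emits values prefixed {xor}, {aes} or {hash}), and whether a declared type disagrees with the file extension of the location. The three server.xml fragments and the encoded password value are constructed placeholders.

```python
import os
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample server.xml fragments (placeholders, not real deployments).
SERVER_XML_CLEARTEXT = """<server>
  <featureManager>
    <feature>transportSecurity-1.0</feature>
  </featureManager>
  <keyStore id="defaultKeyStore" password="yourPassword" />
</server>"""

SERVER_XML_ENCODED = """<server>
  <featureManager>
    <feature>ssl-1.0</feature>
  </featureManager>
  <keyStore id="defaultKeyStore" location="myKeyStore.p12"
            password="{aes}PLACEHOLDER_ENCODED_VALUE" type="PKCS12"/>
</server>"""

SERVER_XML_BAD = """<server>
  <featureManager>
    <feature>servlet-4.0</feature>
  </featureManager>
  <keyStore id="defaultKeyStore" location="myKeyStore.p12" password="abc" type="JKS"/>
</server>"""

SSL_FEATURES = {"transportSecurity-1.0", "ssl-1.0"}
MIN_PASSWORD_LENGTH = 6          # minimum stated in the procedure
# Prefixes that securityUtility encode puts in front of an encoded value.
ENCODED_PREFIX = re.compile(r"^\{(xor|aes|hash)\}")
# Keystore type implied by the file extension of the location attribute.
TYPE_BY_EXTENSION = {".p12": "PKCS12", ".pfx": "PKCS12", ".jks": "JKS"}


def lint_ssl_config(server_xml: str) -> List[str]:
    """Return a list of human-readable findings for the SSL-related parts of server.xml."""
    findings: List[str] = []
    root = ET.fromstring(server_xml)

    # 1. Is an SSL feature enabled at all, and is it the current one?
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if not features & SSL_FEATURES:
        findings.append("no SSL feature enabled: add transportSecurity-1.0 (preferred) or ssl-1.0")
    elif "transportSecurity-1.0" not in features:
        findings.append("ssl-1.0 is superseded by transportSecurity-1.0")

    # 2. Check each keyStore element.
    keystores = list(root.iter("keyStore"))
    if not keystores:
        findings.append("no keyStore element: server falls back to the server.env keystore_password")
    for ks in keystores:
        ks_id = ks.get("id", "defaultKeyStore")
        password = ks.get("password")
        if password is None:
            findings.append(f"{ks_id}: no password; the server.env keystore_password will be used")
        elif ENCODED_PREFIX.match(password):
            # {xor} is reversible obfuscation, not encryption; {aes} needs a key but protects better.
            if password.startswith("{xor}"):
                findings.append(f"{ks_id}: {{xor}} encoding is reversible obfuscation, not encryption; prefer {{aes}}")
        else:
            findings.append(f"{ks_id}: password is clear text; encode it with securityUtility encode")
            if len(password) < MIN_PASSWORD_LENGTH:
                findings.append(f"{ks_id}: password is shorter than {MIN_PASSWORD_LENGTH} characters")

        # 3. Does the declared type match what the file name suggests?
        location = ks.get("location")
        declared = ks.get("type")
        if location:
            expected = TYPE_BY_EXTENSION.get(os.path.splitext(location)[1].lower())
            if expected and declared and declared.upper() != expected:
                findings.append(f"{ks_id}: location {location} looks like {expected} but type is {declared}")
            elif expected and not declared and expected != "PKCS12":
                findings.append(f"{ks_id}: type omitted, defaults to PKCS12, but location {location} looks like {expected}")
    return findings


if __name__ == "__main__":
    for name, xml_text in [("clear text", SERVER_XML_CLEARTEXT),
                           ("encoded", SERVER_XML_ENCODED),
                           ("bad", SERVER_XML_BAD)]:
        print(f"--- {name} ---")
        for finding in lint_ssl_config(xml_text) or ["no findings"]:
            print(" ", finding)
```

The script deliberately does not decode or verify any password value; it only distinguishes an encoded value from a clear-text one, which is the check that matters before a server.xml is committed to source control or copied to another host. Run it as-is to see the three sample verdicts, or replace the sample strings with the contents of your own server.xml.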