Keystores
Liberty can create only a keystore type of Java™ Keystore (JKS). Support for other types of keystore in Liberty can depend on what is supported by the underlying Java Runtime Environment (JRE).
You can encrypt (AES) or encode (XOR) passwords. Use the securityUtility command to set the password encoding type.
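The distinction between encrypting (AES) and encoding (XOR) matters because the {xor} form involves no secret: each byte of the clear text is XORed with the character '_' (0x5F) and the result is Base64 encoded behind a "{xor}" prefix, so anyone who can read server.xml can reverse it. The following class is an added example, not the securityUtility code from IBM, and the password it round-trips is the constructed sample value used in the keyStore elements on this page.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example, not part of Liberty: the {xor} password encoding that a
 * keyStore password attribute can carry. XOR with a fixed byte plus Base64
 * is obfuscation, not encryption; the AES encoding is the stronger choice.
 */
public final class XorPasswordCodec {
    private static final String PREFIX = "{xor}";
    private static final byte XOR_KEY = (byte) '_';   // 0x5F

    private XorPasswordCodec() {}

    /** Produce the {xor}... form from clear text. */
    public static String encode(String clearText) {
        byte[] bytes = clearText.getBytes(StandardCharsets.UTF_8);
        for (int i = 0; i < bytes.length; i++) {
            bytes[i] ^= XOR_KEY;
        }
        return PREFIX + Base64.getEncoder().encodeToString(bytes);
    }

    /** Reverse the encoding; no key material is needed beyond the fixed constant. */
    public static String decode(String encoded) {
        if (!encoded.startsWith(PREFIX)) {
            throw new IllegalArgumentException("value does not carry the {xor} prefix");
        }
        byte[] bytes = Base64.getDecoder().decode(encoded.substring(PREFIX.length()));
        for (int i = 0; i < bytes.length; i++) {
            bytes[i] ^= XOR_KEY;
        }
        return new String(bytes, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample, the same clear-text value the keyStore examples on this page use.
        String encoded = encode("myPassword");
        System.out.println(encoded);
        System.out.println("round trip ok: " + "myPassword".equals(decode(encoded)));
    }
}
```

The practical consequence is that file permissions on server.xml (and on any included configuration file) are the real control for an XOR-encoded password; use the AES option from securityUtility when the configuration may be read by anyone other than the server's own user.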
For more information on the configuration attributes of the keyStore element, see SSL configuration attributes.
PKCS12 keystore
Public Key Cryptography Standards #12 (PKCS12) keystore is an industry standard keystore type, which makes it compatible with other products.
PKCS12 is the Liberty default keystore type.
In version 19.0.0.2 and earlier, PKCS12 keystore can be used, but not created by Liberty, when you use the IBM® JRE.
<keyStore id="samplePKCS12KeyStore"
location="MyKeyStoreFile.p12"
type="PKCS12" password="myPassword" />
JKS and JCEKS
Java Keystore (JKS) and Java Cryptography Extensions Keystore (JCEKS) are common to the IBM JRE and the Oracle JRE, and can be configured the same way with either JRE.
In version 19.0.0.2 and earlier, JKS is the default keystore type in Liberty, and the only type of keystore Liberty can create. If no keystore type is specified in the configuration, JKS is used.
<keyStore id="sampleJKSKeyStore"
location="MyKeyStoreFile.jks"
type="JKS" password="myPassword" />
<keyStore id="sampleJCEKSKeyStore"
location="MyKeyStoreFile.jceks"
type="JCEKS" password="myPassword" />
PKCS11 keystore
A hardware cryptographic keystore can be configured so that the Liberty server can be used to provide cryptographic token support.
The device configuration file consists of lines in the form attribute = value. The file must contain at least the name and library attributes. For example:
name = HWDevice
library = /opt/foo/lib/libpkcs11.so
The name attribute is the name given to this instance of the device. The library attribute contains the path to the library provided by the hardware device for accessing the device. The configuration file can also contain configuration data specific to the hardware device.
The keyStore element must contain the following fields:
id - Uniquely identifies the keyStore element in the configuration.
location - The path to the hardware device-specific configuration file.
type - PKCS11 must be specified as the keystore type.
fileBased - Must be false to identify this keystore as a device.
password - Password that is needed to access keys in the device.
provider - The provider that is needed. For the IBM JRE, the value must be IBMPKCS11Impl, and for the Oracle JRE it must be SunPKCS11.
<keyStore id="hwKeyStore"
location="${server.config.dir}/HWCrypto.cfg"
type="PKCS11"
fileBased="false"
password="{xor}Lz4sLCgwLTs="
provider="IBMPKCS11Impl"/>
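The file-based types (PKCS12, JKS, JCEKS) and the PKCS11 device type differ only in how the keystore is opened: a file is read from location with the keystore password, while a device is reached through a PKCS11 provider configured from the file named in location and unlocked with the PIN given as password. The class below is an added example, not Liberty's own code; it opens a keystore from the same attributes a keyStore element carries. The device path assumes the SunPKCS11 provider on Java 9 or later, whose Provider.configure(String) method takes the device configuration file; the IBM JRE's IBMPKCS11Impl provider is loaded differently and is not covered here.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example, not Liberty code: open a keystore described by the attributes of a
 * keyStore element. fileBased="true" covers PKCS12, JKS and JCEKS files; fileBased="false"
 * covers a PKCS11 device, where location is the device configuration file and the
 * password is the token PIN. Assumes SunPKCS11 on Java 9 or later for the device case.
 */
public final class KeyStoreOpener {
    private KeyStoreOpener() {}

    public static KeyStore open(String type, String location, char[] password,
                                String provider, boolean fileBased) throws Exception {
        if (fileBased) {
            // PKCS12, JKS, JCEKS: the JRE selects the implementation from the type name.
            KeyStore ks = KeyStore.getInstance(type);
            try (InputStream in = Files.newInputStream(Paths.get(location))) {
                ks.load(in, password);
            }
            return ks;
        }
        if (!"PKCS11".equalsIgnoreCase(type)) {
            throw new IllegalArgumentException("fileBased=\"false\" requires type=\"PKCS11\"");
        }
        // The installed base provider is configured from the device file, which supplies
        // the name and library attributes described above.
        Provider base = Security.getProvider(provider);
        if (base == null) {
            throw new IllegalStateException("provider " + provider + " is not installed in this JRE");
        }
        Provider configured = base.configure(location);
        Security.addProvider(configured);
        KeyStore ks = KeyStore.getInstance("PKCS11", configured);
        ks.load(null, password);   // no stream for a device; the PIN unlocks the token
        return ks;
    }

    /** One line per alias, saying whether it holds a private key or only a certificate. */
    public static List<String> describe(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "key entry" : "trusted certificate";
            out.add(alias + " (" + kind + ")");
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java KeyStoreOpener <type> <location> <password> [pkcs11Provider]
        //   java KeyStoreOpener PKCS12 MyKeyStoreFile.p12 myPassword
        //   java KeyStoreOpener PKCS11 HWCrypto.cfg <pin> SunPKCS11
        if (args.length < 3) {
            System.err.println("usage: KeyStoreOpener <type> <location> <password> [pkcs11Provider]");
            System.exit(2);
        }
        String provider = args.length > 3 ? args[3] : null;
        KeyStore ks = open(args[0], args[1], args[2].toCharArray(), provider, provider == null);
        for (String line : describe(ks)) {
            System.out.println(line);
        }
    }
}
```

Listing the aliases is a quick way to confirm that a device keystore is reachable before wiring it into an SSL configuration: a wrong library path or PIN fails at load(), while an empty listing usually means the token holds no objects visible to the configured slot.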
CMS keystore
To use a CMS keystore, the com.ibm.security.cmskeystore.CMSProvider class is added to the end of the security provider list. Ensure that the provider number is correct in the provider list. Liberty does not use the CMS keystore stash file to gain access to the keystore.
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=com.ibm.security.cmskeystore.CMSProvider
<keyStore id="sampleCMSKeyStore"
password="myPassword"
location="MyKeyStoreFile.kdb"
provider="IBMCMSProvider"
type="CMSKS"/>
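Getting the provider number right is the step most often missed when the CMS provider is appended by hand: OpenJDK-based JREs read security.provider.1, 2, 3, ... in order and stop at the first number that is missing, so a gap leaves every later provider unloaded, and a duplicate number silently replaces an entry. The following check is an added example, not IBM's code; it parses the provider entries, reports gaps, duplicates and an unreachable CMS provider, and by default runs on a constructed sample list that contains a gap.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not IBM's code: check security.provider.N entries for gaps and
 * duplicates and confirm that a required provider class sits at a number the JRE
 * will actually read (OpenJDK stops at the first missing number).
 */
public final class ProviderListCheck {
    private static final Pattern ENTRY =
            Pattern.compile("^\\s*security\\.provider\\.(\\d+)\\s*=\\s*(\\S+)\\s*$");

    private ProviderListCheck() {}

    /** Problems found; empty when numbering is contiguous and the required class is reachable. */
    public static List<String> check(List<String> lines, String requiredClass) {
        Map<Integer, String> byNumber = new TreeMap<>();   // ascending order of provider number
        List<String> problems = new ArrayList<>();
        for (String line : lines) {
            Matcher m = ENTRY.matcher(line);
            if (!m.matches()) {
                continue;   // comments and unrelated properties
            }
            int n = Integer.parseInt(m.group(1));
            String previous = byNumber.put(n, m.group(2));
            if (previous != null) {
                problems.add("security.provider." + n + " is defined twice: " + previous + " and " + m.group(2));
            }
        }
        int lastContiguous = 0;
        for (int n : byNumber.keySet()) {
            if (n != lastContiguous + 1) {
                problems.add("gap before security.provider." + n + ": entries from " + n + " on are never loaded");
                break;
            }
            lastContiguous = n;
        }
        Integer requiredAt = null;
        for (Map.Entry<Integer, String> e : byNumber.entrySet()) {
            if (e.getValue().equals(requiredClass)) {
                requiredAt = e.getKey();
            }
        }
        if (requiredAt == null) {
            problems.add(requiredClass + " is not in the provider list");
        } else if (requiredAt > lastContiguous) {
            problems.add(requiredClass + " is at security.provider." + requiredAt + ", beyond the gap, so it is never loaded");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        String cms = "com.ibm.security.cmskeystore.CMSProvider";
        List<String> lines = args.length > 0
                ? Files.readAllLines(Paths.get(args[0]))          // a real java.security file
                : Arrays.asList(                                   // constructed sample with a gap
                    "security.provider.1=com.ibm.jsse2.IBMJSSEProvider2",
                    "security.provider.2=com.ibm.crypto.provider.IBMJCE",
                    "# provider 3 was removed without renumbering the entries after it",
                    "security.provider.4=com.ibm.security.cert.IBMCertPath",
                    "security.provider.5=" + cms);
        List<String> problems = check(lines, cms);
        if (problems.isEmpty()) {
            System.out.println("provider list OK");
        }
        for (String p : problems) {
            System.out.println("PROBLEM: " + p);
        }
    }
}
```

Run it against the JRE's java.security file after editing the provider list; a clean result means the CMS provider is at a contiguous position and the keyStore element with type="CMSKS" can find it at startup.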