A Secure Sockets Layer (SSL) configuration references keystore configurations during
security processing. If another keystore tool is used to create a keystore file, or the keystore
file was saved from a previous configuration, you must create a new keystore configuration object
that references the preexisting keystore file. The server then uses this new keystore configuration
object to obtain information from the preexisting keystore file.
Before you begin
A keystore must already exist.
Alternative method: To create a keystore by using the wsadmin tool, use the createKeyStore command of the AdminTask object. For more information, see the article "KeyStoreCommands command group for the AdminTask object".
About this task
Complete the following steps in the administrative console:
Procedure
- Click Security > SSL certificate and key management >
Manage endpoint security configurations > {Inbound | Outbound}.
- Under Related Items, click Key stores and certificates,
then click New.
- Type a name in the Name field.
This name uniquely identifies the keystore in the configuration.
- Type the location of the keystore file in the Path field.
The location can be a file name or a file URL to an existing
keystore file.
- In the Control region user field, type the Control region Started Task user
ID under which the Control region System Authorization Facility (SAF)
keyring is to be created.
The user ID must match the exact ID being used by the Control
region.
Avoid trouble: This option only applies
when creating writable SAF keyrings on z/OS®.
- In the Servant region user field, type the servant region Started Task user
ID under which the servant region System Authorization Facility (SAF)
keyring is to be created.
The user ID must match the exact ID being used by the Control
region.
Avoid trouble: This option only applies
when creating writable SAF keyrings on z/OS.
- Type the keystore password in the Password field.
This password is for the keystore file that you specified in the Path field.
Unlike other keystores, the JCERACFKS keystore is not password protected.
However, to be compatible with the JCE keystore, which requires a password,
the JCERACFKS keystore requires the password "password".
Protection for the JCERACFKS keystore is instead enforced by RACF, based on
the identity of the executing thread.
- Type the keystore password again in the Confirm Password field
to confirm the password.
- Select a keystore type from the list.
The type that you select is for the keystore file that you specified in the Path field.
- Select any of the following optional selections:
- Click Apply and Save.
Results
You have created a keystore configuration object for the
keystore file that you specified. This keystore can now be used in
an SSL configuration.
You can also use this method to add a z/OS keyring file to the
configuration. The keyring file must be read only, not file-based.
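
Before registering a preexisting file, it helps to confirm that the type selected in the list matches what the file in the Path field actually is. The following is an added example, not IBM code: it resolves a Path value given as a file name or a file URL and reads the JKS/JCEKS header (magic, version, entry count) without needing the password. The function names and the DER-prefix heuristic for PKCS12 are assumptions of this example.

```python
import struct
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname

JKS_MAGIC = 0xFEEDFEED    # first four bytes of a JKS file
JCEKS_MAGIC = 0xCECECECE  # first four bytes of a JCEKS file


def resolve_path(location):
    """Accept a plain file name or a file: URL, as the Path field does."""
    if location.lower().startswith("file:"):
        return Path(url2pathname(urlparse(location).path))
    return Path(location)


def sniff_keystore(data):
    """Return (format, entry_count) from the leading bytes; no password needed."""
    if len(data) >= 12:
        magic, version, count = struct.unpack(">III", data[:12])
        if magic == JKS_MAGIC and version in (1, 2):
            return "JKS", count
        if magic == JCEKS_MAGIC and version in (1, 2):
            return "JCEKS", count
    # Heuristic (assumption): PKCS12 is DER, so it starts with a SEQUENCE tag.
    if data[:1] == b"\x30":
        return "PKCS12", None
    return "unknown", None


def precheck(location, selected_type):
    """Return a list of problems; an empty list means file and selection agree."""
    path = resolve_path(location)
    if not path.is_file():
        return ["%s: no such file" % path]
    with path.open("rb") as handle:
        detected, count = sniff_keystore(handle.read(16))
    problems = []
    if detected != selected_type:
        problems.append("selected %s but file looks like %s" % (selected_type, detected))
    if count == 0:
        problems.append("keystore contains no entries")
    return problems


if __name__ == "__main__":
    header = struct.pack(">III", JKS_MAGIC, 2, 3)  # constructed sample header
    print(sniff_keystore(header))
```

A clean result only shows that the container format matches the selection; the password and the certificates themselves are still validated when the server loads the keystore.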