To enable SSL communication for the Liberty profile, a minimal set of SSL configuration options is sufficient. This minimal configuration uses defaults for most of the SSL options and requires only some keystore configuration information.
About this task
SSL client authentication occurs during the connection handshake by using SSL certificates. The SSL handshake is a series of messages that are exchanged over the SSL protocol to negotiate connection-specific protection. During the handshake, the secure server requests that the client send back a certificate or certificate chain for authentication. To enable SSL for the Liberty profile, you add the ssl-1.0 Liberty feature to the server.xml file, along with the keystore information used for authentication.
Procedure
- Enable the ssl-1.0 Liberty feature in the server.xml file.
<featureManager>
<feature>ssl-1.0</feature>
</featureManager>
Note: If application security is required and security information is redirected to a secure port, you must also add the appSecurity-2.0 Liberty feature to the server.xml file.
- Add the keystore service object entry to the server.xml file.
The keyStore element is called defaultKeyStore and contains the keystore password. The password can be entered in clear text or encoded. The securityUtility encode option can be used to encode the password.
<keyStore id="defaultKeyStore" password="yourPassword" />
An example of a SAF keyring in the minimal configuration:
<keyStore id="defaultKeyStore" location="safkeyring:///WASKeyring" type="JCERACFKS" password="password" fileBased="false" readOnly="true" />
In this configuration the keystore type is JKS. You can create this default keystore by using the securityUtility createSSLCertificate option. If the keystore does not exist during SSL initialization, the server creates it for you. The password must be at least six characters long. The keystore type is JKS by default. Keystores of other types can also be specified in the minimal SSL configuration if the keystore file has already been created; the server only creates JKS keystore files when the keystore file does not exist. The generated certificate has a validity period of 365 days, the CN value of its subjectDN is the host name of the machine where the server is running, and its signature algorithm is SHA1 with RSA. The single keystore entry of a minimal SSL configuration can be extended to include the location and type as well:
<keyStore id="defaultKeyStore" location="myKeyStore.p12" password="yourPassword" type="PKCS12"/>
The location parameter can be an absolute path to the keystore file. If it is an absolute path, the keystore file is assumed to have been created already. When the minimal SSL configuration is used, the SSL configuration defaults are used to create the SSL context for an SSL handshake. The configuration protocol is SSL_TLS by default, and the HIGH cipher suites (128-bit and stronger) can be used.
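As an added example that is not part of the Liberty documentation, the following Python script applies the rules from this procedure to a server.xml file: the ssl-1.0 feature must be present, a defaultKeyStore element must exist, a clear-text password must be at least six characters and not a documentation placeholder, and a keystore given by absolute path or of a non-JKS type must already exist because the server only creates missing JKS files. The sample server.xml is constructed for the example, and the assumption that an encoded password carries a {xor} or {aes} prefix reflects the output of securityUtility encode.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample server.xml for this example (not taken from any real server).
SAMPLE_SERVER_XML = """<server>
  <featureManager><feature>ssl-1.0</feature></featureManager>
  <keyStore id="defaultKeyStore" password="yourPassword" />
</server>"""


def lint_minimal_ssl(server_xml: str) -> list:
    """Check a server.xml against the minimal SSL configuration rules.
    Returns a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(server_xml)
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if "ssl-1.0" not in features:
        findings.append("ssl-1.0 feature is not enabled in featureManager")
    stores = [k for k in root.iter("keyStore") if k.get("id") == "defaultKeyStore"]
    if not stores:
        findings.append('no keyStore element with id="defaultKeyStore"')
        return findings
    ks = stores[0]
    password = ks.get("password", "")
    # Assumption: securityUtility encode output starts with {xor} or {aes};
    # any other value is a clear-text password in the configuration file.
    encoded = password.startswith("{xor}") or password.startswith("{aes}")
    if not password:
        findings.append("defaultKeyStore has no password attribute")
    elif not encoded:
        findings.append("keystore password is stored in clear text")
        if len(password) < 6:
            findings.append("keystore password is shorter than six characters")
        if password.lower() in ("password", "yourpassword"):
            findings.append("keystore password is a documentation placeholder")
    ks_type = ks.get("type", "JKS")  # JKS is the default when type is omitted
    location = ks.get("location")
    file_based = ks.get("fileBased", "true") == "true"  # SAF keyrings are not files
    if location and file_based:
        # An absolute path, or any non-JKS type, means the file must already exist:
        # the server only creates a missing keystore when it is JKS.
        if (os.path.isabs(location) or ks_type != "JKS") and not os.path.exists(location):
            findings.append(f"keystore {location} ({ks_type}) does not exist and will not be created")
    return findings


if __name__ == "__main__":
    for finding in lint_minimal_ssl(SAMPLE_SERVER_XML) or ["no findings"]:
        print(finding)
```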