<keyStore id="defaultKeyStore" password="yourPassword" />
The Liberty server
creates a keystore password during profile creation and puts it in the
server.env file that is in the server's home directory. If there is no keystore
element for the defaultKeyStore file, this password is used to create a
keystore file. This keystore file is then used as the defaultKeyStore file.
Likewise, if a defaultKeyStore entry exists without a password in the
server.xml file when the server starts, the password from the
server.env file is used to open the file. If you don't want to use the Liberty-generated keystore password, remove the
keystore_password
entry from the server.env file. If a default
keystore was already generated with the password from the server.env file, you
might need to remove it.
An example of a SAF key ring in the minimal configuration:
<keyStore id="defaultKeyStore" location="safkeyring:///WASKeyring"
type="JCERACFKS" password="password" fileBased="false"
readOnly="true" />
A RACF® key ring
needs to be set up before you configure it for use by the Liberty server. The server does not create
certificates and add them to RACF.
The safkeyring URL
is in the form:
safkeyring://racfid/WASKeyring
where
racfid is the RACF user ID with read authority to the
key ring, which is named
WASKeyring.
The single keystore entry for a minimal SSL configuration can be extended to include the location
and type as well.
<keyStore id="defaultKeyStore" location="myKeyStore.p12" password="yourPassword" type="PKCS12"/>
This
configuration is the minimum that is needed to create an SSL configuration. In this configuration,
the server creates the keystore and certificate if it does not exist during SSL initialization. The
password that is provided must be at least 6 characters long.
The
keystore is assumed to be a PKCS12 keystore that is called key.p12 in the
server home/resources/security directory.
Through 19.0.0.2, the keystore
is assumed to be a JKS keystore that is called key.jks in the server
home/resources/security directory.
If the file does not exist, the server
creates it for you. If the server creates the keystore file, it also creates the certificate inside
of it. The certificate is a self-signed certificate with a validity period of 365 days; the CN value
of the certificate's subjectDN is the host name of the machine where the server is running, and the
signature algorithm is SHA256withRSA.
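The rules above (server.env password used when the keyStore element is absent or has no password, the 6-character minimum, and the key.jks/JKS default through 19.0.0.2 versus key.p12/PKCS12 afterwards) can be checked before a server starts. The following is an added example, not Liberty's own code; the server.xml and server.env contents are constructed samples, and resolving a relative location under server home/resources/security is an assumption.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample inputs, not taken from a real server.
SERVER_XML = """<server>
  <featureManager><feature>transportSecurity-1.0</feature></featureManager>
  <keyStore id="defaultKeyStore" />
</server>"""
SERVER_ENV = "keystore_password=Liberty$ecret\nWLP_OUTPUT_DIR=/opt/wlp/output\n"

MIN_PASSWORD_LEN = 6  # documented minimum length for the keystore password


def parse_server_env(text):
    """Parse KEY=VALUE lines of server.env into a dict; blanks and # comments are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env


def resolve_default_keystore(server_xml, server_env, server_home, version=(20, 0, 0, 1)):
    """Work out which file, type and password the server will use for defaultKeyStore."""
    root = ET.fromstring(server_xml)
    ks = next((e for e in root.iter("keyStore") if e.get("id") == "defaultKeyStore"), None)
    env = parse_server_env(server_env)
    # Through 19.0.0.2 the generated default is key.jks (JKS); later releases use key.p12 (PKCS12).
    legacy = version <= (19, 0, 0, 2)
    default_name, default_type = ("key.jks", "JKS") if legacy else ("key.p12", "PKCS12")
    location = ks.get("location", default_name) if ks is not None else default_name
    ks_type = ks.get("type", default_type) if ks is not None else default_type
    # A password in server.xml wins; otherwise the keystore_password from server.env is used.
    password = ks.get("password") if ks is not None else None
    source = "server.xml"
    if password is None:
        password = env.get("keystore_password")
        source = "server.env"
    if password is None:
        raise ValueError("no keystore password in server.xml or server.env")
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("keystore password must be at least %d characters" % MIN_PASSWORD_LEN)
    # Assumption: a relative file location lives under server home/resources/security.
    if not os.path.isabs(location) and not location.startswith("safkeyring:"):
        location = os.path.join(server_home, "resources", "security", location)
    return {"location": location, "type": ks_type, "password_source": source}
```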
Note: When the use of a collective controller is not
practical, perhaps because there are only one or two Liberty servers, a self-signed certificate can be
used to restrict the number of clients that can connect to the Liberty member server. It is suggested that an
IHS server is used in front of the Liberty
servers, where an appropriate CA-signed certificate can be used, along with a CN allowlist, to
control which clients can connect to IHS. A trusted channel between IHS and the Liberty member server can be maintained by using
the self-signed
certificate.