Use SSL configuration repertoires

An SSL repertoire contains the details necessary for building an SSL connection, such as the location of the key files, their type and the available ciphers. WebSphere Application Server - Express provides a default repertoire called DefaultSSLSettings. To view this page in the administrative console, click Security --> SSL to see the list of SSL repertoire settings.

Note: It is not recommended to use the default repertoire in a production environment. For more information, see Change the default SSL keystore and truststore files.

The appropriate repertoire is referenced during the configuration of a service that sends and receives requests encrypted using SSL, such as the Web container. Before deleting SSL configurations from the repertoire, remember that if an SSL configuration alias is referenced somewhere, and it is deleted here, an SSL connection fails if the deleted alias is accessed.

The SSL configuration repertoire allows administrators to define any number of SSL settings which can be used to make HTTPS, IIOPS, or LDAPS connections. You can pick one of the SSL settings defined here from any location within the administrative console which allows SSL connections. This simplifies the SSL configuration process since you can reuse many of these SSL configurations by simply specifying the alias in multiple places.

To create an SSL repertoire, perform these steps in the WebSphere administrative console:

1. In the navigation menu, expand Security and then click SSL.
2. From the SSL Configuration Repertoire window, click New. Type an Alias by which the configuration is known. Click OK.
3. Select the new SSL configuration repertoire by clicking the link.
4. Now click Secure Sockets Layer (SSL) under in Additional Properties. The new configuration details can be entered in the window that appears.
5. Type the fully qualified path name of the key file.
6. Type the password for the key file.
7. Repeat the above two steps for the trust file. Make sure that the trust file path name is fully qualified.
8. If Client Authentication is supported by this configuration, then select Client Authentication. This only affects HTTP and LDAP requests.
9. The appropriate security level must be set. Valid values are as follows:
   • Low
     Specifies only digital signing ciphers (no encryption).
   • Medium
     Specifies only 40-bit ciphers (including digital signing).
   • High
     specifies only 128-bit ciphers (including digital signing).
10. If the preset security level does not define the required cipher, it can be manually added to the cipher suite option.
11. Note that hardware or software cryptographic support is not available on the iSeries system. The Cryptographic Token setting is not applicable to iSeries.
12. Select IBMJSSE as the JSSE provider.

    Note: Other WebSphere Application Server platforms support the IBMJSSEFIPS JSSE provider, which adheres to the Federal Information Processing Standard (FIPS). FIPS is not currently supported on iSeries, so IBMJSSE is the only choice.

13. Select an SSL protocol version.
14. Click OK to apply the changes.
15. If there are no errors, save the changes to the master configuration and restart WebSphere Application Server - Express.