Change the default SSL keystore and truststore files

To protect the integrity of the messages being sent across the Internet, it is recommended that you change the default SSL keystore and truststore files that are packaged with WebSphere Application Server - Express. A single location is provided where you can specify SSL configurations that can be used among the various WebSphere Application Server - Express features that use SSL including the LDAP user registry, Web Container, and the Authentication Protocol (CSIv2 and SAS). For information on creating new keystore files, see Use Java keystore files.

You can create different keystore and truststore files for different uses or you can create one file that applies to all cases in which the server uses SSL. After you create the new KeyStore and truststore files, specify them in the SSL configuration repertoire. To work with the SSL configuration repertoire, expand Security and click SSL in the administrative console. You can edit DefaultSSLConfig or create a new SSL configuration with a new alias.

If you create a new alias for your new keystore and truststore files, you must also change all of the locations that refer to the SSL configuration alias DefaultSSLConfig. In the administrative console, make the change in each of these locations:

• Security --> User Registries --> LDAP
• Security --> Authentication Protocol --> CSIv2 Inbound Transport
• Security --> Authentication Protocol --> CSIv2 Outbound Transport
• Security --> Authentication Protocol --> SAS Inbound Transport
• Security --> Authentication Protocol --> SAS Outbound Transport
• Servers --> Application Servers --> app_server --> Web Container --> HTTP transports --> host
• Servers --> Application Servers --> app_server --> Server Level Security --> CSIv2 Inbound Transport
• Servers --> Application Servers --> app_server --> Server Security --> CSIv2 OutboundTransport
• Servers --> Application Servers --> app_server --> Server Security --> SAS Inbound Transport
• Servers --> Application Servers --> app_server --> Server Security --> SAS Outbound Transport
• Servers --> Application Servers --> app_server --> Administration Services --> JMX Connectors --> SOAPConnector --> Custom Properties --> sslConfig

In this list, app_server is the name of your application server and host is the value of the host property for an HTTP transport.

Updating the soap.client.props files

The soap.client.props file is used to support secure SOAP connections for administrative tools. See Use wsadmin in a secure environment in the Administration topic for more information about configuring secure SOAP connections for administrative tools.

Edit the soap.client.props files to set the following properties for your new client keystore files:

• com.ibm.ssl.keyStore
• com.ibm.ssl.keyStorePassword
• com.ibm.ssl.trustStore
• com.ibm.ssl.trustStorePassword

Note: To encode passwords in your soap.client.props files see Manually encoding passwords in properties files.

Updating the SSL configuration for the WebSphere Web server plug-in

For more information about updating the SSL configuration for the plug-in, see Configure SSL for WebSphere plug-ins.

Note: SSL is enabled for the Web server plug-in in the default configuration.