<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Change the default SSL keystore and truststore files</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h4><a name="seccsktf"></a>Change the default SSL keystore and truststore files</h4>
<p>To protect the integrity of the messages being sent across the Internet, it is recommended that you change the default SSL keystore and truststore files that are packaged with WebSphere Application Server - Express. A single location is provided where you can specify SSL configurations that are shared among the WebSphere Application Server - Express features that use SSL, including the LDAP user registry, Web Container, and the Authentication Protocol (CSIv2 and SAS). For information on creating new keystore files, see <a href="secjavajsse.htm">Use Java keystore files</a>.</p>
<p>You can create different keystore and truststore files for different uses, or you can create one file that applies to all cases in which the server uses SSL. After you create the new keystore and truststore files, specify them in the SSL configuration repertoire. To work with the SSL configuration repertoire, expand <strong>Security</strong> and click <strong>SSL</strong> in the administrative console. You can edit <strong>DefaultSSLConfig</strong> or create a new SSL configuration with a new alias.</p>
<p>If you create a new alias for your new keystore and truststore files, you must also change all of the locations that refer to the SSL configuration alias DefaultSSLConfig. In the administrative console, make the change in each of these locations:</p>
<ul>
<li>Security --&gt; User Registries --&gt; LDAP</li>
<li>Security --&gt; Authentication Protocol --&gt; CSIv2 Inbound Transport</li>
<li>Security --&gt; Authentication Protocol --&gt; CSIv2 Outbound Transport</li>
<li>Security --&gt; Authentication Protocol --&gt; SAS Inbound Transport</li>
<li>Security --&gt; Authentication Protocol --&gt; SAS Outbound Transport</li>
<li>Servers --&gt; Application Servers --&gt; <em>app_server</em> --&gt; Web Container --&gt; HTTP transports --&gt; <em>host</em></li>
<li>Servers --&gt; Application Servers --&gt; <em>app_server</em> --&gt; Server Level Security --&gt; CSIv2 Inbound Transport</li>
<li>Servers --&gt; Application Servers --&gt; <em>app_server</em> --&gt; Server Security --&gt; CSIv2 Outbound Transport</li>
<li>Servers --&gt; Application Servers --&gt; <em>app_server</em> --&gt; Server Security --&gt; SAS Inbound Transport</li>
<li>Servers --&gt; Application Servers --&gt; <em>app_server</em> --&gt; Server Security --&gt; SAS Outbound Transport</li>
<li>Servers --&gt; Application Servers --&gt; <em>app_server</em> --&gt; Administration Services --&gt; JMX Connectors --&gt; SOAPConnector --&gt; Custom Properties --&gt; sslConfig</li>
</ul>
<p>In this list, <em>app_server</em> is the name of your application server and <em>host</em> is the value of the <strong>Host</strong> property for an HTTP transport.</p>
<p><strong>Updating the soap.client.props files</strong></p>
<p>The soap.client.props file is used to support secure SOAP connections for administrative tools. See <a href="../admin/wsasecenv.htm">Use wsadmin in a secure environment</a> in the <em>Administration</em> topic for more information about configuring secure SOAP connections for administrative tools.</p>
<p>Edit the soap.client.props files to set the following properties for your new client keystore files:</p>
<ul>
<li>com.ibm.ssl.keyStore</li>
<li>com.ibm.ssl.keyStorePassword</li>
<li>com.ibm.ssl.trustStore</li>
<li>com.ibm.ssl.trustStorePassword</li>
</ul>
<p><strong>Note:</strong> To encode passwords in your soap.client.props files, see <a href="encoding.htm#use_client">Manually encoding passwords in properties files</a>.</p>
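<p>The following added example (not part of the original IBM topic or product code) audits the text of a soap.client.props file for the four properties listed above. It assumes that encoded passwords begin with the <code>{xor}</code> prefix and that the caller supplies the file-name markers that identify the shipped default keystores; the sample file contents and the marker <code>ShippedClient</code> are constructed for illustration.</p>

```python
# Added example: audit soap.client.props text for the four SSL properties.
REQUIRED = (
    "com.ibm.ssl.keyStore",
    "com.ibm.ssl.keyStorePassword",
    "com.ibm.ssl.trustStore",
    "com.ibm.ssl.trustStorePassword",
)

def parse_props(text):
    """Parse simple key=value or key:value Java properties lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # skip blanks and comments
            continue
        for i, ch in enumerate(line):
            if ch in "=:":                   # first separator ends the key
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props

def audit(text, default_markers, encoded_prefix="{xor}"):
    """Return (property, problem) pairs; an empty list means no findings.

    default_markers: substrings that identify shipped default files
    (caller-supplied assumption). encoded_prefix: assumed marker of an
    encoded password.
    """
    findings = []
    props = parse_props(text)
    for key in REQUIRED:
        value = props.get(key, "")
        if not value:
            findings.append((key, "missing or empty"))
        elif key.endswith("Password"):
            if not value.startswith(encoded_prefix):
                findings.append((key, "password is not encoded"))
        elif any(m.lower() in value.lower() for m in default_markers):
            findings.append((key, "still points at a default file"))
    return findings

# Constructed sample, not a real configuration.
SAMPLE = """\
com.ibm.ssl.keyStore=/example/etc/ShippedClientKeyFile.jks
com.ibm.ssl.keyStorePassword=changeit
com.ibm.ssl.trustStore=/example/etc/MyClientTrust.jks
"""

if __name__ == "__main__":
    for prop, problem in audit(SAMPLE, ["ShippedClient"]):
        print(f"{prop}: {problem}")
```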
<p><strong>Updating the SSL configuration for the WebSphere Web server plug-in</strong></p>
<p>For more information about updating the SSL configuration for the plug-in, see <a href="secjsswa.htm#cfgpi">Configure SSL for WebSphere plug-ins</a>.</p>
<p><strong>Note:</strong> SSL is enabled for the Web server plug-in in the default configuration.</p>
</body>
</html>