186 lines
9.1 KiB
HTML
186 lines
9.1 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<html>
|
|
<head>
|
|
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
|
|
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
|
|
|
|
<title>Using Java key storefiles</title>
|
|
</head>
|
|
|
|
<BODY>
|
|
<!-- Java sync-link -->
|
|
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
|
|
|
|
<h5><a name="secjavajsse"></a>Using Java keystore files</h5>
|
|
|
|
<p>If you are porting a JSSE application from another platform, or require the Java JSSE interfaces to certificate storage using Java keystore files, or require access to miscellaneous SSL implementation classes such as com.ibm.net.ssl.SSLContext, use the configuration steps below to use Java JSSE. Also, you may use Java keystore files for applications that use the java.net.URL class to provide a direct connection to the Web server through HTTPS protocol. For more information, see <a href="secjavahttps.htm">Configure SSL for java.net.URL HTTPS protocol</a>.</p>
|
|
|
|
<p><strong>Configure the client Java keystore</strong></p>
|
|
|
|
<p>This step may be omitted if you already have a client Java keystore file populated with the required personal and signer certificates.</p>
|
|
|
|
<p>To configure the client Java keystore, create an SSL key file that is used for both trust validation and key storage. Peform these steps:</p>
|
|
|
|
<ol>
|
|
<li><p>Start the iKeyman utility on your workstation. For more information, see <a href="ikeyman.htm">The iKeyman utility</a>.</p></li>
|
|
|
|
<li>Create a new key database file:
|
|
<ol type="a">
|
|
<li>Click <strong>Key Database File</strong> and select <strong>New</strong>.</li>
|
|
<li>Specify settings:
|
|
<ul>
|
|
<li><strong>Key database type</strong>: JKS</li>
|
|
<li><strong>File Name</strong>: clientAppKeys.jks</li>
|
|
<li><strong>Location</strong>: your myKeys directory, such as <tt>WAS_INSTANCE_ROOT/myKeys</tt></li>
|
|
</ul></li>
|
|
|
|
<li>Click <strong>OK</strong>.</li>
|
|
<li>Enter a password (twice for confirmation) and click <strong>OK</strong>.</li>
|
|
</ol><p></p></li>
|
|
|
|
<li><p>Click <strong>Signer Certificates</strong> and select <strong>Personal Certificates</strong>.</p></li>
|
|
<li>Add a new self-signed certificate:
|
|
|
|
<ol type="a">
|
|
<li>Click <strong>New Self-Signed</strong> to add a self-signed certificate.</li>
|
|
<li>Specify settings:
|
|
<ul>
|
|
<li><strong>Key Label</strong>: clientAppTest</li>
|
|
<li><strong>Common Name</strong>: use the DNS name for your iSeries server</li>
|
|
<li><strong>Organization</strong>: IBM</li>
|
|
</ul></li>
|
|
<li>Click <strong>OK</strong>.</li>
|
|
</ol><p></p></li>
|
|
|
|
<li>Extract the certificate from this self-signed certificate so that it can be imported into the server application's SSL key file:
|
|
|
|
<ol type="a">
|
|
<li>Click <strong>Extract Certificate</strong>.</li>
|
|
<li>Specify settings:
|
|
<ul>
|
|
<li><strong>Data Type</strong>: Base64-encoded ASCII data</li>
|
|
<li><strong>Certificate file name</strong>: clientAppsCA.arm</li>
|
|
<li><strong>Location</strong>: the path to your myKeys directory</li>
|
|
</ul></li>
|
|
<li>Click <strong>OK</strong>.</li>
|
|
</ol><p></p></li>
|
|
|
|
<li>Import the server application's CA certificate from the serverAppKeys.jks file:
|
|
<ol type="a">
|
|
<li>Click <strong>Personal Certificates</strong> and select <strong>Signer Certificates</strong>.</li>
|
|
<li>Click <strong>Add</strong>.</li>
|
|
<li>Specify settings:
|
|
<ul>
|
|
<li><strong>Data Type</strong>: Base64-encoded ASCII data</li>
|
|
<li><strong>Certificate file name</strong>: serverAppsCA.arm</li>
|
|
<li><strong>Location</strong>: the path to your myKeys directory</li>
|
|
</ul></li>
|
|
<li>Click <strong>OK</strong>.</li>
|
|
</ol><p></p></li>
|
|
|
|
<li><p>Enter serverAppsCA for the label and click <strong>OK</strong>.</p></li>
|
|
<li><p>Click <strong>Key Database File</strong>.</p></li>
|
|
<li><p>Select <strong>Exit</strong>.</p></li>
|
|
</ol>
|
|
|
|
<p><strong>Configure the server Java keystore</strong></p>
|
|
|
|
<p>This step may be omitted if you already have a server Java keystore file populated with the required personal and signer certificates.</p>
|
|
|
|
<p>To configure the server Java keystore, create an SSL key file used for both trust validation and key storage. Perform these steps:</p>
|
|
|
|
<ol>
|
|
<li><p>Start iKeyman on your workstation. For more information, see <a href="ikeyman.htm">The iKeyman utility</a>.</p></li>
|
|
<li>Create a new key database file:
|
|
<ol type="a">
|
|
<li>Click <strong>Key Database File</strong> and select <strong>New</strong>.</li>
|
|
<li>Specify settings:
|
|
<ul>
|
|
<li><strong>Key database type</strong>: JKS</li>
|
|
<li><strong>File Name</strong>: serverAppKeys.jks</li>
|
|
<li><strong>Location</strong>: your myKeys directory, such as <tt>WAS_INSTANCE_ROOT/myKeys</tt></li>
|
|
</ul></li>
|
|
<li>Click <strong>OK</strong>.</li>
|
|
<li>Enter a password (twice for confirmation) and click <strong>OK</strong>..</li>
|
|
</ol><p></p></li>
|
|
|
|
<li>Click <strong>Signer Certificates</strong> and select <strong>Personal Certificates</strong>.</li>
|
|
<li>Add a new self-signed certificate:
|
|
<ol type="a">
|
|
<li>Click <strong>New Self-Signed</strong> to add a self-signed certificate.</li>
|
|
<li>Specify settings:
|
|
<ul>
|
|
<li><strong>Key Label</strong>: serverAppTest</li>
|
|
<li><strong>Common Name</strong>: use the DNS name for your iSeries server</li>
|
|
<li><strong>Organization</strong>: IBM</li>
|
|
</ul></li>
|
|
<li>Click <strong>OK</strong>.</li>
|
|
</ol><p></p></li>
|
|
|
|
<li>Extract the certificate from this self-signed certificate so that it can be imported into the client application's SSL key file:
|
|
<ol type="a">
|
|
<li>Click <strong>Extract Certificate</strong>.</li>
|
|
<li>Specify settings:
|
|
<ul>
|
|
<li><strong>Data Type</strong>: Base64-encoded ASCII data</li>
|
|
<li><strong>Certificate file name</strong>: serverAppsCA.arm</li>
|
|
<li><strong>Location</strong>: the path to your myKeys directory</li>
|
|
</ul></li>
|
|
<li>Click <strong>OK</strong>.</li>
|
|
</ol><p></p></li>
|
|
|
|
<li>Import the client application's CA certificate from the clientAppKeys.jks file:
|
|
<ol type="a">
|
|
<li>Click <strong>Personal Certificates</strong> and select <strong>Signer Certificates</strong>.</li>
|
|
<li>Click <strong>Add</strong>.</li>
|
|
<li>Specify settings:
|
|
<ul>
|
|
<li><strong>Data Type</strong>: Base64-encoded ASCII data</li>
|
|
<li><strong>Certificate file name</strong>: clientAppsCA.arm</li>
|
|
<li><strong>Location</strong>: the path to your myKeys directory</li>
|
|
</ul></li>
|
|
|
|
<li>Click <strong>OK</strong>.</li>
|
|
</ol><p></p></li>
|
|
|
|
<li><p>Enter clientAppsCA for the label and click <strong>OK</strong>.</p></li>
|
|
<li><p>Click <strong>Key Database File</strong>.</p></li>
|
|
<li><p>Select <strong>Exit</strong>.</p></li>
|
|
</ol>
|
|
|
|
<p><strong>Example client JSSE application code</strong></p>
|
|
|
|
<p>Note that your application code cannot use <tt>SocketFactory socketFactory = SSLSocketFactory.getDefault()</tt> to obtain the SocketFactory unless <tt>os400.jdk13.jst.factories=true</tt>
|
|
is specified as either a command line Java virtual machine system property or a security property in the java.security file.</p>
|
|
|
|
<p>For fully supported use of Java keystore files, two other properties which can only be specified in the java.security file must also be set as follows:</p>
|
|
|
|
<pre> ssl.SocketFactory.provider=com.ibm.jsse.JSSESocketFactory
|
|
ssl.ServerSocketFactory.provider=com.ibm.jsse.JSSEServerSocketFactory</pre>
|
|
|
|
<p>The default java.security file in the properties directory provided for each user instance sets the three properties as follows:</p>
|
|
|
|
<pre> os400.jdk13.jst.factories=true
|
|
ssl.SocketFactory.provider=com.ibm.jsse.JSSESocketFactory
|
|
ssl.ServerSocketFactory.provider=com.ibm.jsse.JSSEServerSocketFactory</pre>
|
|
|
|
<p>See <a href="secjssecltex.htm">Example: JSSE client servlet</a>. The client keystore must be placed in the working directory of WebSphere Application Server - Express.</p>
|
|
|
|
<p><strong>Example server JSSE application code</strong></p>
|
|
|
|
<p>Your application code cannot use <tt>ServerSocketFactory serverSocketFactory = SSLServerSocketFactory.getDefault()</tt> to obtain the ServerSocketFactory unless <tt>os400.jdk13.jst.factories=true</tt> is specified as either a command line Java virtual machine system property or a security property in the java.security file.</p>
|
|
|
|
<p>For fully supported use of Java keystore files, two other properties which can only be specified in the java.security file must also be set as follows:</p>
|
|
<pre> ssl.SocketFactory.provider=com.ibm.jsse.JSSESocketFactory
|
|
ssl.ServerSocketFactory.provider=com.ibm.jsse.JSSEServerSocketFactory</pre>
|
|
|
|
<p>The default java.security file in the properties directory provided for each user instance sets the three properties as follows:</p>
|
|
<pre> os400.jdk13.jst.factories=true
|
|
ssl.SocketFactory.provider=com.ibm.jsse.JSSESocketFactory
|
|
ssl.ServerSocketFactory.provider=com.ibm.jsse.JSSEServerSocketFactory</pre>
|
|
|
|
<p>See <a href="secjssesvrex.htm">Example: JSSE server servlet</a>. The server keystore must be placed in the working directory of the WebSphere Application Server - Express.</p>
|
|
|
|
</body>
|
|
</html>
|