SSL configuration settings
Use this page to define Secure Sockets Layer (SSL) configuration properties.
To view this administrative console page, click Security > SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations > {Inbound | Outbound} > node name. Under Related items, click SSL configurations > New.
Name
Specifies the unique name of the SSL configuration within the management scope in which it resides. For ways to programmatically access the properties that are configured for this SSL configuration, see the com.ibm.websphere.ssl.JSSEHelper application programming interface (API).
Information | Value |
---|---|
Data type: | Text |
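The following is an added example, not code from the WebSphere documentation, showing how an application resolves the fields on this page through the com.ibm.websphere.ssl.JSSEHelper API mentioned above. The SSL configuration name (NodeDefaultSSLSettings), the remote host and the port are assumptions; the property key names are the ones WebSphere returns for the key store, trust store and the two certificate aliases.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;

import javax.net.ssl.SSLSocketFactory;

import com.ibm.websphere.ssl.JSSEHelper;
import com.ibm.websphere.ssl.SSLException;

public class SslConfigLookup {

    // Keys in the resolved Properties that correspond to the fields on this page.
    static final String KEY_STORE = "com.ibm.ssl.keyStore";
    static final String TRUST_STORE = "com.ibm.ssl.trustStore";
    static final String SERVER_ALIAS = "com.ibm.ssl.keyStoreServerAlias";
    static final String CLIENT_ALIAS = "com.ibm.ssl.keyStoreClientAlias";

    // Connection information for an outbound connection. A configuration name is passed
    // below, so it is used directly; when the name is null WebSphere selects a
    // configuration from this connection information instead.
    static Map<String, Object> outboundInfo(String host, int port) {
        Map<String, Object> info = new HashMap<String, Object>();
        info.put(JSSEHelper.CONNECTION_INFO_DIRECTION, JSSEHelper.DIRECTION_OUTBOUND);
        info.put(JSSEHelper.CONNECTION_INFO_REMOTE_HOST, host);
        info.put(JSSEHelper.CONNECTION_INFO_REMOTE_PORT, Integer.toString(port));
        return info;
    }

    // Resolves the effective SSL properties of the named configuration. The null
    // listener means no callback is registered for configuration changes.
    static Properties resolve(String sslConfigName, Map<String, Object> connectionInfo)
            throws SSLException {
        return JSSEHelper.getInstance().getProperties(sslConfigName, connectionInfo, null);
    }

    // Returns the page fields whose value is unset. An unset alias means the JSSE key
    // manager picks a certificate itself, which is not guaranteed to be the same one
    // on every handshake.
    static List<String> unsetFields(Properties props) {
        List<String> missing = new ArrayList<String>();
        for (String key : new String[] { KEY_STORE, TRUST_STORE, SERVER_ALIAS, CLIENT_ALIAS }) {
            String value = props.getProperty(key);
            if (value == null || value.trim().length() == 0) {
                missing.add(key);
            }
        }
        return missing;
    }

    // Builds a socket factory for an outbound connection that must present a client
    // certificate. It refuses to proceed when the client alias is unset, so the identity
    // shown to the peer is never left to key manager selection.
    static SSLSocketFactory clientAuthSocketFactory(String sslConfigName, String host, int port)
            throws SSLException {
        Map<String, Object> info = outboundInfo(host, port);
        Properties props = resolve(sslConfigName, info);
        if (unsetFields(props).contains(CLIENT_ALIAS)) {
            throw new IllegalStateException(sslConfigName
                    + ": no default client certificate alias configured");
        }
        return JSSEHelper.getInstance().getSSLSocketFactory(info, props);
    }

    public static void main(String[] args) throws SSLException {
        // Assumed configuration name, host and port; replace with values from your cell.
        Properties props = resolve("NodeDefaultSSLSettings", outboundInfo("ldap.example.com", 636));
        System.out.println("key store:    " + props.getProperty(KEY_STORE));
        System.out.println("trust store:  " + props.getProperty(TRUST_STORE));
        System.out.println("server alias: " + props.getProperty(SERVER_ALIAS));
        System.out.println("client alias: " + props.getProperty(CLIENT_ALIAS));
        System.out.println("unset fields: " + unsetFields(props));
    }
}
```

The class must run inside a WebSphere process (or a client with the WebSphere runtime on the class path), because JSSEHelper reads the repository of this cell; it has no meaning in a plain JVM.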
Keyring name
Specifies the name of the keyring for the System SSL configuration. System SSL reads both the personal (identity) certificates and the signer certificates from this single keyring, so this field takes the place of the separate key store and trust store fields.
This field applies to System SSL repertoires only.
Trust store name
Specifies a reference to a specific truststore used by Java™ Secure Sockets Extension (JSSE). The truststore holds signer certificates that validate the trust of certificates sent by remote connections during an SSL handshake.
Information | Value |
---|---|
Data type: | Text |
Default: | selected trust store |
Key store name
Specifies a reference to a specific key store. The key store holds personal certificates that represent the identity of one side of a connection. The personal certificate, which carries the public key, is sent to the other side of the connection to establish trust during the handshake. To validate this personal certificate, the remote side of the connection needs the signer in its truststore: the root certificate authority (CA) certificate for a CA-issued certificate, or the self-signed certificate itself.
Information | Value |
---|---|
Data type: | Text |
Default: | selected key store |
Get certificate aliases
Queries the keystore for the aliases of all the personal certificates in the keystore from which to choose.
Default server certificate alias
Specifies the certificate alias used as the identity for this SSL configuration if one has not been specified elsewhere.
If you select None, the Java Secure Sockets Extension (JSSE) key manager determines which certificate is used. If multiple certificates exist in the key store, the key manager might not consistently select the same certificate.
Be careful when using the localOS SAF security provider, such as RACF. The certificate aliases displayed are obtained by querying, through an MBean, every started process (controller, servant and adjunct regions) in the selected management scope at the time of display.
The server processes (controller, servant and adjunct regions) in the SSL management scope do not necessarily run under the same user ID or use the same keyring. Do not assume, therefore, that every certificate alias in the list is available to every process. Query the SAF security provider to confirm that the SAF keyring of each process user ID contains the alias in question.
The personal alias you select must be connected to both the control region keyring and the servant region keyring. Assigning an alias that does not exist in the keyring of every target server process (controller, servant, adjunct) can cause SSL initialization errors, SSL runtime errors, or both. Initialization errors can disable all SSL behavior for the process. For example, selecting a personal certificate that exists only on the servant region user ID keyring can break inbound SSL to the control region, and selecting a personal certificate that exists only on the control region user ID keyring can break outbound SSL from the servant region.
Consider using SSLConfigGroups instead. SSLConfigGroups prevent SSL initialization errors, although SSL runtime errors can still occur if the certificate alias is not found in the process SAF keyring.
Information | Value |
---|---|
Data type: | Text |
Default client certificate alias
Specifies the certificate alias to be used if this configuration is to be used as a client.
If you select None, the Java Secure Sockets Extension (JSSE) key manager determines which certificate is used. If multiple certificates exist in the key store, the key manager might not consistently select the same certificate.
Be careful when using the localOS SAF security provider, such as RACF. The certificate aliases displayed are obtained by querying, through an MBean, every started process (controller, servant and adjunct regions) in the selected management scope at the time of display.
The server processes (controller, servant and adjunct regions) in the SSL management scope do not necessarily run under the same user ID or use the same keyring. Do not assume, therefore, that every certificate alias in the list is available to every process. Query the SAF security provider to confirm that the SAF keyring of each process user ID contains the alias in question.
The personal alias you select must be connected to both the control region keyring and the servant region keyring. Assigning an alias that does not exist in the keyring of every target server process (controller, servant, adjunct) can cause SSL initialization errors, SSL runtime errors, or both. Initialization errors can disable all SSL behavior for the process. For example, selecting a personal certificate that exists only on the servant region user ID keyring can break inbound SSL to the control region, and selecting a personal certificate that exists only on the control region user ID keyring can break outbound SSL from the servant region.
Consider using SSLConfigGroups instead. SSLConfigGroups prevent SSL initialization errors, although SSL runtime errors can still occur if the certificate alias is not found in the process SAF keyring.
Information | Value |
---|---|
Data type: | Text |
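The warning under both Default server certificate alias and Default client certificate alias is that an alias shown in the list is not necessarily a personal certificate in the keyring of every process. The following is an added example, not code from the WebSphere documentation, that performs that check before an alias is assigned: it opens the keyring of each process user ID with the standard java.security.KeyStore API and reports the processes in which the alias is absent or is only a signer entry. The process names, user IDs (WSCRU1, WSSRU1), ring name and alias are constructed; the JCERACFKS keystore type, the safkeyring:// URL scheme and the java.protocol.handler.pkgs property are those of the IBM JCE provider on z/OS, and the password handling for JCERACFKS is an assumption.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class KeyringAliasCheck {

    // One started process in the management scope together with the keyring that its
    // user ID owns. On z/OS the controller and servant often run under different user IDs.
    static final class ProcessKeyring {
        final String process;
        final String keystoreType; // "JCERACFKS" for a SAF keyring; "JKS" or "PKCS12" for a file
        final String location;     // safkeyring://USERID/RINGNAME, or a file: URL
        ProcessKeyring(String process, String keystoreType, String location) {
            this.process = process;
            this.keystoreType = keystoreType;
            this.location = location;
        }
    }

    // True when the alias names a personal certificate in the keystore, that is a key
    // entry with a private key, rather than a signer-only certificate entry.
    static boolean hasPersonalCertificate(ProcessKeyring pk, String alias, char[] password)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(pk.keystoreType);
        try (InputStream in = new URL(pk.location).openStream()) {
            ks.load(in, password);
        }
        return ks.containsAlias(alias) && ks.isKeyEntry(alias);
    }

    // Returns the processes whose keyring does not hold the alias as a personal
    // certificate. An empty list means the alias can be assigned on this page without
    // causing SSL initialization or runtime errors in any of these processes.
    static List<String> processesMissingAlias(List<ProcessKeyring> processes, String alias,
            char[] password) {
        List<String> missing = new ArrayList<String>();
        for (ProcessKeyring pk : processes) {
            try {
                if (!hasPersonalCertificate(pk, alias, password)) {
                    missing.add(pk.process);
                }
            } catch (Exception e) {
                // A keyring that cannot be opened is treated as missing the alias (fail closed).
                missing.add(pk.process + " (" + e.getMessage() + ")");
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        // The safkeyring:// URL scheme is served by the IBM JCE provider's protocol handler.
        System.setProperty("java.protocol.handler.pkgs", "com.ibm.crypto.provider");
        // Constructed scope: controller and servant run under different user IDs and the
        // adjunct shares the servant's user ID. Replace with the processes of your server.
        List<ProcessKeyring> scope = Arrays.asList(
                new ProcessKeyring("server1 controller", "JCERACFKS", "safkeyring://WSCRU1/WASKeyring"),
                new ProcessKeyring("server1 servant", "JCERACFKS", "safkeyring://WSSRU1/WASKeyring"),
                new ProcessKeyring("server1 adjunct", "JCERACFKS", "safkeyring://WSSRU1/WASKeyring"));
        String alias = args.length > 0 ? args[0] : "WASCert";
        // Assumption: a SAF keyring needs a non-null password value but does not verify it.
        List<String> missing = processesMissingAlias(scope, alias, "password".toCharArray());
        if (missing.isEmpty()) {
            System.out.println("alias " + alias + " is a personal certificate in every process keyring");
        } else {
            System.out.println("do NOT assign alias " + alias + "; missing from: " + missing);
        }
    }
}
```

Run it under the user IDs of the processes (or a user with READ access to their rings), because a SAF keyring is only readable by its owner and by users the security administrator has authorized. The authoritative check remains the security product itself; with RACF that is RACDCERT ID(userid) LISTRING(ringname) from TSO for each process user ID.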
Management scope
Specifies the scope where this SSL configuration is visible. For example, if you choose a specific node, then the configuration is visible only on that node and on any servers that are part of that node.
Information | Value |
---|---|
Data type: | Text |