[Java programming language only]

Developing keystore files for data encryption

[Version 8.6.0.4 and later]You can configure Transport Layer Security (TLS) by modifying or replacing the keystore and truststore, and choosing the certificate alias for your configuration.

Before you begin

  • You must have access to the keytool tool. This tool is in the java_home/bin directory.

About this task

To use SSL or TLS for secure transport, you must create a keystore and a truststore. There are multiple ways and tools to help set up keystore and truststore files, and depending on the tools that are provided with your certificate authority, the specific steps can vary. You can use any tool that can create a compliant .p12 or .jks file. In this task, you use the keytool in Java™ 7, along with the certificate issuance capabilities of the local certificate authority (CA). The Java 7 runtime environment that is shipped with the WebSphere® eXtreme Scale client and server includes keytool, and it also includes a graphical tool, iKeyman, which you might also use. All of the eXtreme Scale servers in a deployment might share copies of a single keystore and truststore, but this file sharing is not necessary.

The keystore must contain one or several certificates of type keyEntry, along with the corresponding private keys. The certificate is typically of one of the following types:
  • Self-signed. In this case, the certificate is its own signer. To establish trust in the certificate, you must export the certificate and import it into the truststore files for each of the client applications, and for each of the eXtreme Scale servers.
  • Signed by a known certificate authority. The certificate of that certificate authority must be in each truststore.
  • A chained certificate that is signed by a local certificate authority. The certificate for the certificate authority at the root of the chain must be added to each truststore.

Procedure

  1. Create or modify the truststore, which contains the signer certificates that the appliance trusts when it connects to other members of the collective, or for ORB configurations, when the appliance makes callbacks to clients.
    Use the following command in the keytool to create a new truststore file. In this example, the root.arm file contains the certificate for the local root CA. This certificate is exported from the CA, using the tools that come with the CA, and then it is shared so that clients and servers trust certificates that are issued by the root CA and any intermediate CAs.
    keytool -importcert -alias root -file d:\chainsample\root.arm -keystore d:\chainsample\wxstrust.jks -storepass ogpass

    The Java runtime environment includes a cacerts file that has certificates from many known CAs. You can use the -trustcacerts option to include these certificates in your truststore.

    You can also add any other certificates for which trust is needed. However, for certificates that are issued by the root CA or its associated intermediate CAs, this certificate is the only one that you must import.

  2. Create a keystore by importing the certificate that you have.
    The keystore must have the root certificate or you cannot use the keytool to import generated certificates:
    keytool -importcert -alias root -file d:\chainsample\root.arm -keystore d:\chainsample\wxskey.jks -storepass ogpass
  3. Generate a key pair.
    In the appliance, the keypass and the storepass name must be the same. The key size, alias, key algorithm, signature algorithm, distinguished name, and validity in the following code snippet are examples only. Specify values according to your local policies.
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -sigalg sha256withRSA -dname cn=server,o=acme -validity 3650 -keypass ogpass -keystore d:\chainsample\wxskey.jks -storepass ogpass
  4. Request a certificate from the local CA. 
    keytool -certreq -alias server -sigalg sha256withRSA -file d:\chainsample\serverreq.arm -keypass ogpass -keystore d:\chainsample\wxskey.jks -dname cn=server,o=acme -storepass ogpass
    The arm file is a certificate request that can be sent to an intermediate CA and used by that CA to build the actual certificate to be used in the appliance keystore.
  5. Import the certificate from the local CA into the new keystore for the appliance.
    In this example, the file, serverresp.arm, is received from the local CA in response to the request. The generated certificate should be a chained certificate that includes, in the chain certificate information for the root CA, certificate information for one or several intermediate CAs that link in a chain to the root and the certificate to be used by the appliance or collective. In the following example, the certificate response is imported:
    keytool -importcert -alias server -file d:\chainsample\serverresp.arm -keypass ogpass -keystore d:\chainsample\wxskey.jks -storepass ogpass
    The following example keystore file includes a chained certificate of the required keyEntry type. The contents of your keystore can be displayed by issuing the keytool -list command. 
    Keystore type: jks
Keystore provider: IBMJCE

Your keystore contains 1 entry

Alias name: server
Creation date: Jul 31, 2013
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=server, O=acme
Issuer: CN=inter, O=acme
Serial number: 697527ba
Valid from: 7/31/13 12:58 PM until: 7/29/23 12:58 PM
Certificate fingerprints:
	 MD5:  F8:29:F1:6E:E3:D5:8C:4E:4C:68:98:AD:7D:90:AF:36
	 SHA1: 2C:42:8B:B6:85:68:B4:A3:A9:46:11:91:E0:8D:68:47:C9:61:C9:02
	 SHA256: 49:A8:EA:AC:99:39:DB:6D:93:38:2E:88:CE:3E:54:1E:14:80:FC:24:C7:63:6E:FD:BA:4E:CE:C1:63:90:6F:DE
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 57 d9 49 2c 5c f8 13 9f  eb 98 a7 2b f5 ae 64 2e  W.I...........d.
0010: fe 2a 02 fd                                        ....
]
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 48 8b 07 dc 6c 20 cd 1b  ec 54 d0 a6 19 c4 02 2e  H...l....T......
0010: af b1 b5 2c                                        ....
]
]

Certificate[2]:
Owner: CN=inter, O=acme
Issuer: CN=root, O=acme
Serial number: 5e399139
Valid from: 7/31/13 12:58 PM until: 7/29/23 12:58 PM
Certificate fingerprints:
	 MD5:  9C:25:76:99:AB:F4:DD:98:35:18:54:03:A5:D8:84:18
	 SHA1: 7C:66:B2:86:6E:D7:2F:0E:70:B1:49:BB:3B:FF:45:CF:90:C2:28:D8
	 SHA256: CB:E7:ED:3E:0F:AF:09:58:4E:EB:94:14:58:45:ED:CC:16:F0:F6:A3:D6:92:50:8F:10:CE:D8:17:07:DE:03:CC
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 69 6e 41 41 a4 17 97 44  4a 8d e0 e3 dc 51 0a d8  inAA...DJ....Q..
0010: d9 0a 5a 49                                        ..ZI
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 57 d9 49 2c 5c f8 13 9f  eb 98 a7 2b f5 ae 64 2e  W.I...........d.
0010: fe 2a 02 fd                                        ....
]
]

Certificate[3]:
Owner: CN=root, O=acme
Issuer: CN=root, O=acme
Serial number: 1d5fdbdd
Valid from: 7/31/13 12:58 PM until: 7/29/23 12:58 PM
Certificate fingerprints:
	 MD5:  06:8F:A0:D0:9A:FB:43:3F:C7:A0:8E:2D:49:61:D8:FE
	 SHA1: 42:9B:9B:4C:FA:82:1B:BF:15:6F:DF:B5:14:C0:85:9D:97:86:2F:0A
	 SHA256: 9F:53:6D:6A:80:D6:6B:5D:C6:E2:BB:45:9B:FC:A1:57:61:F0:4E:2E:1D:F9:D5:0F:B5:69:9B:F1:2C:AC:50:BC
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 69 6e 41 41 a4 17 97 44  4a 8d e0 e3 dc 51 0a d8  inAA...DJ....Q..
0010: d9 0a 5a 49                                        ..ZI
]
]
  6. Upload the new keystore and truststore, and configure the password for each one.
  7. Change the certificate alias setting to match the name of the certificate in the keystore.
    The truststore files for all data grid clients must also be updated to establish trust with the appliance certificate.
  8. Specify an SSL mode from the following options: TCP/IP, where SSL is not used for data grid communication, TLS Supported, and TLS Required.

    The TLS Required setting is suggested for security. When TLS is not used, passwords and sensitive grid data pass unencrypted over the network links connecting the grid clients and the server.

  9. Optional: Enable Federal Information Processing Standard (FIPS).

    You can configure the appliance collective to use FIPS 140-2 for all encrypted network communication. This standard ensures high protection of data as it is sent over the wire. Select Enable FIPS 140-2 Cryptography to enable FIPS.

    Restriction: Some web browser versions do not work with a FIPS-enabled server. Current® versions of most browsers, including Mozilla Firefox, Microsoft Internet Explorer, and Google Chrome, do support communication with FIPS-enabled servers. You might configure the browser to enable TLS because SSLv3 is not supported in FIPS mode. For more information, see the documentation for your browser.
  10. Optional: Enable client certificate authentication.

    When client certificate authentication is enabled, the keystore for each client and browser that communicate with the appliance must be configured to have a certificate that is trusted by the appliance truststore. Client certificate authentication is not used for ORB transport. It is used only for HTTPS and XIO transport. It is not necessary to enable client certificate authentication to have a secure configuration.

What to do next

Configure server-to-server authentication, client authentication, telnet access, and LDAP to finish securing your data grid.