How To
Summary
The ISIM DAML code uses the keystore or truststores that are defined on the Java Virtual Machine (JVM), not the WebSphere ones. By default, the JVM uses cacerts as the default truststore. There is no default keystore; in that case, the DAML code creates an empty keystore to use, and that keystore does not contain the client certificate. Also, IBM Security Identity Manager expects these stores to be in the format that is specified by "keystore.type" in the jre/lib/security/java.security file. This is "jks" by default.
Steps
There are two ways to specify the stores to IBM Security Identity Manager:
(1) Add the keystore or truststores as the Java Virtual Machine properties.
- On the WebSphere Application Server administrative console, click Servers > Application Servers > server1 > Process Definition > Java Virtual Machine > Custom Properties > New.
- Define the name of the javax properties that have been changed using a key management tool. The javax property values you set in the WebSphere Application Server administrative console must reflect the same values that you set using a key management utility.
Property Name | Description | Default Value
javax.net.ssl.trustStore | File path of the truststore file. If you do not use javax.net.ssl.keyStore to specify a client certificate, you can use the truststore to install CA certificates and client certificates. | jre_install_dir\lib\security\cacerts (example: C:\Program Files\WebSphere\AppServer\java\jre\lib\security\cacerts)
javax.net.ssl.trustStorePassword | Password that protects the truststore. | changeit
javax.net.ssl.trustStoreType | Key database type. This property is required for the truststore. The value is specified when creating a self-signed certificate. | jks
javax.net.ssl.keyStore | File path of the keystore file. The keystore contains the certificate used by the IBM Security Identity Manager Server. The certificate must be present either in the keystore or the truststore if the application operating as an SSL server (for example, an ADK-based adapter) is set to require client authentication. If this property is not defined, the truststore must contain the certificate when client authentication is required. | None. The truststore file path is searched by default.
javax.net.ssl.keyStorePassword | Password that protects the keystore. | changeit (this is the default password for the JVM default truststore)
Note: This approach exposes the keystore or truststore passwords as JVM custom properties. To avoid this, see WAS javax.net.ssl.trustStorePassword disclosure.
(2) Specify the values in the enRole.properties file.
You can override the JVM settings by configuring the DAML Context settings in <ISIM_HOME>\data\enRole.properties to point to your JKS files, or to a single JKS that you created with 'ikeyman'.
If the new Java keystore and truststore are the same file, 'myJKS', and the password is 'myJKSpassword', add the lines below anywhere in enRole.properties:
########### Two Way SSL #####################
com.ibm.daml.jndi.DAMLContext.KEY_STORE=c:\\progra~1\\IBM\\WebSphere\\AppServer\\java\\jre\\lib\\security\\myJKS
com.ibm.daml.jndi.DAMLContext.KEY_STORE_PASSWORD=myJKSpassword
########### One way SSL #####################
com.ibm.daml.jndi.DAMLContext.TRUST_STORE=c:\\progra~1\\IBM\\WebSphere\\AppServer\\java\\jre\\lib\\security\\myJKS
com.ibm.daml.jndi.DAMLContext.TRUST_STORE_PASSWORD=myJKSpassword
You must restart ISIM, or the WebSphere Application Server that hosts ISIM, for the changes to take effect.
Note: ISIM attempts to use the enRole.properties settings before it looks at the JVM settings. You can also edit the enRoleLogging.properties file to set the DAML line to DEBUG_MAX to see all the handshake details from IBM Security Identity Manager. This helps to show whether it is finding the keystore and the client certificate.
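As an added pre-flight check (not IBM's code and not part of this technote), the following Python script applies the precedence described here, DAMLContext keys in enRole.properties first, then the javax.net.ssl.* JVM custom properties, then the JVM defaults, and flags the two failure modes this document describes: no keystore at all (DAML then builds an empty one without the client certificate) and a store path that contains whitespace, as happens when a wrapped path is pasted into enRole.properties. The sample enRole.properties text and JVM property values are constructed for illustration.

```python
import re

# Keys the DAML code reads, in the order it consults them (enRole.properties first).
ENROLE_KEYS = {"keystore": "com.ibm.daml.jndi.DAMLContext.KEY_STORE",
               "truststore": "com.ibm.daml.jndi.DAMLContext.TRUST_STORE"}
JVM_KEYS = {"keystore": "javax.net.ssl.keyStore", "truststore": "javax.net.ssl.trustStore"}


def parse_properties(text):
    """Minimal Java .properties reader: drops comments, unescapes '\\\\' to '\\'."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props


def resolve_daml_stores(enrole_text, jvm_props):
    """Return the effective keystore/truststore and the problems a handshake would hit."""
    enrole = parse_properties(enrole_text)
    result, warnings = {}, []
    for store in ("keystore", "truststore"):
        if ENROLE_KEYS[store] in enrole:          # enRole.properties wins
            path, source = enrole[ENROLE_KEYS[store]], "enRole.properties"
        elif JVM_KEYS[store] in jvm_props:        # then the JVM custom property
            path, source = jvm_props[JVM_KEYS[store]], "JVM custom property"
        else:                                     # then the JVM default
            path, source = None, "JVM default"
        if path and re.search(r"\s", path):       # a wrapped or pasted path never opens
            warnings.append(f"{store} path contains whitespace: {path!r}")
        result[store] = {"path": path, "source": source}
    if result["keystore"]["path"] is None:        # DAML then builds an empty keystore
        warnings.append("no keystore configured: client certificate must be in the truststore")
    if result["truststore"]["path"] is None:      # the JVM falls back to cacerts
        result["truststore"]["path"] = "jre/lib/security/cacerts"
    result["warnings"] = warnings
    return result


# Constructed sample: a one-way SSL block carrying the stray space that a pasted
# path often contains, and a keystore supplied only as a JVM custom property.
SAMPLE_ENROLE = r"""########### One way SSL #####################
com.ibm.daml.jndi.DAMLContext.TRUST_STORE=c:\\progra~1\\IBM\\WebSphere\\ AppServer\\java\\jre\\lib\\security\\myJKS
com.ibm.daml.jndi.DAMLContext.TRUST_STORE_PASSWORD=myJKSpassword
"""
SAMPLE_JVM = {"javax.net.ssl.keyStore": r"C:\keys\myJKS"}
```

Run `resolve_daml_stores(SAMPLE_ENROLE, SAMPLE_JVM)["warnings"]` against your own enRole.properties text and JVM custom properties before enabling DAML DEBUG_MAX tracing.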
Document Information
Modified date:
03 July 2018
UID
ibm10713583