Friday, 14 May 2010

Security 3 : websphere, plugin, IHS key database

IHS --> SSLengine ON
Certificate location
keyfile location
chainfile location

Plugin : CMS type=> .kdb
ikeyman tools => generate self-signed cert
extract it to a .arm file
transfer it to a WAS servers to be put it in key (or trust file)
more precisely is "ADD" in signer certificate (not personal certificate)

WAS : jks = javakeystore => a db file of certicates collection (new generated by ikeyman tool)
a. one.jks => private key and trusted certs are here
b. key.jks and trust.jks => private key in key.jks while trusted certs in trust.jks

ikeyman tools ==> generate self-signed cert in personal certs
extract it to a .arm file
transfer it to a Plugin servers to be put it in key.kdb
==> signer certificates => ADD
I wonder why, we need "add" to signer certs as well in WAS side.

If you use LDAPS in WAS, then you "add" also the ldap server certs in that jks file.

Note : 1. dont forget to set the path in ISC to the correct location of jks file
2. ikeyman tools is GUI, gsk7cmd is CLI,
3. keytool can be used as well to read the jks wihtout password
4. during the creation of jks, it prompts password, this password is encrypted in a stash file.
5. .arm = .cer
6. keyring = keystore
7. signer certificate = trust certs = ssl from client side
8. key = private key = ssl from server side

reference : http://publib.boulder.ibm.com/infocenter/wasinfo/v4r0/index.jsp?topic=/com.ibm.websphere.v4.doc/wass_content/06061801a07.html

1 comment:

  1. This is your second blog today that saved me a lot of time as one of the other blog helped me basic configuration of IHS.Thanks man for writing such useful and informative articles that save time of many like me.
    electronic signatures

    ReplyDelete