4.15 SSL Support

LANSA Integrator supplied HTTP services can communicate over SSL/TLS via the standard Java Secure Socket Extension (JSSE). The trust store, key store and debug settings are therefore the standard javax.net.ssl.* properties, configured in the JSM manager.properties file.

Use the IBM Information Center site to configure your IBM i for SSL support.

Following is an example of a JSM manager.properties file. Every SSL line is commented out, so as shipped the JVM falls back to its defaults: the JDK's cacerts file as trust store and no client key store.

#
# Java Service Manager configuration
#
# javax.net.ssl.keyStore=
# javax.net.ssl.keyStoreType=jks
# javax.net.ssl.keyStorePassword=
# javax.net.ssl.trustStore=
# javax.net.ssl.trustStoreType=jks
# javax.net.ssl.trustStorePassword=
# javax.net.debug=all
# javax.net.debug=ssl,handshake,data,trustmanager
#
# ssl.KeyManagerFactory.algorithm=IBMX509
# ssl.TrustManagerFactory.algorithm=IBMX509
# ssl.SocketFactory.provider=com.ibm.jsse.JSSESocketFactory
# ssl.ServerSocketFactory.provider=com.ibm.jsse.JSSEServerSocketFactory

Uncomment and complete only the lines you need. The two javax.net.debug lines are for troubleshooting handshake failures: "all", and the "data" option of the second form, write handshake material and decrypted application data to the JVM's standard output, so remove them again once the problem is found. The keyStorePassword and trustStorePassword values are stored in clear text, so restrict read access to manager.properties and to the store files to the user profile that runs JSM.
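The following Java program is an added example, not code from LANSA Integrator: it reads the same javax.net.ssl.* and ssl.*Factory.algorithm keys from a manager.properties file and initialises an SSLContext from them, which surfaces a wrong path, password or store type before JSM is started. The file location (first argument, default ./manager.properties), the fallback to the JDK's default trust store when javax.net.ssl.trustStore is absent, and the reading of the keys as plain properties are assumptions; how JSM itself applies the file is not modelled.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import java.util.Properties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example: builds an SSLContext from the SSL keys in a JSM manager.properties file so that a
// wrong path, password or store type is reported before JSM is started. The file location is an
// assumption (first argument, default ./manager.properties); JSM's own loading of the file is not modelled.
public class CheckJsmSslStores {

    public static void main(String[] args) throws Exception {
        String file = args.length > 0 ? args[0] : "manager.properties";
        Properties p = new Properties();
        InputStream in = new FileInputStream(file);
        try {
            p.load(in);                 // '#' lines are comments, so untouched sample lines are ignored
        } finally {
            in.close();
        }

        // Debug output left enabled writes handshake material, and with "data" decrypted traffic, to stdout.
        String debug = p.getProperty("javax.net.debug");
        if (debug != null) {
            System.out.println("WARNING: javax.net.debug=" + debug + " is active; remove it after troubleshooting");
        }

        // Trust store: the CA certificates used to authenticate the remote server.
        // When javax.net.ssl.trustStore is absent, JSSE falls back to the JDK's cacerts file.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                p.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()));
        KeyStore trust = openStore(p, "javax.net.ssl.trustStore",
                "javax.net.ssl.trustStoreType", "javax.net.ssl.trustStorePassword");
        if (trust == null) {
            System.out.println("no trust store configured; the JDK default (cacerts) will be used");
            tmf.init((KeyStore) null);
        } else {
            for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
                System.out.println("trusted entry: " + e.nextElement());
            }
            tmf.init(trust);
        }

        // Key store: the certificate and private key presented when the server requests client authentication.
        // It is optional; a server that never asks for a client certificate needs only the trust store.
        KeyManagerFactory kmf = null;
        KeyStore keys = openStore(p, "javax.net.ssl.keyStore",
                "javax.net.ssl.keyStoreType", "javax.net.ssl.keyStorePassword");
        if (keys != null) {
            kmf = KeyManagerFactory.getInstance(
                    p.getProperty("ssl.KeyManagerFactory.algorithm", KeyManagerFactory.getDefaultAlgorithm()));
            // The default key manager uses the keyStorePassword value for the private-key entries as well.
            kmf.init(keys, p.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray());
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext initialised; stores and passwords are usable");
    }

    // Loads the store named by pathKey, or returns null when that key is not set (commented out).
    static KeyStore openStore(Properties p, String pathKey, String typeKey, String pwKey) throws Exception {
        String path = p.getProperty(pathKey);
        if (path == null) {
            return null;
        }
        KeyStore ks = KeyStore.getInstance(p.getProperty(typeKey, KeyStore.getDefaultType()));
        String pw = p.getProperty(pwKey);
        InputStream in = new FileInputStream(path);
        try {
            // A missing password still loads a JKS file but skips its integrity check; pass it when you have it.
            ks.load(in, pw == null ? null : pw.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }
}
```

Run it with the JDK that JSM uses (java CheckJsmSslStores /path/to/manager.properties) so that the IBMX509 algorithm names and the store types resolve against the same providers JSM will see; an exception from ks.load or kmf.init points at the exact property that is wrong.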

Java Trust/Key Store

By default, IBM Technology for Java JDKs use the cacerts file as the trust store: it is the store JSSE consults when javax.net.ssl.trustStore is not set. There is no default key store, so a client certificate is only presented when one is configured.

The location of the cacerts file depends upon the JDK version and bit mode. The cacerts file is located in one of the following directories:

/QOpenSys/QIBM/ProdData/JavaVM/jdk50/32bit/jre/lib/security
/QOpenSys/QIBM/ProdData/JavaVM/jdk50/64bit/jre/lib/security
/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre/lib/security
/QOpenSys/QIBM/ProdData/JavaVM/jdk60/64bit/jre/lib/security
/QOpenSys/QIBM/ProdData/JavaVM/jdk70/32bit/jre/lib/security
/QOpenSys/QIBM/ProdData/JavaVM/jdk70/64bit/jre/lib/security
/QOpenSys/QIBM/ProdData/JavaVM/jdk80/32bit/jre/lib/security
/QOpenSys/QIBM/ProdData/JavaVM/jdk80/64bit/jre/lib/security

By default, IBM Classic JDKs 1.5 and 1.6 also use the cacerts file as the trust store. The location of the cacerts file depends upon the JDK version:

/QIBM/ProdData/Java400/jdk15/lib/security
/QIBM/ProdData/Java400/jdk6/lib/security

The cacerts file ships with the Java default password "changeit" and contains only the public CA certificates supplied with the JDK. If an HTTP service must trust a private or self-signed CA, either import that CA certificate into the cacerts file of the JDK that JSM runs with (keytool -importcert), or, preferably, keep it in a separate trust store named by javax.net.ssl.trustStore so that a JDK PTF or upgrade that replaces the ProdData files does not silently remove it.

SSL Client Authentication on the Client

If the server is configured for client authentication then, after the client has authenticated the server, the server requests the client's certificate.

The client sends its certificate (with any intermediate CA certificates) and proves possession of the matching private key by signing the handshake. The server then performs the same validation the client did for the server's certificate: it checks the signature and validity period and confirms that the chain leads to a CA certificate in its list of trusted certificates.

If the trust manager is Digital Certificate Manager then the certificate to be sent to the server for authentication is specified by the os400.certificateLabel property.

Some servers require the certificate to carry an Extended Key Usage extension that includes the clientAuth purpose (OID 1.3.6.1.5.5.7.3.2); a certificate whose Extended Key Usage lists only serverAuth is rejected by such servers.

The CA certificate that signed the client certificate will need to be sent to the other party to be included in the server's list of trusted certificates. Send only the CA certificate; the client's private key never leaves the client.
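The following Java program is an added example, not part of LANSA Integrator: it checks that a key-store entry is fit to answer a server's certificate request (private key present, certificate valid, Key Usage allowing signatures, Extended Key Usage including 1.3.6.1.5.5.7.3.2 when the extension exists) and prints the issuing CA certificate in PEM form for the server's administrator. It assumes a JKS file whose alias plays the role that os400.certificateLabel plays for Digital Certificate Manager; the path, password and alias are command-line arguments, and java.util.Base64 requires Java 8.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.List;

// Added example: checks that a key-store entry can answer a server's certificate request and prints
// the issuing CA certificate in PEM form for the server's administrator. Store path, password and
// alias are assumed to come from the command line; nothing here is LANSA Integrator code.
public class CheckClientCert {

    // id-kp-clientAuth, the extended key usage value some servers insist on.
    static final String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: CheckClientCert <keystore.jks> <password> <alias>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[1].toCharArray());
        } finally {
            in.close();
        }
        String alias = args[2];   // in a JKS file this is what os400.certificateLabel names in DCM

        // The server is answered with a signature over the handshake, so a private key is mandatory.
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("'" + alias + "' is not a private-key entry");
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];
        leaf.checkValidity();     // throws CertificateExpiredException or CertificateNotYetValidException

        // Key Usage bit 0 is digitalSignature; when the extension is present it must allow signing.
        boolean[] ku = leaf.getKeyUsage();
        if (ku != null && !ku[0]) {
            throw new IllegalStateException("Key Usage does not permit digitalSignature");
        }

        // An EKU extension that is present but lacks clientAuth is rejected by strict servers; an absent
        // extension is normally accepted for any purpose, so only the first case is treated as an error.
        List<String> eku = leaf.getExtendedKeyUsage();
        if (eku != null && !eku.contains(CLIENT_AUTH_OID)) {
            throw new IllegalStateException("EKU extension present but lacks clientAuth " + CLIENT_AUTH_OID);
        }
        System.out.println("subject: " + leaf.getSubjectX500Principal());
        System.out.println("issuer:  " + leaf.getIssuerX500Principal());
        System.out.println("EKU:     " + (eku == null ? "not present" : eku.toString()));

        // The server must trust the CA that signed the leaf: hand over the CA certificate, never the key.
        if (chain.length > 1) {
            System.out.println("issuing CA certificate for the server's trusted list:");
            System.out.println(toPem((X509Certificate) chain[1]));
        } else {
            System.out.println("store holds only the leaf; obtain the certificate of "
                    + leaf.getIssuerX500Principal() + " separately");
        }
    }

    // PEM encoding: base64 of the DER bytes, wrapped at 64 columns, between the standard markers.
    static String toPem(X509Certificate c) throws Exception {
        String body = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(c.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----";
    }
}
```

The PEM text it prints is what the server's administrator imports into the server's trusted CA list; a handshake that fails with an unknown-CA alert after that usually means the client presented a different certificate than the one checked here.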

SSL Client Authentication on the Server

On the server side the same exchange is enabled in the IBM HTTP Server (powered by Apache) configuration. The SSLClientAuth directive makes the server request the client's certificate once the client has authenticated the server, and SSLAppName names the Digital Certificate Manager application whose server certificate and trusted CA list the server uses:

<VirtualHost 10.2.0.170>
  Options None
  ServerName SERVER1
  SSLEngine On
  SSLClientAuth required
  SSLAppName QIBM_HTTP_SERVER_JSMSSL
</VirtualHost>

The client then sends its signed certificate and the server performs the same validation the client did for the server's certificate, checking the signature and validity period and comparing the certificate chain against its list of trusted CA certificates. With SSLClientAuth required, a client that presents no certificate, or one that does not chain to a trusted CA, fails the handshake rather than being served. The client's CA certificate therefore has to be added to the trusted CA list of the QIBM_HTTP_SERVER_JSMSSL application in Digital Certificate Manager.