SSL configuration
This topic describes how to how to configure an IBM® WebSphere® sMash application to accept requests from clients using HTTPS.
The configuration described in this topic allows an application to accept requests
from clients using HTTPS.
For information about configuring an application to make outbound HTTPS requests
using the Connection API, see
HTTP and HTTPS protocols.
SSL configuration reference
The following table lists configuration that can be included in zero.config
to enable an application to accept requests using HTTPS:
| Configuration key | Description | Default |
|---|---|---|
/config/https/port
|
The port number on which the application will listen for HTTPS requests. |
-1 (no HTTPS listener) |
/config/https/ipAddress
|
The HTTPS listener will be bound the specified IP address. | If not specified then requests coming in on any of the machine's network adapters will be accepted. |
/config/https/sslconfig#keyStore
|
The location of the key store file containing the private SSL keys and certificates for the application. | Required. |
/config/https/sslconfig#keyStorePassword
|
The password for accessing the key store. XOR strings are allowed. See Leveraging XOREncoding for more information. | Required. |
/config/https/sslconfig#keyStoreType
|
The type of file used for the key store. See the Key store types section for more information. | Required. |
/config/https/sslconfig#trustStore
|
The location of the trust store file containing the public SSL keys and certificates for the application. | If not set then no trust store file will be used. |
/config/https/sslconfig#trustStorePassword
|
The password for accessing the trust store. XOR strings are allowed. See Leveraging XOREncoding for more information. | Required if trustStore is set. |
/config/https/sslconfig#trustStoreType
|
The type of file used for the trust store. See the Key store types section for more information. | Required if trustStore is set. |
/config/https/sslconfig#clientAuthentication
|
Boolean value indicating whether to require client authentication for an SSL connection. | No, defaults to false. |
Configuring an application to accept requests using HTTPS does not automatically prevent it from
also accepting requests using HTTP. To prevent the application from accepting HTTP requests,
set /config/http/port = -1.
Key stores and trust stores
When you configure an application to accept requests using HTTPS, you must define a key store. The key store must contain the private keys that the application will use when negotiating an incomming HTTPS connection from a client.
Trust stores normally contain the public keys used by the server to negotiate a connection with a client. If a trust store is not defined, then the public keys must also be stored within the defined key store. The defined key store is used as both the source for the private and public encryption keys.
Most application development and testing occurs with privately created and signed encryption keys in which only the key store configuration is necessary. When a certificate is obtained from a commercial certificate authority, they supply both the key store and trust store files.
Key store types
WebSphere sMash uses the Java™ Secure Socket Extension (JSSE) implementation provided by the Java runtime and supports all of the key types of the underlying JSSE implementation. JSSE became a standard extension to J2SE in Java 2 Standard Edition 5.0.
The exact key types supported by the JSSE implementation vary between JDK vendors, however the most common key types are Java Key Store (JKS) and Personal Information Exchange Syntax Standard (PKCS12).
For more information on the key types supported by a specific JDK, see the JSSE documentation of the vendor.
The following JSSE documentation links show documentation provided by some vendors:
Example SSL configuration
The following extract shows an example configuration to allow an application to accept requests over HTTPS:
/config/https/port = 8443
/config/https/sslconfig = {
"keyStore": "./config/key.jks",
"keyStorePassword": "<xor>JTotMC8+LCw=",
"keyStoreType": "JKS"
}
The example configurations specifies a JKS key store file but not a separate trust store file. The password for the key store has been encoded using the XOR encoder command. For more information on the XOR encoder command, see Leveraging XOREncoding.
After adding this configuration to an application, a client can send requests over HTTPS using the following URL:
https://localhost:8443/
Default SSL certificate for testing
The component zero.core.webtools provides a preconfigured test SSL certificate
for use during development. To enable the use of the SSL configuration for an application,
all that is required is to specify the https port in addition to adding zero.core.webtools as a dependency.
It is important to remember that the test certificate is for testing purposes only and should not be used for deployed applications. Refer to the following section to create a valid certificate once initial testing has completed.
Creating an SSL certificate
There are many tools for creating and managing SSL certificates and keys. Any tools that support the creation of certificates in which the types match the supported types of the underlying JSSE implementation can be used.
Two of the most common SSL key management tools for Java developers are IBM's IKeyman and Sun's keytool, both of which are distributed with their respective Java development kits.
For examples of creating certificates and keys with these tools, see the following articles:
