4.15 SSL Support
The HTTP services supplied with LANSA Integrator can communicate over SSL using the standard Java Secure Socket Extension (JSSE).
Use the IBM Information Center site to configure your IBM i for SSL support.
Following is an example of a JSM manager.properties file. The SSL properties are shipped commented out; uncomment and set the ones that apply to your configuration:
#
# Java Service Manager configuration
#
# javax.net.ssl.keyStore=
# javax.net.ssl.keyStoreType=jks
# javax.net.ssl.keyStorePassword=
# javax.net.ssl.trustStore=
# javax.net.ssl.trustStoreType=jks
# javax.net.ssl.trustStorePassword=
# javax.net.debug=all
# javax.net.debug=ssl,handshake,data,trustmanager
#
# ssl.KeyManagerFactory.algorithm=IBMX509
# ssl.TrustManagerFactory.algorithm=IBMX509
# ssl.SocketFactory.provider=com.ibm.jsse.JSSESocketFactory
# ssl.ServerSocketFactory.provider=com.ibm.jsse.JSSEServerSocketFactory
Java Trust/Key Store
By default, IBM Technology for Java JDKs use the cacerts file as the trust/key store.
The location of the cacerts file depends on the JDK version and bit mode; it is in one of the following directories:
/QOpenSys/QIBM/ProdData/JavaVM/jdk50/32bit/jre/lib/security
/QOpenSys/QIBM/ProdData/JavaVM/jdk50/64bit/jre/lib/security
/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre/lib/security
/QOpenSys/QIBM/ProdData/JavaVM/jdk60/64bit/jre/lib/security
/QOpenSys/QIBM/ProdData/JavaVM/jdk70/32bit/jre/lib/security
/QOpenSys/QIBM/ProdData/JavaVM/jdk70/64bit/jre/lib/security
By default, IBM Classic JDKs 1.5 and 1.6 also use the cacerts file as the trust/key store.
The location of the cacerts file depends on the JDK version:
/QIBM/ProdData/Java400/jdk15/lib/security
/QIBM/ProdData/Java400/jdk6/lib/security
By default, IBM Classic JDK 1.4 uses Digital Certificate Manager (DCM) rather than a cacerts file.
The IBM Classic JDK 1.4 cacerts file is located in the following directory:
/QIBM/ProdData/Java400/jdk14/lib/security
To configure IBM Classic JDK 1.4 to use a cacerts file as the trust/key store instead of DCM, edit the manager.properties file and enable (uncomment) the following properties:
ssl.KeyManagerFactory.algorithm=IBMX509
ssl.TrustManagerFactory.algorithm=IBMX509
ssl.SocketFactory.provider=com.ibm.jsse.JSSESocketFactory
ssl.ServerSocketFactory.provider=com.ibm.jsse.JSSEServerSocketFactory
When Digital Certificate Manager is the trust manager, the digital certificate used for client authentication connections is either the system default certificate or one you select.
To specify which digital certificate to use, set the following properties (the label and path shown are placeholders):
os400.certificateLabel=MYLABEL
os400.certificateContainer=/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KDB
Digital certificate containers (key databases) store digital certificates. To use the IBM i system default certificate container, omit os400.certificateContainer; to use a specific container, set os400.certificateContainer to the path of that container.
SSL Client Authentication on the Client
If the server is configured for client authentication, then after the client has authenticated the server, the server requests the client's certificate.
The client sends its signed certificate (and proves possession of the matching private key), and the server validates it the same way the client validated the server's certificate: by checking that it chains to a certificate in the server's list of trusted certificates.
If the trust manager is Digital Certificate Manager, the certificate sent to the server for authentication is the one named by the os400.certificateLabel property.
Some servers require the certificate to carry the extended key usage 'client authentication' (OID 1.3.6.1.5.5.7.3.2); a certificate whose extended key usage extension omits it is rejected by such servers.
The CA certificate that signed the client certificate must be sent to the other party and added to the server's list of trusted certificates; until it is, the server rejects the client certificate and the handshake fails.
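The following is an added example, not code from LANSA Integrator or the JSM. It loads the same two JKS files that the javax.net.ssl.keyStore and javax.net.ssl.trustStore properties in manager.properties point at, checks each client identity before it is offered for client authentication (validity period and the 'client authentication' extended key usage), prints the issuing CA certificate as PEM so it can be handed to the server operator, and then opens an HTTPS connection with that identity. The class name, the file names, passwords and URL in the usage line, and the hypothetical command line are assumptions; supply your own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example (not LANSA/JSM code). Hypothetical invocation, all values are assumptions:
 *   java ClientAuthCheck client.jks changeit cacerts changeit https://host/path
 * Argument order: keyStore keyPassword trustStore trustPassword https-url
 */
public class ClientAuthCheck {

    /* id-kp-clientAuth: the extended key usage some servers insist on. */
    static final String CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2";

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // javax.net.ssl.keyStoreType=jks
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /* No EKU extension means the certificate may be used for anything; if the
     * extension is present it must list clientAuth to be usable for client auth. */
    static boolean allowsClientAuth(X509Certificate cert) throws Exception {
        List<String> eku = cert.getExtendedKeyUsage();
        return eku == null || eku.contains(CLIENT_AUTH_EKU);
    }

    static String toPem(Certificate cert) throws Exception {
        String body = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(cert.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----";
    }

    /* Report on every private-key entry: these are the identities the key manager
     * can present when the server sends its certificate request. */
    static void inspectClientIdentities(KeyStore keyStore) throws Exception {
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!keyStore.isKeyEntry(alias)) {
                continue;
            }
            Certificate[] chain = keyStore.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println(alias + ": " + leaf.getSubjectX500Principal());
            try {
                leaf.checkValidity();
            } catch (CertificateException notValid) {
                System.out.println("  NOT VALID NOW: " + notValid.getMessage());
            }
            System.out.println("  clientAuth EKU acceptable: " + allowsClientAuth(leaf));
            if (chain.length > 1) {
                System.out.println("  CA that signed it (send this to the server operator):");
                System.out.println(toPem(chain[1]));
            } else {
                System.out.println("  no issuer certificate stored with the key; export the CA separately");
            }
        }
    }

    /* What the JSSE defaults do when the javax.net.ssl.* properties are set,
     * done explicitly here so the stores can be inspected before use. */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPass, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: ClientAuthCheck keyStore keyPassword trustStore trustPassword https-url");
            System.exit(2);
        }
        char[] keyPass = args[1].toCharArray();
        KeyStore keyStore = loadJks(args[0], keyPass);
        KeyStore trustStore = loadJks(args[2], args[3].toCharArray());

        inspectClientIdentities(keyStore);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[4]).openConnection();
        conn.setSSLSocketFactory(buildContext(keyStore, keyPass, trustStore).getSocketFactory());
        // getResponseCode() performs the handshake: the server certificate is checked against
        // trustStore, and a client certificate from keyStore is sent if the server asks for one.
        System.out.println("HTTP " + conn.getResponseCode() + " over " + conn.getCipherSuite());
    }
}
```

The trust store passed here only decides whether the client trusts the server; the issuer CA printed by inspectClientIdentities is the one the server side must import, since the server, not the client, validates the client certificate. On an IBM JDK, getDefaultAlgorithm() normally resolves to the IBMX509 key and trust manager algorithms named in manager.properties; adding javax.net.debug=ssl,handshake to the JVM properties shows the CertificateRequest and which certificate, if any, the client chose to send.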
SSL Client Authentication on the Server
On the IBM i HTTP Server (powered by Apache), client authentication is required with the SSLClientAuth directive. In the virtual host below, SSLEngine On enables SSL, SSLClientAuth required makes the server demand a client certificate, and SSLAppName names the Digital Certificate Manager application whose assigned server certificate and list of trusted CA certificates the server uses:
<VirtualHost 10.2.0.170>
Options None
ServerName LANSA01
SSLEngine On
SSLClientAuth required
SSLAppName QIBM_HTTP_SERVER_JSMSSL
</VirtualHost>
With this configuration, after the client has authenticated the server, the server requests the client's certificate and validates it the same way the client validated the server's: the certificate must chain to a CA in the trusted list defined for that DCM application. If the client's issuing CA is not in that list, the handshake fails.