Key store and trust store in WebSphere

A key store (in JSSE terms) stores the personal certificate, which represents the X509Certificate, public key, and private key. This is the representation of the identity of this entity.

A key store contains the personal certificates that can be used as the identity for the SSL end point referencing the key store. If more than one certificate is present, a certificate alias on the SSL configuration specifies one of the personal certificates. When an SSL connection is made (on either the client or the server side), certificates may be exchanged. The personal certificate referenced by the SSL configuration and stored in the key store is the certificate that will be used.

A keystore contains both public keys and private keys. Public keys are stored as signer certificates, while private keys are stored as personal certificates. In WebSphere Application Server, adding keystore files to the configuration is different between client and server. For the client, a keystore file is added to a file, like the sas.client.props property file. For the server, a keystore file is added through the WebSphere Application Server administrative console.

A personal certificate represents the identity of the end point and contains a public and private key for signing/encrypting data.

A trust store (in JSSE terms) stores the X509Certificate and public key only (also referred to as a signer certificate). The trust store must contain all signer certificates from all other entities that it is trusting to make connections to or with. Without the signer of the remote entity, an SSLHandshakeException occurs with a message stating “No trusted certificate found.”

A trust store contains the signer certificates which this end point trusts when either making connections (from an outbound end point) or accepting connections (for an inbound end point).

The default server truststore is called the DummyServerTrustFile.jks file. The file is located in the ${USER_INSTALL_ROOT}/etc/ directory. The default password is WebAS. It is recommended that you create a new key file and trust file if you plan to use the certificate in a production environment.

Reference:

http://webspheretalk.com/threads/66-SSL-KeyStore-And-TrustStore-Used-in-Websphere

Advertisements

About Ishtiaque

I am IBM Certified Infrastructure Systems Architect, Linux Foundation Certified System Administrator, Oracle Certified Programmer in Java and Web Component Developer, and TOGAF 9 certified with over 10 years of support and development experience in IBM middleware software and Java. Additionally, have a sound grip in databases and OpenStack administration. I hold the following certifications: IBM Certified Infrastructure Systems Architect Linux Foundation Certified System Administrator (LFCS) TOGAF 9 Certified Oracle Certified Expert, Java EE6 Web Component Developer Oracle Certified Professional – Java 6 Programmer ITIL v3 Foundation Certified IBM Certified Solution Architect – Cloud Computing Infrastructure V1 IBM Certified System Administrator – WebSphere Portal V8, V7, V6.1, V6 IBM Certified System Administrator – WebSphere Application Server V7, V6.1 IBM Certified System Administrator – AIX V7 IBM Certified System Administrator – WebSphere MQ V7 IBM Certified Deployment Professional – Business Process Manager Advanced V7.5 IBM Certified Solution Advisor – Cloud Computing Architecture V3 IBM Certified Solution Developer – WebSphere Portal V5.1
This entry was posted in Security, WAS. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s