WebSphere Issues


Key store and trust store in WebSphere

Filed under: Security, WAS — Ishtiaque @ 7:04 pm

A key store (in JSSE terms) stores the personal certificate, which represents the X509Certificate, public key, and private key. This is the representation of the identity of this entity.

A key store contains the personal certificates that can be used as the identity for the SSL end point referencing the key store. If more than one certificate is present, a certificate alias on the SSL configuration specifies one of the personal certificates. When an SSL connection is made (on either the client or the server side), certificates may be exchanged. The personal certificate referenced by the SSL configuration and stored in the key store is the certificate that will be used.

A keystore contains both public keys and private keys: public keys are stored as signer certificates, while private keys are stored as personal certificates. In WebSphere Application Server, the way a keystore file is added to the configuration differs between client and server. For the client, the keystore file is referenced from a properties file such as sas.client.props. For the server, the keystore file is added through the WebSphere Application Server administrative console.

A personal certificate represents the identity of the end point and contains a public and private key for signing/encrypting data.

A trust store (in JSSE terms) stores only the X509Certificate and public key (also referred to as a signer certificate). The trust store must contain the signer certificates of every other entity that this entity trusts to make connections to or accept connections from. Without the signer of the remote entity, an SSLHandshakeException occurs with the message “No trusted certificate found.”

A trust store contains the signer certificates which this end point trusts when either making connections (from an outbound end point) or accepting connections (for an inbound end point).

The default server trust store is the DummyServerTrustFile.jks file, located in the ${USER_INSTALL_ROOT}/etc/ directory. Its default password is WebAS. Create a new key file and trust file if you plan to use the certificate in a production environment.
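As an added example (not code from the original post or from IBM), this Java program loads a key store and a trust store, separates personal certificates from signer certificates as described above, and reports whether the signer of each personal certificate is present in the trust store, which is exactly the condition that decides between a successful handshake and the “No trusted certificate found” exception. The class name and the argument order (key store path, trust store path, shared password) are assumptions; the JKS type and the WebAS default password come from the post.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

public class StoreAudit {
    // Open a JKS store, e.g. WebSphere's default DummyServerTrustFile.jks (password WebAS).
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    // personal=true: entries with a private key (identities this end point can present);
    // personal=false: certificate-only signer entries (public keys this end point trusts).
    static List<X509Certificate> entries(KeyStore ks, boolean personal) throws GeneralSecurityException {
        List<X509Certificate> out = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            boolean match = personal ? ks.isKeyEntry(alias) : ks.isCertificateEntry(alias);
            Certificate c = match ? ks.getCertificate(alias) : null;
            if (c instanceof X509Certificate) out.add((X509Certificate) c);
        }
        return out;
    }

    // A peer using trustStore accepts 'personal' only if a signer entry really signed it (name match is not enough).
    static boolean trustedBy(X509Certificate personal, KeyStore trustStore) throws GeneralSecurityException {
        for (X509Certificate signer : entries(trustStore, false)) {
            if (!signer.getSubjectX500Principal().equals(personal.getIssuerX500Principal())) continue;
            try { personal.verify(signer.getPublicKey()); return true; }
            catch (GeneralSecurityException otherKey) { /* same issuer name, different key: keep looking */ }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = args[2].toCharArray();
        KeyStore trustStore = load(args[1], pw);
        for (X509Certificate p : entries(load(args[0], pw), true)) {
            String verdict = trustedBy(p, trustStore) ? "signer present in trust store"
                    : "signer missing: peer would fail with \"No trusted certificate found\"";
            System.out.println(p.getSubjectX500Principal() + " -> " + verdict);
        }
    }
}
```

Run it against the pair of stores an SSL end point and its peer actually reference; a self-signed personal certificate is reported as trusted only when that same certificate is also present as a signer entry in the trust store.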



