
Configuration of the AS Java Keystore Views for SSL

Use

To use SSL, the AS Java must possess a key pair, which consists of a public key (distributed using an X.509 public-key certificate) and a corresponding private key. To use a key pair for SSL, the public key of the AS Java key pair must be certified by a well-known Certification Authority (CA) that clients using SSL trust. Therefore, you create a certificate signing request (CSR) that you then send to the CA of your choice. After receiving the CSR, the CA returns the corresponding signed public-key certificate in the form of a certificate request response, which you then import into the key pair for which you created the request.

ICM_SSL_<instance_ID>_<port> Keystore Views

The AS Java uses the ICM_SSL_<instance_ID>_<port> keystore views to store the key pair and trusted client certificates to use for SSL. In addition, the keystore view service_ssl contains backup copies of the default key pair and trusted certificates to use for SSL.

Note

By default, the AS Java uses the ICM_SSL_<instance_ID> view for setting up an SSL connection. The ICM_SSL_<instance_ID>_<port> views are used for setting up additional ports for SSL connections. More information about these views: Additional SSL Ports.

Note

Every time you make a change in an ICM_SSL_<instance_ID>_<port> view, you must export it to a PSE file and restart the ICM in order for the changes to take effect.

Server Key Pair

Each of the ICM_SSL_<instance_ID>_<port> keystore views can contain only one key pair that is used for establishing SSL connections. For this reason, before you add a new key pair to one of these views, you must remove the old key pair. The key pair you add must use the RSA algorithm for encryption.

If you use a key pair that is signed by a CA, you must also add the CA's public certificate to the corresponding ICM_SSL_<instance_ID>_<port> view.
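The rules above (one key pair per view, RSA key, issuing CA certificate present) can be checked on candidate material before it is added to a view. The following is an added example, not SAP code: it assumes the key pair and certificates are held in a PKCS#12 file, and the class name, file path and password arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
// Added example (assumption: candidate entries are in a PKCS#12 file, args = path, password).
public class SslViewPrecheck {
    static List<String> audit(KeyStore ks) throws Exception {
        List<String> findings = new ArrayList<>();
        List<String> keyAliases = new ArrayList<>();
        List<X509Certificate> caCandidates = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                keyAliases.add(alias);
                Certificate[] chain = ks.getCertificateChain(alias);
                for (int i = 1; chain != null && i < chain.length; i++)
                    caCandidates.add((X509Certificate) chain[i]); // CAs shipped in the chain
            } else {
                caCandidates.add((X509Certificate) ks.getCertificate(alias));
            }
        }
        if (keyAliases.size() != 1) // a view can contain only one key pair
            findings.add("expected exactly one key pair, found " + keyAliases);
        for (String alias : keyAliases) {
            X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
            if (leaf == null) { findings.add(alias + ": no certificate"); continue; }
            String alg = leaf.getPublicKey().getAlgorithm();
            if (!"RSA".equals(alg)) findings.add(alias + ": key is " + alg + ", not RSA");
            if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal()))
                continue; // self-signed: no separate CA certificate required
            boolean issuerFound = false;
            for (X509Certificate ca : caCandidates) {
                if (!ca.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) continue;
                try { leaf.verify(ca.getPublicKey()); issuerFound = true; }
                catch (GeneralSecurityException e) { /* same name, different key */ }
            }
            if (!issuerFound) findings.add(alias + ": CA certificate missing for issuer "
                    + leaf.getIssuerX500Principal().getName());
        }
        return findings;
    }
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        audit(ks).forEach(System.out::println); // no output means all three rules hold
    }
}
```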

Client Certificates

Each of the ICM_SSL_<instance_ID>_<port> views can contain an arbitrary number of trusted client CA certificates that are used by the system to verify the incoming client certificates. The system accepts only client certificates that are signed by one of these trusted client CAs.

More information about configuring the ICM_SSL_<instance_ID>_<port> views: Configuring the SSL Key Pair and Trusted X.509 Certificates.