To configure your SSL clients, you first create a client key ring and import
the server's signer certificate into it, then create a self-signed certificate
in the client key ring. Next you export the client's signer certificate and
transfer it to the server. Finally, you import the client signer certificate
into the server's key ring file.
If your server does not use client authentication, you complete only the first
task (create a client key ring and import the server's signer certificate);
the other tasks are not required.

Create a client key ring and import the server's signer certificate

Issue the following command to create the key ring and import the certificate:
keytool -import -alias aliasname -file certfile -keystore keystorefile
-storepass password -noprompt
Where the options are:
- -import
- Import a certificate.
- -alias aliasname
- The name under which the certificate is to be stored.
- -file certfile
- The file that contains the certificate.
- -keystore keystorefile
- The key ring into which the certificate is to be imported.
- -storepass password
- The password used to protect the integrity of the key ring.
- -noprompt
- Removes the need to confirm that the certificate is imported.
An example of this command is shown here:
Figure 1. Using the keytool command to create a key ring containing the server's signer certificate
keytool -import -alias exampleServer -file exampleServerCertKT.arm -keystore clientStore.jks
-storepass default -noprompt

Create a self-signed certificate in the client key ring

To create a new keystore containing a self-signed certificate, use the following
instance of the keytool command:
keytool -genkey -alias aliasname -keysize numericvalue -dname distname
-keystore location -keypass password -storepass password
-keyalg algorithm
The options are:
- -genkey
- Generates a key pair and wraps the public key into a self-signed
certificate.
- -alias aliasname
- Defines the alias name that identifies the store containing the
self-signed certificate and private key.
- -keysize numericvalue
- Defines the size of the key.
- -dname distname
- Specifies the X.500 distinguished name to be associated with the
alias. This is used as the issuer and subject fields of the self-signed
certificate. The distinguished name consists of a number of fields
separated by commas in the following format:
cn=strvalue,o=strvalue,ou=strvalue,l=strvalue,s=strvalue,c=strvalue
Each strvalue is a string value. The meaning of the abbreviations is as follows:
- cn = common name
- o = organization
- ou = organization unit
- l = city/locality
- s = state/province
- c = country name
An example of an X.500 distinguished name is shown here:
Figure 2. An X.500 distinguished name
"cn=someserver.location.ibm.com,o=IBM,ou=IBMGB,l=Winchester,s=Hants,c=GB"
- -keystore location
- The key ring file location. For example: ktserverss.jks
- -keypass password
- The password used to protect the private key. Set
this to the same value as the -storepass password,
to enable the CICS Transaction Gateway to
establish a connection over SSL.
- -storepass password
- The password used to protect the integrity of the key ring. Set
this to the same value as the -keypass password,
to enable the CICS Transaction Gateway to
establish a connection over SSL.
- -keyalg algorithm
- The algorithm to be used to generate the key pair.
An example of the keytool command is shown here:
Figure 3. Using the keytool command to create a key ring containing a single self-signed certificate
keytool -genkey -alias exampleClientCert -keysize 1024
-dname "cn=John Doe,o=IBM,ou=IBMGB,l=Winchester,s=Hants,c=GB"
-keystore clientStore.jks -keypass default -storepass default
-keyalg RSA

Export the client's signer certificate

This certificate must be imported into the keystores of all servers that
the SSL client needs to connect to.
To export the certificate, use the following instance of the keytool command:
keytool -export -alias aliasname -keystore location
-storepass password -file filename -rfc
Where the options are:
- -export
- Export a certificate.
- -alias aliasname
- Name of the key (in the key ring)
to export.
- -keystore location
- The key ring location.
- -storepass password
- The password used to protect the integrity of the key ring.
- -file filename
- The name of the file to export the certificate to.
- -rfc
- Export the certificate in RFC format (Base64 encoded ASCII).
An example instance of the keytool command to export a signer certificate is shown here:
Figure 4. Using the keytool command to export the signer certificate
keytool -export -alias exampleClientCert -keystore clientStore.jks -storepass default
-file exampleClientCertKT.arm -rfc
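The four tasks described on this page, run end to end as one script. This is an added example and not part of the CICS Transaction Gateway documentation: it reuses the aliases, file names and "default" passwords from Figures 1, 3 and 4, and assumes a server key ring named serverStore.jks with its own password, which the page does not name. It adds two checks a practitioner wants before a certificate is transferred: that -keypass and -storepass match (the condition the text gives for the Gateway to establish the SSL connection), and that the exported .arm file really is the Base64 PEM form that -rfc produces, since a binary file transferred by mistake fails to import on the server. It also prints the certificate fingerprint so the server administrator can compare it with the copy they received, which is the check that -noprompt otherwise skips.

```shell
#!/bin/sh
# Added example, not from the CICS Transaction Gateway documentation: the
# client-side steps of the text run end to end with keytool, plus two checks
# made before the client signer certificate is transferred.
# Constructed/assumed values: serverStore.jks and SERVER_STOREPASS stand in
# for the server key ring, which the text does not name; aliases, file names
# and the "default" passwords mirror Figures 1, 3 and 4.
set -e

SERVER_SIGNER=exampleServerCertKT.arm    # server signer cert, received out of band
CLIENT_STORE=clientStore.jks
CLIENT_ALIAS=exampleClientCert
CLIENT_SIGNER=exampleClientCertKT.arm    # produced by step 3, sent to the server
STOREPASS=default
KEYPASS=default
SERVER_STORE=serverStore.jks             # assumed name of the server key ring
SERVER_STOREPASS=default                 # assumed server key ring password

# The text requires -keypass and -storepass to be equal; otherwise the Gateway
# cannot open the private key to establish the SSL connection.
check_passwords() {
    [ "$1" = "$2" ]
}

# -rfc output is Base64 PEM; a binary (DER) file transferred by mistake is a
# common cause of a failed import on the server side.
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q '^-----END CERTIFICATE-----' "$1"
}

# Step 1: create the client key ring by importing the server's signer certificate.
create_client_store() {
    keytool -import -alias exampleServer -file "$SERVER_SIGNER" \
        -keystore "$CLIENT_STORE" -storepass "$STOREPASS" -noprompt
}

# Step 2: add a self-signed certificate (and private key) to the client key ring.
# Assumption: 2048-bit RSA instead of the 1024 bits shown in Figure 3, because
# recent keytool releases warn about 1024-bit RSA keys.
create_client_cert() {
    check_passwords "$KEYPASS" "$STOREPASS" || {
        echo "keypass and storepass must match" >&2; return 1; }
    keytool -genkey -alias "$CLIENT_ALIAS" -keysize 2048 \
        -dname "cn=John Doe,o=IBM,ou=IBMGB,l=Winchester,s=Hants,c=GB" \
        -keystore "$CLIENT_STORE" -keypass "$KEYPASS" -storepass "$STOREPASS" \
        -keyalg RSA
}

# Step 3: export the client's signer certificate in RFC (PEM) format and
# confirm the file really is PEM before it is transferred.
export_client_signer() {
    keytool -export -alias "$CLIENT_ALIAS" -keystore "$CLIENT_STORE" \
        -storepass "$STOREPASS" -file "$CLIENT_SIGNER" -rfc
    is_pem_cert "$CLIENT_SIGNER"
    # Print the fingerprint so the server administrator can compare it with
    # the copy they received before trusting it.
    keytool -printcert -file "$CLIENT_SIGNER"
}

# Step 4 (run on the server): import the transferred client signer certificate
# into the server's key ring. -noprompt skips the interactive "Trust this
# certificate?" question, so the fingerprint comparison above replaces it.
import_into_server_store() {
    is_pem_cert "$CLIENT_SIGNER"
    keytool -import -alias "$CLIENT_ALIAS" -file "$CLIENT_SIGNER" \
        -keystore "$SERVER_STORE" -storepass "$SERVER_STOREPASS" -noprompt
}

# Run the steps only when invoked as: sh ssl_client_setup.sh run
# (keytool from a JDK must be on PATH and $SERVER_SIGNER must exist).
if [ "${1:-}" = "run" ]; then
    create_client_store
    create_client_cert
    export_client_signer
    import_into_server_store
fi
```

Step 4 is shown in the same script for completeness, but in practice it is run on the server after exampleClientCertKT.arm has been copied there; with `set -e` the script stops at the first keytool failure or failed check rather than continuing with a half-built key ring.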