IBM WebSphere Developer Technical Journal: SSL, certificate, and key management enhancements for even stronger security in WebSphere Application Server V6.1

Peter Birk, Senior Software Engineer, IBM
Keys Botzum, Senior Technical Staff Member, IBM

Summary: Exciting changes have been made to the SSL, certificate, and key management infrastructure in IBM® WebSphere® Application Server V6.1. This article touches on how these changes will improve security, provide management flexibility and simplification, and maintain a consistent SSL runtime that is tightly integrated with the new configuration.

Introduction

In previous releases of IBM WebSphere Application Server, SSL management is based on a collection of SSL configurations that are referenced by an alias name from endpoints throughout the cell. Each alias is prefixed with the node name reflecting where it was created. The SSL runtime for a given endpoint reads the SSL configuration that it references and creates the SSL sockets from this information. A set of default self-signed certificates located in the DummyServerKeyFile.jks and DummyClientKeyFile.jks keystores are shipped with each installation. While this is simple, it is not secure and should not be used this way in production. Managing certificates requires the use of an external key management tool called IKeyMan. There are references to SSL configurations in every server.xml throughout the system, so the ability to reorganize the SSL configurations when topologies change can be difficult. Applications do not have the ability to access these SSL configurations.

In WebSphere Application Server V6.1, SSL management adds an entire new level of simplicity, security, and flexibility. Unique self-signed certificates are created for each profile during profile creation. When a profile is federated into a cell, trust is automatically established with the cell. These self-signed certificates are managed by a fully integrated certificate management infrastructure that replaces the external IKeyMan tool. The expiration of these certificates is monitored on a pre-defined schedule with notifications to system logs and email-sending capabilities. The certificates will be automatically replaced before expiration, by default, and, there will of course be a warning prior to the certificate replacement
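
The introduction warns that the default DummyServerKeyFile.jks and DummyClientKeyFile.jks keystores should not be used in production. The following is an added example, not code from the article or from IBM, of an audit script that walks a configuration directory and reports every active reference to those two keystores. The scanned file suffixes, the sample directory layout, and the XML element and property names in the sample are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Keystore names are from the article; the scanned suffixes are an assumption.
DEFAULT_KEYSTORES = ("DummyServerKeyFile.jks", "DummyClientKeyFile.jks")
PATTERN = re.compile("|".join(re.escape(n) for n in DEFAULT_KEYSTORES))
SCANNED_SUFFIXES = (".xml", ".props", ".properties")


def find_default_keystore_refs(config_root):
    """Return sorted (relative path, line number, keystore name) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(config_root):
        for name in files:
            if not name.endswith(SCANNED_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, config_root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    # A commented-out property is not an active reference.
                    if not name.endswith(".xml") and line.lstrip().startswith("#"):
                        continue
                    for match in PATTERN.finditer(line):
                        findings.append((rel, lineno, match.group(0)))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed config tree; file and element names are hypothetical."""
    samples = {
        "cell/security.xml": '<security>\n'
        '  <keyStore location="${ROOT}/etc/DummyServerKeyFile.jks"/>\n'
        '  <keyStore location="${ROOT}/etc/prod-keys.jks"/>\n</security>\n',
        "props/client.props": '# keyStore=${ROOT}/etc/DummyClientKeyFile.jks\n'
        'keyStore=${ROOT}/etc/DummyClientKeyFile.jks\n',
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        print(*find_default_keystore_refs(root), sep="\n")
```

Point `find_default_keystore_refs` at a real profile's configuration directory to list the files and lines that still reference the shipped default keystores.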