Configuring JSSE

The Java Secure Socket Extension (JSSE) is a set of Java packages that implements SSL and Transport Layer Security, which enable data encryption, server authentication, message integrity, and client authentication. JSSE is a client-side feature, which can be used with EAServer when it has been configured for SSL communication.

Steps: Configuring JSSE on the server

  1. From the Web Management Console, expand the Servers folder.

  2. Expand the server for which you are configuring JSSE.

  3. Select the Security tab.

  4. Configure JSSE by completing these properties:

    • SSL Trust Store – the path to an SSL trust store. A trust store is a keystore whose entries are trusted. For example, if you receive data from an entity that you already trust, and you can verify that the entity is the one it claims to be, then you can assume that the data really came from that entity.

      Add an entry to a truststore only if the user makes a decision to trust that entity. By generating a keypair or importing a certificate, you grant trust to that entry, and any entry in the keystore is considered a trusted entry.

    • SSL Trust Store Password – the password used to access the trust store.

    • SSL Trust Store Type – the format of the truststore. Possible values are JKS and PKCS12.

    • SSL Key Store – the path to the key store. A key store is a database of key material (for example, certificates or key pairs) that is used for authentication and data integrity. Supported key store types include PKCS12 and JKS.

    • SSL KeyStore Password – the password used to access the keystore.

    • FIPS Mode Enabled – enables FIPS mode, which has the following effects on EAServer:

      • The SSL/TLS runtime engine permits only the TLS protocol.

      • Permits the use of TLS cipher suites and security characteristics.

      • Accepts X.509 certificates signed using a SHA1WithRsa algorithm. Certificates signed with any other algorithm are not accepted and generate an error.

      • Other cryptographic functionality that normally employs a non-FIPS approved algorithm now fails. For example, a PKCS #12 certificate containing a private key shrouded (signed) with a pbeWithSHA1And40bitRc4 algorithm fails to import, since RC4 is not a FIPS 140-2-approved algorithm. The private key and public keys must be shrouded using pbeWithSHA1And3KeyTripleDescbc.

    • JSSE Key Store Type – valid options are PKCS12 or JKS.
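
The FIPS Mode Enabled property above rejects any X.509 certificate that is not signed with SHA1WithRsa, so it is worth checking a key store or trust store before turning the property on. The script below is an added example, not part of EAServer or of the original page: it parses the text printed by `keytool -list -v` and reports every certificate that the rule would reject. The function names and the sample listing are constructed for illustration, and English keytool output is assumed.

```shell
#!/bin/sh
# Added example (not EAServer code). Reads `keytool -list -v` text on stdin and
# prints "alias [cert N]: algorithm" for every certificate whose signature
# algorithm is not SHA1withRSA, the only one the page says FIPS mode accepts.
# Exit status: 0 = every certificate passes, 1 = at least one would be rejected.
# Assumption: keytool runs in an English locale (labels are matched literally).
fips_sigalg_check() {
    awk '
        /^Alias name: / { alias = $0; sub(/^Alias name: /, "", alias); idx = 0 }
        /^Certificate\[[0-9]+\]:/ { idx++ }
        /^Signature algorithm name: / {
            # $4 is the algorithm; newer JDKs may append a note such as (weak).
            n = (idx > 0) ? idx : 1
            if (toupper($4) != "SHA1WITHRSA") {
                printf "%s [cert %d]: %s\n", alias, n, $4
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample of `keytool -list -v` output (abridged, not a real store).
sample_keytool_output() {
    cat <<'EOF'
Keystore type: PKCS12

Alias name: legacy-ca
Entry type: trustedCertEntry

Owner: CN=Example Legacy CA
Issuer: CN=Example Legacy CA
Signature algorithm name: SHA1withRSA (weak)

Alias name: app server
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=app.example.test
Issuer: CN=Example Issuing CA
Signature algorithm name: SHA256withRSA
Certificate[2]:
Owner: CN=Example Issuing CA
Issuer: CN=Example Legacy CA
Signature algorithm name: SHA1withRSA
EOF
}

sample_keytool_output | fips_sigalg_check || echo "FIPS mode would reject the certificates listed above" >&2
```

Against a real store, pipe `keytool -list -v -keystore <path> -storetype PKCS12` (or `JKS`) into `fips_sigalg_check` instead of the sample function.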