Liberty profile: Keystores

Support for a particular type of keystore in the Liberty profile can depend on what is supported by the underlying Java Runtime Environment (JRE). This document shows how to configure different keystore type in the Liberty profile.

JKS and JCEKS keystores

For more information on configuration attributes of the keystore element, see Liberty profile: SSL configuration attributes.

JKS and JCEKS keystore are common between the IBM JRE and the Oracle JRE, and can be configured the same using either JRE. JKS is the default keystore type in the Liberty profile, so if no keystore type is specified in the configuration, JKS is used.

An example of JKS keystore configuration is as follows:
     <keyStore id="sampleJKSKeyStore"
           		location="MyKeyStoreFile.jks"
           		type="JKS" password="myPassword" />
An example of JCEKS keystore configuration is as follows:
    <keyStore id="sampleJCEKSKeyStore"
           		location="MyKeyStoreFile.jceks"
           		type="JCEKS" password="myPassword" />

PKCS12 keystore

PKCS12 keystore can be used when using the IBM JRE. An example of PKCS12 keystore configuration is as follows:
    <keyStore id="samplePKCS12KeyStore"
           		location="MyKeyStoreFile.p12"
           		type="PKCS12" password="myPassword" />

CMS keystore

CMS keystore can be configured when using the IBM JRE but some special configuration is required. The CMS provider is not available by default on the IBM JRE, therefore it must be added to the provider list in the java.security file of the JRE. In the following example, the com.ibm.security.cmskeystore.CMSProvider class is added to the end of the list. Make sure the provider number is correct for where it is put in the provide list. The Liberty profile does not use the CMS keystore stash file to gain access to the keystore.
  security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
	security.provider.2=com.ibm.crypto.provider.IBMJCE
	security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
	security.provider.4=com.ibm.security.cert.IBMCertPath
	security.provider.5=com.ibm.security.sasl.IBMSASL
	security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
	security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
	security.provider.8=org.apache.harmony.security.provider.PolicyProvider
	security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
	security.provider.10=com.ibm.security.cmskeystore.CMSProvider
To use the CMS keystore, the configuration in the server.xml file is as follows:
    <keyStore id="sampleCMSKeyStore" 
              password="myPassword"
              location="MyKeyStoreFile.kdb"
              provider="IBMCMSProvider"
              type="CMSKS"/>
Parent topic: Enabling SSL communication for the Liberty profile

Icon that indicates the type of topic Reference topic
Terms and conditions for information centers | Feedback


Timestamp icon Last updated: Wednesday, 22 May 2013
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-mp&topic=rwlp_sec_keystores
File name: rwlp_sec_keystores.html