WebSphere Application Server V6 Advanced Security Enhancement, Part 1 (II)

Source: Internet
Author: User
Tags ssl connection websphere application server

Figure 9. Enable LDAP SSL

If you use a custom registry, you must protect that transmission with whatever mechanism is available.

11. Change the default key file

As mentioned earlier, enabling WebSphere Application Server security causes most internal transmissions to use SSL, which protects them from various forms of network attack. However, to establish an SSL connection, the server must hold a certificate and the corresponding private key. To simplify initial installation, WebSphere Application Server is delivered with a sample key file that contains a sample private key. Every copy of WebSphere Application Server sold contains this "private" key, so it is not very private at all. The name of the key file, DummyServerKeyFile, says as much.

To protect your environment, you should create your own private key and certificate for communication. All of this is done with the iKeyman tool. Use iKeyman to create a new keystore and trust store, and then update the existing SSL configuration to use these new files. For more details, see the WebSphere Application Server Information Center and the WebSphere Application Server 6.0 security Redbook.

When you create a new keystore and trust store, keep in mind that each signer you put in the trust store is a declaration of trust: you trust that signer to determine who is who in your system. If you trust more than one signer then, depending on how certificates are mapped to user identities, multiple signers may be able to create certificates for the same user, which is a great risk. If you use certificates to authenticate clients, mitigate this risk by reducing the number of signers in the trust store, so that as few certificates as possible are accepted.

While we are discussing certificates, we need to digress briefly to a key point: certificates expire. When the WebSphere Application Server certificate expires, WebSphere Application Server stops working, and no communication is possible any longer. So when you create a certificate as we suggest, make sure you note its expiration date. If you do not follow our advice and use the default keys instead, note their expiration dates as well. You must prepare for the expiration of the certificate and obtain or generate a new one before it expires.
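The three checks this section calls for (no shipped sample key file, a minimal signer list, renewal before expiry) can be run over a keystore listing. This is an added example, not code from the original article or from IBM; it assumes the listing has the layout of the JDK's `keytool -list -v` in an English locale, and the sample listing, aliases and the `warn_days` and `max_signers` thresholds are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the layout of `keytool -list -v` (English locale); not real output.
SAMPLE = """\
Alias name: appserver
Entry type: PrivateKeyEntry
Valid from: Mon Jan 02 00:00:00 UTC 2006 until: Tue Jan 02 00:00:00 UTC 2007
Alias name: internal-ca
Entry type: trustedCertEntry
Valid from: Sat Jan 01 00:00:00 UTC 2005 until: Thu Jan 01 00:00:00 UTC 2015
Alias name: extra-ca
Entry type: trustedCertEntry
Valid from: Sat Jan 01 00:00:00 UTC 2005 until: Sun Jan 01 00:00:00 UTC 2006
"""
UNTIL = re.compile(r"until: \w{3} (\w{3}) (\d{1,2}) ([\d:]{8}) \S+ (\d{4})")

def parse_entries(text):
    """Return one dict per alias: name, entry type, expiry of its first certificate."""
    entries = []
    for block in re.split(r"(?m)^(?=Alias name: )", text):
        alias = re.search(r"(?m)^Alias name: (.+)$", block)
        etype = re.search(r"(?m)^Entry type: (\S+)", block)
        until = UNTIL.search(block)
        if alias and etype and until:
            # Zone token is skipped: day-level precision is enough for an expiry warning.
            expires = datetime.strptime(" ".join(until.groups()), "%b %d %H:%M:%S %Y")
            entries.append({"alias": alias.group(1).strip(), "type": etype.group(1), "expires": expires})
    return entries

def audit(text, store_name, now, warn_days=60, max_signers=1):
    """Flag the shipped sample key file, surplus trusted signers, and expiring certificates."""
    findings = []
    if "dummy" in store_name.lower():  # name heuristic for the shipped sample file
        findings.append(f"{store_name}: shipped sample key file in use")
    entries = parse_entries(text)
    signers = [e["alias"] for e in entries if e["type"] == "trustedCertEntry"]
    if len(signers) > max_signers:
        findings.append(f"{len(signers)} trusted signers, expected at most {max_signers}: {', '.join(signers)}")
    for e in entries:
        left = (e["expires"] - now).days
        if left < 0:
            findings.append(f"{e['alias']}: expired {-left} days ago")
        elif left <= warn_days:
            findings.append(f"{e['alias']}: expires in {left} days")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "DummyServerKeyFile.jks", now=datetime(2006, 12, 1))))
```

Run on a schedule against each keystore and trust store listing, the same function gives advance warning of expiry instead of an outage on the expiration date.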
