A key manager is the component of WebSphere that decides what certificate in a keystore will be used for SSL cryptography. For example, let's say you have two certificates in a keystore, default and testing.

Let's also say the Default server certificate alias drop-down in the SSL configuration is set to "none", which means that neither the default or testing certificates are being used as the default certificate.

In this scenario, the key manager will decide if the "default" or "testing" certificate will be used. In the WebSphere admin console, you can navigate to Securtiy > SSL certificate and key management > Key managers, and you'll see that ibmX509 is the name of the key manager being used.

Selecting ibmX509 will let you see that all you can really do is to change the Implementation settings (which you usually do not need to change). In other words, there isn't much to configure here. For the most part, you just let the key manager do it's thing, and you only need to consider a custom class name if the key manager is not behaving per your needs.