You can use the key management utility to open a cryptographic
token. Once opened, you can manage your keys and certificates just like you
do with keystore and truststore files.
Before you begin
Verify that your cryptographic token device is installed and functions
properly. Create a cryptographic token, following the instructions provided
by the manual of the cryptographic device.
From your cryptographic token
device documentation, identify the token library. For example, the IBM 4758
PCI Cryptographic Card uses CRYPTOKI.DLL as the PKCS#11-type token library.
For more information, see CryptoCards.
Read the iKeyman documentation at
http://www-128.ibm.com/developerworks/java/jdk/security for
further information about using the key management utility (iKeyman).
Important: To use iKeyman for key management with a cryptographic
token device, you must edit the
app_server_root/java/jre/lib/security/java.security file. Uncomment the line containing
com.ibm.crypto.pkcs11.provider.IBMPKCS11.
About this task
You can use the key management utility to open a cryptographic token.
Once opened, you can manage your keys and certificates just like you do with
keystore and truststore files:
- Create a self-signed digital certificate
- Extract or add both certificate authority (CA) roots and personal certificate
signer certificates
- Request and receive a digital certificate from a CA
Procedure
- Start the key management utility, if it is not already running.
- Click Key DataBase File > Open.
- Click Cryptographic Token from the list of key database
types.
- Fill in the information for File Name and Location,
or browse for the cryptographic device library.
- Click OK to open the library.
- Type in the slot number in the next panel. This is
the number of the slot in which you previously created the cryptographic token.
- Enter the password. This is the password configured
for the cryptographic token that you created.
Results
All of the personal and signer certificates are stored on the cryptographic
token card. With the token open, you can create or request digital certificates
and receive CA-signed certificates.
What to do next
Use a cryptographic token device as a key database to manage keys
and certificates for a Secure Sockets Layer (SSL) connection. Once the
cryptographic token is open, you can add or delete keys and certificates.
Configure the cryptographic token settings in WebSphere Application Server.