Configuring a hardware cryptographic keystore

You can create a hardware cryptographic keystore that WebSphere Application Server can use to provide cryptographic token support in the server configuration.

About this task

Complete the following steps in the administrative console:

Procedure

  1. Click Security > SSL certificate and key management > {Inbound | Outbound} > Key stores and certificates.
  2. Click New.
  3. Type a name to identify the keystore. This name is used to enable hardware cryptography in the Web services security configuration.
  4. Optionally, you can type a description for the keystore in the Description field.
  5. Optionally, specify a Management scope for the keystore. The management scope determines where this keystore is visible. For example, if you choose a specific node, the keystore is visible only on that node and on the servers that belong to it.
  6. Type the path to the hardware device-specific configuration file. The configuration file is a text file whose entries have the form attribute = value. The valid attributes and values are described in detail in the IBM SDK, Java Technology Edition documentation. The two mandatory attributes are name and library, as in the following sample (slotListIndex selects the token slot and is shown here as an optional third entry):
    name = FooAccelerator
    library = /opt/foo/lib/libpkcs11.so
    slotListIndex = 0
    The configuration file should also include any device-specific configuration data. Sample configuration files are packaged in PKCS11ImplConfigSamples.jar, which is listed under the heading "PKCS 11 Implementation Provider" on the Java technology site http://www.ibm.com/developerworks/java/jdk/security/50/.
    [AIX HP-UX Linux Solaris Windows] [iSeries] Note: If you want to use the IBMPKCS11Impl provider, you must initialize the provider yourself and pass the provider instance explicitly to the JCE getInstance method. IBMJSSE2 cannot use the IBMPKCS11Impl provider for acceleration.
    1. Initialize the IBMPKCS11Impl provider in a thread-safe way, as described at http://www.ibm.com/developerworks/java/jdk/security/50/secguides/pkcs11implDocs/IBMJavaPKCS11ImplementationProvider.html.
    2. Specify a unique .cfg file that contains the information about your hardware device. The list of supported hardware devices is available at http://www.ibm.com/developerworks/java/jdk/security/50/secguides/pkcs11implDocs/IBMPKCS11SupportList.html.
    3. Call the Signature.getInstance method with the properly initialized IBMPKCS11Impl provider instance, as shown:
      Signature.getInstance("SHA1withRSA", ibmpkcs11implinstance);
  7. [AIX HP-UX Linux Solaris Windows] [iSeries] If a token login is required, type the token password.

    Operations that use keys on the token require a secure login. This field is optional if the keystore is used only as a cryptographic accelerator; in that case, select the Enable cryptographic operations on hardware device option instead.

  8. [z/OS] If a token login is required, type the keystore password in the Password field.

    Operations that use keys on the token require a secure login. This field is optional if the keystore is used only as a cryptographic accelerator; in that case, select the Enable cryptographic operations on hardware device option instead.

    To stay compatible with JCE keystores, which require a password, the JCERACFKS keystore password is the literal string password. Unlike other keystore types, this keystore is not actually protected by that password; access is controlled by RACF based on the identity of the executing thread. The password applies to the keystore file that you specified in the Path field.

  9. Select PKCS11 as the keystore type.
  10. Select Read only.
  11. Click OK and Save.
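The note in step 6 says to initialize IBMPKCS11Impl once, in a thread-safe way, and to pass the provider instance (not its name) to Signature.getInstance. The following class is an added example written for this page; it is not code from the WebSphere documentation or from IBM. It assumes the IBM SDK provider class com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl with a constructor that takes the path to the .cfg file from step 6, the keystore type "PKCS11IMPLKS" for that provider, and that getKey accepts a null password once the token login from step 7 has been done in load(); the config path, PIN and key alias in main are placeholders. It uses SHA256withRSA instead of the SHA1withRSA shown in the step, because SHA-1 signatures are deprecated.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;

/**
 * Added example (not IBM or WebSphere code): one-time, thread-safe
 * initialisation of IBMPKCS11Impl from the step 6 .cfg file, token login with
 * the step 7 PIN, and signing with the provider instance passed explicitly.
 *
 * Assumed (verify against the IBM SDK Javadoc for your release):
 *  - com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl(String cfgPath) exists;
 *  - the provider's keystore type is "PKCS11IMPLKS";
 *  - getKey(alias, null) is accepted after load(null, pin) logged in to the token.
 */
public final class HardwareSigner {

    // Constructing the provider is the step that must not race between threads:
    // build it once and publish it through a synchronized accessor.
    private static Provider provider;

    public static synchronized Provider provider(String cfgPath) throws Exception {
        if (provider == null) {
            // Reads the attribute = value entries (name, library, slotListIndex, ...)
            Provider p = new com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl(cfgPath);
            // Registration is optional when the instance is passed explicitly, but it
            // lets KeyStore.getInstance(type, providerName) and tooling find the token.
            if (Security.getProvider(p.getName()) == null) {
                Security.addProvider(p);
            }
            provider = p;
        }
        return provider;
    }

    /** Opens the token keystore; load(null, pin) performs the token login. */
    public static KeyStore tokenKeyStore(Provider p, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11IMPLKS", p);
        ks.load(null, pin); // null stream: the keys live on the device, not in a file
        return ks;
    }

    /** Signs data with a key that never leaves the token. */
    public static byte[] sign(Provider p, KeyStore ks, String alias, byte[] data) throws Exception {
        // Only a handle comes back; the private key material stays on the hardware.
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        // Passing p, the provider instance, is what binds the operation to the
        // accelerator; Signature.getInstance("SHA256withRSA") alone would pick
        // whichever software provider is registered first.
        Signature sig = Signature.getInstance("SHA256withRSA", p);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    /** Verifies with the public key from the token's certificate; any provider will do. */
    public static boolean verify(KeyStore ks, String alias, byte[] data, byte[] signature) throws Exception {
        Certificate cert = ks.getCertificate(alias);
        PublicKey pub = cert.getPublicKey();
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(pub);
        sig.update(data);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: the .cfg path from step 6, the token PIN from step 7, a key alias.
        String cfgPath = args.length > 0 ? args[0] : "/opt/foo/etc/fooaccelerator.cfg";
        char[] pin = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String alias = args.length > 2 ? args[2] : "server-signing-key";

        Provider p = provider(cfgPath);
        KeyStore ks = tokenKeyStore(p, pin);

        byte[] data = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(p, ks, alias, data);
        System.out.println("signature bytes: " + sig.length
                + ", verifies: " + verify(ks, alias, data, sig));
    }
}
```

Run it with the same .cfg path you typed into the Path field in step 6; if the token rejects the login, the failure surfaces from load(), before any key is touched, which is the check to make before pointing a server SSL configuration at the new keystore.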

Results

WebSphere Application Server can now provide cryptographic token support in the server configuration.

What to do next

You can now refer to this keystore from any server Secure Sockets Layer (SSL) configuration, and from the Web services security default bindings configuration, so that those configurations use the hardware token.

Last updated: Aug 31, 2013 2:56:59 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=tsec_sslconfhwcrypkeystore
File name: tsec_sslconfhwcrypkeystore.html