WebSphere Application Server Version 6.1 Feature Pack for Web Services
             Operating Systems: AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS


Configuring hardware cryptographic devices for Web Services Security

Before you can use a hardware cryptographic device, you must configure and enable it. You must first configure a hardware cryptographic device using the Secure Sockets Layer (SSL) certificate and key management panels in the administrative console. The key for the cryptographic operation can be stored in an ordinary Java keystore file and need not be stored on the hardware devices. You enable cryptographic operations by performing specific file setup procedures to ensure that the cryptographic device can be used.

Before you begin [AIX HP-UX Linux Solaris Windows] [i5/OS]

You must first configure a hardware cryptographic device using the Secure Sockets Layer (SSL) certificate and key management panels in the administrative console.

Procedure

  1. [AIX HP-UX Linux Solaris Windows] [i5/OS] In the administrative console, click Servers > Server Types > WebSphere application servers and then select the server name.
  2. [AIX HP-UX Linux Solaris Windows] [i5/OS] Under Security, select JAX-WS and JAX-RPC security runtime.
  3. [AIX HP-UX Linux Solaris Windows] [i5/OS] Under Cryptographic Hardware, select Enable cryptographic operations on hardware device and then specify the hardware cryptographic device configuration name. For more information, see Configuring a hardware cryptographic keystore.
  4. [AIX HP-UX Linux Solaris Windows] [i5/OS] Click OK.
  5. [z/OS] Stop the WebSphere Application Server.
  6. [z/OS] Download and install the new policy files.
    1. Click J2SE 5.0
    2. Scroll down the page then click IBM SDK Policy files.

      The Unrestricted JCE Policy files for SDK 5 Web site displays.

    3. Click Sign in and provide your IBM.com ID and password.
    4. Select Unrestricted JCE Policy files for SDK 5 and click Continue.
    5. View the license and click I Agree to continue.
    6. Click Download Now.
    7. Extract the unlimited jurisdiction policy files that are packaged in the ZIP file. The ZIP file contains a US_export_policy.jar file and a local_policy.jar file.
    8. In your WebSphere Application Server installation, go to the $JAVA_HOME/jre/lib/security directory and back up your US_export_policy.jar and local_policy.jar files.
    9. Replace your US_export_policy.jar and local_policy.jar files with the two files that you downloaded from the IBM.com Web site.
    Below is an example of this copy operation.
    $JAVA_HOME/demo/jce/policy-files/unrestricted/* to
    $JAVA_HOME/lib/security
  7. [z/OS] Delete any symbolic links for these policy files and copy the real files into the appropriate $JAVA_HOME directory. Perform this deletion for both the deployment manager and the application server. For example:
    These are the files before the symbolic change.
    /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security : > ls -l
    lrwxrwxrwx   1 WSOWNER  WSCFG1        54 Sep 19 16:22 US_export_policy.jar -> /zWAS61B/V6R1/java64/lib/security/US_export_policy.jar
    lrwxrwxrwx   1 WSOWNER  WSCFG1        41 Sep 19 16:22 cacerts -> /zWAS61B/V6R1/java64/lib/security/cacerts
    lrwxrwxrwx   1 WSOWNER  WSCFG1        45 Sep 19 16:22 java.policy -> /zWAS61B/V6R1/java64/lib/security/java.policy
    -rwxrwxr-x   1 WSOWNER  WSCFG1      9917 Sep 19 16:22 java.security
    lrwxrwxrwx   1 WSOWNER  WSCFG1        50 Sep 19 16:22 local_policy.jar -> /zWAS61B/V6R1/java64/lib/security/local_policy.jar
    
    
    Here is where the symbolic links are removed.
    /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security : > rm US_export_policy.jar
    /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security : > rm local_policy.jar
    
    
    Copy the files from the product HFS to your configuration HFS.
    /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security : > cp /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/demo/jce/policy-files/unrestricted/US_export_policy.jar US_export_policy.jar
    /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security : > cp /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/demo/jce/policy-files/unrestricted/local_policy.jar local_policy.jar
    
    
    Here are the final results after the symbolic change.
    /WebSphere/V6R1M0B/DeploymentManager1/java64/lib/security : > ls -l
    -rw-r--r--   1 ACHARYA  WSCFG1      2199 Oct  2 17:06 US_export_policy.jar
    lrwxrwxrwx   1 WSOWNER  WSCFG1        41 Sep 28 21:38 cacerts -> /zWAS61B/V6R1/java64/lib/security/cacerts
    lrwxrwxrwx   1 WSOWNER  WSCFG1        45 Sep 28 21:38 java.policy -> /zWAS61B/V6R1/java64/lib/security/java.policy
    -rwxrwxr-x   1 WSOWNER  WSCFG1      9917 Oct  2 18:00 java.security
    -rw-r--r--   1 ACHARYA  WSCFG1      2212 Oct  2 17:06 local_policy.jar
    
    
  8. [z/OS] Alter the java.security file in the $JAVA_HOME/lib/security directory. The file name in the example is: /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security/java.security
    1. Make sure you perform this alteration in the appropriate $JAVA_HOME directory. For example, ../java64/lib/security.
    2. Uncomment the following line of the file:
       #security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
      and reorder the list of providers and preference orders as follows:
      security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
      #security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
      security.provider.2=com.ibm.crypto.provider.IBMJCE
      security.provider.3=com.ibm.jsse.IBMJSSEProvider
      security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.6=com.ibm.security.cert.IBMCertPath
      security.provider.7=com.ibm.security.sasl.IBMSASL
      security.provider.8=com.ibm.security.cmskeystore.CMSProvider
      security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    The file structure and content are ready for use.
  9. [z/OS] Start up the WebSphere Application Server. The cryptographic device is enabled for all Web service security applications that run on the WebSphere Application Server.
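A shell check for the z/OS file setup in steps 7 and 8, added here as an example and not part of the IBM documentation: it confirms that the two policy jars are regular files rather than symbolic links back into the product HFS, and that java.security lists IBMJCECCA as provider 1 with a contiguous, duplicate-free provider list. The paths and the java.security content it is run against are constructed for demonstration.

```shell
#!/bin/sh
# Added verification for the z/OS policy-file and java.security setup above
# (example code, not from the IBM documentation). Checks that the JCE policy
# jars are regular files (a leftover symlink still points at the product HFS
# and its restricted policy) and that IBMJCECCA is provider 1 in a contiguous
# provider list. Directory paths are constructed examples.

# check_policy_files DIR: 0 when US_export_policy.jar and local_policy.jar in
# DIR are regular files, 1 if either is missing or still a symbolic link.
check_policy_files() {
    dir=$1
    rc=0
    for jar in US_export_policy.jar local_policy.jar; do
        if [ -L "$dir/$jar" ]; then
            echo "WARN: $dir/$jar is still a symbolic link" >&2; rc=1
        elif [ ! -f "$dir/$jar" ]; then
            echo "WARN: $dir/$jar is missing" >&2; rc=1
        fi
    done
    return $rc
}

# check_provider_order FILE: 0 when the active (uncommented) security.provider.N
# lines in FILE put IBMJCECCA first and are numbered 1..N without gaps or
# duplicates (a duplicate number would silently shadow one provider).
check_provider_order() {
    file=$1
    # Keep only active provider lines, normalised to "N=class".
    active=$(sed -n 's/^[[:space:]]*security\.provider\.\([0-9][0-9]*\)=\(.*\)$/\1=\2/p' "$file")
    [ -n "$active" ] || { echo "WARN: no active providers in $file" >&2; return 1; }
    first=$(printf '%s\n' "$active" | grep '^1=' | sed 's/^1=//')
    case $first in
        com.ibm.crypto.hdwrCCA.provider.IBMJCECCA) ;;
        *) echo "WARN: provider 1 is '$first', expected IBMJCECCA" >&2; return 1 ;;
    esac
    # The sorted provider numbers must equal the sequence 1..N exactly.
    nums=$(printf '%s\n' "$active" | cut -d= -f1 | sort -n)
    n=$(printf '%s\n' "$nums" | wc -l | tr -d ' ')
    expected=$(i=1; while [ "$i" -le "$n" ]; do echo "$i"; i=$((i + 1)); done)
    if [ "$nums" != "$expected" ]; then
        echo "WARN: provider numbers are not contiguous: $(echo $nums)" >&2
        return 1
    fi
    return 0
}

# Usage: check_policy_files "$JAVA_HOME/lib/security" &&
#        check_provider_order "$JAVA_HOME/lib/security/java.security"
```

Run it in the configuration HFS of both the deployment manager and the application server after step 8; a non-zero exit with a WARN line means the step that produced that file still needs attention.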

Results

This procedure configures and enables a hardware cryptographic device for all Web services security applications running on the WebSphere Application Server.




Last updated: Nov 25, 2008 2:35:59 AM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.wsfep.multiplatform.doc/info/ae/ae/twbs_enable_hardacc.html