You can create a hardware cryptographic keystore that WebSphere
Application Server can use to provide cryptographic token support
in the server configuration.
About this task
Complete the following steps in the administrative console:
Procedure
- Click Security > SSL certificate and key management > {Inbound | Outbound} > Key stores and certificates.
- Click New.
- Type a name to identify the keystore. This name
is used to enable hardware cryptography in the Web services security
configuration.
- Optionally, you can type a description for the keystore
in the Description field.
- Optionally, specify a Management scope for the keystore. The management scope determines where this Secure Sockets Layer (SSL) configuration is visible. For example, if you choose a specific node, the configuration is visible only on that node and on any servers that are part of that node.
- Type the path for the hardware device-specific configuration file. The configuration file is a text file that contains entries in the format attribute = value. The valid attributes and values are described in detail in the Software Developer Kit, Java Technology Edition documentation. The two mandatory attributes are name and library, as shown in the following sample:

    name = FooAccelerator
    library = /opt/foo/lib/libpkcs11.so
    slotListIndex = 0

  The configuration file should also include device-specific configuration data. Sample configuration files are provided in the PKCS11ImplConfigSamples.jar file, under the heading "PKCS 11 Implementation Provider" on the Java technology site http://www.ibm.com/developerworks/java/jdk/security/50/.
- If token login is required, type the keystore password in the Password field. Operations that use keys on the token require a secure login. This field is optional if the keystore is used as a cryptographic accelerator; in that case, you need to select the Enable cryptographic operations on hardware device option.
  For compatibility with the JCE keystore, which requires a password, the JCERACFKS keystore uses the password password. Security for a JCERACFKS keystore is not really based on a password as it is for other keystore types; instead, RACF protects it based on the identity of the executing thread. This password is for the keystore file that you specified in the Path field.
- Select the PKCS11 type.
- Select Read only.
- Click OK and Save.
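As an added example (not from the original page or from IBM), a small Python checker for the device-specific configuration file described in the procedure. It assumes only the attribute = value line format shown above and the two mandatory attributes, name and library; the check that the library path exists on the host is an assumption added for illustration.

```python
# Added example, not IBM's code: a minimal checker for a PKCS11 provider
# configuration file in the "attribute = value" format described in the
# procedure. It flags a file that is missing either mandatory attribute
# (name, library) before the keystore is referenced by an SSL configuration.
import os

MANDATORY = ("name", "library")

def parse_pkcs11_config(text):
    """Parse 'attribute = value' lines into a dict; '#' comments and blanks skipped."""
    attrs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'attribute = value'")
        key, value = (part.strip() for part in line.split("=", 1))
        if not key or not value:
            raise ValueError(f"line {lineno}: empty attribute or value")
        if key in attrs:
            raise ValueError(f"line {lineno}: duplicate attribute {key!r}")
        attrs[key] = value
    return attrs

def check_pkcs11_config(text, check_library_exists=True):
    """Return a list of problems; an empty list means the file passed."""
    try:
        attrs = parse_pkcs11_config(text)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing mandatory attribute {k!r}" for k in MANDATORY if k not in attrs]
    if "slotListIndex" in attrs and not attrs["slotListIndex"].isdigit():
        problems.append("slotListIndex must be a non-negative integer")
    # Assumption for illustration: the library should be a file on this host.
    # This confirms only that the path exists, not that it is a PKCS#11 module.
    if check_library_exists and "library" in attrs and not os.path.isfile(attrs["library"]):
        problems.append(f"library {attrs['library']!r} does not exist on this host")
    return problems

# Constructed sample matching the task's example; its library path does not
# exist on this host, so callers disable the existence check for it.
SAMPLE = """\
name = FooAccelerator
library = /opt/foo/lib/libpkcs11.so
slotListIndex = 0
"""
```

Run check_pkcs11_config on the file before you reference the keystore in an SSL configuration; an empty list means the mandatory attributes are present.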
Results
WebSphere Application Server can now provide cryptographic
token support in the server configuration.
What to do next
You can refer to this keystore in any server Secure Sockets
Layer (SSL) configuration to achieve the following results:
- Cryptographic acceleration, because the cryptographic hardware device has no persistent key storage.
- Secure cryptographic hardware, because a cryptographic token generates and securely stores the private key that WebSphere Application Server uses for SSL key exchange.
You can also refer to this keystore in the Web services security
default bindings configuration to achieve similar results.