[AIX HP-UX Linux Solaris Windows]

Setting your system environment for using IKEYMAN

This topic provides detailed information on tasks that you can perform using the IBM® Key Management utility (IKEYMAN). This information does not explain how to configure security options that require updates to the server configuration file.

Before you begin [Linux]

Ensure that the required compat-libstdc++ package exists for your operating system architecture. For more information, see the topic on installing and verifying Linux packages.

About this task

The IKEYMAN user interface is based on the Java platform and uses the Java support that is installed with IBM HTTP Server. IBM HTTP Server installs a Java Virtual Machine (JVM) for IKEYMAN. Do not use IKEYMAN with a JVM that was not installed by IBM HTTP Server, because this is not supported.
In IBM HTTP Server 7.0, two different versions of IKEYMAN are provided. The native Tivoli Global Security Kit (GSKit) that is bundled with IBM HTTP Server 7.0 contains IKEYMAN Version 7, but the JVM that is bundled with IBM HTTP Server includes IKEYMAN Version 8. IKEYMAN Version 8 is enabled by default and is recommended on all platforms.
Supported configurations: Be aware of the following version restrictions:
  • IBM HTTP Server Versions 2.0.47, 6.0, and 6.1 all use IKEYMAN Version 7 exclusively. These versions require that the user remove the <ihsinst>/java/jre/lib/ext/gskikm.jar file to make sure that the latest IKEYMAN code provided by GSKit is used.
  • In IBM HTTP Server 7.0, the default IKEYMAN Version 8 must be used on Solaris or HP-UX, while the other operating systems can optionally use IKEYMAN Version 7.
There are some key differences between Version 7 and Version 8 of IKEYMAN. Version 8 of IKEYMAN:
  • Changes the PKCS11 (cryptographic hardware) interface from previous releases. You must now create an external configuration file and make updates to the /java/jre/lib/security/java.security file.
  • Includes enhanced error reporting
  • Does not add default signer certificates until you press the Populate button.

Procedure

  1. Optional: Users of operating systems other than Solaris and HP-UX who desire to use the traditional IKEYMAN Version 7 interface (for example to use older PKCS11 dialogues) can configure the system to use IKEYMAN Version 7:
    • To use IKEYMAN Version 7.0, move the <ihsinst>/java/jre/lib/ext/gskikm.jar file to a directory that is not in the JDK class path, extdirs path, or the bootclasspath environment variable.
      For example, use the following command to move the file:
      mv <ihs_install_path>/java/jre/lib/ext/gskikm.jar <ihs_install_path>/lib/gskikm.jar
    • To use IKEYMAN Version 8.0, ensure that the /java/jre/lib/ext/gskikm.jar file exists. Applying Java SDK maintenance will restore this file if it has been moved or removed.
  2. Optional: Install unlimited strength JCE policy files. You might experience a certificate problem when you open a certificate that has a key with a higher level of cryptography than your policy files permit.
    1. Download and install the files from the Unrestricted JCE policy files topic on the IBM support site.
    2. Find the maximum key sizes permitted by key type with the default policy files in the Maximum Key Sizes Allowed by "Strong" Jurisdiction Policy Files section of the Java Cryptography Extension (JCE) Reference Guide.
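
The selection rule from step 1, together with the Solaris and HP-UX restriction, can be checked with a short script. This is an added example, not IBM-supplied code: the function names ikeyman_version and ikeyman_check are hypothetical, and the script assumes an IBM HTTP Server 7.0 install root passed as the first argument.

```shell
#!/bin/sh
# Added example (not IBM code). Applies this page's rules for IBM HTTP Server 7.0.
# Assumptions: $1 is the IHS install root (<ihsinst>); an optional $2 overrides
# the OS name reported by `uname -s`. Function names are hypothetical.

# Print 8 if gskikm.jar is in the JVM extension directory, otherwise 7.
ikeyman_version() {
    if [ -f "$1/java/jre/lib/ext/gskikm.jar" ]; then
        echo 8
    else
        echo 7
    fi
}

# Return 0 if the selection is consistent with the page, 1 if unsupported on
# this OS, 2 if Version 7 was chosen but gskikm.jar is still on CLASSPATH.
ikeyman_check() {
    ihs_root=$1
    os=${2:-$(uname -s)}
    ver=$(ikeyman_version "$ihs_root")

    if [ "$ver" = 7 ]; then
        case "$os" in
            SunOS|HP-UX)   # Solaris and HP-UX must use the default Version 8
                echo "UNSUPPORTED: IKEYMAN 7 on $os; gskikm.jar missing from $ihs_root/java/jre/lib/ext"
                return 1 ;;
        esac
        # The moved jar must not remain reachable through the class path.
        case ":${CLASSPATH:-}:" in
            *gskikm.jar*)
                echo "WARNING: gskikm.jar is still listed in CLASSPATH"
                return 2 ;;
        esac
    fi
    echo "OK: IKEYMAN Version $ver selected on $os"
}

# Run the check only when an install root is given on the command line.
if [ $# -gt 0 ]; then
    ikeyman_check "$@"
fi
```

The script inspects only the CLASSPATH environment variable; the extdirs and bootclasspath settings named in step 1 still need to be checked by hand.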



Related tasks
Using IKEYMAN Version 7 to store keys on a PKCS11 device
Using IKEYMAN Version 8 to store keys on a PKCS11 device
[Linux] Installing and verifying Linux packages
Related reference
Unrestricted JCE policy files
Maximum Key Sizes Allowed by "Strong" Jurisdiction Policy Files, Java Cryptography Extension (JCE) Reference Guide
Related information
Managing keys with the IKEYMAN graphical interface (Distributed systems)

Last updated: Oct 21, 2010 11:50:03 AM CDT
File name: tihs_ikeyman.html