Configure to use cryptographic tokens

 


 

Overview

To configure a Java client application with cryptographic token support, edit...

$WAS_HOME/sas.client.props

To configure an appserver with cryptographic token support, use the Admin console.

To make WAS (both the run time and the key management utility) work correctly with any cryptographic token device, become familiar with Java Secure Socket Extension.

Unzip...

$WAS_HOME/web/docs/jsse/native-support.zip

...and copy the correct libraries, with respect to target operating system, to the appropriate location. Otherwise, link errors might occur at run time, or the key management tool might not work properly with the cryptographic device library.

To install your device, follow the documentation that accompanies your device.

 

Procedures

  1. To configure a client to use a cryptographic token, edit the sas.client.props file and set the following properties.

    Leave the KeyStore File Name and the KeyStore File Password fields in an SSL configuration blank if you want to use only cryptographic tokens as your keystore file.

    com.ibm.ssl.tokenType= Specifies the type of built-in keystore file that is implemented in the cryptographic token. The valid values are:
    • PKCS#7
    • PKCS#11
    • PKCS#12
    • MSCAPI

    com.ibm.ssl.tokenLibraryFile= Specifies the token file name for PKCS#7 and PKCS#12 tokens, and the library name for PKCS#11 and MSCAPI tokens. Make sure the cryptographic token device is installed and functions properly, and that a cryptographic token has been created. Unzip...

    $WAS_HOME/web/docs/jsse/native-support.zip

    ...to copy the required libraries with respect to the target operating system.

    com.ibm.ssl.tokenPassword= Specifies the password to unlock the cryptographic token.

  2. To configure an appserver to use a cryptographic token, complete the following steps.

    Leave the KeyStore File Name and the KeyStore File Password fields in an SSL configuration blank if you want to use only cryptographic tokens as your keystore file.

    1. Go to...

      Administrative console | Security | SSL

    2. Create a new SSL setting alias if one does not exist. Otherwise, click the alias that you want to configure for the cryptographic token.

    3. Click...
      Cryptographic Token SSL Configuration Repertoires | SSL alias | Cryptographic Token

    4. Complete the information for Token Type to specify the type of built-in keystore file that is implemented in the cryptographic token. The valid values are:
      • PKCS#7
      • PKCS#11
      • PKCS#12
      • MSCAPI

    5. Complete the information for Library File to specify the token and file name for PKCS#7 and PKCS#12 tokens, and the library name for PKCS#11 and MSCAPI tokens. Make sure the cryptographic token device is installed and functions properly with a new cryptographic token. Unzip...

      $WAS_HOME/web/docs/jsse/native-support.zip

      ... to copy the required libraries with respect to the target operating system.

    6. Complete the information for Password to specify the password for unlocking the cryptographic token.

    7. Click Apply and OK to go back to the SSL Alias panel.

    8. Select the box to enable Cryptographic Token.

    9. Click Apply, OK, and Save to save the configuration.

The configuration is enabled to support the specified cryptographic token for an SSL connection.
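
A pre-deployment check for the client properties from step 1, as an added example that is not part of the original documentation or of the product. It assumes the keystore fields appear in sas.client.props as com.ibm.ssl.keyStore and com.ibm.ssl.keyStorePassword (names not given on this page); the sample file content, library path and values are constructed.

```python
# Token types this page lists as valid for com.ibm.ssl.tokenType.
VALID_TOKEN_TYPES = {"PKCS#7", "PKCS#11", "PKCS#12", "MSCAPI"}
# Assumed property names for the keystore fields (not given on the page).
KEYSTORE_PROPS = ("com.ibm.ssl.keyStore", "com.ibm.ssl.keyStorePassword")


def parse_props(text):
    """Parse key=value lines; '#' or '!' starts a comment only at line start."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()  # '#' inside a value (PKCS#11) is kept
    return props


def check_token_config(props, token_only=True):
    """Return a list of findings for the cryptographic token settings."""
    findings = []
    token_type = props.get("com.ibm.ssl.tokenType", "")
    if token_type not in VALID_TOKEN_TYPES:
        findings.append(f"tokenType {token_type!r} is not one of {sorted(VALID_TOKEN_TYPES)}")
    for name in ("com.ibm.ssl.tokenLibraryFile", "com.ibm.ssl.tokenPassword"):
        if not props.get(name):
            findings.append(f"{name} is empty")
    if token_only:
        for name in KEYSTORE_PROPS:
            if props.get(name):
                findings.append(f"{name} should be blank when only the token is used")
    return findings


# Constructed sample: misspelled token type, leftover keystore, no token password.
SAMPLE = """\
# constructed example, not a real configuration
com.ibm.ssl.keyStore=/opt/example/etc/ExampleClientKeyFile.jks
com.ibm.ssl.keyStorePassword=
com.ibm.ssl.tokenType=PKCS11
com.ibm.ssl.tokenLibraryFile=/usr/lib/libexample-pkcs11.so
com.ibm.ssl.tokenPassword=
"""

if __name__ == "__main__":
    for finding in check_token_config(parse_props(SAMPLE)):
        print("FINDING:", finding)
```

Run against the constructed sample, the check reports the misspelled token type, the empty token password and the keystore file name that was left set.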

 

Usage Scenario

If the server configuration has changed, restart the configured server.

 

See Also

Managing digital certificates
Cryptographic token settings
Cryptographic token support