Operating Systems: i5/OS
Configure a hardware cryptographic keystore
You can create a hardware cryptographic keystore that WebSphere
Application Server can use to provide cryptographic token support in the server
configuration.
Overview
Complete the following steps in the administrative console:
Procedure
- Click Security > SSL certificate and key management > Manage
endpoint security configurations > {Inbound | Outbound} > >
Key stores and certificates.
- Click New.
- Type a name to identify the keystore. This name is used
to enable hardware cryptography in the Web services security configuration.
- Type the path for the hardware device-specific
configuration file. The configuration file is a text file that
contains entries in the following format: attribute = value.
The valid values for attribute and value are described in detail in the Software
Developer Kit, Java Technology Edition documentation. The two mandatory attributes
are name and library, as shown in the following sample code:
name = FooAccelerator
library = /opt/foo/lib/libpkcs11.so
slotListIndex = 0
The configuration file should also include device-specific
configuration data. Navigate to the PKCS11ImplConfigSamples.jar file, which
contains sample configuration files, under the heading "PKCS 11 Implementation
Provider" on the Java technology site http://www.ibm.com/developerworks/java/jdk/security/50/.
Note: If you want to use the IBMPKCS11Impl provider, initialize the provider individually and pass the provider instance explicitly to the JCE getInstance method. JSSE2 is unable to use the IBMPKCS11Impl provider for acceleration.
- See http://www.ibm.com/developerworks/java/jdk/security/50/secguides/pkcs11implDocs/IBMJavaPKCS11ImplementationProvider.html for how to initialize the IBMPKCS11Impl provider in a thread-safe way.
- Specify a unique .cfg file that contains information about the supported hardware device. A list of supported hardware devices is available at http://www.ibm.com/developerworks/java/jdk/security/50/secguides/pkcs11implDocs/IBMPKCS11SupportList.html
- Call the Signature.getInstance method with the properly initialized IBMPKCS11Impl provider instance, as shown:
Signature.getInstance("SHA1withRSA", ibmpkcs11implinstance);
- Type a password if the token login is required. Operations
that use keys on the token require a secure login. This field is optional
if the keystore is used as a cryptographic accelerator. In this case, you
need to select Enable pure acceleration for hardware cryptographic operations.
- Select the PKCS11 type.
- Select Read only.
- Click OK and Save.
Results
WebSphere Application Server can now provide cryptographic token support
in the server configuration.
What to do next
You can refer to this keystore in any server Secure Sockets Layer
(SSL) configuration to achieve the following results:
- Cryptographic acceleration because the cryptographic hardware device has
no persistent key storage
- Secure cryptographic hardware because a cryptographic token generates
and securely stores the private key that WebSphere Application Server uses
for SSL key exchange.
You can also refer to this keystore in the Web services security default
bindings configuration to achieve similar results.