Home

 

Configuring IHS to use nCipher and Rainbow accelerator devices and PKCS11 devices

The IBM HTTP Server enables nCipher and Rainbow accelerator devices by default. To disable your accelerator device, add the SSLAcceleratorDisable directive to your configuration file.

When using the IBM e-business Cryptographic Accelerator, or the IBM 4758, the user ID under which the Web server runs must be a member of the PKCS11 group. You can create the PKCS11 group by installing the bos.pkcs11 package or its updates. Change the Group directive in the configuration file to group pkcs11.

If we want the IHS to use the PKCS11 interface, configure the following:

1. Stash your password to the PKCS11 device, or optionally enable password prompting: Syntax: sslstash [-c] <file> <function> <password> where:

   • -c: Creates a new stash file. If not specified, an existing stash file is updated.

   • file: Represents a fully-qualified name of the file to create or update.

   • function: Represents the function for which the server uses the password. Valid values include crl or crypto.

   • password: Indicates the password to stash.

2. Place the following directives in your configuration file:
   • SSLPKCSDriver <fully qualified name of the PKCS11 driver used to access PKCS11 device>

     See SSLPKCSDriver directive for the default locations of the PKCS11 module, for each PKCS11 device.

   • SSLServerCert <token label: key label of certificate on PKCS11 device>
   • SSLStashfile <fully qualified path to the file containing the password for the PKCS11 device>
   • Keyfile <fully qualified path to key file with signer certificates>