Before starting the iKeyman GUI, do the following:
1. Install IBM or an IBM-equivalent JDK 1.3; or, if using JDK 1.4, pay
attention to special instructions in Step 6a.
2. Set JAVA_HOME to point to the directory where JDK 1.3 is installed; for
example:
export JAVA_HOME=/opt/IBMJava2-13 for PowerPC
3. Remove the ibmjsse.jar and the gskikm.jar (if any) and
ibmjcaprovider.jar files from your JAVA_HOME/jre/lib/ext directory.
4. Register IBM JCE, IBM CMS, and/or IBMJCEFIPS service providers:
- For JSSE, you must register the IBMJCE provider as
described below:
Update the JAVA_HOME/jre/lib/security/java.security file to add the IBMJCE
provider after the Sun provider. For example:
-- security.provider.1=sun.security.provider.Sun
-- security.provider.2=com.ibm.crypto.provider.IBM JCE
A sample java.security file for JSSE users is located in
/usr/local/ibm/gsk6/classes/gsk_java.security.
- For GSKit, you must register both the IBM CMS and IBM JCE
service providers as described below:
Update the JAVA_HOME/jre/lib/security/java.security file to add both IBM
CMS and IBM JCE providers after the Sun provider. For example:
-- security.provider.1=sun.security.provider.Sun
-- security.provider.2=com.ibm.spi.IBMCMSProvider
-- security.provider.3=com.ibm.crypto.provider.IBMJCE
A sample java.security file can be found in GSKit Installation
path\classes\gsk_java.security.
To enable FIPS operation, you must update the
JAVA_HOME/jre/lib/security/java.security file to add IBMCMS, IBMJCE and
IBMJCEFIPS providers after the Sun provider. Ensure the IBMJCEFIPS
provider is registered at a higher priority than IBMJCE. For example:
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.spi.IBMCMSProvider
security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.4=com.ibm.crypto.provider.IBMJCE
5. This step is optional. If you are using JSSE and use JSSE to access
crypto hardware, install the ibmpkcs11.jar in the JAVA_HOME\jre\lib\ext
directory and follow the instructions in GSKit Installation
path/classes/native/nativesupport. Zip to setup the crypto hardware
DLLs.
Note: To register an IBMPKCS11 service provider, an example that updates
the JAVA_HOME/jre/lib/security/java.security file is the following:
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.crypto.pkcs11.provider.IBMPKCS11
6. If you want to use your own jce jar files, go to Step 6b. (For MOST,
skip to Step 6b.)
a. For JDK 1.3, make sure JAVA_HOME\jre\lib\ext\ has the following jar
files:
ibmjceprovider.jar
ibmpkcs.jar
ibmjcefw.jar
ibmjcefips.jar (optional to support FIPS)
local_policy.jar
US_export_policy.jar
JDK 1.4 has the following changes in the location of the jce jar files:
/jre/lib/ibmjcefw.jar
/jre/lib/security/local_policy.jar
/jre/lib/ext/ibmjceprovider.jar
/jre/lib/ibmpkcs11.jar
To start iKeyman, type: gsk6ikm
b. To start iKeyman using the GSKit jce jars (recommended), type:
gsk6ikm -Djava.ext.dirs=GSKit Installation
path/classes/jre/lib/ext/
Using the default installation path, the command is:
gsk6ikm -Djava.ext.dirs=/usr/local/ibm/gsk6/classes/jre/lib/ext/
Note: The above jar files and ibmpkcs11.jar are available under GSKit
Installation path\classes\jre\lib\ext for your convenience. Also, the
instructions above assume that /bin/ is included in the system PATH.
|