Configuring to use cryptographic tokens

You can configure cryptographic token support in both client and server configurations. To configure a Java client application, edit the sas.client.props configuration file. By default, the sas.client.props file is located in the properties directory under the <install_root> of your WebSphere Application Server installation. To configure a WebSphere Application Server, use the administrative console. To start the administrative console, specify the URL http://<server_hostname>:9090/admin.

Before you begin

To understand how to make WebSphere Application Server (both the runtime and the iKeyman utility) work correctly with any cryptographic token device, become familiar with the Java Secure Socket Extension (JSSE) documentation that is available on the DeveloperWorks Web site at the following address: http://www.ibm.com/developerworks/java/jdk/security/. On this Web site, select the appropriate Java 2 Platform, Standard Edition (J2SE) version and read the JSSE and iKeyman documentation.

Unzip the install_root/web/docs/jsse/native-support.zip file and copy the correct libraries for the target operating system to the appropriate location. Otherwise, link errors might occur at run time, or the key management tool might not work properly with the cryptographic device library.

Follow the documentation that accompanies your device to install your cryptographic device. Installation instructions for IBM cryptographic hardware devices can be found in the Administration section of Resources for learning.

Steps for this task

  1. To configure a client to use a cryptographic token, edit the sas.client.props file and set the following properties. Leave the KeyStore File Name, KeyStore File Password, TrustStore File Name, and TrustStore File Password fields in a Secure Sockets Layer (SSL) configuration blank if you want to use only cryptographic tokens as your keystore.
    com.ibm.ssl.tokenType
    Specifies the type of built-in keystore file that is implemented in the cryptographic token (for example, com.ibm.ssl.tokenType=PKCS#11). The valid values are: PKCS#7, PKCS#11, PKCS#12, and MSCAPI.
    com.ibm.ssl.tokenLibraryFile
    Specifies the token file name for PKCS#7 and PKCS#12 tokens, and the library name for PKCS#11 and MSCAPI tokens. Make sure the cryptographic token device is installed and functions properly with a cryptographic token created. Unzip the native-support.zip file from the install_root/web/docs/jsse directory to copy the required libraries for the target operating system.
    com.ibm.ssl.tokenPassword
    Specifies the password to unlock the cryptographic token.
  2. Configure your server to use the cryptographic device.
    Leave the KeyStore File Name, KeyStore File Password, TrustStore File Name, and TrustStore File Password fields in an SSL configuration blank if you want to use only cryptographic tokens as your keystore. You can modify an existing configuration by clicking Security > SSL > alias. You must specify an alias and select the Cryptographic token option. If you are using the default cryptographic device, unzip the native-support.zip file from the install_root/web/docs/jsse directory to copy the required libraries for the target operating system. The following directions explain how to configure WebSphere Application Server for a new cryptographic device.
    1. Specify http://server_hostname:9090/admin to start the administrative console.
    2. Click Security > SSL to open the SSL Configuration Repertoires panel.
    3. Click New to create a new SSL setting alias if you do not want to use the default.
    4. Specify an alias name in the alias field for the new cryptographic device.
      After you configure the cryptographic device, this alias appears on the Security > SSL panel and in the Authentication protocol > SAS outbound transport list.
    5. Select Cryptographic token and click OK.
      The SAS outbound transport panel opens.
    6. Complete the information for Token Type to specify the type of built-in keystore file that is implemented in the cryptographic token. The valid values are: PKCS#7, PKCS#11, PKCS#12, or MSCAPI.
    7. Complete the information for Library File to specify the path to the cryptographic device driver.
      Make sure the cryptographic token device is installed and functions properly with a new cryptographic token.
    8. Complete the information for Password to specify the password for unlocking the cryptographic device.
    9. Click Apply and OK.
      WebSphere Application Server displays the Authentication protocol > SAS outbound transport list.
    10. Select the appropriate cryptographic device from the SSLSettings menu.

Results

The configuration is enabled to support the specified cryptographic token for the SSL connection.

Example
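The following is an added example, not part of IBM's documentation or product: a small check that reads a sas.client.props file and verifies the cryptographic token properties described in step 1 (valid tokenType, a tokenLibraryFile and tokenPassword present, and the file-based keystore and truststore fields blank for a token-only setup). The keyStore/trustStore property names and the sample library path are assumptions.

```python
# Added example (not IBM's code): sanity-check the cryptographic-token
# properties in a sas.client.props file before starting a Java client.
VALID_TOKEN_TYPES = {"PKCS#7", "PKCS#11", "PKCS#12", "MSCAPI"}
# Assumed names of the keystore/truststore properties that must stay blank
# for a token-only configuration (standard sas.client.props names).
FILE_STORE_KEYS = ("com.ibm.ssl.keyStore", "com.ibm.ssl.keyStorePassword",
                   "com.ibm.ssl.trustStore", "com.ibm.ssl.trustStorePassword")


def parse_props(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_token_config(props: dict[str, str]) -> list[str]:
    """Return the problems found; an empty list means the settings are consistent."""
    problems: list[str] = []
    token_type = props.get("com.ibm.ssl.tokenType", "")
    if token_type not in VALID_TOKEN_TYPES:
        problems.append(f"tokenType {token_type!r} not in {sorted(VALID_TOKEN_TYPES)}")
    if not props.get("com.ibm.ssl.tokenLibraryFile"):
        problems.append("tokenLibraryFile is empty: no token file or device library named")
    if not props.get("com.ibm.ssl.tokenPassword"):
        problems.append("tokenPassword is empty: the token cannot be unlocked")
    set_stores = [k for k in FILE_STORE_KEYS if props.get(k)]
    if set_stores:
        problems.append("file-based keystore fields are set, so the token is not the "
                        "only keystore: " + ", ".join(set_stores))
    return problems


# Constructed sample: a token-only PKCS#11 client configuration.
SAMPLE_OK = """\
com.ibm.ssl.tokenType=PKCS#11
com.ibm.ssl.tokenLibraryFile=/opt/pkcs11/lib/libpkcs11.so
com.ibm.ssl.tokenPassword=example-token-pin
com.ibm.ssl.keyStore=
com.ibm.ssl.keyStorePassword=
com.ibm.ssl.trustStore=
com.ibm.ssl.trustStorePassword=
"""
```

Running `check_token_config(parse_props(open("sas.client.props").read()))` against a real client file lists anything that would make the token configuration fail at startup or silently fall back to a file keystore.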

What to do next

If the server configuration has changed, restart the configured server.

Related tasks
Managing digital certificates
Related reference
Cryptographic token settings
Cryptographic token support



Searchable topic ID:   tseccrypto
Last updated: Jun 21, 2007 8:07:48 PM CDT    WebSphere Business Integration Server Foundation, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/tsec_crypto.html
