Cryptographic token support

A cryptographic token is a hardware or software device with a built-in keystore implementation. The cryptographic device is used to manage certificates stored on the cryptographic tokens (also known as smartcards).

Both cryptographic accelerators, where the cryptographic hardware device has no persistent key storage, and secure cryptographic hardware, where a cryptographic token generates and securely stores the private key used for Secure Sockets Layer (SSL) key exchange, are supported in the product.

[AIX HP-UX Linux Solaris Windows] Hardware cryptographic token support has changed providers in Version 6. In Version 5 and before, WebSphere Application Server used the com.ibm.crypto.pkcs11.provider.IBMPKCS11 provider for hardware crypto support along with the old IBMJSSE provider for SSL. The IBMPKCS11 provider is still used when accessing hardware using IKeyMan. The IBMJSSE provider can still be used, if necessary, for SSL.

[AIX HP-UX Linux Solaris Windows] Note: To use cryptographic token devices in the Solaris Operating Environment, you must edit the ${WAS_INSTALL_ROOT}/java/jre/lib/security/java.security file. Uncomment the line containing com.ibm.crypto.pkcs11.provider.IBMPKCS11. By default, the line is commented out because the algorithm MD4 is not present in the IBMPKCS11 provider.
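
The following shell functions are an added example, not taken from the IBM documentation. They read java.security text on standard input, report whether the com.ibm.crypto.pkcs11.provider.IBMPKCS11 line is active or still commented out, and flag a provider index that ends up reused once the line is uncommented. The function names, the sample file contents and the example.Provider* class names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM's code): audit java.security text read from stdin.
PKCS11_CLASS='com.ibm.crypto.pkcs11.provider.IBMPKCS11'

# Constructed sample; example.Provider* are placeholder class names.
sample_config() {
    cat <<'EOF'
security.provider.1=example.ProviderA
security.provider.2 = example.ProviderB
#security.provider.3=com.ibm.crypto.pkcs11.provider.IBMPKCS11
security.provider.3=example.ProviderC
EOF
}

# Shared parser: emits "<active|commented> <index> <class>" per provider line.
provider_lines() {
    awk '{
        line = $0
        sub(/\r$/, "", line); sub(/^[ \t]*/, "", line)
        state = sub(/^#+[ \t]*/, "", line) ? "commented" : "active"
        if (!match(line, /^security\.provider\.[0-9]+[ \t]*=[ \t]*/)) next
        key = substr(line, 1, RLENGTH); val = substr(line, RLENGTH + 1)
        gsub(/[^0-9]/, "", key)          # keep only the index N
        split(val, tok, /[ \t]+/)        # class name is the first token
        print state, key, tok[1]
    }'
}

# Prints "active:<N>", "commented" or "absent" for class $1 (exact match,
# so IBMPKCS11Impl is never mistaken for IBMPKCS11).
provider_state() {
    provider_lines | awk -v cls="$1" '
        $3 == cls && $1 == "active"    { n = $2 }
        $3 == cls && $1 == "commented" { c = 1 }
        END { print (n != "" ? "active:" n : (c ? "commented" : "absent")) }'
}

# Prints indexes used by more than one active line. java.util.Properties
# keeps only the last value for a repeated key, silently dropping a provider.
duplicate_indexes() {
    provider_lines | awk '
        $1 == "active" && ++seen[$2] == 2 { out = out (out == "" ? "" : " ") $2 }
        END { print out }'
}

sample_config | provider_state "$PKCS11_CLASS"                                 # commented
sample_config | sed 's/^#security/security/' | provider_state "$PKCS11_CLASS"  # active:3
sample_config | sed 's/^#security/security/' | duplicate_indexes               # 3
```

To audit an installation, redirect the real file into a function, for example provider_state "$PKCS11_CLASS" < "${WAS_INSTALL_ROOT}/java/jre/lib/security/java.security".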

The WebSphere Application Server runtime in Version 6 now uses the com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl provider for hardware crypto support and the IBMJSSE2 provider for SSL. Both the IBMPKCS11Impl and IBMJSSE2 providers are initialized programmatically. The IBMPKCS11Impl provider is only initialized when hardware crypto is configured in one of the SSL repertoire configurations. Once the IBMPKCS11Impl provider is configured, the IBMPKCS11 provider cannot be used in the system, because only one provider can initialize a hardware crypto card in the same process.

For more information on the IBMPKCS11Impl provider, see the DeveloperWorks Security Information Web site. On this Web site, select the appropriate Java 2 Platform, Standard Edition (J2SE) version and read the IBMPKCS11Impl documentation. The documentation is not available for J2SE 1.4.2 for Intel 32-bit Debug Platforms and z/OS64 and AMD 64.

For more information on the IBMJSSE2 provider, see the DeveloperWorks Security Information Web site. On this Web site, select the appropriate Java 2 Platform, Standard Edition (J2SE) version and read the IBMJSSE2 documentation.




Related tasks
[AIX HP-UX Linux Solaris Windows] Configuring to use cryptographic tokens

Last updated: Aug 29, 2010 10:43:27 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=v602web&product=was-nd-mp&topic=rseccryptts
File name: rsec_cryptts.html