Integrated Cryptographic Service Facility (ICSF) is the
software on a z/OS system that serves as the interface to the hardware
where keys can be stored. IBMJCE4758RACFKS keystores handle certificates
and keys that are managed in Resource Access Control Facility (RACF). The certificates
are stored in RACF, but you can store the keys in ICSF to exploit the hardware cryptography
for operations such as encryption, decryption, and signing.
Before you begin
Note: The JCE4758RACFKS keystore type is only available
on the z/OS platform.
About this task
Note: If
the key is to be stored in the hardware, generating new keys
in RACF requires the ICSF option.
Procedure
- Make a backup copy of the original restricted local_policy.jar and US_export_policy.jar files.
- Obtain the Java unrestricted policy jars from the IBM
developer kit: Security information Web site and place them
on the WebSphere Application Server for z/OS system.
Important: Your country of origin
might have restrictions on the import, possession, use, or re-export
to another country, of encryption software. Before downloading or
using the unrestricted policy files, you must check the laws of your
country, its regulations, and its policies concerning the import,
possession, use, and re-export of encryption software, to determine
if it is permitted.
Complete the following steps:
- Click J2SE 1.4.2.
- Scroll down the page then click IBM SDK Policy files.
- Click Sign in and provide your IBM.com ID and password.
- Select Unrestricted JCE Policy files for SDK for
all newer versions: Version 1.4.1 + and click Continue.
- View the license, select I agree, and click I
confirm to continue.
- Click Download now.
- Download the unrestricted local_policy.jar and US_export_policy.jar files
to your WebSphere Application Server for z/OS system and place them
in the WAS_HOME/AppServer/java/lib/security directory.
- Use the chmod 644 command to change the file permissions
so that the control and servant region address spaces can access the
Java archive (JAR) files. For example:
chmod 644 local_policy.jar
chmod 644 US_export_policy.jar
- Start the required ICSF services. Refer to
the Java and ICSF documentation for more information.
- In the java.security file that is
located under $JAVA_HOME/lib/security, add the
following IBMJCE4758 provider
to the top of the provider list:
security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCE4758
- Renumber the remaining providers in the provider list.
- Navigate to Security > Global
Security > SSL.
- Select the JSSE repertoire that
needs to reference the keyring with one or more ICSF certificates.
- Change the Key File Format and Trust
File Format to JCE4758RACFKS. The URI must
use the safkeyringhw scheme instead of safkeyring, for example, safkeyringhw:///WASKeyring.
- Click OK, then click Save to apply these
changes to the master configuration.
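The two java.security steps above (add the IBMJCE4758 provider as security.provider.1, then renumber the remaining providers) are easy to get wrong by hand: a gap or duplicate number in the provider list makes the JCE provider lookup unpredictable. The following POSIX shell script is an added example, not part of the IBM documentation or the WebSphere product; it assumes a POSIX awk and that provider entries have the form security.provider.N=class. The sample java.security fragment it writes is constructed for the example and is not copied from any real system.

```shell
#!/bin/sh
# Added example (not from the IBM page): insert the IBMJCE4758 provider at
# the top of a java.security provider list and renumber the rest.
# Assumes POSIX awk and provider lines of the form security.provider.N=class.

PROVIDER_CLASS="com.ibm.crypto.hdwrCCA.provider.IBMJCE4758"

# add_hw_provider <path-to-java.security>
# Rewrites the file in place: PROVIDER_CLASS becomes security.provider.1,
# existing providers keep their relative order and are renumbered 2..N.
# A pre-existing entry for the same class is dropped so the operation is
# idempotent. The file is overwritten with cat (not mv) so that its original
# mode and owner, which the server address spaces depend on, are preserved.
add_hw_provider() {
    file=$1
    tmp="$file.tmp.$$"
    awk -v cls="$PROVIDER_CLASS" '
        BEGIN { n = 1; inserted = 0 }
        /^security\.provider\.[0-9]+=/ {
            if (!inserted) {                 # first provider line: emit ours first
                print "security.provider.1=" cls
                inserted = 1
            }
            split($0, kv, "=")
            if (kv[2] == cls) next           # drop an existing copy of the class
            n++
            print "security.provider." n "=" kv[2]
            next
        }
        { print }                            # every other line is kept as-is
        END { if (!inserted) print "security.provider.1=" cls }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# check_provider_order <path-to-java.security>
# Returns 0 when security.provider.1 is the hardware provider and the
# numbering is contiguous from 1 with no gaps or duplicates; 1 otherwise.
check_provider_order() {
    awk -v cls="$PROVIDER_CLASS" '
        /^security\.provider\.[0-9]+=/ {
            split($0, kv, "=")
            sub(/^security\.provider\./, "", kv[1])
            count++
            if (kv[1] != count) bad = 1      # gap or duplicate number
            if (count == 1 && kv[2] != cls) bad = 1
        }
        END { exit (bad || count == 0) ? 1 : 0 }
    ' "$1"
}

# make_sample <path>: writes a constructed provider list resembling a
# software-only IBM SDK java.security fragment (sample data, not real).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample java.security fragment
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
securerandom.source=file:/dev/urandom
EOF
}

# demo: run the rewrite on the sample and show the resulting provider list.
demo() {
    f=$(mktemp)
    make_sample "$f"
    add_hw_provider "$f"
    check_provider_order "$f" && grep '^security\.provider\.' "$f"
    rm -f "$f"
}
```

Run demo to see the renumbered list; on a real system call add_hw_provider on $JAVA_HOME/lib/security/java.security and then check_provider_order before restarting the server. Because the rewrite uses cat into the existing file rather than mv, the mode 644 that the control and servant regions need to read the file is left unchanged.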
Results
A keystore is now available to configure SSL connections.
What to do next
You can continue securing communication between the client
and server using this keystore file when setting up an SSL configuration.