You can create a hardware cryptographic keystore that WebSphere
Application Server can use to provide cryptographic token support in the server
configuration.
About this task
Complete the following steps in the administrative console:
Procedure
- Click Security > SSL certificate and key management > {Inbound | Outbound} > Key stores and certificates.
- Click New.
- Type a name to identify the keystore. This name is used
to enable hardware cryptography in the Web services security configuration.
- Optionally, you can type a description for the keystore in the Description field.
- You can specify a Management scope for the key store. This
is not required. The management scope specifies the scope where
this Secure Sockets Layer (SSL) configuration is visible. For example, if
you choose a specific node, then the configuration is only visible on that
node and any servers that are part of that node.
- Type the path for the hardware device-specific configuration file. The configuration file is a text file that contains one entry per line in the format: attribute = value. The valid attributes and their values are described in detail in the Software Developer Kit, Java Technology Edition documentation. The two mandatory attributes are name and library; the slotListIndex attribute in the following sample is optional:
name = FooAccelerator
library = /opt/foo/lib/libpkcs11.so
slotListIndex = 0
The configuration file should also include any device-specific configuration data. Sample configuration files are provided in the PKCS11ImplConfigSamples.jar file, under the heading "PKCS 11 Implementation Provider" on the Java technology site http://www.ibm.com/developerworks/java/jdk/security/50/.
- Type a password if the token requires a login. Operations that use keys on the token require a secure login. This field is optional if the keystore is used only as a cryptographic accelerator; in that case, you must select the Enable cryptographic operations on hardware device option.
- Select the PKCS11 type.
- Select Read only.
- Click OK and Save.
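A pre-flight check for the device configuration file described in the procedure, added here as an example (it is not IBM or WebSphere code). It assumes that a line starting with "#" is a comment and that only name and library are mandatory, as the page states; the sample file and the library path are constructed.

```python
"""Validate a PKCS#11 device configuration file of the 'attribute = value'
form before pointing the administrative console at it.
Assumptions (not from the page): '#' starts a comment, blank lines are
ignored, and slotListIndex, when present, must be a non-negative integer."""
import os
import re

MANDATORY = ("name", "library")
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_pkcs11_config(text):
    """Return {attribute: value}; raise ValueError on a malformed or duplicate line."""
    attrs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'attribute = value', got {raw!r}")
        key, value = m.group(1), m.group(2)
        if key in attrs:
            raise ValueError(f"line {lineno}: duplicate attribute {key!r}")
        attrs[key] = value
    return attrs


def check_pkcs11_config(text, check_library_exists=True):
    """Return a list of problems; an empty list means the file looks usable."""
    try:
        attrs = parse_pkcs11_config(text)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing mandatory attribute {k!r}" for k in MANDATORY if not attrs.get(k)]
    lib = attrs.get("library")
    if lib and check_library_exists and not os.path.isfile(lib):
        problems.append(f"library {lib!r} not found on this host")
    idx = attrs.get("slotListIndex")
    if idx is not None and not idx.isdigit():
        problems.append(f"slotListIndex must be a non-negative integer, got {idx!r}")
    return problems


# Constructed sample mirroring the page's example; the library path is fictitious.
SAMPLE = "# device configuration (constructed sample)\nname = FooAccelerator\nlibrary = /opt/foo/lib/libpkcs11.so\nslotListIndex = 0\n"

if __name__ == "__main__":
    for line in check_pkcs11_config(SAMPLE) or ["config OK"]:
        print(line)
```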
Results
WebSphere Application Server can now provide cryptographic token support
in the server configuration.
What to do next
You can refer to this keystore in any server Secure Sockets Layer
(SSL) configuration to achieve the following results:
- Cryptographic acceleration, when the cryptographic hardware device has no persistent key storage.
- Secure cryptographic hardware, when a cryptographic token generates and securely stores the private key that WebSphere Application Server uses for SSL key exchange.
You can also refer to this keystore in the Web services security default
bindings configuration to achieve similar results.