Before you can use a hardware cryptographic device, you must configure and enable it. You must first configure a hardware cryptographic device using the Secure Sockets Layer (SSL) certificate and key management panels in the administrative console. The key for the cryptographic operation can be stored in an ordinary Java™ keystore file and need not be stored on the hardware device. You enable cryptographic operations by performing specific file setup procedures to ensure that the cryptographic device can be used.
Before you begin
You must first configure a hardware cryptographic device using the Secure Sockets Layer (SSL) certificate and key management panels in the administrative console.
Procedure
In the administrative console, click Servers > Server types > WebSphere® application servers and then select the server name.
Under Security, select JAX-WS and JAX-RPC security runtime.
Under Cryptographic Hardware, select Enable cryptographic operations on hardware device and then specify the hardware cryptographic device configuration name. For more information, read about configuring a hardware cryptographic keystore.
Click OK.
Stop the WebSphere Application Server.
Download and install the new policy files.
Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country of encryption software. Before downloading or using the unrestricted policy files, you must check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
- Click J2SE 5.0.
- Scroll down the page, then click IBM® SDK Policy files. The Unrestricted JCE Policy files for SDK 5 Web site displays.
- Click Sign in and provide your IBM.com ID and password.
- Select Unrestricted JCE Policy files for SDK 5 and click Continue.
- View the license and click I Agree to continue.
- Click Download Now.
- Extract the unlimited jurisdiction policy files that are packaged in the ZIP file. The ZIP file contains a US_export_policy.jar file and a local_policy.jar file.
- In your WebSphere Application Server installation, go to the $JAVA_HOME/jre/lib/security directory and back up your US_export_policy.jar and local_policy.jar files.
- Replace your US_export_policy.jar and local_policy.jar files with the two files that you downloaded from the IBM.com Web site. For example, copy $JAVA_HOME/demo/jce/policy-files/unrestricted/* to $JAVA_HOME/lib/security.
Delete any symbolic links for these policy files and copy the real files to the appropriate $JAVA_HOME directory. Perform this deletion for both the deployment manager and the application server. For example, these are the files before the symbolic link change:
    /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security : > ls -l
    lrwxrwxrwx 1 WSOWNER WSCFG1 54 Sep 19 16:22 US_export_policy.jar -> /zWAS61B/V6R1/java64/lib/security/US_export_policy.jar
    lrwxrwxrwx 1 WSOWNER WSCFG1 41 Sep 19 16:22 cacerts -> /zWAS61B/V6R1/java64/lib/security/cacerts
    lrwxrwxrwx 1 WSOWNER WSCFG1 45 Sep 19 16:22 java.policy -> /zWAS61B/V6R1/java64/lib/security/java.policy
    -rwxrwxr-x 1 WSOWNER WSCFG1 9917 Sep 19 16:22 java.security
    lrwxrwxrwx 1 WSOWNER WSCFG1 50 Sep 19 16:22 local_policy.jar -> /zWAS61B/V6R1/java64/lib/security/local_policy.jar
Here is where the symbolic links are removed:
    /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security : > rm US_export_policy.jar
    /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security : > rm local_policy.jar
Copy the files from the product HFS to your configuration HFS:
    /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security : > cp /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/demo/jce/policy-files/unrestricted/US_export_policy.jar US_export_policy.jar
    /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security : > cp /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/demo/jce/policy-files/unrestricted/local_policy.jar local_policy.jar
Here are the final results after the symbolic link change:
    /WebSphere/V6R1M0B/DeploymentManager1/java64/lib/security : > ls -l
    -rw-r--r-- 1 ACHARYA WSCFG1 2199 Oct 2 17:06 US_export_policy.jar
    lrwxrwxrwx 1 WSOWNER WSCFG1 41 Sep 28 21:38 cacerts -> /zWAS61B/V6R1/java64/lib/security/cacerts
    lrwxrwxrwx 1 WSOWNER WSCFG1 45 Sep 28 21:38 java.policy -> /zWAS61B/V6R1/java64/lib/security/java.policy
    -rwxrwxr-x 1 WSOWNER WSCFG1 9917 Oct 2 18:00 java.security
    -rw-r--r-- 1 ACHARYA WSCFG1 2212 Oct 2 17:06 local_policy.jar
Alter the java.security file in the $JAVA_HOME/lib/security directory. The file name in the example is /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security/java.security.
- Make sure you perform this alteration in the appropriate $JAVA_HOME directory, for example ../java64/lib/security.
- Uncomment the following line of the file:
    #security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
  and reorder the list of providers and preference orders as follows:
    security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
    #security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.jsse.IBMJSSEProvider
    security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.security.sasl.IBMSASL
    security.provider.8=com.ibm.security.cmskeystore.CMSProvider
    security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
The file structure and content are ready for use.
Start up the WebSphere Application Server. The cryptographic device is enabled for all Web services security applications that run on the WebSphere Application Server.
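The following verification script is an added example and not part of the IBM procedure. Run it against a $JAVA_HOME/lib/security directory after the policy jars have been replaced and java.security has been edited: it confirms that the two policy jars are real files rather than leftover symbolic links into the product HFS, that the uncommented security.provider.1 entry is IBMJCECCA, and that the provider indexes are contiguous and unique, because the JVM reads security.provider.N for N=1,2,... and stops at the first missing index. It assumes a POSIX sh and grep; the function name check_jce_setup is the example's own.

```shell
#!/bin/sh
# Added post-configuration check (not part of the IBM procedure): verify a
# $JAVA_HOME/lib/security directory after the policy jars were replaced and
# java.security was edited. Assumes POSIX sh and grep.
# Usage: check_jce_setup /path/to/lib/security   (exit 0 = all checks pass)

check_jce_setup() {
    dir=$1
    ok=0
    # 1. The unrestricted policy jars must be real files: a leftover symbolic
    #    link into the read-only product HFS means the copy never took effect.
    for jar in US_export_policy.jar local_policy.jar; do
        if [ -L "$dir/$jar" ]; then
            echo "FAIL: $jar is still a symbolic link"; ok=1
        elif [ ! -f "$dir/$jar" ]; then
            echo "FAIL: $jar is missing"; ok=1
        fi
    done
    sec="$dir/java.security"
    if [ ! -f "$sec" ]; then echo "FAIL: $sec not found"; return 1; fi
    # 2. The hardware provider must be the first uncommented provider entry.
    first=$(grep '^security\.provider\.1=' "$sec" | head -n 1)
    case "$first" in
        security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA) ;;
        *) echo "FAIL: security.provider.1 is '$first', expected IBMJCECCA"; ok=1 ;;
    esac
    # 3. Provider indexes must be contiguous and unique: the JVM reads
    #    security.provider.N for N=1,2,... and stops at the first missing index,
    #    so a gap silently drops every provider after it.
    n=1
    dup=0
    while grep -q "^security\.provider\.$n=" "$sec"; do
        if [ "$(grep -c "^security\.provider\.$n=" "$sec")" -ne 1 ]; then
            echo "FAIL: security.provider.$n is defined more than once"; ok=1; dup=1
        fi
        n=$((n + 1))
    done
    total=$(grep -c '^security\.provider\.[0-9][0-9]*=' "$sec" || true)
    if [ "$total" -eq 0 ]; then
        echo "FAIL: no providers defined in $sec"; ok=1
    elif [ "$dup" -eq 0 ] && [ "$total" -ne $((n - 1)) ]; then
        echo "FAIL: provider numbering has a gap after security.provider.$((n - 1))"; ok=1
    fi
    return $ok
}
```

Run it once per JVM that was edited (deployment manager and application server) and look for any FAIL line before restarting the server.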
Results
This procedure configures and enables a hardware cryptographic device for all Web services security applications running on the WebSphere Application Server.