Configuring hardware cryptographic devices for Web Services Security

Before you can use a hardware cryptographic device, you must configure and enable it. You must first configure a hardware cryptographic device using the Secure Sockets Layer (SSL) certificate and key management panels in the administrative console. The key for the cryptographic operation can be stored in an ordinary Java™ keystore file and need not be stored on the hardware devices. You enable cryptographic operations by performing specific file setup procedures to ensure that the cryptographic device can be used.

Procedure

  1. Stop the WebSphere® Application Server.
  2. Download and install the new policy files.
    Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, you must check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
    1. Click J2SE 5.0
    2. Scroll down the page, and then click IBM® SDK Policy files.

      The Unrestricted JCE Policy files for SDK 5 Web site is displayed.

    3. Click Sign in and provide your IBM.com ID and password.
    4. Select Unrestricted JCE Policy files for SDK 5 and click Continue.
    5. View the license and click I Agree to continue.
    6. Click Download Now.
    7. Extract the unlimited jurisdiction policy files that are packaged in the ZIP file. The ZIP file contains a US_export_policy.jar file and a local_policy.jar file.
    8. In your WebSphere Application Server installation, go to the $JAVA_HOME/jre/lib/security directory and back up your US_export_policy.jar and local_policy.jar files.
    9. Replace your US_export_policy.jar and local_policy.jar files with the two files that you downloaded from the IBM.com Web site.
    Below is an example of this copy operation.
    $JAVA_HOME/demo/jce/policy-files/unrestricted/* to
    $JAVA_HOME/lib/security
  3. Delete any symbolic links for these policy files and copy the real files into the appropriate $JAVA_HOME directory. Perform this deletion for both the deployment manager and the Application Server. For example:
    These are the files before the symbolic link change.
    /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security : > ls -l
    lrwxrwxrwx   1 WSOWNER  WSCFG1        54 Sep 19 16:22 US_export_policy.jar -> /zWAS61B/V6R1/java64/lib/security/US_export_policy.jar
    lrwxrwxrwx   1 WSOWNER  WSCFG1        41 Sep 19 16:22 cacerts -> /zWAS61B/V6R1/java64/lib/security/cacerts
    lrwxrwxrwx   1 WSOWNER  WSCFG1        45 Sep 19 16:22 java.policy -> /zWAS61B/V6R1/java64/lib/security/java.policy
    -rwxrwxr-x   1 WSOWNER  WSCFG1      9917 Sep 19 16:22 java.security
    lrwxrwxrwx   1 WSOWNER  WSCFG1        50 Sep 19 16:22 local_policy.jar -> /zWAS61B/V6R1/java64/lib/security/local_policy.jar

    Here is where the symbolic links are removed.
    /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security : > rm US_export_policy.jar
    /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security : > rm local_policy.jar

    Copy the files from the product HFS to your configuration HFS.
    /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security : > cp /WebSphere/V6R1M0B/DeploymentManager1/
    $JAVA_HOME/demo/jce/policy-files/unrestricted/US_export_policy.jar US_export_policy.jar
    /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security : > cp /WebSphere/V6R1M0B/DeploymentManager1/
    $JAVA_HOME/demo/jce/policy-files/unrestricted/local_policy.jar local_policy.jar

    Here are the final results after the symbolic link change.
    /WebSphere/V6R1M0B/DeploymentManager1/java64/lib/security : > ls -l
    -rw-r--r--   1 ACHARYA  WSCFG1      2199 Oct  2 17:06 US_export_policy.jar
    lrwxrwxrwx   1 WSOWNER  WSCFG1        41 Sep 28 21:38 cacerts -> /zWAS61B/V6R1/java64/lib/security/cacerts
    lrwxrwxrwx   1 WSOWNER  WSCFG1        45 Sep 28 21:38 java.policy -> /zWAS61B/V6R1/java64/lib/security/java.policy
    -rwxrwxr-x   1 WSOWNER  WSCFG1      9917 Oct  2 18:00 java.security
    -rw-r--r--   1 ACHARYA  WSCFG1      2212 Oct  2 17:06 local_policy.jar

  4. Alter the java.security file in the $JAVA_HOME/lib/security directory. The file name in the example is /WebSphere/V6R1M0B/DeploymentManager1/$JAVA_HOME/lib/security/java.security.
    1. Make sure that you perform this alteration in the appropriate $JAVA_HOME directory, for example ../java64/lib/security.
    2. Uncomment the following line of the file:
      #security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
      and reorder the list of providers and preference orders as follows:
      security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
      #security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
      security.provider.2=com.ibm.crypto.provider.IBMJCE
      security.provider.3=com.ibm.jsse.IBMJSSEProvider
      security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.6=com.ibm.security.cert.IBMCertPath
      security.provider.7=com.ibm.security.sasl.IBMSASL
      security.provider.8=com.ibm.security.cmskeystore.CMSProvider
      security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    The file structure and content are ready for use.
  5. Start up the WebSphere Application Server. The cryptographic device is enabled for all Web service security applications that run on the WebSphere Application Server.
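The following POSIX shell script is an added example and is not part of the IBM documentation. It checks the outcome of steps 3 and 4 before the server is restarted: that the two policy jars in a given security directory are regular files rather than symbolic links back into the product HFS, and that the uncommented security.provider.N entries in java.security are numbered 1..N with no gaps or duplicates and name the hardware CCA provider first. The script and function names are assumptions; the file names, paths and provider class names are taken from the page.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: post-change checks for the
# two edits the procedure makes. Assumes the $JAVA_HOME/lib/security layout and
# the file names shown on the page; the function names are this example's own.

# check_policy_jars DIR
# Succeeds only when US_export_policy.jar and local_policy.jar in DIR are regular
# files, i.e. the symbolic links into the product HFS were removed and replaced.
check_policy_jars() {
  for jar in US_export_policy.jar local_policy.jar; do
    f="$1/$jar"
    if [ -L "$f" ]; then
      echo "$f is still a symbolic link to the product HFS" >&2; return 1
    elif [ ! -f "$f" ]; then
      echo "$f is missing" >&2; return 1
    fi
  done
}

# check_provider_order FILE
# Succeeds only when the uncommented security.provider.N lines in FILE are
# numbered 1..N with no gaps or duplicates (a second "provider.1" line, e.g. an
# IBMJCEFIPS line left uncommented, would collide) and provider 1 is IBMJCECCA.
check_provider_order() {
  # Active provider lines as "N class" pairs, sorted numerically by N.
  list=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=\(.*\)$/\1 \2/p' "$1" | sort -n)
  [ -n "$list" ] || { echo "no active providers in $1" >&2; return 1; }
  expected=1
  for n in $(printf '%s\n' "$list" | cut -d' ' -f1); do
    [ "$n" -eq "$expected" ] ||
      { echo "provider numbering broken at security.provider.$n" >&2; return 1; }
    expected=$((expected + 1))
  done
  first=$(printf '%s\n' "$list" | head -n 1 | cut -d' ' -f2)
  [ "$first" = "com.ibm.crypto.hdwrCCA.provider.IBMJCECCA" ] ||
    { echo "security.provider.1 is $first, not IBMJCECCA" >&2; return 1; }
}

# Usage: sh check_crypto_setup.sh /WebSphere/V6R1M0B/DeploymentManager1/java64/lib/security
if [ $# -eq 1 ]; then
  check_policy_jars "$1" && check_provider_order "$1/java.security" && echo "$1: OK"
fi
```

Run it once against the deployment manager's security directory and once against the Application Server's, since step 3 has to be done for both.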

Results

This procedure configures and enables a hardware cryptographic device for all Web services security applications running on the WebSphere Application Server.

Last updated: Oct 22, 2010 12:21:29 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-zos&topic=twbs_enable_hardacc
File name: twbs_enable_hardacc.html