A key set group manages one or more key sets. WebSphere® Application Server uses key set groups to generate cryptographic keys automatically, either for a single key set or for several key sets at once so that the keys in the group stay synchronized.
About this task
Complete the following steps in the administrative console:
Procedure
- Decide whether you want to create the key set group at the cell scope or at a scope below the cell, for example at the node, server, or cluster scope.
  - To create a key set group at the cell scope, click Security > SSL certificate and key management > Key set groups.
  - To create a key set group at a scope below the cell level, click Security > SSL certificate and key management > Manage endpoint security configurations > {Inbound | Outbound} > SSL_configuration > Key set groups.
- Choose whether to generate keys for an existing key set group, delete an existing key set group, or create a new key set group.
  - To generate keys for an existing key set group, select a key set group from the list of existing key set groups and click Generate keys. A new key is generated for each key set in the selected group.
  - To delete an existing key set group, select a key set group from the list of existing key set groups and click Delete. The key set group is removed from the configuration.
  - To create a new key set group, continue with the next step (Click New).
CAUTION:
Do not delete the cell or node LTPAKeySetGroup. The Lightweight Third Party Authentication (LTPA) mechanism depends on the keys in that group.
- Click New to create a new key set group.
- Type a key set group name. An application can pass this name to the com.ibm.websphere.crypto.KeySetHelper API to retrieve the managed keys.
- Select one or more key sets from the Key sets list.
  Note: If a key set you want is not listed, check that it was created at the same scope as, or a higher scope than, the scope at which you are creating the new key set group. Key sets created at a lower scope are not visible here.
- Click Add to add the selected key sets to the new key set group.
- Select Automatically generate keys to generate new keys on a schedule. If you generate keys automatically, you must specify a scheduled time of day.
- Specify the scheduled time to generate keys automatically, in hours and minutes, A.M. or P.M., or every 24 hours.
- Choose whether to generate new keys on a specific day or at an interval.
  - Select Generate on a specific day. Select a day of the week from the drop-down list, and type a repeat interval number for the number of days between each key generation. This choice lets you schedule key generation for when your systems are least busy.
  - Select Generate at an interval. Type a repeat interval number for the number of days between each key generation. This choice lets you schedule key generation more frequently than once a week.
Note: The Next start date is a read-only field that shows the date of the next scheduled generation. You can stop and restart the deployment manager or base application server without resetting this date. If the next start date does not appear after you change the configuration, click OK to save the configuration, then check that the next start date is displayed.
- Click Save.
Results
You have created a new key set group that manages its key sets and generates their keys on a schedule.
What to do next
After new keys are generated for the key sets in a group, an application can retrieve them programmatically with the com.ibm.websphere.crypto.KeySetHelper API. If Java 2 Security is enabled, the application must hold a fine-grained permission for each key set it reads. Specify the key set name in the permission target, as in the following sample (keySetName is a placeholder for the actual key set name):
WebSphereRuntimePermission "getKeySets.keySetName".
For more information, see Example: Retrieving the generated keys from a key set group.
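The following Java example is added here and is not the code from the page or from IBM's "Example: Retrieving the generated keys from a key set group". It shows the two things an application needs: the Java 2 Security policy entry that names the key set, and a call into the KeySetHelper API referenced above. The group name "MyKeySetGroup", the key set name "MySecretKeySet", and the application name in the policy comment are hypothetical. The method names getInstance(), getLatestKeysForKeySetGroup() and getAllKeysForKeySetGroup(), the map layout they return, and the package com.ibm.websphere.security for WebSphereRuntimePermission are assumptions recalled from the KeySetHelper API rather than facts stated on this page; check them against the API documentation for your WebSphere version before relying on them.

```java
// Added example, not the page's or IBM's own sample. Assumes a key set group
// "MyKeySetGroup" (hypothetical) containing a secret-key key set "MySecretKeySet"
// (hypothetical). Method names and return types below are recalled from the
// KeySetHelper API and should be verified against the installed API docs.
//
// With Java 2 Security enabled, the application's was.policy must grant the
// fine-grained permission named on this page for every key set it reads, e.g.:
//
//   grant codeBase "file:${application}" {
//     permission com.ibm.websphere.security.WebSphereRuntimePermission
//         "getKeySets.MySecretKeySet";
//   };
//
// Without that grant, the call below fails with an AccessControlException.
import java.security.Key;
import java.util.Map;

import com.ibm.websphere.crypto.KeySetHelper;

public class KeySetGroupReader {

    private static final String KEY_SET_GROUP = "MyKeySetGroup";   // hypothetical name
    private static final String KEY_SET = "MySecretKeySet";        // hypothetical name

    /**
     * Returns the most recently generated key for one key set in the group,
     * or null if the group or key set is not configured at a visible scope.
     * Use this for new encryptions so that every node picks up the same
     * current key after a scheduled generation.
     */
    public static Key latestKey() throws Exception {
        KeySetHelper helper = KeySetHelper.getInstance();
        // Assumed layout: key set name -> newest key object for that key set.
        Map latest = helper.getLatestKeysForKeySetGroup(KEY_SET_GROUP);
        if (latest == null) {
            return null;
        }
        return (Key) latest.get(KEY_SET);
    }

    /**
     * Returns every retained key version for one key set, keyed by alias,
     * or null if absent. Keep this around for decrypting data that was
     * protected with a key that a later scheduled generation has rotated out.
     */
    public static Map allKeyVersions() throws Exception {
        KeySetHelper helper = KeySetHelper.getInstance();
        // Assumed layout: key set name -> (alias -> key object).
        Map all = helper.getAllKeysForKeySetGroup(KEY_SET_GROUP);
        if (all == null) {
            return null;
        }
        return (Map) all.get(KEY_SET);
    }

    public static void main(String[] args) throws Exception {
        Key current = latestKey();
        if (current == null) {
            System.out.println("No key found for " + KEY_SET + " in " + KEY_SET_GROUP);
            return;
        }
        // Print algorithm and format only; never log the encoded key bytes.
        System.out.println("Current key: " + current.getAlgorithm()
                + " (" + current.getFormat() + ")");
        Map versions = allKeyVersions();
        System.out.println("Retained key versions: "
                + (versions == null ? 0 : versions.size()));
    }
}
```

Two practical points follow from the schedule described in the procedure: code that only calls the "latest" lookup will not be able to decrypt data written under an earlier key once generation has run, so keep the "all versions" lookup for reads; and because the permission target names the key set rather than the group, an application that reads several key sets from one group needs one policy line per key set.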