Before you can use a hardware cryptographic device, you must configure and enable it. First configure the device using the Secure Sockets Layer (SSL) certificate and key management panels in the administrative console. The key for the cryptographic operation can be stored in an ordinary Java keystore file and need not be stored on the hardware device. After you complete the changes to the java.security file described in the following procedure, cryptographic operations are enabled and the Java Virtual Machine (JVM) can select the hardware cryptographic device provider.
Before you begin
You must first configure a hardware cryptographic device using
the Secure Sockets Layer (SSL) certificate and key management panels
in the administrative console.
Note: Fix packs that include updates to the Software Development Kit (SDK) might overwrite the unrestricted policy files. Back up the unrestricted policy files before you apply a fix pack and reapply them after the fix pack is applied.
For transitioning users: The unrestricted Java policy files are not required when you use hardware cryptographic devices. These policy files were required in some earlier versions of the product.
Procedure
In the administrative console,
click and then select the server name.
Under Security,
select JAX-WS and JAX-RPC security runtime.
Under Cryptographic Hardware, select Enable cryptographic operations on hardware device and then specify the name of the hardware cryptographic device configuration. For more information, read about configuring a hardware cryptographic keystore.
Click OK.
Stop the application server.
Alter the java.security file.
The location of the java.security file depends on your platform; it is in one of the following directories:
- profile_root/properties
- app_server_root/java/jre/lib/security
- app_server_root/properties
The following changes need to be made to this file:
- Uncomment the following line of the file:
#security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
- Reorder the list of providers and preference orders as follows:
security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
#security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse.IBMJSSEProvider
security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
security.provider.8=com.ibm.security.cmskeystore.CMSProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.12=org.apache.harmony.security.provider.PolicyProvider
The provider indices must be unique and contiguous starting at 1. The JVM loads java.security as a properties file, so if two lines carry the same index only the last one takes effect and the other provider is silently dropped; the provider list is also read in index order and ends at the first missing index. The preference order matters: the provider at index 1 is tried first for every algorithm it implements, which is why the hardware provider is placed ahead of IBMJCE.
The file structure and content are now ready for use.
Start the application server. The
cryptographic device is enabled for all Web service security applications
that run on this application server.
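As a check on the edited file, the following Python script (an added example, not code from the product or from this page) parses the active security.provider.N lines, reports duplicate or non-contiguous indices and a provider other than IBMJCECCA at index 1, and can renumber the list. The embedded sample is constructed from the provider list above but deliberately keeps a duplicated security.provider.9 line so the check has something to find; because java.util.Properties keeps only the last value for a repeated key, the earlier provider at that index would be silently dropped by the JVM.

```python
"""Sanity-check the security.provider.N list in an edited java.security file.

Added example (not from the product documentation). Run it as
    python check_java_security.py /path/to/java.security
or import it and call check_providers() on the file's text.
"""
import re
import sys
from typing import Dict, List, Tuple

# Hardware provider that the procedure puts first in the preference order.
HARDWARE_PROVIDER = "com.ibm.crypto.hdwrCCA.provider.IBMJCECCA"

# Matches an active (uncommented) provider line; commented lines start with '#'.
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")

# Constructed sample: the provider list from the procedure, with a defective
# duplicate "security.provider.9" line left in on purpose.
SAMPLE_WITH_DUPLICATE = """\
security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
#security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse.IBMJSSEProvider
security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
security.provider.8=com.ibm.security.cmskeystore.CMSProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.9=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.10=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.11=org.apache.harmony.security.provider.PolicyProvider
"""


def parse_providers(text: str) -> List[Tuple[int, str, int]]:
    """Return (index, provider class, line number) for each active provider line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PROVIDER_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), lineno))
    return entries


def check_providers(text: str, expected_first: str = HARDWARE_PROVIDER) -> List[str]:
    """Return a list of problems; an empty list means the provider list is well-formed."""
    entries = parse_providers(text)
    if not entries:
        return ["no active security.provider.N lines found"]
    problems: List[str] = []
    by_index: Dict[int, str] = {}
    for idx, cls, lineno in entries:
        if idx in by_index:
            # java.util.Properties keeps the last value for a repeated key,
            # so the earlier provider at this index is silently dropped.
            problems.append(
                f"line {lineno}: duplicate index {idx}: {cls} replaces {by_index[idx]}"
            )
        by_index[idx] = cls
    if sorted(by_index) != list(range(1, len(by_index) + 1)):
        # The JVM reads providers in index order and stops at the first gap.
        problems.append(f"indices are not contiguous from 1: {sorted(by_index)}")
    if by_index.get(1) != expected_first:
        problems.append(
            f"security.provider.1 is {by_index.get(1)}, expected {expected_first}"
        )
    return problems


def renumber_providers(text: str) -> str:
    """Rewrite active provider lines with contiguous indices 1..N in file order.

    Comments and unrelated lines are preserved unchanged.
    """
    out = []
    n = 0
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            n += 1
            out.append(f"security.provider.{n}={m.group(2)}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WITH_DUPLICATE
    for problem in check_providers(text) or ["provider list OK"]:
        print(problem)
```

Run the script against the real java.security file before restarting the server; the renumbering helper keeps the providers in the order you wrote them and leaves the commented IBMJCEFIPS line untouched, so it does not change which provider is preferred, only the indices.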
Results
This procedure configures and enables a hardware cryptographic device for all Web Services Security applications that run on this application server.