You can create a hardware cryptographic keystore that WebSphere® Application Server can use to
provide cryptographic token support in the server configuration.
About this task
Note: Hardware acceleration is supported only in the following situations:
- WebSphere Application Server for z/OS® using the IBMJCECCA crypto provider.
- WebSphere Application Server Version 7.0 and later running on zLinux using the IBMPKCS11 provider.
Complete the following steps in the administrative
console:
Procedure
- Click Security > SSL certificate and key management >
Key stores and certificates.
- Click New.
- Type a name to identify the keystore. This name
is used to enable hardware cryptography in the Web Services Security
configuration.
- Optionally, you can type a description for the keystore
in the Description field.
- You can specify a Management scope for the key store.
This is not required. The management scope specifies the
scope where this Secure Sockets Layer (SSL) configuration is visible.
For example, if you choose a specific node, then the configuration
is only visible on that node and any servers that are part of that
node.
- Type the path of the hardware device-specific configuration file. The configuration file is a text file whose entries have the form attribute = value. The valid attributes and values are described in detail in the Software Developer Kit, Java Technology Edition documentation. The two mandatory attributes are name and library, as in the following sample:
name = FooAccelerator
library = /opt/foo/lib/libpkcs11.so
slotListIndex = 0
Here library is the path of the vendor's PKCS#11 shared library, which must be readable by the user that runs the server process, and slotListIndex selects which of the device's slots the keystore uses. The configuration file should also include the device-specific configuration data for your token. Sample configuration files are in the PKCS11ImplConfigSamples.jar file, listed under the heading "PKCS 11 Implementation Provider" on the Java technology site:
http://publib.boulder.ibm.com/infocenter/javasdk/v6r0/topic/com.ibm.java.security.component.60.doc/security-component/introduction.html.
- [AIX Solaris HP-UX Linux Windows] If the token requires a login, type the token password in the Password field. Operations that use keys on the token require a secure login. This field is optional if the keystore is used only as a cryptographic accelerator; in that case you must select Enable cryptographic operations on hardware device.
On z/OS, to be compatible with the JCE keystore in requiring a password, the JCERACFKS password is password. This keystore is not really protected by a password as other keystore types are; protection is based on the identity of the executing thread, as checked by RACF. This password applies to the keystore file that you specified in the Path field.
- Select the PKCS11 type.
- Select Read only.
- Click OK and Save.
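As an added pre-flight check (example code written for this page, not IBM's or WebSphere's own code), the following Python script parses a PKCS#11 configuration file of the attribute = value form described in the procedure and reports the problems that most often stop a hardware keystore from loading: a missing mandatory name or library attribute, a library path that is relative, absent or unreadable by the current user, and a bad slot selection. The mandatory-attribute rule comes from the page; the '#' comment syntax, the integer checks on slot and slotListIndex, and the rule that those two attributes are mutually exclusive are assumptions carried over from the Java PKCS#11 configuration syntax, so confirm them against the SDK documentation for your provider. The sample configuration and the deliberately broken one are constructed for the example.

```python
"""Pre-flight check for a WebSphere hardware keystore (PKCS#11) configuration file.

Added example for this page; not IBM or WebSphere code.
"""
import os
import re
import sys

# From the page: name and library are the two mandatory attributes.
MANDATORY = ("name", "library")
# Assumption: same integer slot attributes as the Java PKCS#11 config syntax.
INTEGER_ATTRS = ("slot", "slotListIndex")

# Constructed sample that mirrors the entry shown in the procedure.
SAMPLE_CONFIG = """\
# constructed sample configuration (comment syntax is an assumption)
name = FooAccelerator
library = /opt/foo/lib/libpkcs11.so
slotListIndex = 0
"""

# Constructed sample with a relative library path and a non-numeric slot index.
BAD_CONFIG = """\
name = FooAccelerator
library = lib/libpkcs11.so
slotListIndex = zero
"""


def parse_pkcs11_config(text):
    """Parse 'attribute = value' lines into a dict.

    Blank lines and lines starting with '#' are skipped (assumed comment syntax);
    anything else that is not 'attribute = value' is an error, as is a repeated attribute.
    """
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$", line)
        if not match:
            raise ValueError(f"line {lineno}: expected 'attribute = value', got {raw!r}")
        attr, value = match.group(1), match.group(2)
        if attr in cfg:
            raise ValueError(f"line {lineno}: attribute {attr!r} is set twice")
        cfg[attr] = value
    return cfg


def validate_pkcs11_config(cfg, check_library=True):
    """Return a list of human-readable problems; an empty list means the file looks usable.

    check_library=False skips the filesystem checks, for instance when the file is
    inspected on a machine other than the one that runs the server.
    """
    problems = []
    for attr in MANDATORY:
        if not cfg.get(attr):
            problems.append(f"missing mandatory attribute '{attr}'")

    library = cfg.get("library")
    if library:
        if not os.path.isabs(library):
            problems.append(f"library path must be absolute: {library}")
        if check_library:
            # The server JVM loads this shared library, so the server user must be able to read it.
            if not os.path.isfile(library):
                problems.append(f"library not found: {library}")
            elif not os.access(library, os.R_OK):
                problems.append(f"library not readable by this user: {library}")

    # Assumption: at most one of slot / slotListIndex may be given, and both are non-negative integers.
    if "slot" in cfg and "slotListIndex" in cfg:
        problems.append("'slot' and 'slotListIndex' are mutually exclusive")
    for attr in INTEGER_ATTRS:
        if attr in cfg and not cfg[attr].isdigit():
            problems.append(f"{attr} must be a non-negative integer, got {cfg[attr]!r}")
    return problems


def check_config_text(text, check_library=True):
    """Parse and validate in one call; returns the list of problems."""
    return validate_pkcs11_config(parse_pkcs11_config(text), check_library)


if __name__ == "__main__":
    # Usage: python check_pkcs11_config.py /path/to/hardware.cfg   (defaults to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            source = handle.read()
    else:
        source = SAMPLE_CONFIG
    found = check_config_text(source)
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Run it as the same operating-system user that starts the application server, on the node that owns the token, so that the readability check reflects what the server JVM will see when it opens the library.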
Results
WebSphere Application Server can now provide
cryptographic token support in the server configuration.