Configuring hardware cryptographic devices for Web Services Security

Before you can use a hardware cryptographic device, you must configure and enable it. You must first configure a hardware cryptographic device using the Secure Sockets Layer (SSL) certificate and key management panels in the administrative console. The key for the cryptographic operation can be stored in an ordinary Java keystore file and need not be stored on the hardware devices. After you complete the alterations to the java.security file, as part of the following procedure, the cryptographic operations are enabled and the Java Virtual Machine (JVM) is able to select the hardware cryptographic device provider.

Before you begin

You must first configure a hardware cryptographic device using the Secure Sockets Layer (SSL) certificate and key management panels in the administrative console.
Note: Fix packs that include updates to the Software Development Kit (SDK) might overwrite unrestricted policy files. Back up unrestricted policy files before you apply a fix pack and reapply these files after the fix pack is applied.
For transitioning users: WebSphere Application Server Version 7 uses the IBM Software Development Kit (SDK) for Java Version 6. Therefore, the unrestricted Java policy files are no longer required when using hardware cryptographic devices.

Procedure

  1. [AIX Solaris HP-UX Linux Windows] In the administrative console, click Servers > Server Types > WebSphere® application servers and then select the server name.
  2. [AIX Solaris HP-UX Linux Windows] Under Security, select JAX-WS and JAX-RPC security runtime.
  3. [AIX Solaris HP-UX Linux Windows] Under Cryptographic Hardware, select Enable cryptographic operations on hardware device and then specify the name of the hardware cryptographic device configuration. For more information, read about configuring a hardware cryptographic keystore.
  4. [AIX Solaris HP-UX Linux Windows] Click OK.
  5. [z/OS] Stop the application server.
  6. Alter the java.security file.

    [z/OS] [AIX Solaris HP-UX Linux Windows] The java.security file is located in the app_server_root/java/jre/lib/security directory.

    The following changes need to be made to this file:

    1. Uncomment the following line of the file:
         #security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
    2. Reorder the list of providers and preference numbers as follows. The numbers must be unique and contiguous, starting at 1, because the JVM loads providers in preference order and stops at the first missing number; a repeated number silently discards the earlier entry.
         # Hardware provider first, so that the JVM prefers the cryptographic device
         security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
         #security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
         security.provider.2=com.ibm.crypto.provider.IBMJCE
         security.provider.3=com.ibm.jsse.IBMJSSEProvider
         security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
         security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
         security.provider.6=com.ibm.security.cert.IBMCertPath
         security.provider.7=com.ibm.security.sasl.IBMSASL
         security.provider.8=com.ibm.security.cmskeystore.CMSProvider
         security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
         security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider
         security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider
         security.provider.12=org.apache.harmony.security.provider.PolicyProvider
    The file structure and content are now ready for use.
  7. [z/OS] Start the application server. The cryptographic device is enabled for all Web service security applications that run on this application server.
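As an added check that is not part of the IBM documentation, the following Python script parses the provider list of a java.security file and reports the slips that make the JVM skip a provider or fail to prefer the hardware device: a repeated preference number, a gap in the numbering, or IBMJCECCA not at position 1. It also renumbers the active entries contiguously while leaving comment lines alone. The sample file content is constructed for the example.

```python
import re
# Constructed sample of the provider block from the procedure above, with one preference
# number repeated (security.provider.9), a slip that java.util.Properties silently collapses.
SAMPLE_JAVA_SECURITY = """\
security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
#security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse.IBMJSSEProvider
security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
security.provider.8=com.ibm.security.cmskeystore.CMSProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.9=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.10=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.11=org.apache.harmony.security.provider.PolicyProvider
"""
HARDWARE_PROVIDER = "com.ibm.crypto.hdwrCCA.provider.IBMJCECCA"
# Matches active entries only: a leading '#' or '!' comment marker makes the match fail.
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(\S+)\s*$")


def parse_providers(text):
    """Return (preference, class) pairs for active provider entries, in file order."""
    return [(int(m.group(1)), m.group(2))
            for m in map(PROVIDER_RE.match, text.splitlines()) if m]


def check_provider_order(text, hardware_provider=HARDWARE_PROVIDER):
    """Return a list of problems; an empty list means every listed provider will be loaded."""
    problems, seen = [], {}
    for pref, cls in parse_providers(text):
        if pref in seen:  # Properties keeps the last value for a repeated key
            problems.append(f"duplicate security.provider.{pref}: {seen[pref]} is silently dropped")
        seen[pref] = cls
    prefs = sorted(seen)
    if prefs != list(range(1, len(prefs) + 1)):  # the loader stops at the first missing number
        problems.append(f"preference numbers are not contiguous from 1: {prefs}")
    if seen.get(1) != hardware_provider:  # the hardware provider must be preferred
        problems.append(f"security.provider.1 is {seen.get(1)!r}, expected {hardware_provider}")
    return problems


def renumber_providers(text):
    """Rewrite active security.provider.N keys to run 1..n in file order; comments are kept."""
    out, n = [], 0
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        n += bool(m)
        out.append(f"security.provider.{n}={m.group(2)}" if m else line)
    return "\n".join(out) + "\n"
```

Run it against app_server_root/java/jre/lib/security/java.security after editing, and apply the renumbered output only after reviewing it.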

Results

This procedure configures and enables a hardware cryptographic device for all Web services security applications running on this application server.


Last updated: Jun 11, 2013 8:40:09 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=v701sca&product=was-nd-mp&topic=twbs_enable_hardacc
File name: twbs_enable_hardacc.html