Cryptographic hardware for Secure Sockets Layer
IBM HTTP Server supports many types of cryptographic hardware devices.
The following table contains hardware cryptographic devices that have been tested with IBM HTTP Server. However, since device drivers for these devices are frequently upgraded by the hardware vendors to correct customer-reported problems or to provide support for new operating system platforms, check with the hardware vendors for specific applications of these devices.
A list of cryptographic devices tested with GSKit is available at this IBM Web site:
IBM Global Security Kit, Version 8 - PKCS#11 device integration
If your device is not listed, contact the device vendor to ensure that the device functions correctly when used with IBM HTTP Server.
For a list of supported Hardware Cryptographic Cards for Java™ Version 7, see Supported Hardware Cryptographic Cards for Java Version 7 in the product documentation.
Device | Key Storage | Acceleration Support | Notes |
---|---|---|---|
Rainbow Cryptoswift PCI with BSAFE Interface Model | No | Yes | Use with SSLAcceleratorDisable directive only. Supported on HP, Solaris, and the Windows operating systems. |
nCipher nFast Accelerator with BHAPI plug-in under BSAFE 4.0 | No | Pure accelerator | Requires either a SCSI or PCI-based nForce unit; use with SSLAcceleratorDisable directive only. Supported on Solaris and Windows operating systems. |
nCipher nForce Accelerator, accelerator mode | No | Yes | Uses the BHAPI and BSAFE interface. Supported on Solaris and Windows operating systems. |
nCipher nForce Accelerator, Key stored accelerator mode | Yes | Yes | Uses the PKCS#11 interface. Requires either a SCSI, or PCI-based nForce unit. Move to nCipher nForce Accelerator V4.0 or later for better performance. Supported on AIX®, HP, Linux®, Solaris, and Windows operating systems. |
IBM 4758 Model 002/023 PCI Cryptographic Coprocessors | Yes | No | Supported on AIX and Windows operating systems. |
AIX operating systems. Support for the following adapters has been tested with WebSphere® Application Server V4.0.2 or later:
Device | Key Storage | Acceleration Support | Notes |
---|---|---|---|
Rainbow Cryptoswift PCI with BSAFE Interface Model CS/200 and CS/600 | No | Yes | Supported on the AIX operating system. |
IBM e-business Cryptographic Accelerator | No | Yes | Uses the PKCS11 interface. Because this device uses the PKCS11 interface, the SSLAcceleratorDisable directive does not apply to this device. Supported on the AIX operating system. |
Use the Rainbow Cryptoswift, IBM e-business Cryptographic Accelerator, nCipher nFast Accelerator and nCipher nForce Accelerator, for public key operations, and RSA key decryption. These devices store keys on your hard drive. Accelerator devices speed up the public key cryptographic functions of SSL, freeing up your server processor, which increases server throughput and shortens wait time. The Rainbow Cryptoswift, IBM e-business Cryptographic Accelerator, and nCipher accelerators incorporate faster performance and more concurrent secure transactions.
The PKCS#11 protocol either stores RSA keys on cryptographic hardware, or encrypts keys using cryptographic hardware to ensure protection. The nCipher nForce Accelerator can either perform acceleration, or it can perform both acceleration and key storage with PKCS#11 support. The IBM 4758 and nCipher nForce Accelerator with PKCS#11 support ensures inaccessible keys to the outside world. This support never reveals keys in an unencrypted form because the key is either encrypted by the hardware, or stored on the hardware.
nCipher nForce Accelerator V4.0 and later using PKCS11 key storage, has a nonremovable option which can noticeably improve performance. Contact nCipher Technical Support for instructions to turn on this feature.