Configure IBM HTTP Server to use nCipher and Rainbow accelerator devices and PKCS11 devices

The IBM HTTP Server enables nCipher and Rainbow accelerator devices by default. To disable your accelerator device, add the SSLAcceleratorDisable directive to your configuration file.


Before you begin

When you use the IBM e-business Cryptographic Accelerator or the IBM 4758, the user ID under which the Web server runs must be a member of the pkcs11 group. You can create the pkcs11 group by installing the bos.pkcs11 package or its updates. Then set the Group directive in the configuration file to pkcs11.


About this task

If you want the IBM HTTP Server to use the PKCS11 interface, configure the following:


Procedure

  1. Stash the password for the PKCS11 device, or optionally enable password prompting. The stash file that the sslstash command creates is completely independent of the stash file that often accompanies a CMS KeyFile (*.kdb). Therefore, make sure that you:

    • Do not overwrite an existing *.sth file when you issue the sslstash command.

    • Never choose a filename for the output of the sslstash command that corresponds to the filename of a CMS KeyFile (*.kdb).

    Syntax: sslstash [-c] <file> <function> <password> where:

    • -c: Creates a new stash file. If not specified, an existing stash file is updated.

    • file: Represents a fully-qualified name of the file to create or update.

    • function: Represents the function for which the server uses the password. Valid values include crl or crypto.

    • password: Indicates the password to stash.

  2. Place the following directives in your configuration file.

    • SSLPKCSDriver <fully qualified name of the PKCS11 driver used to access PKCS11 device>

      See SSLPKCSDriver directive for the default locations of the PKCS11 module, for each PKCS11 device.

    • SSLServerCert <token label: key label of certificate on PKCS11 device>

    • SSLStashfile <fully qualified path to the file containing the password for the PKCS11 device>

    • KeyFile <fully qualified path to key file with signer certificates>
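The following script is an added example and is not part of the IBM HTTP Server documentation or product. It wraps the two-step procedure above: it refuses to let sslstash -c overwrite an existing *.sth file or reuse the name that belongs to a CMS KeyFile (*.kdb), prints the sslstash command for the crypto function, and prints the four directives from step 2 with the values filled in. The driver path, token label, key label, and file paths are assumptions chosen for illustration; consult the SSLPKCSDriver directive for the real default module location on your device.

```shell
#!/bin/sh
# Added example (not IBM's code): guard the sslstash step and render the
# PKCS11 directives for IBM HTTP Server. All paths and labels are assumed.

# check_stash_target STASHFILE KEYFILE
# Return codes:
#   0  STASHFILE is a safe output for "sslstash -c"
#   1  STASHFILE already exists and would be overwritten
#   2  STASHFILE is KEYFILE with .kdb replaced by .sth, the name that the
#      CMS key database's own stash file uses
#   3  STASHFILE is not fully qualified (not an absolute path)
check_stash_target() {
    stash=$1
    keyfile=$2
    case $stash in
        /*) ;;
        *)  return 3 ;;
    esac
    [ -e "$stash" ] && return 1
    [ "$stash" = "${keyfile%.kdb}.sth" ] && return 2
    return 0
}

# stash_command STASHFILE PASSWORD
# Prints the sslstash invocation for the "crypto" function (the password of
# the PKCS11 device). It is printed rather than executed so that the result
# can be reviewed before it is run on the web server host.
stash_command() {
    printf 'sslstash -c %s crypto %s\n' "$1" "$2"
}

# render_pkcs11_conf DRIVER TOKENLABEL KEYLABEL STASHFILE KEYFILE
# Prints the directives from step 2; SSLServerCert takes tokenlabel:keylabel.
render_pkcs11_conf() {
    printf 'SSLPKCSDriver %s\n' "$1"
    printf 'SSLServerCert %s:%s\n' "$2" "$3"
    printf 'SSLStashfile %s\n' "$4"
    printf 'KeyFile %s\n' "$5"
}

# Assumed values for illustration only.
DRIVER=/opt/nfast/toolkits/pkcs11/libcknfast.so  # assumed nCipher module path
TOKEN=ihs-token                                  # assumed token label
LABEL=ihs-server-cert                            # assumed key label on the device
KEYFILE=/opt/IBM/HTTPServer/conf/signers.kdb     # CMS key database with signer certs
STASH=/opt/IBM/HTTPServer/conf/pkcs11.sth        # deliberately not signers.sth

rc=0
check_stash_target "$STASH" "$KEYFILE" || rc=$?
if [ "$rc" -eq 0 ]; then
    stash_command "$STASH" '<device-password>'
    render_pkcs11_conf "$DRIVER" "$TOKEN" "$LABEL" "$STASH" "$KEYFILE"
else
    echo "refusing to use $STASH as the PKCS11 stash file (reason code $rc)" >&2
fi
```

Run the printed sslstash line as the user that owns the configuration directory, then paste the printed directives into the configuration file. Keeping the PKCS11 stash file under a name such as pkcs11.sth, rather than signers.sth, is what prevents the collision with the key database's own stash file that the procedure warns about.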