The RSA signing and encryption algorithm (developed by Ron Rivest, Adi Shamir, and Leonard Adleman) is a well-known public key cipher. RSA Laboratories (then part of EMC Corp.) published the PKCS#11 standard, which defines a platform-independent API to hardware cryptographic tokens such as Hardware Security Modules (HSMs) and smart cards; since 2013 the standard has been maintained by the OASIS PKCS 11 Technical Committee. The PKCS#11 API defines the most commonly used cryptographic object types, including:
Public-Key Cryptography Standards (PKCS) are a set of common protocols that allow secure information exchange over networks using a public key infrastructure (PKI). PKCS#11 is the standard that provides a common application interface to cryptographic services on various platforms using various hardware cryptographic devices. Such devices keep private keys inside the hardware, so the key material does not have to sit in a keystore file on the host. IBM TDI supports private keys and certificates on crypto devices that are PKCS#11 compliant; support is provided for all hardware devices supported by the IBM Java PKCS libraries shipped with the IBM Java Runtime Environment (JRE). IBM TDI can therefore store the server's Secure Sockets Layer (SSL) keys on such a device. To store keys on a hardware device, the following properties are available in the global.properties file:
```properties
##PKCS11 options
##Set the value of following properties to use PKCS11 enabled devices to store TDI servers private key /
##certificate.
com.ibm.di.pkcs11cfg=etc\pkcs11.cfg
com.ibm.di.server.pkcs11=false
com.ibm.di.server.pkcs11.library=
com.ibm.di.server.pkcs11.slot=
{protect}-com.ibm.di.server.pkcs11.password=PASSWORD
```
The default value of the property com.ibm.di.server.pkcs11 is false, so hardware key storage is off unless it is explicitly enabled. The value of {protect}-com.ibm.di.server.pkcs11.password is stored encrypted; it is the {protect}- prefix on the key that makes TDI encrypt the value, so keep the prefix when you add or edit the line.
IBM TDI uses the IBM JRE's PKCS#11 provider (IBMPKCS11Impl) to access crypto hardware devices that store the SSL keys and certificates.
Property | Default value | Description |
---|---|---|
com.ibm.di.pkcs11cfg | etc\pkcs11.cfg | Path of the configuration file required to initialize the IBM PKCS11 provider. |
com.ibm.di.server.pkcs11 | false | Use PKCS#11 compliant crypto devices for SSL. |
com.ibm.di.server.pkcs11.library | (none) | Path to the PKCS#11 client library, that is, the vendor's shared library for the device. |
com.ibm.di.server.pkcs11.slot | (none) | Slot number of the device. |
{protect}-com.ibm.di.server.pkcs11.password | (none) | Password (PIN) used to access the PKCS#11 compliant crypto device; the {protect}- prefix keeps it encrypted on disk. Property name as written in global.properties. |
com.ibm.di.server.pkcs11.accl | false | Set to true to have the hardware device also perform cryptographic operations (acceleration), not only key storage. |
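The properties above are read from a Java-style properties file, and the only difference between a password that lands on disk encrypted and one that lands in clear text is the `{protect}-` prefix on the key. The following is an added example, not IBM TDI code, that parses such a file, records which keys carried the prefix, and checks the PKCS#11 settings before they are used. The property names are the ones shown in global.properties above; the sample values (library path, slot) are constructed placeholders, and the `name/library/slot` layout rendered at the end is the Sun/IBM PKCS#11 provider config format, which is an assumption to confirm against your JRE's provider documentation.

```python
# Added example (not IBM TDI code): parse a TDI-style properties file and
# check the PKCS#11 settings before the server is started with them.
# Assumes the property names shown in global.properties above and the
# {protect}- prefix convention; the pkcs11.cfg layout at the bottom is the
# Sun/IBM PKCS#11 provider format (name/library/slot) and is an assumption.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

PROTECT_PREFIX = "{protect}-"
PKCS11_ENABLED = "com.ibm.di.server.pkcs11"
PKCS11_CFG = "com.ibm.di.pkcs11cfg"
PKCS11_LIBRARY = "com.ibm.di.server.pkcs11.library"
PKCS11_SLOT = "com.ibm.di.server.pkcs11.slot"
PKCS11_PASSWORD = "com.ibm.di.server.pkcs11.password"
PKCS11_ACCL = "com.ibm.di.server.pkcs11.accl"

# Constructed sample modelled on the global.properties fragment above;
# the library path and slot number are placeholders, not values from the page.
SAMPLE_PROPERTIES = """\
##PKCS11 options
com.ibm.di.pkcs11cfg=etc\\pkcs11.cfg
com.ibm.di.server.pkcs11=true
com.ibm.di.server.pkcs11.library=/usr/lib/softhsm/libsofthsm2.so
com.ibm.di.server.pkcs11.slot=0
{protect}-com.ibm.di.server.pkcs11.password=PASSWORD
com.ibm.di.server.pkcs11.accl=false
"""


def parse_properties(text: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return (key -> value, keys that carried the {protect}- prefix).

    Lines starting with '#' or '!' are comments, as in Java .properties
    files.  Only '=' separators are handled, which is what TDI ships.
    """
    values: Dict[str, str] = {}
    protected: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith(PROTECT_PREFIX):
            key = key[len(PROTECT_PREFIX):]
            protected.add(key)
        values[key] = value.strip()
    return values, protected


@dataclass
class Pkcs11Settings:
    enabled: bool
    cfg_path: str
    library: str
    slot: int
    password_protected: bool
    accelerate: bool


def check_pkcs11(values: Dict[str, str], protected: Set[str]) -> List[str]:
    """Return a list of problems; an empty list means the settings are usable."""
    problems: List[str] = []
    if values.get(PKCS11_ENABLED, "false").lower() != "true":
        return problems  # hardware key storage is off; the rest is ignored
    if not values.get(PKCS11_LIBRARY):
        problems.append(f"{PKCS11_LIBRARY} must point at the vendor's PKCS#11 library")
    if not values.get(PKCS11_SLOT, "").isdigit():
        problems.append(f"{PKCS11_SLOT} must be a non-negative integer")
    if PKCS11_PASSWORD not in values:
        problems.append(f"{PKCS11_PASSWORD} is missing")
    elif PKCS11_PASSWORD not in protected:
        # Without the prefix the PIN is written to disk in clear text: TDI
        # only encrypts values whose key carries {protect}-.
        problems.append(f"{PKCS11_PASSWORD} must use the {PROTECT_PREFIX} prefix")
    return problems


def load_pkcs11(values: Dict[str, str], protected: Set[str]) -> Pkcs11Settings:
    """Build a settings object, refusing configurations with problems."""
    problems = check_pkcs11(values, protected)
    if problems:
        raise ValueError("; ".join(problems))
    enabled = values.get(PKCS11_ENABLED, "false").lower() == "true"
    return Pkcs11Settings(
        enabled=enabled,
        cfg_path=values.get(PKCS11_CFG, "etc\\pkcs11.cfg"),
        library=values.get(PKCS11_LIBRARY, ""),
        slot=int(values[PKCS11_SLOT]) if enabled else -1,
        password_protected=PKCS11_PASSWORD in protected,
        accelerate=values.get(PKCS11_ACCL, "false").lower() == "true",
    )


def render_pkcs11_cfg(settings: Pkcs11Settings, name: str = "tdi") -> str:
    """Provider config in the Sun/IBM PKCS#11 'name/library/slot' layout
    (assumed; confirm against the provider documentation for your JRE)."""
    return f"name = {name}\nlibrary = {settings.library}\nslot = {settings.slot}\n"
```

Running `check_pkcs11` over a copy of the sample with the `{protect}-` prefix removed reports exactly one problem, the clear-text PIN, which is the mistake most easily made when copying the line from the template.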
Padding means adding extra bytes to a message so that it has exactly the size an algorithm requires. Block ciphers used in modes such as ECB and CBC require their input to be an exact multiple of the block size (8 bytes for DES, 16 bytes for AES). If the plaintext to be encrypted is not an exact multiple, a padding string is appended before encryption. The padding scheme must be unambiguous (for example PKCS#5/PKCS#7 padding, where every pad byte holds the number of pad bytes added) so that the receiving party can remove it after decryption. With a NoPadding transformation the caller must supply input of exactly the right length; otherwise the cipher rejects it.
All properties listed in the global.properties file can also be set, under the same names, in solution.properties; it is recommended that you edit solution.properties instead if your solution has one, so that the global file stays untouched. These properties can be protected by encryption by prefixing their names with {protect}- (see section Standard TDI encryption of global.properties or solution.properties for details).
The property com.ibm.di.securityTransformation defines the algorithm (a JCE cipher transformation string) used for password-based encryption and decryption of TDI configurations. Its default value is DES/ECB/NoPadding. Both halves of that default are weak by today's standards: single DES has a 56-bit key, and ECB mode encrypts identical plaintext blocks to identical ciphertext blocks, so repeated values in a configuration remain visible in its encrypted form. A transformation such as AES/CBC/PKCS5Padding is preferable where the installed JRE supports it; confirm that your TDI version accepts the value before changing it.
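The two preceding passages on padding and on the com.ibm.di.securityTransformation default are easiest to see in code. The following is an added example, not IBM TDI code: it splits a JCE-style transformation string, works out the block size, applies or strips PKCS#5/PKCS#7 padding, shows exactly which inputs DES/ECB/NoPadding will and will not accept, and flags the well-known weaknesses of that default for a configuration review. The block-size table and the `weaknesses` list are assumptions of this example, not values taken from the TDI documentation.

```python
# Added example (not IBM TDI code): what a JCE-style transformation string
# such as the com.ibm.di.securityTransformation default demands of its input.
# Block sizes are those of the named ciphers; pad/unpad implement PKCS#5/PKCS#7
# padding in full so that malformed padding is rejected, never silently accepted.
from typing import List, Tuple

BLOCK_SIZE_BYTES = {"DES": 8, "DESEDE": 8, "AES": 16}


def parse_transformation(spec: str) -> Tuple[str, str, str, int]:
    """Split 'ALG/MODE/PADDING' and return (alg, mode, padding, block size)."""
    parts = spec.split("/")
    if len(parts) != 3:
        raise ValueError(f"expected algorithm/mode/padding, got {spec!r}")
    alg, mode, padding = (p.strip().upper() for p in parts)
    if alg not in BLOCK_SIZE_BYTES:
        raise ValueError(f"unknown block cipher {alg!r}")
    return alg, mode, padding, BLOCK_SIZE_BYTES[alg]


def pkcs7_pad(data: bytes, block_size: int) -> bytes:
    """Append n bytes of value n, 1 <= n <= block_size.  A full block of
    padding is added when the input is already aligned, so that unpadding
    is always unambiguous."""
    n = block_size - len(data) % block_size
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block_size: int) -> bytes:
    """Strip padding, rejecting anything that is not well formed."""
    if not data or len(data) % block_size:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if n < 1 or n > block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def fits_without_padding(spec: str, data: bytes) -> bool:
    """True when data can be encrypted under spec as-is (the NoPadding case)."""
    _, _, _, bs = parse_transformation(spec)
    return len(data) % bs == 0


def prepare_plaintext(spec: str, data: bytes) -> bytes:
    """Return the exact byte string a cipher configured with spec would encrypt."""
    _, _, padding, bs = parse_transformation(spec)
    if padding == "NOPADDING":
        if len(data) % bs:
            raise ValueError(f"{spec}: {len(data)} bytes is not a multiple of {bs}")
        return data
    if padding in ("PKCS5PADDING", "PKCS7PADDING"):
        return pkcs7_pad(data, bs)
    raise ValueError(f"unsupported padding {padding!r}")


def recover_plaintext(spec: str, data: bytes) -> bytes:
    """Inverse of prepare_plaintext, applied to the decrypted bytes."""
    _, _, padding, bs = parse_transformation(spec)
    if padding == "NOPADDING":
        return data  # the receiver must know the true length by other means
    if padding in ("PKCS5PADDING", "PKCS7PADDING"):
        return pkcs7_unpad(data, bs)
    raise ValueError(f"unsupported padding {padding!r}")


def weaknesses(spec: str) -> List[str]:
    """Well-known weaknesses of the transformation, for a configuration review."""
    alg, mode, _, _ = parse_transformation(spec)
    found: List[str] = []
    if alg == "DES":
        found.append("DES uses a 56-bit key and is brute-forceable")
    if mode == "ECB":
        found.append("ECB maps equal plaintext blocks to equal ciphertext blocks")
    return found
```

With the TDI default, `fits_without_padding("DES/ECB/NoPadding", b"hello")` is false and `prepare_plaintext` raises, whereas the same five bytes under AES/CBC/PKCS5Padding become 16 bytes ending in eleven `0x0b` bytes, which `recover_plaintext` strips again after decryption.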