Managing certificates on PKCS #11 hardware


This section tells you about managing digital certificates on cryptographic hardware that supports the PKCS #11 interface. Note that you still need a key database file, even when you store all your certificates on your cryptographic hardware.

Perform the following steps to work with your cryptographic hardware:

  1. On UNIX, log in as the root user. On Windows, log in as Administrator or as a member of the MQM group.

  2. Execute the gsk7ikm command to start the iKeyman GUI.

  3. From the Key Database File menu, click Open. The Open window displays.

  4. Click Key database type and select Cryptographic token.

  5. In the File Name field, type the name of the module for managing your cryptographic hardware, for example PKCS11_API.so.

  6. In the Location field, type the path, for example /usr/lib/pksc11 (on UNIX). On Windows, you can type the library name, for example cryptoki.

  7. Click OK. The Open Cryptographic Token window displays.

  8. In the Cryptographic Token Password field, type the password that you set when you configured the cryptographic hardware.

  9. If your cryptographic hardware has the capacity to hold the signer certificates required to receive or import a personal certificate, clear both secondary key database check boxes and continue from step 17.

    If you require a secondary CMS key database to hold the signer certificates, select either the Open existing secondary key database file check box or the Create new secondary key database file check box.

  10. In the File Name field, type a file name. This field already contains the text key.kdb. If your stem name is key, leave this field unchanged. If you have specified a different stem name, replace key with your stem name but do not change the .kdb extension.

  11. In the Location field, type the path, for example:

    • For a queue manager: /var/mqm/qmgrs/QM1/ssl

    • For a WebSphere MQ client: /var/mqm/ssl

  12. Click OK. The Password Prompt window displays.

  13. If you selected the Open existing secondary key database file check box in step 9, type a password in the Password field, and continue from step 17.

  14. If you selected the Create new secondary key database file check box in step 9, type a password in the Password field, and type it again in the Confirm Password field.

  15. Select the Stash the password to a file check box. Note that if you do not stash the password, attempts to start SSL channels fail because they cannot obtain the password required to access the key database file.

  16. Click OK. A window displays, confirming that the password is in file key.sth (unless you specified a different stem name).

  17. Click OK. The Key database content frame displays.
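As an added check (not part of the IBM documentation), the following POSIX shell function verifies that the secondary CMS key database created in the steps above is in a state an SSL channel can use: both the .kdb file and the .sth stash file exist, and the stash file, which holds an obfuscated copy of the key database password, is not world-readable. The directory argument and the stem name default of key follow the examples in steps 10 and 11; the function name and the permission policy are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: pre-flight check for the
# secondary CMS key database and its stash file.
#
# check_keydb_stash DIR [STEM]
#   DIR  - directory holding the key database, e.g. /var/mqm/qmgrs/QM1/ssl
#   STEM - stem name of the database (default: key, as in steps 10 and 16)
# Returns 0 when DIR/STEM.kdb and DIR/STEM.sth exist and the stash file is not
# readable by "other"; otherwise prints the reason to stderr and returns 1.
check_keydb_stash() {
    dir=$1
    stem=${2:-key}
    kdb="$dir/$stem.kdb"
    sth="$dir/$stem.sth"

    if [ ! -f "$kdb" ]; then
        echo "missing key database: $kdb" >&2
        return 1
    fi

    # Step 15: without a stash file, channels cannot obtain the password.
    if [ ! -f "$sth" ]; then
        echo "missing stash file: $sth (was 'Stash the password to a file' selected?)" >&2
        return 1
    fi

    # The stash file is only obfuscated, not encrypted with a key the attacker
    # lacks, so it must not be readable by every local user (mode bit 004).
    if [ -n "$(find "$sth" -perm -004 2>/dev/null)" ]; then
        echo "stash file is world-readable: $sth (tighten its permissions)" >&2
        return 1
    fi

    echo "ok: $kdb with stash file $sth"
    return 0
}

# Usage, with a constructed directory, when run directly:
#   check_keydb_stash /var/mqm/qmgrs/QM1/ssl
#   check_keydb_stash /var/mqm/ssl mystem
```

Run the check as the user that the queue manager runs under; a missing or unreadable stash file shows up here before the first channel start fails.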
