Cryptographic token support

A cryptographic token is a hardware or software device with a built-in keystore implementation. The cryptographic device is used to manage certificates stored on the cryptographic tokens (also known as smartcards).

The product supports both cryptographic accelerators, where the cryptographic hardware device has no persistent key storage, and secure cryptographic hardware, where a cryptographic token generates and securely stores the private key used for SSL key exchange.

Hardware cryptographic token support has changed providers in V6. In V5 and before, WebSphere Application Server used the com.ibm.crypto.pkcs11.provider.IBMPKCS11 provider for hardware crypto support, along with the old IBMJSSE provider for SSL. The IBMPKCS11 provider is still used when accessing hardware using IKeyMan. The IBMJSSE provider can still be used, if necessary, for SSL.

Note: To use cryptographic token devices in the Solaris Operating Environment, edit the ${WAS_INSTALL_ROOT}/java/jre/lib/security/java.security file. Uncomment the line containing com.ibm.crypto.pkcs11.provider.IBMPKCS11. By default, the line is commented out because the algorithm MD4 is not present in the IBMPKCS11 provider.
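The following check is an added example, not part of the product documentation: it reports whether a java.security file has the IBMPKCS11 line active, commented out or absent, and, going one step beyond the note, flags any security.provider.N index used by two active lines after the edit. The sample file contents and the example.placeholder.* class names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the IBMPKCS11 entry in a java.security file.
PROVIDER='com.ibm.crypto.pkcs11.provider.IBMPKCS11'

# Constructed sample; the example.placeholder.* class names are not real providers.
sample_config() {
    cat <<'EOF'
security.provider.1=example.placeholder.ProviderA
#security.provider.2=com.ibm.crypto.pkcs11.provider.IBMPKCS11
security.provider.2=example.placeholder.ProviderB
EOF
}

# Prints "active", "commented" or "absent" for the IBMPKCS11 provider line.
provider_state() {
    awk -v cls="$PROVIDER" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            commented = (line ~ /^#/)
            sub(/^#[# \t]*/, "", line)                 # drop the comment marker
            if (line !~ /^security\.provider\.[0-9]+[ \t]*=/) next
            value = line; sub(/^[^=]*=[ \t]*/, "", value)
            sub(/[ \t\r]+$/, "", value)
            if (value != cls) next    # exact match: IBMPKCS11Impl is another class
            if (commented) seen_commented = 1; else seen_active = 1
        }
        END {
            if (seen_active) print "active"
            else if (seen_commented) print "commented"
            else print "absent"
        }' "$1"
}

# Prints each security.provider.N index used by more than one active line.
# The file is a Java properties file, so the later line replaces the earlier one.
duplicate_indexes() {
    awk '
        /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
            key = $0
            sub(/^[ \t]*security\.provider\./, "", key)
            sub(/[ \t]*=.*/, "", key)
            if (++count[key] == 2) print key
        }' "$1"
}

tmp="${TMPDIR:-/tmp}/java.security.sample.$$"
sample_config > "$tmp"
echo "IBMPKCS11 line: $(provider_state "$tmp"); duplicate indexes: $(duplicate_indexes "$tmp")"
rm -f "$tmp"
```

To check a real installation, call provider_state and duplicate_indexes with the path to ${WAS_INSTALL_ROOT}/java/jre/lib/security/java.security before and after the edit.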

The WAS runtime in V6 now uses the com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl provider for hardware crypto support and the IBMJSSE2 provider for SSL. Both the IBMPKCS11Impl and IBMJSSE2 providers are initialized programmatically. The IBMPKCS11Impl provider is only initialized when hardware crypto is configured in one of the SSL repertoire configurations. Once the IBMPKCS11Impl provider is configured, the IBMPKCS11 provider cannot be used in the system, because only one provider can initialize a hardware crypto card in the same process.

Please see the following document for more information on the IBMPKCS11Impl provider: http://www.ibm.com/developerworks/java/jdk/security/142/pkcs11implDocs.zip

Please see the following document for more information on the IBMJSSE2 provider: http://www.ibm.com/developerworks/java/jdk/security/142/jsse2docs.zip


 

Related Tasks


Configuring to use cryptographic tokens