Configure IBM HTTP Server to use nCipher and Rainbow accelerator devices and PKCS11 devices


The IBM HTTP Server enables nCipher and Rainbow accelerator devices by default. To disable our accelerator device, add the SSLAcceleratorDisable directive to our configuration file.

 

Before we begin

When using the IBM e-business Cryptographic Accelerator, or the IBM 4758, the user ID under which the Web server runs must be a member of the PKCS11 group. We can create the PKCS11 group by installing the bos.pkcs11 package or its updates. Change the Group directive in the configuration file to group pkcs11.

 

Overview

If we want the IBM HTTP Server to use the PKCS11 interface, configure the following:

 

Procedure

  1. Stash our password to the PKCS11 device, or optionally enable password prompting.

     Syntax: sslstash [-c] <file> <function> <password>

     where:

    • -c: Creates a new stash file. If not specified, an existing stash file is updated.

    • file: Represents a fully-qualified name of the file to create or update.

    • function: Represents the function for which the server uses the password. Valid values include crl or crypto.

    • password: Indicates the password to stash.

  2. Place the following directives in our configuration file:

    • SSLPKCSDriver <fully qualified name of the PKCS11 driver used to access PKCS11 device>

      See SSLPKCSDriver directive for the default locations of the PKCS11 module, for each PKCS11 device.

    • SSLServerCert <token label: key label of certificate on PKCS11 device>

    • SSLStashfile <fully qualified path to the file containing the password for the PKCS11 device>

    • Keyfile <fully qualified path to key file with signer certificates>
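
The following check is an added example, not part of the original page or of IBM's tooling. It reads a configuration file and reports which of the four directives from step 2 are missing, whether SSLServerCert has the token:key form, and whether the stash file exists and is world-readable. The function names, paths and labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not IBM tooling. Paths and labels are constructed placeholders.

# Print the value of the first occurrence of a directive (name matched
# case-insensitively, comment lines skipped).
directive_value() {   # usage: directive_value <conf> <name>
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Print one finding per line; return 0 when there are none, 1 otherwise.
check_pkcs11_conf() { # usage: check_pkcs11_conf <conf>
    conf=$1; rc=0
    for d in SSLPKCSDriver SSLServerCert SSLStashfile Keyfile; do
        [ -n "$(directive_value "$conf" "$d")" ] || { echo "MISSING $d"; rc=1; }
    done
    # For a PKCS11 device SSLServerCert is <token label>:<key label>.
    cert=$(directive_value "$conf" SSLServerCert)
    case $cert in
        "") ;;                                  # already reported as MISSING
        :*|*:) echo "BAD SSLServerCert (empty token or key label)"; rc=1 ;;
        *:*) ;;
        *) echo "BAD SSLServerCert (no token label)"; rc=1 ;;
    esac
    # The stash file holds the device password in a form the server can
    # recover, so it should not be readable by every local user.
    stash=$(directive_value "$conf" SSLStashfile)
    if [ -n "$stash" ]; then
        if [ ! -f "$stash" ]; then
            echo "NOSTASH $stash"; rc=1
        elif [ -n "$(find "$stash" -perm -0004)" ]; then
            echo "WORLD-READABLE $stash"; rc=1
        fi
    fi
    return $rc
}

# Constructed sample configuration; Keyfile is left out on purpose.
sample_conf() {
cat <<'EOF'
SSLPKCSDriver /path/to/pkcs11/driver.so
<VirtualHost *:443>
    SSLServerCert MyToken:MyKeyLabel
    SSLStashfile /path/to/ihs/conf/pkcs11.sth
</VirtualHost>
EOF
}
```

To try it, write the sample to a file with `sample_conf > /tmp/sample.conf` and run `check_pkcs11_conf /tmp/sample.conf`; each finding is printed on its own line.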