Create a key set configuration


Overview

Key sets manage generation of multiple instances of cryptographic keys for...

To generate keys with a key set, we must have write access to the keystore that will contain them.

Alternatively, to use keys generated outside of WAS, reference them from a read-only keystore that already contains the secret key.


Create a key set configuration

  1. To create a key set at the cell scope...

    Security | SSL certificate and key management | Key sets

    To create a key set at a scope below the cell level, click...

    Security | SSL certificate and key management | Manage endpoint security configurations | {Inbound | Outbound} | ssl_configuration | Key sets.

  2. Click New.

  3. Type a key set name. For example, CellmyKey.

  4. Type a key alias prefix name.

    For example, myKey.

    Following the prefix is the key reference version number, for example 2, so the full key alias name is myKey_2. If the key reference already specifies an alias for a key that exists in the keystore, WAS ignores this field.

  5. Type a key password.

    WAS ignores this password if a password is already specified on the key alias reference. To check for a key reference password, click...

    Additional Properties | Active key history

    The key password protects the keys that a key generator class produces: WAS uses it to protect the key entry when it writes a generated key into the keystore.

  6. Type the key generator class name. For example...

    com.ibm.ws.security.ltpa.LTPAKeyGenerator

    If the class implements...

    com.ibm.websphere.crypto.KeyGenerator

    ...then its generateKey method returns a...

    java.security.Key

    ...object that WAS stores in the keystore as a secret-key entry.

    If the class implements...

    com.ibm.websphere.crypto.KeyPairGenerator

    ...then its generateKeyPair method returns a...

    com.ibm.websphere.crypto.KeyPair

    ...object that contains either...

    • java.security.PublicKey
    • java.security.PrivateKey

    ...or...

    • java.security.cert.Certificate
    • java.security.PrivateKey

    The key generator class and the KeySetHelper API specify the details of the keys that are generated.

  7. If we do not want old keys to stay in the keystore after WAS removes their references from the Active key history listing, select...

    Delete key references that are beyond the maximum number of keys

    The Active key history lists the keys that the KeySetHelper API is currently tracking. The list never holds more keys than the number specified in...

    Maximum number of keys referenced

  8. Type a numeric value for the maximum number of keys referenced.

    For example, if we type 3 and select...

    Delete key references that are beyond the maximum number of keys

    ...then generating the fourth key version automatically causes WAS to delete the first key version from the keystore. Anything still encrypted or signed with that version becomes unrecoverable, so re-protect such data before its key version rotates out. If we choose not to delete old keys, they no longer appear in the Active key history list but remain in the keystore, where we can remove them manually.

  9. Select a keystore from the drop-down list.

    • Select a JCEKS keystore if we are storing a secret key; a JKS keystore cannot hold secret-key entries.
    • Select any keystore type if we are storing a key pair with an X509Certificate and PrivateKey object.

  10. If the key generator class name implements the interface...

    com.ibm.websphere.crypto.KeyPairGenerator

    ...instead of the interface...

    com.ibm.websphere.crypto.KeyGenerator

    ...select...

    Generates key pair

    A key pair contains both a public key and a private key. Key pairs are stored and loaded differently than single keys, and this setting tells the WAS run time which kind to expect.

  11. Click Apply.

  12. To add alias references or generate more keys, select...

    Additional Properties | Active key history | Add key alias reference

    Use this option to reference keys in a read-only keystore without the key set generating them.

    To generate a key using the class name defined in the key sets panel, click...

    Generate key

    Each new key increments the version number in the alias, for example, myKey_2.

  13. Click Apply.

  14. Click the key set name in the navigation path at the top of the panel.

  15. Click OK and Save.
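The generator classes that step 6 describes, as an added example written for this page (not code from the original page or from WebSphere): one class implements com.ibm.websphere.crypto.KeyGenerator and returns a fresh AES-256 secret key, the other implements com.ibm.websphere.crypto.KeyPairGenerator and returns an RSA key pair. The method names init(Properties), generateKey and generateKeyPair, the KeyPair(PublicKey, PrivateKey) constructor and the KeyException(String, Throwable) constructor are assumed from the WAS public API javadoc; the package name com.example.keysets and the class names are hypothetical.

```java
// --- AesKeyGenerator.java (hypothetical package com.example.keysets) ---
package com.example.keysets;

import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Properties;

import com.ibm.websphere.crypto.KeyException;

/**
 * Secret-key generator for a key set. WAS calls generateKey() for each new key
 * version and stores the result under the next alias (myKey_1, myKey_2, ...) in the
 * JCEKS keystore selected for the key set, protected by the key password from step 5.
 * The generator itself never sees that password.
 */
public class AesKeyGenerator implements com.ibm.websphere.crypto.KeyGenerator {

    private Properties customProps;   // passed by WAS at init time; unused by this generator

    public AesKeyGenerator() {        // WAS instantiates the class through a public no-arg constructor
    }

    public void init(Properties customProps) {
        this.customProps = customProps;
    }

    public Key generateKey() throws KeyException {
        try {
            // AES-256 from a strong RNG; every call yields an independent key version
            javax.crypto.KeyGenerator gen = javax.crypto.KeyGenerator.getInstance("AES");
            gen.init(256, new SecureRandom());
            return gen.generateKey();
        } catch (NoSuchAlgorithmException e) {
            throw new KeyException("AES key generation failed: " + e.getMessage(), e);
        }
    }
}

// --- RsaKeyPairGenerator.java (second source file, same package) ---
package com.example.keysets;

import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Properties;

import com.ibm.websphere.crypto.KeyException;
import com.ibm.websphere.crypto.KeyPair;

/** Key-pair generator; requires "Generates key pair" to be selected on the key set (step 10). */
public class RsaKeyPairGenerator implements com.ibm.websphere.crypto.KeyPairGenerator {

    private Properties customProps;   // passed by WAS at init time; unused here

    public RsaKeyPairGenerator() {
    }

    public void init(Properties customProps) {
        this.customProps = customProps;
    }

    public KeyPair generateKeyPair() throws KeyException {
        try {
            java.security.KeyPairGenerator gen = java.security.KeyPairGenerator.getInstance("RSA");
            gen.initialize(3072, new SecureRandom());
            java.security.KeyPair jca = gen.generateKeyPair();
            // Wrap the JCA pair in the WAS KeyPair (PublicKey + PrivateKey form; a
            // Certificate + PrivateKey form also exists for certificate-backed pairs)
            return new KeyPair(jca.getPublic(), jca.getPrivate());
        } catch (NoSuchAlgorithmException e) {
            throw new KeyException("RSA key pair generation failed: " + e.getMessage(), e);
        }
    }
}
```

Each class goes in its own source file and is packaged in a JAR on the server class path (for example as a shared library) so the run time can instantiate it; enter the fully qualified class name in step 6. The secret-key generator needs the JCEKS keystore from step 9, the key-pair generator needs Generates key pair selected in step 10, and WAS, not the generator, applies the key password from step 5 when it writes the returned key into the keystore.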

After we generate new keys from a key set, we can access them programmatically using...

com.ibm.websphere.crypto.KeySetHelper

If Java 2 Security is enabled, the calling code must be granted the following permission, where keySetName is the name of the key set (for example, getKeySets.CellmyKey):

WebSphereRuntimePermission "getKeySets.keySetName"
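Retrieving and using the generated keys, as an added example for this page (not the page's own code or WebSphere's): it encrypts with the newest key version and decrypts with whichever version produced the data, so the result survives rotation for as long as the old version is still referenced by the key set. It assumes a key set named CellmyKey whose generator class produces AES secret keys; KeySetHelper.getInstance(), getLatestKeysForKeySet and getAllKeysForKeySet are taken to return a Map of alias to java.security.Key as in the KeySetHelper API javadoc, and the ciphertext layout (alias length, alias, IV, GCM output) is this example's own.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.SecureRandom;
import java.util.Map;

import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;

import com.ibm.websphere.crypto.KeyException;
import com.ibm.websphere.crypto.KeySetHelper;

/** Encrypts under the newest key version of a key set; decrypts under the version named in the data. */
public class KeySetCipher {
    private static final String KEY_SET = "CellmyKey";   // key set name from step 3 (assumed)
    private static final int IV_LEN = 12;                // 96-bit GCM nonce
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /** Output: [alias length (1 byte)][alias][IV][GCM ciphertext + tag]. */
    public static byte[] encrypt(byte[] plaintext) throws KeyException, GeneralSecurityException {
        // Latest key of the key set, keyed by alias (for example myKey_3 when three versions exist)
        Map<?, ?> latest = KeySetHelper.getInstance().getLatestKeysForKeySet(KEY_SET);
        if (latest.size() != 1) {
            throw new KeyException("expected exactly one latest key in key set " + KEY_SET);
        }
        Map.Entry<?, ?> e = latest.entrySet().iterator().next();
        String alias = (String) e.getKey();
        Key key = (Key) e.getValue();                     // AES SecretKey from the JCEKS keystore
        byte[] aliasBytes = alias.getBytes(StandardCharsets.UTF_8);

        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aliasBytes);                          // bind the key version into the tag
        byte[] ct = c.doFinal(plaintext);

        ByteBuffer out = ByteBuffer.allocate(1 + aliasBytes.length + IV_LEN + ct.length);
        out.put((byte) aliasBytes.length).put(aliasBytes).put(iv).put(ct);
        return out.array();
    }

    public static byte[] decrypt(byte[] blob) throws KeyException, GeneralSecurityException {
        ByteBuffer in = ByteBuffer.wrap(blob);
        byte[] aliasBytes = new byte[in.get() & 0xff];
        in.get(aliasBytes);
        String alias = new String(aliasBytes, StandardCharsets.UTF_8);
        byte[] iv = new byte[IV_LEN];
        in.get(iv);
        byte[] ct = new byte[in.remaining()];
        in.get(ct);

        // Every version still tracked in the Active key history, keyed by alias
        Map<?, ?> all = KeySetHelper.getInstance().getAllKeysForKeySet(KEY_SET);
        Key key = (Key) all.get(alias);
        if (key == null) {
            // The version fell outside "Maximum number of keys referenced" and, with
            // "Delete key references that are beyond the maximum number of keys", is gone
            // from the keystore too: fail loudly instead of trying other versions.
            throw new KeyException("key version " + alias + " is no longer referenced by " + KEY_SET
                    + "; data must be re-encrypted before its key version rotates out");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aliasBytes);
        return c.doFinal(ct);
    }
}
```

Recording the alias with the ciphertext is what makes decryption possible after a rotation: with Maximum number of keys referenced set to 3, data encrypted under myKey_1 can still be read while myKey_2 and myKey_3 are current, but once myKey_4 is generated that version is gone and decrypt reports it rather than guessing. Under Java 2 Security the calling code needs the getKeySets.CellmyKey permission in its policy file.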


Related

SSL configurations
Active key history collection
Add key alias reference settings
Key sets collection
Key sets settings
Key management for cryptographic uses
Example: Develop a key or key pair generation class for automated key generation
Example: Retrieve the generated keys from a key set group
KeySetCommands
Create a key set group configuration