Hardware cryptographic device support for WS-Security
In IBM WAS V6.1 or later, WS-Security supports the use of cryptographic hardware devices. There are two ways in which to use hardware cryptographic devices with WS-Security.
Enable cryptographic operations on hardware devices
We can enable cryptographic operations on hardware devices. The keys that are used can be stored in a Java keystore file; it is not necessary to store them on the hardware device. The decision to use enable cryptographic operations on hardware devices is made at the server level only, not at the application level.
If cryptographic operations on hardware device is enabled, the Web service security run time first attempts to use the hardware device for cryptographic operations. If the attempt to use the hardware device fails or if the algorithm is not supported by the hardware device, the run time uses a software provider from the security providers list.
Enable this feature might improve the performance, depending on the hardware device.
See on how to enable cryptographic operations on hardware devices, see Set hardware cryptographic devices for WS-Security.
Secure keys
Cryptographic keys can be stored on the hardware cryptographic device and never leave the device. These secure keys are confined to the hardware cryptographic device for security considerations rather than performance considerations. The option to select whether to use keys that are stored in a hardware cryptographic device or a Java keystore file can be made at the application level.
If the keystore reference is specified to be a hardware device configuration, the WS-Security run time first attempts to obtain the cryptographic algorithm from the hardware device. If the algorithm is not supported or fails, the run time uses a software provider from the security providers list.
See further information about how to enable secure keys, see Enable cryptographic keys stored in hardware devices in WS-Security.
Limitations
The hardware cryptographic device support for WS-Security currently has the following limitations:
- There is no support for a Web services client running as a Java EE Application Client.
- There is no support for hardware cryptographic devices on iSeries.
- Only V6.1 and later, WS-Security applications can take advantage of the hardware cryptographic support.
Vs 5.x and 6.0.x WS-Security applications can run in a V6.1 WAS, but these versions cannot take advantage of the hardware cryptographic support.
Long-term usage of session keys
You can configure WAS to use the hardware keystore, or we can configure the hardware acceleration card to allow the long-term usage of session keys. Session keys might be insecure.
If we are concerned about insecure session keys, configure WAS to use the hardware keystore. See the information about how to enable cryptographic keys that are stored in hardware devices in WS-Security. To configure the hardware acceleration card to allow the long-term usage of session keys, see the manufacturer’s documentation for the specific hardware acceleration card. For example:
- For the nCipher nforce 1600 server V2.23.6, follow the nCipher documentation instructions.
- We can set the CKNFAST_SECURITY_ASSURANCES_OVERRIDE=longterm parameter in the cknfastrc configuration file. This configuration change eliminates the time limit that is associated with session keys.
- Follow the documentation for Cipher to restart the nCipher server.
- Restart WAS.
Related concepts
Overview of platform configuration and bindings
Related tasks
Enable hardware cryptographic devices for WS-Security
Set hardware cryptographic devices for WS-Security
Enable cryptographic keys stored in hardware devices in WS-Security