
Configure a hardware cryptographic keystore

We can create a hardware cryptographic keystore that WebSphere Application Server can use to provide cryptographic token support in the server configuration.

The hardware accelerator is not supported except for the following situations:

Complete the following steps in the dmgr console:

  1. Click Security > SSL certificate and key management > Key stores and certificates.

  2. Click New.

  3. Type a name to identify the keystore. This name is used to enable hardware cryptography in the Web Services Security configuration.

  4. Optionally, we can type a description for the keystore in the Description field.
  5. Optionally, specify a Management scope for the keystore. The management scope determines where this SSL configuration is visible: for example, if you choose a specific node, the configuration is visible only on that node and on the servers that belong to it.

  6. Type the path for the hardware device-specific configuration file. The configuration file is a text file containing entries in the following format: attribute = value.

    The valid values for attribute and value are described in detail in the Software Developer Kit, Java Technology Edition documentation. The two mandatory attributes are name and library, as shown in the following sample code:

    name = FooAccelerator
    library = /opt/foo/lib/libpkcs11.so
    slotListIndex = 0
    The configuration file should also include device-specific configuration data. See the PKCS11ImplConfigSamples.jar file, which contains sample configuration files, under the heading "PKCS 11 Implementation Provider" on the Java technology site http://www.ibm.com/developerworks/java/jdk/security/60/.

    JSSE2 is unable to use the IBMPKCS11Impl provider for acceleration.

    1. Follow the instructions at http://www.ibm.com/developerworks/java/jdk/security/50/secguides/pkcs11implDocs/IBMJavaPKCS11ImplementationProvider.html to initialize the IBMPKCS11Impl provider in a thread-safe way.

    2. Specify a unique .cfg file containing information about the supported hardware device. A list of supported hardware devices is available at http://www.ibm.com/developerworks/java/jdk/security/50/secguides/pkcs11implDocs/IBMPKCS11SupportList.html
    3. Call the Signature.getInstance method with the properly initialized IBMPKCS11Impl provider instance, as shown:

        Signature.getInstance("SHA1withRSA", ibmpkcs11implinstance);

  7. Type a password if the token login is required. Operations that use keys on the token require a secure login. If the keystore is used only as a cryptographic accelerator, this field is optional; in that case, select Enable cryptographic operations on hardware device.

  8. Select the PKCS11 type.

  9. Select Read only.

  10. Click OK and Save.
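The following is an added example, not code from the WebSphere documentation, showing how an application would initialize the IBMPKCS11Impl provider once, in a thread-safe way, from the attribute = value configuration file described in step 6, and then call Signature.getInstance with that provider instance (sub-step 3) so the RSA operation runs on the token. It assumes the IBM SDK's com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl class and its "PKCS11IMPLKS" keystore type, which this page does not show; the configuration path, key alias and token PIN are placeholders.

```java
// Added example (not from the WebSphere documentation). Assumes the IBM SDK's
// IBMPKCS11Impl provider class and "PKCS11IMPLKS" keystore type; CONFIG_PATH,
// the key alias and the PIN passed by the caller are placeholders.
import com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl;

import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;

public final class Pkcs11Signer {

    // Path of the device-specific configuration file (placeholder). Its content
    // follows the attribute = value format from step 6, for example:
    //   name = FooAccelerator
    //   library = /opt/foo/lib/libpkcs11.so
    //   slotListIndex = 0
    private static final String CONFIG_PATH = "/opt/foo/conf/pkcs11.cfg";

    // Initialization-on-demand holder: the JVM runs a class initializer exactly
    // once, so the provider is constructed and registered a single time even
    // when many threads call provider() concurrently, with no explicit locking.
    private static final class Holder {
        static final Provider PROVIDER;
        static {
            try {
                PROVIDER = new IBMPKCS11Impl(CONFIG_PATH);
            } catch (Exception e) {
                throw new ExceptionInInitializerError(e);
            }
            Security.addProvider(PROVIDER);
        }
    }

    public static Provider provider() {
        return Holder.PROVIDER;
    }

    // Signs data with a key that never leaves the token. The PIN is the token
    // login password entered in step 7; key operations require that login.
    public static byte[] sign(char[] tokenPin, String alias, byte[] data) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11IMPLKS", provider());
        ks.load(null, tokenPin);
        PrivateKey key = (PrivateKey) ks.getKey(alias, tokenPin);
        // Bind the Signature to the initialized provider instance (sub-step 3).
        Signature sig = Signature.getInstance("SHA1withRSA", provider());
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }
}
```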


Results

WAS can now provide cryptographic token support in the server configuration.


Related concepts:

Key management for cryptographic uses

