WAS v8.5 > Secure applications > Secure communications

Create a key set configuration

We can use key sets to manage multiple instances of cryptographic keys. WebSphere Application Server uses keys to encrypt or sign outbound data, and decrypt or verify inbound data during cryptographic operations.

You must have write-access to the keystore that will contain the keys after you generate them from a key set. However, to generate keys outside of WAS, we can reference the keys from a read-only keystore containing a secret key that we can access when we generate the keys. If we are creating a key pair using an X509Certificate and a PrivateKey object , see Example: Developing a key or key pair generation class for automated key generation.

Complete the following steps in the dmgr console:

  1. Decide whether to create the key set at the cell scope or below the cell scope at the node, server, or cluster, for example:

  2. Click New to create a new key set.

  3. Type a key set name. For example, CellmyKey.

  4. Type a key alias prefix name. For example, myKey. This field specifies the prefix for the key alias when the new key is generated and stored in the keystore. Following the prefix is the key reference version number, for example, 2, so the full key alias name would be myKey_2. If the key reference already has a specified alias for a key that exists in the keystore, then WAS ignores this field.

  5. Type a key password. The key password protects the key in the keystore. This password is ignored by WAS if you already specified a password for the key alias reference. To check for a key reference password, click Active key history under Additional Properties. The key reference password protects keys that are generated by a key generator class.

  6. Type the password again to confirm it.

  7. Optional: Type the key generator class name. For example, com.ibm.ws.security.ltpa.LTPAKeyGenerator. The class name generates keys. If the class implements com.ibm.websphere.crypto.KeyGenerator, then a getKey method returns a java.security.Key object set in the keystore using the setKey method without a certificate chain. If the class implements com.ibm.websphere.crypto.KeyPairGenerator, then a getKeyPair method returns a com.ibm.websphere.crypto.KeyPair object containing either a java.security.PublicKey and java.security.PrivateKey or a java.security.cert.Certificate and a java.security.PrivateKey object. The key generator class and the KeySetHelper API specify the details of the keys that are generated.

  8. Optional: Select Delete key references that are beyond the maximum number of keys if we do not want old keys saved in the keystore after WAS removes their references from the Active key history listing. The Active key history lists the keys the KeySetHelper API is currently tracking. The number of keys in the list is equal to the number of keys specified in Maximum number of keys referenced.

  9. Type a numeric value for the maximum number of keys referenced. For example, if you type 3 and select Delete key references that are beyond the maximum number of keys, the fourth key version generation automatically triggers WAS to delete the first key version from the keystore. If we choose not to delete the old keys, they do not display in the Active key history list but instead remain in the keystore where we can remove them manually.

  10. Select a keystore from the drop-down list.

    • Select a JCEKS keystore if you are storing a secret key.

    • Select any keystore if you are storing a key pair with an X509Certificate and PrivateKey object.

  11. Optional: Select Generates key pair if your key generator class name implements the com.ibm.websphere.crypto.KeyPairGenerator interface instead of the com.ibm.websphere.crypto.KeyGenerator interface. This option designates the key references a key pair instead of a single key. A key pair contains both a public key and a private key. The WAS run time determines whether or not key pairs are stored and loaded differently than single keys.

  12. Optional: Click Apply to select Active key history under Additional Properties to add alias references or generate more keys.

    1. Click Active key history.

    2. Click Add key alias reference if you are not using the key generator class name to add key alias references to the keys that already exist in the keystore. Use this option to retrieve the keys from a read-only keystore without the key set generating them.

    3. Type an alias reference.

    4. Click Generate key to generate a key using the class name definedd in the key sets panel. Each new key increments numerically, for example, myAlias_2.

    5. Click Apply.

  13. Click the key set name in the navigation path at the top of the panel.

  14. Click OK and Save.


Results

You have created a key set that we can manage using the Active key history link. We can generate keys manually to associate them with specified key sets.

After you generate new keys from a key set, we can access them programmatically using the com.ibm.websphere.crypto.KeySetHelper API. You must have Java 2 Security permissions, if enabled, to access keys in key sets. Specify the key set name within the fine-grained permissions, as in the following code sample: WebSphereRuntimePermission "getKeySets.keySetName". For more information, see Example: Retrieving the generated keys from a key set group. To generate multiple key types at the same time or to schedule the key generation on a specific schedule, see Create a key set group configuration.


Subtopics


Related concepts:

SSL configurations
Key management for cryptographic uses


Reference:

Example: Developing a key or key pair generation class for automated key generation
Example: Retrieving the generated keys from a key set group
KeySetCommands command group for AdminTask


+

Search Tips   |   Advanced Search