Create a key set group configuration (WebSphere Application Server v8.5)
A key set group manages one or more key sets. WebSphere Application Server uses key set groups to automatically generate cryptographic keys or multiple synchronized key sets.
Complete the following steps in the deployment manager (dmgr) administrative console:
1. Decide whether to create the key set group at the cell scope or below the cell scope (for example, at the node, server, or cluster scope).
   - To create a key set group at the cell scope, click Security > SSL certificate and key management > Key set groups.
   - To create a key set group at a scope below the cell level, click Security > SSL certificate and key management > Manage endpoint security configurations > {Inbound | Outbound} > SSL_configuration > Key set groups.
2. Choose whether to generate keys for an existing key set group, delete an existing key set group, or create a new key set group.
   - To generate keys for an existing key set group, select it from the list of existing key set groups and click Generate keys. A new key is generated for each key set in the selected group.
   - To delete an existing key set group, select it from the list of existing key set groups and click Delete.
   - To create a new key set group, continue with step 3.
   CAUTION:
   Do not delete the cell or node LTPAKeySetGroup. It is used by the Lightweight Third Party Authentication (LTPA) mechanism.
3. Click New to create a new key set group.
4. Type a key set group name. You can reference this name with the com.ibm.websphere.crypto.KeySetHelper API to retrieve the managed keys from an application.
5. Select one or more key sets from the Key sets list.
   If the key set you want is not listed, verify that it was created at the same scope as, or a higher scope than, the scope at which you are creating the new key set group.
6. Click Add to add the selected key sets to the new key set group.
7. Select Automatically generate keys to generate new keys on a schedule. If you choose automatic generation, you must also specify a scheduled time of day.
8. Specify the scheduled time for automatic key generation in hours and minutes, A.M. or P.M., or every 24 hours.
9. Choose whether to generate new keys on a specific day or at an interval.
   - Select Generate on a specific day. Select a day of the week from the drop-down list, and type a repeat interval number for the number of days between each key generation. This choice lets you schedule key generation for when the systems are least busy.
   - Select Generate at an interval. Type a repeat interval number for the number of days between each key generation. This choice lets you schedule key generation more frequently than once a week.
   The Next start date is a read-only field that shows the date of the next scheduled generation. You can stop and restart the deployment manager or base application server without resetting this date. If the next start date does not appear after you change the configuration, click OK to save the configuration, then check that the next start date is displayed.
10. Click Save.
Results
You have created a new key set group to manage key sets and key generation on a schedule.
After new keys are generated from a key set, you can access them programmatically with the com.ibm.websphere.crypto.KeySetHelper API. If Java 2 Security is enabled, the application must be granted permission to access keys in key sets; specify the key set name in the fine-grained permission, as in the following sample: WebSphereRuntimePermission "getKeySets.keySetName". For more information, see Example: Retrieving the generated keys from a key set group.
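The following class is an added example, not code from the WebSphere documentation, of how an application can consume keys managed by a key set group so that data encrypted before a scheduled key generation remains decryptable afterwards. It assumes the KeySetHelper methods getInstance(), getLatestKeysForKeySetGroup(String) and getAllKeysForKeySetGroup(String) with the return shapes described in the comments; the group name "AppKeySetGroup", the key set name "AppSecretKeySet", and the assumption that that key set's generation class produces AES SecretKey objects are hypothetical and must match your own configuration. The was.policy fragment in the comments assumes the fully qualified permission class com.ibm.websphere.security.WebSphereRuntimePermission.

```java
// Added example: encrypt with the newest key in a key set group and decrypt
// with whichever retained key version produced the ciphertext.
// Assumed (hypothetical) configuration names:
//   key set group  "AppKeySetGroup"
//   key set        "AppSecretKeySet"  (generation class yields AES SecretKeys)
//
// If Java 2 Security is enabled, the application's META-INF/was.policy needs
// (assumed permission class name; the key set name follows "getKeySets."):
//   grant codeBase "file:${application}" {
//     permission com.ibm.websphere.security.WebSphereRuntimePermission
//                "getKeySets.AppSecretKeySet";
//   };
import java.nio.ByteBuffer;
import java.security.Key;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

import com.ibm.websphere.crypto.KeySetHelper;

public final class KeySetGroupCrypto {
    private static final String GROUP = "AppKeySetGroup";    // hypothetical
    private static final String KEY_SET = "AppSecretKeySet"; // hypothetical
    private static final int IV_LEN = 12;     // 96-bit GCM nonce
    private static final int TAG_BITS = 128;  // GCM authentication tag
    private static final int FP_LEN = 8;      // bytes of key fingerprint stored
    private static final SecureRandom RNG = new SecureRandom();

    // Short fingerprint of the key material. It is stored with the ciphertext
    // so the right key version can be located after the group is regenerated,
    // without depending on the alias naming scheme of the key set.
    private static byte[] fingerprint(Key k) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(k.getEncoded());
        return Arrays.copyOf(d, FP_LEN);
    }

    // Output layout: fingerprint || iv || AES-GCM ciphertext+tag.
    // Assumed: getLatestKeysForKeySetGroup returns Map<keySetName, Key/KeyPair>.
    public static byte[] encrypt(byte[] plaintext) throws Exception {
        Map<?, ?> latest = KeySetHelper.getInstance().getLatestKeysForKeySetGroup(GROUP);
        SecretKey key = (SecretKey) latest.get(KEY_SET);
        if (key == null) {
            throw new IllegalStateException("no current key in key set " + KEY_SET);
        }
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(FP_LEN + IV_LEN + ct.length)
                .put(fingerprint(key)).put(iv).put(ct).array();
    }

    // Decrypts data produced under any key version the key set still retains
    // (bounded by the key set's maximum number of referenced keys).
    // Assumed: getAllKeysForKeySetGroup returns Map<keySetName, Map<alias, Key>>.
    public static byte[] decrypt(byte[] blob) throws Exception {
        ByteBuffer in = ByteBuffer.wrap(blob);
        byte[] fp = new byte[FP_LEN];
        in.get(fp);
        byte[] iv = new byte[IV_LEN];
        in.get(iv);
        byte[] ct = new byte[in.remaining()];
        in.get(ct);

        Map<?, ?> all = KeySetHelper.getInstance().getAllKeysForKeySetGroup(GROUP);
        Map<?, ?> versions = (Map<?, ?>) all.get(KEY_SET);
        if (versions == null) {
            throw new IllegalStateException("key set " + KEY_SET + " not in group " + GROUP);
        }
        for (Object v : versions.values()) {
            if (v instanceof SecretKey && Arrays.equals(fp, fingerprint((SecretKey) v))) {
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.DECRYPT_MODE, (SecretKey) v, new GCMParameterSpec(TAG_BITS, iv));
                return c.doFinal(ct); // throws AEADBadTagException if tampered
            }
        }
        // The key that produced this blob has aged out of the key set: the data
        // must be re-encrypted before that happens, or it is unrecoverable.
        throw new IllegalStateException("key version no longer retained by " + KEY_SET);
    }
}
```

Because the key set group is regenerated on the schedule configured above, long-lived ciphertext must be re-encrypted under the current key before the old version drops out of the key set's retained list; the fingerprint check makes that condition an explicit error rather than a silent decryption failure.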
Subtopics
- Example: Retrieving the generated keys from a key set group
  This example shows how applications can use the com.ibm.websphere.crypto.KeySetHelper API to retrieve managed keys from the KeySet or KeySetGroup configurations. Use the com.ibm.websphere.crypto.KeySetHelper API to get either the latest set of keys or all the keys in the KeySet or KeySetGroup object.
- Example: Developing a key or key pair generation class for automated key generation
  A class that generates keys for cryptographic operations can be invoked automatically. With this capability, the key management infrastructure can maintain a list of keys for a predefined key set, and applications can access these keys.
- Key set groups page
  Use this page to manage groups of public, private, and shared keys. These key groups enable the application server to control multiple sets of LTPA keys.
- Key set groups settings
  Use this page to create new key set groups.
Related concepts:
- Key management for cryptographic uses
Related tasks:
- Create a key set configuration
Reference:
- KeySetCommands command group for AdminTask