Key management for cryptographic uses
WebSphere Application Server (WAS) provides a framework for managing keys (secret keys or key pairs) that applications use to perform cryptographic operations on data. The key management framework provides an API for retrieving these keys. Keys are managed in keystores, so the keystore can be of any type that WAS supports, provided that the keystore can store the referenced key type. We can configure keys and scope keystores so that they are visible only to particular processes, nodes, clusters, and so on.
The key management infrastructure is based on two key configuration object types: key sets and key set groups. WAS uses a key set to manage instances of keys of the same type. We can configure a key set to generate a single key or a key pair, depending on the key or key pair generator class. A key set group manages one or more key sets and enables us to configure and generate different key types at the same time. For example, if the application needs both a secret key and key pair for cryptographic operations, we can configure two key sets, one for the key pair and one for the secret key that the key set group manages. The key set group controls the auto-generation characteristics of the keys, including the schedule. The framework can automatically generate keys on a scheduled basis, such as on a particular day of the week and time of day, so that key generation is done during off-peak hours.
Example of a key set group configured to manage two key sets, key set 1 and key set 2:
Key set 1 generates key pairs. Key set 2 generates secret keys.
The application needs both types of keys for its cryptographic operations on data: the key pair for signing and the secret key for encryption. The keys for the two key sets must be generated in tandem, so that every generation yields one matching key pair and secret key. The application stores the key set group name with the encrypted data so that the keys used to protect a record can be located when it is read back. The key set group generates a new set of keys every Sunday night at 11 P.M. Two weeks of key generations are retained, so data protected under the previous week's keys can still be verified and decrypted after a rotation.
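The following is an added example, not WebSphere code, showing how an application would consume the key set group described above: an AES secret-key set and an RSA key-pair set that rotate in tandem, records tagged with the group name and generation number, and a two-generation retention window. In WAS the alias-to-key maps would come from the key management API (assumed here to be com.ibm.websphere.crypto.KeySetHelper with getAllKeysForKeySetGroup / getLatestKeysForKeySetGroup); the class name KeySetGroupClient, the aliases aesKey_N and sigKey_N, the record format and the in-memory rotation are assumptions so the example runs outside the server. The 2048-bit RSA, AES-256-GCM and retention count are illustrative choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Added example (not WebSphere code). Simulates a key set group with two key
 * sets generated in tandem: aesKey_N (secret keys) and sigKey_N (key pairs).
 * Assumption: in WAS the alias->key maps would be filled from
 * KeySetHelper.getAllKeysForKeySetGroup(groupName); here rotate() stands in.
 */
public class KeySetGroupClient {
    private static final int RETAINED_GENERATIONS = 2; // two weeks of weekly keys
    private final String groupName;
    private final Map<String, SecretKey> secretKeys = new LinkedHashMap<>();
    private final Map<String, KeyPair> keyPairs = new LinkedHashMap<>();
    private int latest = 0;

    KeySetGroupClient(String groupName) { this.groupName = groupName; }

    /** One scheduled generation: both key sets advance together, oldest dropped. */
    void rotate() throws GeneralSecurityException {
        latest++;
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        secretKeys.put("aesKey_" + latest, kg.generateKey());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        keyPairs.put("sigKey_" + latest, kpg.generateKeyPair());
        int oldest = latest - RETAINED_GENERATIONS;
        if (oldest >= 1) {
            secretKeys.remove("aesKey_" + oldest);
            keyPairs.remove("sigKey_" + oldest);
        }
    }

    /** Encrypt with the latest secret key, sign with the latest private key,
     *  and tag the record with the group name and generation number. */
    String protect(byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, secretKeys.get("aesKey_" + latest),
               new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        String body = String.join("|", groupName, Integer.toString(latest), b64(iv), b64(ct));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(keyPairs.get("sigKey_" + latest).getPrivate());
        s.update(body.getBytes(StandardCharsets.UTF_8));
        return body + "|" + b64(s.sign());
    }

    /** Look up the generation named in the record, verify, then decrypt.
     *  Records older than the retention window fail with a clear error. */
    byte[] unprotect(String record) throws GeneralSecurityException {
        String[] f = record.split("\\|");
        if (f.length != 5 || !f[0].equals(groupName)) {
            throw new GeneralSecurityException("record not from key set group " + groupName);
        }
        String gen = f[1];
        KeyPair kp = keyPairs.get("sigKey_" + gen);
        SecretKey k = secretKeys.get("aesKey_" + gen);
        if (kp == null || k == null) {
            throw new GeneralSecurityException("generation " + gen + " no longer retained");
        }
        String body = String.join("|", f[0], f[1], f[2], f[3]);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(kp.getPublic());
        s.update(body.getBytes(StandardCharsets.UTF_8));
        if (!s.verify(unb64(f[4]))) throw new SignatureException("bad signature");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, unb64(f[2])));
        return c.doFinal(unb64(f[3]));
    }

    private static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }
    private static byte[] unb64(String s) { return Base64.getDecoder().decode(s); }

    public static void main(String[] args) throws Exception {
        KeySetGroupClient app = new KeySetGroupClient("appKeySetGroup");
        app.rotate();                                   // week 1
        String week1 = app.protect("payroll batch".getBytes(StandardCharsets.UTF_8)); // constructed input
        app.rotate();                                   // week 2: week-1 keys still retained
        System.out.println(new String(app.unprotect(week1), StandardCharsets.UTF_8));
        app.rotate();                                   // week 3: week-1 keys dropped
        try { app.unprotect(week1); }
        catch (GeneralSecurityException e) { System.out.println("expected: " + e.getMessage()); }
    }
}
```

The point of the generation tag is that rotation does not orphan data: a record written in week 1 is still readable in week 2, and once a generation leaves the retention window the failure is explicit rather than a silent bad decrypt. Signature verification runs before decryption so that a tampered record never reaches the cipher. When porting to WAS, replace rotate() with the scheduled generation the key set group performs and read the aliases from the KeySetHelper maps instead of the local fields.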
Create a key set configuration
Configure a hardware cryptographic keystore
Create a key set group configuration
Example: Developing a key or key pair generation class for automated key generation