Configure hardware cryptographic devices for Web Services Security
Before we can use a hardware cryptographic device, configure and enable it. We must first configure a hardware cryptographic device using the SSL certificate and key management panels in the administrative console. The key for the cryptographic operation can be stored in an ordinary Java keystore file and need not be stored on the hardware devices. (ZOS) After completing the alterations to the java.security file, as part of the following procedure, the cryptographic operations are enabled and the Java Virtual Machine (JVM) is able to select the hardware cryptographic device provider.
We must first configure a hardware cryptographic device using the SSL certificate and key management panels in the administrative console.
Fix packs that include updates to the SDK might overwrite unrestricted policy files. Back up unrestricted policy files before applying a fix pack and reapply these files after the fix pack is applied.
For transitioning users: The unrestricted Java policy files are not required when using hardware cryptographic devices. These policy files were required in some earlier versions of the product.trns
Tasks
- (iSeries) In the administrative console, click Servers > Server Types > WebSphere application servers and then select the server name.
- (iSeries) Under Security, select security runtime.
- (iSeries) Under Cryptographic Hardware, select Enable cryptographic operations on hardware device and then specify the name of the hardware cryptographic device configuration name. See configuring a hardware cryptographic keystore.
- (iSeries) Click OK.
- Stop the application server.
- Alter the java.security file.
(iSeries) The java.security file is located in the profile_root/properties directory.
The java.security file is located in the app_server_root/java/jre/lib/security directory.
(ZOS) The java.security file is located in the app_server_root/properties directory.
The following changes need to be made to this file:
- Uncomment the following line of the file:
#security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA- Reorder the list of providers and preference orders as follows:
security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA #security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.2=com.ibm.crypto.provider.IBMJCE security.provider.3=com.ibm.jsse.IBMJSSEProvider security.provider.4=com.ibm.jsse2.IBMJSSEProvider2 security.provider.5=com.ibm.security.jgss.IBMJGSSProvider security.provider.6=com.ibm.security.cert.IBMCertPath security.provider.7=com.ibm.security.sasl.IBMSASL security.provider.8=com.ibm.security.cmskeystore.CMSProvider security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO security.provider.9=com.ibm.xml.crypto.IBMXMLCryptoProvider security.provider.10=com.ibm.xml.enc.IBMXMLEncProvider security.provider.11=org.apache.harmony.security.provider.PolicyProviderThe file structure and content are ready for use.
- Start the application server. The cryptographic device is enabled for all Web service security applications that run on this application server.
This procedure configures (ZOS) and enables a hardware cryptographic device for all Web Services Security applications running on this application server.
Related:
Hardware cryptographic device support for Web Services Security Enable cryptographic keys stored in hardware devices in Web Services Security Configure a hardware cryptographic keystore