Configuring the Cryptographic Coprocessor
Configuring your Cryptographic Coprocessor allows you to begin to use all of its cryptographic operations. To configure the Cryptographic Coprocessor on your system running the i5/OS operating system, you can either use the Cryptographic Coprocessor configuration web-based utility or write your own application.
The easiest and fastest way to configure your Cryptographic Coprocessor is to use the Cryptographic Coprocessor configuration web-based utility, available from the System Tasks page at http://server-name:2001 (specify another port if you have changed it from port 2001). The utility includes the Basic configuration wizard, which is used for configuring (and initializing) a Coprocessor that has not been previously configured. If HTTP and SSL have not been previously configured, you will need to do the following before using the Configuration Wizard:
- Start the HTTP Administrative server.
- Configure the HTTP Administrative server to use SSL.
- Use DCM to create a certificate, specifying that the private key be generated and stored in software.
- Use DCM to receive the signed certificate.
- Associate the certificate with the HTTP Administrative server application ID.
- Restart the HTTP Administrative server to enable it for SSL processing.
If the Cryptographic Coprocessor has already been configured, then click on the Manage configuration option to change the configuration for specific portions of the Coprocessor.
If you would prefer to write your own application to configure the Coprocessor, you can do so by using the Cryptographic_Facility_Control (CSUACFC), Access_Control_Initialize (CSUAACI), Master_Key_Process (CSNBMKP), and Key_Store_Initialize (CSNBKSI) API verbs. Many of the pages in this section include one or more program examples that show how to configure the Coprocessor via an application. Change these programs to suit your specific needs.
Whether you choose to use the Cryptographic Coprocessor configuration utility or write your own applications, the following outlines the steps to take to properly configure your Cryptographic Coprocessor:
- Creating a device description
  The device description specifies a default location for key storage. You can create a device description with or without naming any key store files for the Cryptographic Coprocessor on your system running the i5/OS operating system.
- Naming files to key store file
  Before you can perform any operation in i5/OS using a key store file or key stored in a key store file, name the key store file.
- Setting the environment ID and clock
  The Cryptographic Coprocessor on your system running the i5/OS operating system uses the EID to verify which Coprocessor created a key token. It uses the clock for time and date stamping and to control whether a profile can log on.
- Loading a function control vector
  The function control vector tells the Cryptographic Coprocessor for the system running the i5/OS operating system what key length to use to create keys. You cannot perform any cryptographic functions without loading a function control vector.
- Loading and setting a master key
  After you load a function control vector, load and set the master key. The master key is used to encrypt other keys. It is a special key-encrypting key stored within the Coprocessor secure module on systems running the i5/OS operating system.
- Configuring the Cryptographic Coprocessor for use with DCM and SSL
  This topic provides information on how to make the Cryptographic Coprocessor ready for use with SSL in i5/OS.
- Configuring the Cryptographic Coprocessor for use with i5/OS applications
  This topic lists the steps needed to make Cryptographic Coprocessors ready for use with an i5/OS application.
Parent topic:
- 4764 and 4758 Cryptographic Coprocessors
Related concepts
- Scenario: Protecting private keys with cryptographic hardware
- Configuring the Cryptographic Coprocessor for use with DCM and SSL
- Scenario: Writing an i5/OS application to use the Cryptographic Coprocessor