Cryptographic hardware for Secure Sockets Layer


IBM HTTP Server supports many types of cryptographic hardware devices.

The following cryptographic devices have been tested with IBM HTTP Server. However, since device drivers for these devices are frequently upgraded by the hardware vendors to correct customer-reported problems or to provide support for new operating system platforms, check with the hardware vendors for specific applications of these devices.

| Device | Key Storage | Acceleration Support | Notes |
|---|---|---|---|
| Rainbow Cryptoswift PCI with BSAFE Interface Model | No | Yes | Use with SSLAcceleratorDisable directive only. Supported on HP, Solaris, and the Windows operating systems. |
| nCipher nFast Accelerator with BHAPI plug-in under BSAFE 4.0 | No | Pure accelerator | Requires either a SCSI or PCI-based nForce unit; use with SSLAcceleratorDisable directive only. Supported on Solaris and Windows operating systems. |
| nCipher nForce Accelerator, accelerator mode | No | Yes | Uses the BHAPI and BSAFE interface. Supported on Solaris and Windows operating systems. |
| nCipher nForce Accelerator, Key stored accelerator mode | Yes | Yes | Uses the PKCS#11 interface. Requires either a SCSI, or PCI-based nForce unit. Move to nCipher nForce Accelerator V4.0 or later for better performance. Supported on AIX, HP, Linux, Solaris, and Windows operating systems. |
| IBM 4758 Model 002/023 PCI Cryptographic Coprocessors | Yes | No | Supported on AIX and Windows operating systems. |

On AIX operating systems, support for the following adapters has been tested with WAS V4.0.2 or later:

| Device | Key Storage | Acceleration Support | Notes |
|---|---|---|---|
| Rainbow Cryptoswift PCI with BSAFE Interface Model CS/200 and CS/600 | No | Yes | Supported on the AIX operating system. |
| IBM e-business Cryptographic Accelerator | No | Yes | Uses the PKCS#11 interface. Because this device uses the PKCS#11 interface, the SSLAcceleratorDisable directive does not apply to this device. Supported on the AIX operating system. |

Use the Rainbow Cryptoswift, IBM e-business Cryptographic Accelerator, nCipher nFast Accelerator, and nCipher nForce Accelerator for public key operations and RSA key decryption. These devices store keys on the server's hard drive. Accelerator devices speed up the public key cryptographic functions of SSL, freeing up the server processor, which increases server throughput and shortens wait time. The Rainbow Cryptoswift, IBM e-business Cryptographic Accelerator, and nCipher accelerators provide faster performance and support more concurrent secure transactions.

The PKCS#11 interface either stores RSA keys on the cryptographic hardware or encrypts keys using the cryptographic hardware to protect them. The nCipher nForce Accelerator can perform acceleration only, or both acceleration and key storage with PKCS#11 support. The IBM 4758 and the nCipher nForce Accelerator with PKCS#11 support ensure that keys are inaccessible to the outside world. Keys are never revealed in unencrypted form because each key is either encrypted by the hardware or stored on the hardware.

nCipher nForce Accelerator V4.0 and later, when using PKCS#11 key storage, has a nonremovable option that can noticeably improve performance. Contact nCipher Technical Support for instructions to turn on this feature.