You can create a hardware cryptographic keystore that WebSphere® Application Server can use to
provide cryptographic token support in the server configuration.
About this task
Note: The hardware accelerator is not supported except for the following situations:
- If you are using WebSphere Application Server for z/OS® and are using the IBMJCECCA crypto provider.
- If you are using WebSphere Application Server Version 7.0 and later running on zLinux and are using the IBMPKCS11 provider.
Complete the following steps in the administrative console:
Procedure
- Click Security > SSL certificate and key management > Key stores and certificates.
- Click New.
- Type a name to identify the keystore. This name is used to enable hardware cryptography in the Web Services Security configuration.
- Optionally, you can type a description for the keystore in the Description field.
- You can specify a Management scope for the key store. This is not required. The management scope specifies the scope where this Secure Sockets Layer (SSL) configuration is visible. For example, if you choose a specific node, then the configuration is only visible on that node and any servers that are part of that node.
- Type the path for the hardware device-specific configuration file. The configuration file is a text file that contains entries in the following format: attribute = value. The valid values for attribute and value are described in detail in the Software Developer Kit, Java™ Technology Edition documentation. The two mandatory attributes are name and library, as shown in the following sample code:
name = FooAccelerator
library = /opt/foo/lib/libpkcs11.so
slotListIndex = 0
The configuration file should also include device-specific configuration data. Navigate to the PKCS11ImplConfigSamples.jar file, which contains sample configuration files, in the IBM SDK documentation.
- Type a password if the token login is required. Operations that use keys on the token require a secure login. This field is optional if the keystore is used as a cryptographic accelerator. In this case, you need to select Enable cryptographic operations on hardware device.
- Select the PKCS11 type.
- Select Read only.
- Click OK and Save.
Results
WebSphere Application Server can now provide cryptographic token support in the server configuration.
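The device configuration file from the procedure can be checked before its path is typed into the console. The following Python sketch is an added example, not IBM code: it confirms that the two mandatory attributes are present and that the library path is absolute, exists, and is not writable by group or others. It assumes that `#` starts a comment and reads only simple attribute = value lines; the function names are hypothetical.

```python
import os
import stat

MANDATORY = ("name", "library")  # the two attributes the page calls mandatory


def parse_pkcs11_config(text):
    """Collect simple 'attribute = value' lines; other lines are ignored."""
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' marks a comment
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip():
            attrs[key.strip()] = value.strip()
    return attrs


def check_pkcs11_config(text, check_files=True):
    """Return a list of findings; an empty list means the checks passed."""
    attrs = parse_pkcs11_config(text)
    findings = [f"missing mandatory attribute: {k}"
                for k in MANDATORY if not attrs.get(k)]
    lib = attrs.get("library", "")
    if lib and not os.path.isabs(lib):
        findings.append("library is not an absolute path")
    elif lib and check_files:
        try:
            mode = os.stat(lib).st_mode
        except OSError:
            findings.append(f"library not found: {lib}")
        else:
            # The server loads this shared library into its own process,
            # so only the owner should be able to replace it.
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append("library is group- or world-writable")
    return findings


# Constructed sample input: the configuration shown in the procedure.
SAMPLE = """\
name = FooAccelerator
library = /opt/foo/lib/libpkcs11.so
slotListIndex = 0
"""

if __name__ == "__main__":
    for finding in check_pkcs11_config(SAMPLE) or ["no findings"]:
        print(finding)
```

Pass `check_files=False` to validate the file on a machine where the device library is not installed.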