Scenario: Protecting private keys with cryptographic hardware

This scenario might be useful for a company that needs to increase the security of the private keys for the system's digital certificates that are used in IBM i SSL-secured business transactions.

Situation:

A company has a system dedicated to handling business-to-business (B2B) transactions. This company's system specialist, Sam, has been informed by management of a security requirement from its B2B customers. The requirement is to increase the security of the system's digital certificate private keys that are associated with the SSL-secured business transactions that Sam's company performs. Sam has heard that there is a cryptographic hardware option available for systems that both encrypts and stores private keys associated with SSL transactions in tamper-responding hardware: a Cryptographic Coprocessor card.

Sam researches the Cryptographic Coprocessor, and learns that he can use it with the IBM i Digital Certificate Manager (DCM) to provide secure SSL private key storage, as well as increase system performance by off-loading from the system those cryptographic operations which are completed during SSL-session establishment.
Note: To support load balancing and performance scaling, Sam can use multiple Cryptographic Coprocessors with SSL on the system.

Sam decides that the Cryptographic Coprocessor meets his company's requirement to increase the security of his company's system.

Details:

  1. The company's system has a Cryptographic Coprocessor installed and configured to store and protect private keys.
  2. Private keys are generated by the Cryptographic Coprocessor.
  3. Private keys are then stored on the Cryptographic Coprocessor.
  4. The Cryptographic Coprocessor resists both physical and electronic hacking attempts.

Prerequisites and assumptions:

  1. The system has a Cryptographic Coprocessor installed and configured properly. Planning for the Cryptographic Coprocessor includes getting SSL running on the system.
    Note: To use multiple Cryptographic Coprocessor cards for application SSL handshake processing and for securing private keys, Sam will need to ensure that his application can manage multiple private keys and certificates.
  2. Sam's company has Digital Certificate Manager (DCM) installed and configured, and uses it to manage public Internet certificates for SSL communications sessions.
  3. Sam's company obtains certificates from a public Certificate Authority (CA).
  4. The Cryptographic Coprocessor is varied on prior to using DCM. Otherwise, DCM will not provide a page for selecting a storage option as part of the certificate creation process.

Configuration steps:

Sam needs to perform the following steps to secure private keys with cryptographic hardware on his company's system:
  1. Ensure that the prerequisites and assumptions for this scenario have been met.
  2. Use the IBM Digital Certificate Manager (DCM) to create a new digital certificate, or renew a current digital certificate:
    a. Select the type of certificate authority (CA) that is signing the current certificate.
    b. Select Hardware as the storage option for the certificate's private key.
    c. Select the cryptographic hardware device on which you want to store the certificate's private key.
    d. Select a public CA to use.

The private key associated with the new digital certificate is now stored on the Cryptographic Coprocessor specified in Step 2.c. Sam can now go into the configuration for his company's web server and specify that the newly created certificate be used. Once he restarts the web server, it will be using the new certificate.