Scenario: Protecting private keys with cryptographic hardware
This scenario might be useful for a company that needs to increase the security of the system's digital certificate private keys that are associated with IBM i SSL-secured business transactions.
Situation:
A company has a system dedicated to handling business-to-business (B2B) transactions. This company's system specialist, Sam, has been informed by management of a security requirement from its B2B customers. The requirement is to increase the security of the system's digital certificate private keys that are associated with the SSL-secured business transactions that Sam's company performs. Sam has heard that there is a cryptographic hardware option available for systems that both encrypts and stores private keys associated with SSL transactions in tamper-responding hardware: a Cryptographic Coprocessor card.
Sam decides that the Cryptographic Coprocessor meets his company's requirement to increase the security of his company's system.
Details:
- The company's system has a Cryptographic Coprocessor installed and configured to store and protect private keys.
- Private keys are generated by the Cryptographic Coprocessor.
- Private keys are then stored on the Cryptographic Coprocessor.
- The Cryptographic Coprocessor resists both physical and electronic hacking attempts.
Prerequisites and assumptions:
- The system has a Cryptographic Coprocessor installed and configured properly. Planning for the Cryptographic Coprocessor includes getting SSL running on the system.
  Note: To use multiple Cryptographic Coprocessor cards for application SSL handshake processing, and securing private keys, Sam will need to ensure that his application can manage multiple private keys and certificates.
- Sam's company has Digital Certificate Manager (DCM) installed and configured, and uses it to manage public Internet certificates for SSL communications sessions.
- Sam's company obtains certificates from a public Certificate Authority (CA).
- The Cryptographic Coprocessor is varied on prior to using DCM. Otherwise, DCM will not provide a page for selecting a storage option as part of the certificate creation process.
Configuration steps:
1. Ensure that the prerequisites and assumptions for this scenario have been met.
2. Use the IBM Digital Certificate Manager (DCM) to create a new digital certificate, or renew a current digital certificate:
   a. Select the type of certificate authority (CA) that is signing the current certificate.
   b. Select Hardware as your storage option for the certificate's private key.
   c. Select which cryptographic hardware device you want to store the certificate's private key on.
   d. Select a public CA to use.
The private key associated with the new digital certificate is now stored on the Cryptographic Coprocessor specified in Step 2.c. Sam can now go into the configuration for his company's web server and specify that the newly created certificate be used. Once he restarts the web server, it will be using the new certificate.