Detailed setup examples for the Tivoli WebSEAL performance tests

The detailed setup we performed to enable WebSEAL with cryptographic hardware support is provided here.

Enable and run WebSEAL with cryptographic hardware support

Use the following steps to enable and run WebSEAL with cryptographic hardware support.

  1. Load the System z9® crypto device driver using the following command (performed at each system startup):
    /etc/init.d/z90crypt start
  2. Start the PKCS11 subsystem using the following command (performed at each system startup):
    /etc/init.d/pkcsslotd start
  3. Configure the PKCS#11 device by doing the following (this is performed once):
    1. Initialize the token using the following command:
      /usr/lib/pkcs11/methods/pkcsconf -c 0 -I
    2. When prompted, enter the default Security Officer (SO) PIN (87654321) and a unique token label as shown below:
      /usr/lib/pkcs11/methods/pkcsconf -c 0 -I
      Enter the SO PIN: ********                        
      Enter a unique token label: websealserver
      In our example, 87654321 was the default SO PIN and "websealserver" was used as the token label.
    3. Set the SO PIN to a value different from the default (87654321) as shown below:
      /usr/lib/pkcs11/methods/pkcsconf -c 0 -P
      Enter the SO PIN: ********         87654321 
      Enter the new SO PIN: ********     76543210 
      Re-enter the new SO PIN: ********  76543210
      "76543210" is just an example. You can choose any number you wish.
    4. Set the user PIN as shown below:
      /usr/lib/pkcs11/methods/pkcsconf -c 0 -u
      Enter the SO PIN: ********            76543210
      Enter the new user PIN: ********      12345678
      Re-enter the new user PIN: ********   12345678
    5. Change the user PIN as shown below:
      /usr/lib/pkcs11/methods/pkcsconf -c 0 -p
      Enter user PIN: ********              12345678
      Enter the new user PIN: ********      01234567
      Re-enter the new user PIN: ********   01234567
  4. Create a self-signed certificate on the PKCS#11 token for WebSEAL to use (this is performed once). Use the gsk7ikm utility to add a self-signed certificate to the CMS Cryptographic Token.
    Note: Before starting the gsk7ikm utility, set the JAVA_HOME environment variable to point to your Java™ JRE and ensure that Java is in the PATH, as shown below:
    export JAVA_HOME=/opt/IBMJava2-s390-142/jre/
    export PATH=/opt/IBMJava2-s390-142/jre/bin:$PATH
    gsk7ikm
    1. Run gsk7ikm. The IBM Key Management screen appears (Figure 1).
       Figure 1. IBM key management screen
    2. From Figure 1, select Key Database File -> Open. The key database file entry box opens (Figure 2).
       Figure 2. Key database file entry box
    3. Select the Key Database Type of CMS Cryptographic Token.
    4. Enter PKCS11_API.so for the file name.
    5. Enter "/usr/lib/pkcs11" for the location.
    6. Click the OK button. The Open cryptographic token screen appears (Figure 3).
       Figure 3. Open cryptographic token screen
    7. Enter the cryptographic token password (the user PIN) that you set before (01234567).
    8. Deselect the Open existing secondary key database file box.
    9. Click OK.
    10. On the IBM® Key Management screen (see Figure 1), click New Self-Signed... The Create new self-signed certificate screen is displayed (Figure 4).
       Figure 4. Create new self-signed certificate screen
    11. Enter the appropriate information to create the certificate.
    12. Click OK. The self-signed certificate you just created is now visible on the IBM Key Management screen (Figure 5).
       Figure 5. IBM Key Management screen showing self-signed certificate
    13. Exit the gsk7ikm application.

  5. Configure WebSEAL to use the PKCS#11 device for cryptographic operations as detailed below (this is performed once):
    • Add ivmgr to group pkcs11 by issuing the following:
      usermod -G ivmgr,tivoli,pkcs11 ivmgr
    • Update the following parameters in the webseald-xxx.conf file (in our case webseald-default.conf):
      unix-group = pkcs11
      webseal-cert-keyfile-label = websealserver:leeds
      (The value of the webseal-cert-keyfile-label directive has the form token_label:certificate_label.)
      [ssl]
      pkcs11-driver-path = /usr/lib/pkcs11/PKCS11_API.so
      pkcs11-token-label = websealserver
      pkcs11-token-pwd = 01234567
      (The user PIN set during token initialization.)
      pkcs11-symmetric-cipher-support = yes
      (This directive enables the use of CPACF.)
      [ssl-qop]
      ssl-qop-mgmt = yes
      [ssl-qop-mgmt-default]
      default = AES-128 (or DES-168)
  6. Start or restart WebSEAL using one of the following commands:
    pdweb start
    pdweb restart
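Not part of the original page: a POSIX shell check, added here, that can be run before the pdweb restart in step 6 to confirm the webseald-xxx.conf directives from step 5 are present and that the token PIN is not still one of the factory defaults from step 3. It assumes unix-group lives in the [server] stanza (the standard webseald.conf layout), and the config it writes for illustration is constructed sample data.

```shell
# Added example (not from the original page): sanity-check a webseald-*.conf
# for the step 5 PKCS#11 settings before "pdweb restart". Assumes unix-group
# sits in [server] and the pkcs11-*/keyfile-label directives in [ssl], the
# standard webseald.conf layout; all sample data below is constructed.

# conf_get FILE STANZA KEY -> prints the value of "KEY = value" in [STANZA]
conf_get() {
    awk -v s="[$2]" -v k="$3" '
        /^\[/ { in_s = ($0 == s); next }
        in_s && $1 == k && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }
    ' "$1"
}

# check_webseal_pkcs11_conf FILE -> 0 when every setting is present and sane,
# 1 otherwise, printing one line per failed check
check_webseal_pkcs11_conf() {
    f=$1; rc=0
    grp=$(conf_get "$f" server unix-group)
    [ "$grp" = pkcs11 ] || { echo "unix-group must be pkcs11 (got '$grp')"; rc=1; }
    [ -n "$(conf_get "$f" ssl pkcs11-driver-path)" ] || { echo "pkcs11-driver-path missing"; rc=1; }
    tok=$(conf_get "$f" ssl pkcs11-token-label)
    [ -n "$tok" ] || { echo "pkcs11-token-label missing"; rc=1; }
    pin=$(conf_get "$f" ssl pkcs11-token-pwd)
    case "$pin" in   # the factory SO/user PINs from step 3 must not survive
        ""|87654321|12345678) echo "pkcs11-token-pwd unset or still a default PIN"; rc=1 ;;
    esac
    sym=$(conf_get "$f" ssl pkcs11-symmetric-cipher-support)
    [ "$sym" = yes ] || { echo "pkcs11-symmetric-cipher-support must be yes for CPACF"; rc=1; }
    lbl=$(conf_get "$f" ssl webseal-cert-keyfile-label)
    case "$lbl" in   # must be token_label:certificate_label for this token
        "$tok":?*) ;;
        *) echo "webseal-cert-keyfile-label must be '$tok:<cert label>' (got '$lbl')"; rc=1 ;;
    esac
    return $rc
}

# write_sample_conf FILE PIN -> constructed webseald-default.conf fragment
write_sample_conf() {
    cat > "$1" <<EOF
[server]
unix-group = pkcs11
[ssl]
webseal-cert-keyfile-label = websealserver:leeds
pkcs11-driver-path = /usr/lib/pkcs11/PKCS11_API.so
pkcs11-token-label = websealserver
pkcs11-token-pwd = $2
pkcs11-symmetric-cipher-support = yes
EOF
}
```

pkcs11-token-pwd is stored in clear text in webseald-*.conf, so the file's ownership and permissions are what protect the token PIN.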