You can create a hardware cryptographic keystore that WebSphere® Application Server can use to
provide cryptographic token support in the server configuration.
About this task
Note: The hardware accelerator is not supported except for the following situations:
- If you are using WebSphere Application Server for z/OS® and are using the IBMJCECCA crypto provider.
- If you are using WebSphere Application Server Version 7.0 and later running on zLinux and are using the IBMPKCS11 provider.
Complete the following steps in the administrative console:
Procedure
- Click Security > SSL certificate and key management > Key stores and certificates.
- Click New.
- Type a name to identify the keystore. This name is used to enable hardware cryptography in the Web Services Security configuration.
- Optionally, type a description for the keystore in the Description field.
- Optionally, specify a Management scope for the keystore. The management scope specifies the scope where this Secure Sockets Layer (SSL) configuration is visible. For example, if you choose a specific node, then the configuration is only visible on that node and any servers that are part of that node.
- Type the path for the hardware device-specific configuration file. The configuration file is a text file that contains entries in the following format: attribute = value. The valid values for attribute and value are described in detail in the Software Developer Kit, Java™ Technology Edition documentation. The two mandatory attributes are name and library, as shown in the following sample code:
name = FooAccelerator
library = /opt/foo/lib/libpkcs11.so
slotListIndex = 0
The configuration file should also include device-specific configuration data. The PKCS11ImplConfigSamples.jar file, which contains sample configuration files, is available under the heading PKCS 11 Implementation Provider on the Java technology site: http://publib.boulder.ibm.com/infocenter/javasdk/v6r0/topic/com.ibm.java.security.component.60.doc/security-component/introduction.html.
- Type a password if the token login is required. Operations that use keys on the token require a secure login. This field is optional if the keystore is used only as a cryptographic accelerator; in that case, select Enable cryptographic operations on hardware device.
- Select the PKCS11 type.
- Select Read only.
- Click OK and Save.
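The device-specific configuration file described in the procedure is a plain "attribute = value" text file, and a typo in it (a misspelled attribute, a missing library line, a wrong slot index) only surfaces when the server tries to load the PKCS11 provider. The following Python script is an added example, not IBM's code or part of WebSphere: it parses a file of that shape, enforces the two mandatory attributes (name and library), and reports problems before the path is entered in the console. The sample configuration, the device name FooAccelerator and the library path are constructed and hypothetical, as in the page's own sample.

```python
import re
from pathlib import Path

# Constructed sample configuration in the same shape as the page's example.
# The device name and library path are hypothetical placeholders.
SAMPLE_CONFIG = """\
# PKCS11 provider configuration (constructed sample)
name = FooAccelerator
library = /opt/foo/lib/libpkcs11.so
slotListIndex = 0
"""

# The two attributes the provider always requires.
MANDATORY = ("name", "library")

# One 'attribute = value' entry: identifier, '=', value (surrounding blanks ignored).
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_pkcs11_config(text):
    """Parse 'attribute = value' lines into a dict.

    Blank lines and '#' comment lines are skipped. A line that is not in the
    expected form, or an attribute given twice, raises ValueError so that the
    file is rejected before the server attempts to load the provider.
    """
    attrs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not in 'attribute = value' form: {raw!r}")
        key, value = m.group(1), m.group(2)
        if key in attrs:
            raise ValueError(f"line {lineno}: attribute {key!r} given twice")
        attrs[key] = value
    return attrs


def check_pkcs11_config(attrs, check_library_exists=True):
    """Return a list of problems found in the parsed attributes.

    An empty list means the mandatory attributes are present, the library
    path exists on this host (unless the check is disabled), and any
    slotListIndex is a non-negative integer.
    """
    problems = []
    for key in MANDATORY:
        if not attrs.get(key):
            problems.append(f"mandatory attribute {key!r} is missing or empty")
    lib = attrs.get("library")
    if lib and check_library_exists and not Path(lib).is_file():
        problems.append(f"library {lib!r} does not exist on this host")
    idx = attrs.get("slotListIndex")
    if idx is not None and not idx.isdigit():
        problems.append(f"slotListIndex must be a non-negative integer, got {idx!r}")
    return problems


def validate_pkcs11_config_file(path):
    """Read a configuration file from disk and return (attributes, problems)."""
    attrs = parse_pkcs11_config(Path(path).read_text(encoding="utf-8"))
    return attrs, check_pkcs11_config(attrs)


if __name__ == "__main__":
    parsed = parse_pkcs11_config(SAMPLE_CONFIG)
    # The sample library path does not exist on an arbitrary host, so skip
    # the file-existence check when demonstrating with the embedded sample.
    for problem in check_pkcs11_config(parsed, check_library_exists=False) or ["no problems found"]:
        print(problem)
```

Run it against the real file with validate_pkcs11_config_file("/path/to/pkcs11.cfg") on the host where the PKCS#11 library is installed; there the library-existence check is the one most worth keeping, since a wrong library path is indistinguishable from a missing device once the server starts.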
Results
WebSphere Application Server can now provide cryptographic token support in the server configuration.