A key set group manages one or more key sets. WebSphere® Application Server uses key set
groups to automatically generate cryptographic keys or multiple synchronized
key sets.
About this task
Complete the following steps in the administrative console:
Procedure
1. Decide whether you want to create the key set group at the cell scope or below the cell scope (at the node, server, or cluster scope, for example).
   - To create a key set group at the cell scope, click Security > SSL certificate and key management > Key set groups.
   - To create a key set group at a scope below the cell level, click Security > SSL certificate and key management > Manage endpoint security configurations > {Inbound | Outbound} > SSL_configuration > Key set groups.
2. Choose whether to generate a key for an existing key set group, delete an existing key set group, or create a new key set group.
   - To generate a key for an existing key set group, select a key set group from the list of existing key set groups, and click Generate keys. A new key is generated for each key set in the selected group.
   - To delete an existing key set group, select a key set group from the list of existing key set groups, and click Delete. The key set group is deleted.
   - To create a new key set group, go to step 3.
   CAUTION: Do not delete the cell or node LTPAKeySetGroup, which is used by the Lightweight Third Party Authentication (LTPA) mechanism.
3. Click New to create a new key set group.
4. Type a key set group name. You can reference this name by using the com.ibm.websphere.crypto.KeySetHelper API to retrieve the managed keys from an application.
5. Select one or more key sets from the Key sets list.
   Note: If a key set that you want is not listed, make sure that it was created at the same scope as, or a higher scope than, the scope at which you are creating the new key set group.
6. Click Add to add the selected key sets to the new key set group.
7. Select Automatically generate keys to generate the new keys on a schedule.
   Avoid Trouble: For Automatically generate keys to operate properly, be sure to enable Dynamically update the runtime when SSL configuration changes occur. Specifically, in the administrative console, click Security > SSL certificate and key management. Under Configuration settings, select the check box for Dynamically update the runtime when SSL configuration changes occur.
   If you choose to generate keys automatically, you must specify a scheduled time of day.
8. Specify the scheduled time to generate keys automatically, in hours and minutes (A.M. or P.M.), or every 24 hours.
9. Choose whether to generate new keys on a specific day or at an interval.
   - Select Generate on a specific day. Select a day of the week from the drop-down list, and type a repeat interval number for the number of days between each key generation. This choice enables you to schedule key generation when your systems are least busy.
   - Select Generate at an interval. Type a repeat interval number for the number of days between each key generation. This choice enables you to schedule key generation more frequently than once a week.
   Note: The Next start date is a read-only field that shows the date of the next scheduled generation. You can stop and restart the deployment manager or base application server without resetting this date. If the next start date does not appear after you change the configuration, click OK to save the configuration, then check that the next start date is displayed.
10. Click Save.
Results
You have created a new key set group to manage key sets and
key generation on a schedule.
What to do next
After you generate new keys from a key set, you can access them programmatically by using the com.ibm.websphere.crypto.KeySetHelper API. If Java™ 2 Security is enabled, your application must hold the corresponding permission to access keys in key sets. Specify the key set name within the fine-grained permission, as in the following sample: WebSphereRuntimePermission "getKeySets.keySetName". For more information, see Example: Retrieving the generated keys from a key set group.
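The following is an added example, not code from the WebSphere documentation, showing how an application would read the newest key of each key set in a key set group through the KeySetHelper API named above, and how the Java 2 Security permission mentioned above fits in. It assumes a key set group named MyKeySetGroup containing a key set named MyKeySet (both are constructed names), that KeySetHelper.getInstance() and getLatestKeysForKeySetGroup(String) exist with the signatures used here, and that the permission class is com.ibm.websphere.security.WebSphereRuntimePermission; verify these against the WebSphere API documentation for your release.

```java
// Added example (not from the WebSphere documentation).
// Assumed policy entry for the application's META-INF/was.policy when
// Java 2 Security is enabled. One entry per key set in the group; the
// permission class name and location are assumptions, check your release:
//
//   grant codeBase "file:${application}" {
//     permission com.ibm.websphere.security.WebSphereRuntimePermission
//         "getKeySets.MyKeySet";
//   };

import java.security.Key;
import java.security.KeyPair;
import java.util.Map;

import com.ibm.websphere.crypto.KeySetHelper;

public class KeySetGroupReader {

    // Constructed group name; use the name typed in step 4 of the procedure.
    private static final String KEY_SET_GROUP = "MyKeySetGroup";

    /**
     * Returns the latest key of every key set in the group, keyed by key set
     * name. Values are java.security.Key for secret keys and
     * java.security.KeyPair for key-pair key sets (assumed value types).
     * Declared to throw Exception so it compiles whether or not the helper
     * method declares a checked exception in your release.
     */
    public static Map<String, Object> latestKeys() throws Exception {
        KeySetHelper helper = KeySetHelper.getInstance();
        @SuppressWarnings("unchecked")
        Map<String, Object> keys = helper.getLatestKeysForKeySetGroup(KEY_SET_GROUP);
        return keys;
    }

    /** Describes a key without exposing its material: algorithm and encoding format only. */
    static String describe(Object value) {
        if (value instanceof KeyPair) {
            Key pub = ((KeyPair) value).getPublic();
            return "KeyPair " + pub.getAlgorithm() + " / public " + pub.getFormat();
        }
        if (value instanceof Key) {
            Key k = (Key) value;
            return k.getAlgorithm() + " / " + k.getFormat();
        }
        return value == null ? "null" : value.getClass().getName();
    }

    public static void main(String[] args) {
        try {
            for (Map.Entry<String, Object> e : latestKeys().entrySet()) {
                // Log only metadata; never write key bytes to a log.
                System.out.println(e.getKey() + ": " + describe(e.getValue()));
            }
        } catch (SecurityException se) {
            // Raised when Java 2 Security is enabled and was.policy lacks
            // WebSphereRuntimePermission "getKeySets.<keySetName>" for a
            // key set in the group.
            System.err.println("Missing getKeySets permission: " + se.getMessage());
        } catch (Exception ex) {
            System.err.println("Could not read key set group " + KEY_SET_GROUP + ": " + ex);
        }
    }
}
```

Because the group is read by name, a scheduled generation (step 7 onward) becomes visible to the application the next time it calls latestKeys(), provided Dynamically update the runtime when SSL configuration changes occur is enabled as the Avoid Trouble note above requires.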