Before you can use a hardware cryptographic device, you must configure and
enable it. You must first configure a hardware cryptographic device using the Secure Sockets Layer
(SSL) certificate and key management panels in the administrative console. The key for the
cryptographic operation can be stored in an ordinary Java™ keystore file and need not
be stored on the hardware devices. After you complete the alterations to the
java.security file, as part of the following procedure, the cryptographic operations are enabled and
the Java Virtual Machine (JVM) is able to select the hardware cryptographic device
provider.
Before you begin
You must first configure a hardware cryptographic device using the Secure Sockets Layer
(SSL) certificate and key management pages in the administrative console.
Required: Fix packs that include updates to the Software Development Kit (SDK) might
overwrite unrestricted policy files. Back up unrestricted policy files before you apply a fix pack
and reapply these files after the fix pack is applied.
For transitioning users: The unrestricted Java policy files are not required
when using hardware cryptographic devices. These policy files were required in some earlier versions
of the product.
Procedure
- In the administrative console, click and then select the server name.
- Under Security, select JAX-WS and JAX-RPC security runtime.
- Under Cryptographic Hardware, select Enable cryptographic operations on hardware
  device and then specify the name of the hardware cryptographic device configuration.
  For more information, read about configuring a hardware cryptographic keystore.
- Click OK.
- Stop the application server.
- Alter the java.security file.
  The java.security file is located in one of the following directories:
  - profile_root/properties
  - app_server_root/java/jre/lib/security
  - app_server_root/properties
  The following changes need to be made to this file:
  - Uncomment the following line of the file:
    #security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
  - Reorder the list of providers and preference orders as follows (each
    security.provider index must be unique and contiguous, because the JVM reads
    the indexes in sequence and a duplicate key silently replaces the earlier entry):
    security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
    #security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.jsse.IBMJSSEProvider
    security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.security.sasl.IBMSASL
    security.provider.8=com.ibm.security.cmskeystore.CMSProvider
    security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.12=org.apache.harmony.security.provider.PolicyProvider
  The file structure and content are ready for use.
- Start the application server.
  The cryptographic device is enabled for all Web Services Security applications that run on this
  application server.
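The provider list above is only honored if every security.provider index is unique and contiguous and the hardware provider sits at index 1; the JVM reports none of these mistakes. The following added check (not part of the original page or the product) parses a java.security text and flags a duplicated index, a gap in the numbering, or a hardware provider line that is still commented out. The three fragments are constructed samples, not real files.

```python
import re
from collections import defaultdict

# Matches active and commented-out provider lines, for example
#   security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
#   #security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
PROVIDER_RE = re.compile(r"^\s*(#?)\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")
HW_PROVIDER = "com.ibm.crypto.hdwrCCA.provider.IBMJCECCA"

# Constructed java.security fragments: index 4 used twice, the same list
# with the index fixed, and a list where the hardware line is still commented.
BROKEN = """\
security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
#security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse.IBMJSSEProvider
security.provider.4=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.4=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.5=com.ibm.xml.enc.IBMXMLEncProvider
"""
FIXED = (BROKEN.replace("provider.5=com.ibm.xml.enc", "provider.6=com.ibm.xml.enc")
               .replace("provider.4=com.ibm.xml", "provider.5=com.ibm.xml"))
STILL_COMMENTED = """\
#security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse.IBMJSSEProvider
"""

def parse_providers(text):
    """Return the active (index, class) entries of a java.security text in file order."""
    return [(int(m.group(2)), m.group(3))
            for m in map(PROVIDER_RE.match, text.splitlines()) if m and not m.group(1)]

def check_provider_list(text, expected_first=HW_PROVIDER):
    """Report provider-list defects that the JVM tolerates without any warning."""
    problems = []
    by_index = defaultdict(list)
    for idx, cls in parse_providers(text):
        by_index[idx].append(cls)
    for idx in sorted(by_index):
        if len(by_index[idx]) > 1:
            # java.util.Properties keeps only the last value of a duplicate key,
            # so every earlier provider at this index is dropped silently
            problems.append(f"duplicate index {idx}: {by_index[idx][:-1]} ignored")
    if sorted(by_index) != list(range(1, len(by_index) + 1)):
        # the JVM reads security.provider.1, .2, ... and stops at the first gap
        problems.append(f"indices not contiguous from 1: {sorted(by_index)}")
    if by_index.get(1, [None])[-1] != expected_first:
        problems.append(f"{expected_first} is not security.provider.1")
    return problems
```

Run it against the real file after editing (for example, `check_provider_list(open(path).read())`) and expect an empty list before restarting the server.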
Results
This procedure configures and enables a hardware cryptographic
device for all Web Services Security applications running on this application server.