Scenario 2: IBM WebSphere Application Server with IBM HTTP server transport SSL setup

An overview of the cryptographic software and hardware stack for scenario 2.

Prerequisites: The following configuration description assumes that the Linux® cryptographic setup has been configured as described in IBM Linux on System z cryptographic setup for the IBM WebSphere Application Server SSL support. The IBM WebSphere Application Server (WAS) web server plugin is already configured, so that IBM HTTP server (IHS) and WAS can communicate.

For additional information on configuring the WAS web server plugin, see the WAS Version 8 information center:

WebSphere Application Server (Distributed operating systems), Version 8.0 > Setting up intermediary services > Implementing a web server plug-in

Based on the Linux cryptographic setup completed in IBM Linux on System z cryptographic setup for the IBM WebSphere Application Server SSL support, the IBM System z cryptographic features should be ready to use from an operating system point of view. For this scenario, the IHS must be configured to exploit the IBM System z cryptographic features. In this scenario IHS drives the SSL connection.

The setup recommendations that follow apply to IHS Version 8.0 for WAS Version 8.

Figure 1. Overview of the cryptographic software and hardware stack for scenario 2
Block diagram showing overview of cryptographic software and hardware stack, from top to bottom, application, shared libraries, Linux kernel, hardware

Figure 1 shows the cryptographic flow through the various levels of application interfaces, Linux shared libraries and device drivers to access the IBM System z cryptographic features. IHS uses the Global Secure ToolKit API (GSKit) to interact with the PKCS#11 API (openCryptoki). openCryptoki then uses the libICA interface library via the ICA token to offload cryptographic operations to CPACF directly and to CEX3 through the zcrypt device driver. GSKit also uses IBM Crypto for C (ICC) for some cryptographic operations.
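The following script is an added example, not part of the IBM documentation: it walks the stack in Figure 1 from the hardware upward and reports the first layer that is not visible, so a missing layer is noticed before IHS is configured. It assumes that `icainfo` (libICA) and `pkcsconf` (openCryptoki) are installed, that AP adapters appear as `cardNN` under `/sys/bus/ap/devices`, and that the ICA token can be recognised by "ICA" in its label or model; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check each layer of the scenario 2 crypto stack, bottom up.
# The parsing helpers take a file, directory or stdin so they can also be
# run against saved output from another system.

# CPACF: the s390x kernel reports the message-security assist as "msa"
# on the "features" line of /proc/cpuinfo.
has_cpacf() {    # $1 = cpuinfo file (default /proc/cpuinfo)
    grep -Eq '^features[[:space:]]*:.*[[:space:]]msa([[:space:]]|$)' \
        "${1:-/proc/cpuinfo}"
}

# zcrypt: count the AP adapters (cardNN) the device driver has registered.
count_ap_cards() {    # $1 = AP bus device directory (default sysfs path)
    dir=${1:-/sys/bus/ap/devices}
    n=0
    for d in "$dir"/card*; do
        if [ -e "$d" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# openCryptoki: look for the ICA token in "pkcsconf -t" output on stdin.
# Assumption: the token's Label or Model line contains "ICA".
has_ica_token() {
    grep -Eiq '^[[:space:]]*(Label|Model):.*ICA'
}

# Report the first layer that is missing; return 0 only if all are visible.
check_stack() {
    has_cpacf || { echo "CPACF: msa not in /proc/cpuinfo"; return 1; }
    [ "$(count_ap_cards)" -gt 0 ] ||
        { echo "zcrypt: no AP adapter under /sys/bus/ap/devices"; return 1; }
    command -v icainfo >/dev/null 2>&1 ||
        { echo "libICA: icainfo not found"; return 1; }
    pkcsconf -t 2>/dev/null | has_ica_token ||
        { echo "openCryptoki: ICA token not listed"; return 1; }
    echo "CPACF, zcrypt, libICA and the ICA token are all visible"
}

# Run against the live system only when asked to: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_stack
fi
```

A passing result shows only that each layer is present; it does not show that IHS is using the PKCS#11 path.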

Attention: For previous IHS versions, it was required to remove the gskikm.jar file from the /opt/IBM/HTTPServer/java/jre/lib/ext directory.

Do not perform this step if you are using IHS Version 8.