IBM HTTP Server & IBM WebSphere Application Server
INTEGRATION GUIDE
SAFENET LUNA HSM
SAFENET DATA PROTECTION ON DEMAND
IBM HTTP Server & Websphere Application Server: Integration Guide 007-009320-001, Rev. AA, December 2019 Copyright © 2019 Gemalto
Document Information
Document Part Number 007-009320-001
Release Date 23 December 2019
Revision History
Revision   Date               Reason
AA         23 December 2019   Update
Trademarks, Copyrights, and Third-Party Software
© 2019 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of
Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and
service marks, whether registered or not in specific countries, are the property of their respective owners.
Disclaimer
All information herein is either public information or is the property of and owned solely by Gemalto NV.
and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of
intellectual property protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise,
under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information.
This document can be used for informational, non-commercial, internal and personal use only provided
that:
The copyright notice below, the confidentiality and proprietary legend and this full warning notice
appear in all copies.
This document shall not be posted on any network computer or broadcast in any media and no
modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided “AS IS” without any warranty of any kind. Unless
otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of
information contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically
added to the information herein. Furthermore, Gemalto reserves the right to make any change or
improvement in the specifications data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein,
including all implied warranties of merchantability, fitness for a particular purpose, title and
non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect,
special or consequential damages or any damages whatsoever including but not limited to damages
resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use
or performance of information contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall
not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security
standards in force on the date of their design, security mechanisms' resistance necessarily evolves
according to the state of the art in security and notably under the emergence of new attacks. Under no
circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any
successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any
liability with respect to security for direct, indirect, incidental or consequential damages that result from any
use of its products. It is further stressed that independent testing and verification by the person using the
product is particularly encouraged, especially in any application in which defective, incorrect or insecure
functioning could result in damage to persons or property, denial of service or loss of privacy.
CONTENTS
PREFACE
  Audience
  Document Conventions
    Command Syntax and Typeface Conventions
  Support Contacts
    Customer Support Portal
    Telephone Support
    Email Support
CHAPTER 1: Getting Started
  About IBM HTTP Server and WebSphere Application Server
  Third Party Application Details
  Supported Platforms
  Prerequisites
    Configure the SafeNet Luna HSM
    SafeNet Luna HSM HA (High-Availability) Setup
    Provision HSM on Demand Service
    Constraints on HSMoD Services
    Set up IBM HTTP Server and WebSphere Application Server
CHAPTER 2: Integrating IBM HTTP Server and IBM WebSphere Application Server with SafeNet HSM
  Configuring the iKeyman to recognize a SafeNet HSM
  Configuring the SSL using SafeNet HSM for IHS
  Configuring IBM WebSphere Application Server using SafeNet HSM
  Configuring SSL using SafeNet HSM for IBM WAS
PREFACE
This document provides the necessary information to install, configure, and integrate IBM HTTP Server
and IBM WebSphere Application Server with SafeNet Luna HSMs or an HSM on Demand service. It
contains the following chapters:
“Getting Started” describes the third-party applications, supported platforms, and prerequisites for the
integration.
“Integrating IBM HTTP Server and IBM WebSphere Application Server with SafeNet HSM” provides
the steps for integrating IBM HTTP Server and IBM WebSphere Application Server with SafeNet Luna
HSMs or an HSM on Demand service.
Audience
This document is intended to guide security administrators through the steps for integrating IBM HTTP
Server and IBM WebSphere Application Server with SafeNet Luna HSMs or an HSM on Demand service.
All products manufactured and distributed by Gemalto, Inc. are designed to be installed, operated, and
maintained by personnel who have the knowledge, training, and qualifications required to safely perform
the tasks assigned to them. The information, processes, and procedures contained in this document are
intended for use by trained and qualified personnel only.
Document Conventions
This section provides information on the conventions used in this document.
Notes
Notes are used to alert you to important or helpful information.
NOTE: Take note. Notes contain important or helpful information.
Cautions
Cautions are used to alert you to important information that may help prevent unexpected results or data
loss.
CAUTION! Exercise caution. Caution alerts contain important information that may
help prevent unexpected results or data loss.
Warnings
Warnings are used to alert you to the potential for catastrophic data loss or personal injury.
**WARNING** Be extremely careful and obey all safety and security measures. In
this situation you might do something that could result in catastrophic data loss
or personal injury.
Command Syntax and Typeface Conventions
Convention           Description
Bold                 The bold attribute is used to indicate the following:
                       Command-line commands and options (Type dir /p.)
                       Button names (Click Save As.)
                       Check box and radio button names (Select the Print Duplex check box.)
                       Window titles (On the Protect Document window, click Yes.)
                       Field names (User Name: Enter the name of the user.)
                       Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.)
                       User input (In the Date box, type April 1.)
Italic               The italic attribute is used for emphasis or to indicate a related document. (See the Installation Guide for more information.)
Double quote marks   Double quote marks enclose references to other sections within the document.
<variable>           In command descriptions, angle brackets represent variables. You must substitute a value for command line arguments that are enclosed in angle brackets.
[ optional ]         Square brackets enclose optional keywords or <variables> in a command line description. Optionally enter the keyword or <variable> that is enclosed in square brackets, if it is necessary or desirable to complete the task.
[ <optional> ]
[ a | b | c ]        Square brackets enclose optional alternate keywords or variables in a command line description. Choose one command line argument enclosed within the brackets, if desired. Choices are separated by vertical (OR) bars.
[<a> | <b> | <c>]
{ a | b | c }        Braces enclose required alternate keywords or <variables> in a command line description. You must choose one command line argument enclosed within the braces. Choices are separated by vertical (OR) bars.
{ <a> | <b> | <c> }
Support Contacts
If you encounter a problem while installing, registering, or operating this product, refer to the
documentation. If you cannot resolve the issue, contact your supplier or Gemalto Customer Support.
Gemalto Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is
governed by the support plan arrangements made between Gemalto and your organization. Please consult
this support plan for further information about your entitlements, including the hours when telephone
support is available to you.
Customer Support Portal
The Customer Support Portal, at https://supportportal.thalesgroup.com, is a repository where you can find
solutions for most common problems. The Customer Support Portal is a comprehensive, fully searchable
database of support resources, including software and firmware downloads, release notes listing known
problems and workarounds, a knowledge base, FAQs, product documentation, technical notes, and more.
You can also use the portal to create and manage support cases.
NOTE: You require an account to access the Customer Support Portal. To create a new account, go to the portal and click on the REGISTER link.
Telephone Support
If you have an urgent problem, or cannot access the Customer Support Portal, you can contact Gemalto
Customer Support by telephone at +1 410-931-7520. Additional local telephone support numbers are listed
on the support portal.
Email Support
You can also contact technical support by email at [email protected].
CHAPTER 1: Getting Started
This chapter contains the following topics:
About IBM HTTP Server and WebSphere Application Server
Third Party Application Details
Supported Platforms
Prerequisites
About IBM HTTP Server and WebSphere Application Server
IBM WebSphere Application Server is a software platform for deploying enterprise Java-based applications
utilizing IBM HTTP Server. IBM WebSphere Application Server provides key management security for
certificates and certificate-based authentication. With IBM WebSphere Application Server, users can
import trusted CA certificates from a software-based keystore to a hardware-based keystore, and generate
self-signed certificates and personal certificate requests using the IBM Key Management Utility (iKeyman).
IBM WebSphere Application Server utilizes the following APIs:
PKCS #11
JCA/JCE
IBM Java Secure Sockets Extension (JSSE)
The SafeNet HSM solutions for IBM WebSphere Application Server provide secure key management,
accelerated signing for private keys associated with the IBM WebSphere Application Server, and secure
SSL Acceleration. SSL acceleration is accomplished on the IBM WebSphere Application Server through
implementing the Java Secure Sockets Extension (JSSE) Provider.
Using SafeNet Luna HSMs or an HSM on Demand (HSMoD) service to generate the keys (RSA/ECDSA)
and certificate for IBM HTTP Server and WebSphere Application Server provides the following benefits:
Secure generation, storage, and protection of the private keys on FIPS 140-2 level 3 validated
hardware.
Full life cycle management of the keys.
Access to the HSM audit trail*.
Significant performance improvements by off-loading cryptographic operations from signing servers.
*HSMoD services do not have access to the secure audit trail.
Third Party Application Details
This integration guide uses the following third party applications:
IBM HTTP Server
IBM WebSphere Application Server
Supported Platforms
SafeNet Luna HSM: SafeNet Luna HSM appliances are purposefully designed to provide a balance of
security, high performance, and usability that makes them an ideal choice for enterprise, financial, and
government organizations. SafeNet Luna HSMs physically and logically secure cryptographic keys and
accelerate cryptographic processing.
The SafeNet Luna HSM on premise offerings include the SafeNet Luna Network HSM, SafeNet PCIe
HSM, and SafeNet Luna USB HSMs. SafeNet Luna HSMs are also available for access as an offering
from cloud service providers such as IBM cloud HSM and AWS cloud HSM classic.
This integration is supported on the following platforms:
RHEL
AIX
Solaris SPARC
Windows Server
SafeNet Data Protection on Demand (DPoD): SafeNet DPoD is a cloud-based platform that provides on-
demand HSM and Key Management services through a simple graphical user interface. With DPoD,
security is simple, cost effective, and easy to manage because there is no hardware to buy, deploy, and
maintain. As an Application Owner, you click and deploy services, generate usage reports, and maintain
just the services you need.
This integration is supported on the following platforms:
RHEL
Windows Server
Prerequisites
Before proceeding with the integration, ensure you have configured the SafeNet Luna HSM or provisioned
the HSM on demand service, depending on the integration you are completing.
Configure the SafeNet Luna HSM
Complete the following steps if you are using a SafeNet Luna HSM:
NOTE: Refer to the SafeNet Luna Network HSM documentation for detailed steps for creating the NTLS connection, initializing the partition, and setting up the various user roles.
1. Ensure that the HSM is set up, initialized, provisioned, and ready for deployment.
2. Create a partition on the HSM for use with IBM HTTP Server and IBM WebSphere Application Server.
3. Register a client for the system and assign the client to the partition to create an NTLS connection. Initialize the Crypto Officer and Crypto User roles for the registered partition.
4. Ensure that each partition is successfully registered and configured. The command to see the registered partitions is:
# /usr/safenet/lunaclient/bin/lunacm
lunacm.exe (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.
Available HSMs:
Slot Id -> 0
Label -> ihs-was
Serial Number -> 1280780175938
Model -> LunaSA 7.3.0
Firmware Version -> 7.3.0
Configuration -> Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description -> Net Token Slot
Current Slot Id: 0
5. For PED-authenticated HSM, enable partition policies 22 and 23 to allow activation and auto-activation.
SafeNet Luna HSM HA (High-Availability) Setup
If you want to configure a high-availability setup, refer to the SafeNet Luna HSM Product Documentation
for HA steps and details regarding configuring and setting up two or more HSM boxes on host systems.
You must enable the HAOnly setting in HA for failover to work, so that if the primary stops functioning, all
calls are automatically routed to the secondary until the primary starts functioning again.
Provision HSM on Demand Service
This service provides your client machine with access to an HSM partition for storing cryptographic objects
used by your applications. Service partitions can be assigned to a single client, or a single service partition
can be assigned to and shared by multiple clients.
To use the HSM on Demand service, you need to provision your application partition, starting with
initializing the following roles:
Security Officer (SO) is responsible for setting the partition policies and for creating the Crypto
Officer.
Crypto Officer (CO) is responsible for creating, modifying, and deleting crypto objects within the
partition. The CO can use the crypto objects and create an optional, limited-capability role called
Crypto User that can use the crypto objects but cannot modify them.
Crypto User (CU) is an optional role that can use crypto objects while performing cryptographic
operations.
NOTE: Refer to the SafeNet Data Protection on Demand Application Owner Guide for procedural information on configuring the HSM on Demand service and creating a service client.
The HSM on Demand service client package is a zip file that contains the system information needed to connect your client machine to an existing HSM on Demand service.
Constraints on HSMoD Services
Please consider the following limitations when provisioning your HSMoD services:
HSM on Demand Service in FIPS mode
HSMoD services operate in a FIPS and non-FIPS mode. If your organization requires non-FIPS
algorithms, ensure you enable the Allow non-FIPS approved algorithms check box when configuring
your HSM on Demand service. The FIPS mode is enabled by default.
Refer to the Mechanism List in the SDK Reference Guide for more information about the available FIPS
and non-FIPS algorithms.
Verify HSM on Demand <slot> value
LunaCM commands work on the current slot. If there is only one slot, then it is always the current slot. If
you are completing an integration using HSMoD services, you need to verify the slot on HSMoD service to
which you are sending the commands. If there is more than one slot, use the slot set command to direct a
command to a specified slot. You can use slot list to determine which slot numbers are in use by which
HSMoD service.
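The following Python helper is an added example, not part of the Gemalto guide: it parses the slot listing that lunacm prints (the format shown in step 4 of "Configure the SafeNet Luna HSM") and derives the slot set command needed before issuing commands against a given partition label, which is the check this section asks for when more than one slot is present. The listing below is constructed with two slots; the second label and serial number are made up.

```python
# Added example, not from the Gemalto guide: find the lunacm slot that holds a
# given partition label so commands are directed at the right HSMoD service.
import re

# Constructed listing in the layout lunacm prints; the second slot is invented.
SAMPLE_LUNACM_OUTPUT = """\
Available HSMs:

Slot Id ->              0
Label ->                ihs-was
Serial Number ->        1280780175938
Model ->                LunaSA 7.3.0
Firmware Version ->     7.3.0
Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description ->     Net Token Slot

Slot Id ->              1
Label ->                was-backup
Serial Number ->        1280780175939
Model ->                LunaSA 7.3.0
Firmware Version ->     7.3.0
Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description ->     Net Token Slot

Current Slot Id: 0
"""

def parse_slots(output):
    """Return one dict per slot, keyed by the field names lunacm prints."""
    slots, current = [], None
    for line in output.splitlines():
        m = re.match(r"\s*(.+?)\s*->\s*(.*)$", line)   # "Field -> value" lines only
        if not m:
            continue
        field, value = m.group(1), m.group(2).strip()
        if field == "Slot Id":                         # a new slot record starts here
            current = {}
            slots.append(current)
        if current is not None:
            current[field] = value
    return slots

def current_slot(output):
    """Slot id lunacm reports as current, or None if the line is absent."""
    m = re.search(r"Current Slot Id:\s*(\d+)", output)
    return int(m.group(1)) if m else None

def slot_for_label(output, label):
    """Slot id whose Label matches exactly, or None; refuses an ambiguous label."""
    matches = [int(s["Slot Id"]) for s in parse_slots(output) if s.get("Label") == label]
    if len(matches) > 1:
        raise ValueError(f"label {label!r} appears in more than one slot: {matches}")
    return matches[0] if matches else None

def slot_set_command(output, label):
    """The lunacm 'slot set' command to issue first, or None if that slot is already current."""
    slot = slot_for_label(output, label)
    if slot is None:
        raise ValueError(f"no slot with label {label!r}")
    return None if slot == current_slot(output) else f"slot set -slot {slot}"
```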
Set up IBM HTTP Server and WebSphere Application Server
Install IBM HTTP Server and IBM WebSphere Application Server on the target machine to complete the
integration process. Download and install IBM Agent to install and configure IBM HTTP Server and
WebSphere Application Server.
Refer to the IBM HTTP Server and IBM WebSphere Application Server Documentation for detailed
installation procedures.
CHAPTER 2: Integrating IBM HTTP Server and IBM WebSphere Application Server with SafeNet HSM
This chapter contains the following topics:
Configuring the iKeyman to recognize a SafeNet HSM
Configuring the SSL using SafeNet HSM for IHS
Configuring IBM WebSphere Application Server using SafeNet HSM
Configuring SSL using SafeNet HSM for WAS
Configuring the iKeyman to recognize a SafeNet HSM
Configure the IBM Key Management Utility (iKeyman) to recognize and use the SafeNet Luna HSM or
HSMoD service for cryptographic operations. Complete the following procedures as the root user.
To configure the iKeyman to recognize a SafeNet HSM
1. Create a file named luna.cfg that contains the information about the SafeNet Luna HSM partition or HSMoD service.
The required entries in luna.cfg are:
name = LUNA
library = <Path to Cryptoki library>
description = Luna config
tokenLabel = <partition name>
attributes (*, CKO_PRIVATE_KEY, *) = {
CKA_SENSITIVE = true
}
attributes (*,CKO_PUBLIC_KEY, *) = {
CKA_VERIFY = true
CKA_ENCRYPT = true
}
NOTE: IBM HTTP Server 8.5.5 and earlier versions only support a 32-bit Cryptoki library version on Windows operating systems. If using IBM HTTP Server 8.5.5 or an earlier version, use the 32-bit Cryptoki library path in the library field.
IBM HTTP Server 9.0.0 and later versions support the 64-bit Cryptoki library version on Windows operating systems. If using IBM HTTP Server 9.0.0 or a later version, use the 64-bit Cryptoki library path in the library field.
2. Update the java.security file located in the directory:
UNIX: <HTTP Server Installation Directory>/java/jre/lib/security
Windows: <HTTP Server Installation Directory>\java\jre\lib\security
To include the following:
security.provider.x=com.ibm.security.cmskeystore.CMSProvider
security.provider.x=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl <Path of luna.cfg file>
For example:
# List of providers and their preference orders (see above):
security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
security.provider.2=sun.security.provider.Sun
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.jsse.IBMJSSEProvider
security.provider.5=com.ibm.jsse2.IBMJSSEProvider2
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl <Path of luna.cfg file>
security.provider.8=com.ibm.security.cmskeystore.CMSProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
If using UNIX, add the following entry to the SafeNet HSM configuration file Chrystoki.conf for HTTP Server:
Misc = {
Apache = 1;
}
3. Restart the HTTP Server.
UNIX: <HTTP Server Installation Directory>/bin/apachectl -k restart
Windows: <HTTP Server Installation Directory>\bin\apache.exe -k restart
4. Run the IBM Key Management Utility (ikeyman) using the command below:
# <HTTPServer-Installation-Directory>/bin/ikeyman.sh
5. Click Key Database File > Open and select PKCS11Config from the Key database type drop-down menu.
6. Select LUNA from the Token Label drop-down menu and enter the partition password in the Cryptographic Token Password field. Select the Create new secondary key database file check box, select CMS from the Key database type drop-down menu, browse the location where you want to save key.kdb file, and then click OK.
7. Enter the password for Key Database File in the Password and Confirm Password fields and select the Stash password to a file check box. Click OK.
8. Click Create > New Certificate Request, enter the certificate details, and browse the file in which you want to store the certificate request. Click OK.
9. Minimize the IBM Key Management console and open the certificate request file. Copy the contents, and send the certificate request to the CA. Save the response received from the certificate authority.
10. Open the IBM Key Management console and select Personal Certificates. Click Receive…. Browse and select the signed certificate received from CA. Click OK.
11. Verify that the certificate has been successfully stored on the SafeNet Luna HSM partition or HSMoD service with the label "Token Label: Certificate Name". Close the IBM Key Management Utility.
Configuring the SSL using SafeNet HSM for IHS
To enable the Secure Sockets Layer (SSL) using SafeNet HSM on the IBM HTTP Server, follow these
steps.
To enable SSL using SafeNet HSM
1. Open the shell and navigate to directory <HTTP Server Installation Directory>/bin.
2. Save the SafeNet Luna HSM partition password or HSMoD service password using the SSLStash
Utility and execute the following command:
UNIX: ./sslstash -c <IBM HTTP Server Installation Directory>/conf/ssl.passwd crypto "<partition-password>"
Windows: SSLStash.exe -c "<IBM HTTP Server Installation Directory>\conf\ssl.passwd" crypto "<partition password>"
3. Enable SSL Security for HTTP Server and execute the following command:
UNIX: ./gskcmd -keydb -stashpw -db key.kdb -pw <password>
./gskcapicmd -keydb -stashpw -db key.kdb -pw <password>
Windows: gskcmd.bat -keydb -stashpw -db key.kdb -pw <password>
gskcapicmd -keydb -stashpw -db key.kdb -pw <password>
4. Modify and add SSL Security settings to <HTTPServer-Installation-Directory>/conf/httpd.conf. Add or uncomment the appropriate lines throughout the file so that it appears as follows in the Virtual Host section:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen localhost:443
<VirtualHost *:443>
SSLEnable
KeyFile <Path to key.kdb file>
SSLServerCert <partition name>:<key label>
SSLClientAuth None
SSLPKCSDriver <Path to Cryptoki library>
SSLStashfile <Path to ssl.passwd file>
</VirtualHost>
5. Restart the HTTP Server.
UNIX: <HTTP Server Installation Directory>/bin/apachectl -k restart
Windows: <HTTP Server Installation Directory>\bin\apachectl.exe -k restart
6. Open the browser and type the following web address: https://<hostname or ip address>:443. You will receive the following Security Alert:
7. Click Yes to accept the certificate.
Doing so will display the Welcome to the HTTP Server web page.
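The following Python check is an added example, not part of the Gemalto guide: it reads the httpd.conf edited in step 4, extracts the directives of the <VirtualHost *:443> block, confirms that mod_ibm_ssl is loaded and that port 443 is listened on, and verifies that every directive the guide lists is present, that the path directives are no longer placeholders, and that SSLServerCert uses the <partition name>:<key label> form that selects the HSM-held key. The configuration text, paths and labels are constructed samples.

```python
# Added example, not from the Gemalto guide: check the <VirtualHost *:443>
# block of httpd.conf against the directives the integration step requires.
import re

# Constructed httpd.conf fragment; the paths and labels are placeholders.
SAMPLE_HTTPD_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen localhost:443
<VirtualHost *:443>
SSLEnable
KeyFile /opt/ihs/keys/key.kdb
SSLServerCert ihs-was:ihs-server-cert
SSLClientAuth None
SSLPKCSDriver /usr/safenet/lunaclient/lib/libCryptoki2_64.so
SSLStashfile /opt/ihs/conf/ssl.passwd
</VirtualHost>
"""

# Directives the guide lists for an HSM-backed virtual host.
REQUIRED = ("SSLEnable", "KeyFile", "SSLServerCert", "SSLPKCSDriver", "SSLStashfile")

def parse_vhost(text, port=443):
    """Directives of the <VirtualHost *:port> block plus the module and Listen checks."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    loaded = any(re.match(r"LoadModule\s+ibm_ssl_module\b", ln) for ln in lines)
    listening = any(re.match(rf"Listen\s+(\S+:)?{port}$", ln) for ln in lines)
    directives, inside = {}, False
    for ln in lines:
        if re.match(rf"<VirtualHost\s+\S+:{port}>", ln):
            inside = True
            continue
        if ln.lower() == "</virtualhost>":
            inside = False
            continue
        if inside:
            name, _, arg = ln.partition(" ")   # directive name, then its argument
            directives[name] = arg.strip()
    return {"module_loaded": loaded, "listening": listening, "directives": directives}

def check_httpd_conf(text, port=443):
    """Problems found; an empty list means the block carries every directive the guide lists."""
    info = parse_vhost(text, port)
    d = info["directives"]
    problems = []
    if not info["module_loaded"]:
        problems.append("mod_ibm_ssl not loaded (LoadModule ibm_ssl_module missing)")
    if not info["listening"]:
        problems.append(f"no Listen directive for port {port}")
    if not d:
        problems.append(f"no <VirtualHost *:{port}> block found")
        return problems
    for name in REQUIRED:
        if name not in d:
            problems.append(f"{name} missing from the VirtualHost block")
    for name in ("KeyFile", "SSLPKCSDriver", "SSLStashfile"):
        if name in d and (not d[name] or d[name].startswith("<")):
            problems.append(f"{name} has no path or still holds a placeholder")
    cert = d.get("SSLServerCert", "")
    if cert and not re.fullmatch(r"[^:\s]+:[^:\s]+", cert):
        problems.append("SSLServerCert must be '<partition name>:<key label>' so the HSM-held key is used")
    return problems
```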
Configuring IBM WebSphere Application Server using SafeNet HSM
After you have installed IBM WebSphere Application Server, complete the following procedure:
To configure IBM WebSphere Application Server using SafeNet HSM
1. Create a file named luna.cfg which contains the information about the SafeNet Luna HSM partition or HSMoD service. The required entries in luna.cfg are:
name = LUNA
library = <Path to Cryptoki library>
description = Luna config
tokenLabel = <partition name>
attributes (*, CKO_PRIVATE_KEY, *) = {
CKA_SENSITIVE = true
}
attributes (*,CKO_PUBLIC_KEY, *) = {
CKA_VERIFY = true
CKA_ENCRYPT = true
}
NOTE: IBM HTTP Server 8.5.5 and earlier versions only support a 32-bit Cryptoki library version on Windows operating systems. If using IBM HTTP Server 8.5.5 or an earlier version, use the 32-bit Cryptoki library path in the library field. IBM HTTP Server 9.0.0 and later versions support the 64-bit Cryptoki library version on Windows operating systems. If using IBM HTTP Server 9.0.0 or a later version, use the 64-bit Cryptoki library path in the library field.
2. Update the java.security file located in directory:
UNIX: <IBM WebSphere Installation Directory>/AppServer/java/jre/lib/security
Windows: <IBM WebSphere Installation Directory>\AppServer\java\jre\lib\security
To include the following:
security.provider.x=com.ibm.security.cmskeystore.CMSProvider
security.provider.x=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl <Path of luna.cfg file>
For example:
# List of providers and their preference orders (see above):
security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
security.provider.2=sun.security.provider.Sun
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.jsse.IBMJSSEProvider
security.provider.5=com.ibm.jsse2.IBMJSSEProvider2
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl <Path of luna.cfg file>
security.provider.8=com.ibm.security.cmskeystore.CMSProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
3. Restart WebSphere Application Server:
UNIX: <IBM WebSphere Installation Directory>/AppServer/profiles/AppSrv01/bin/stopServer.sh <servername>
<IBM WebSphere Installation Directory>/AppServer/profiles/AppSrv01/bin/startServer.sh <servername>
Windows: <IBM WebSphere Installation Directory>\AppServer\profiles\AppSrv01\bin\stopServer.bat <server_name>
<IBM WebSphere Installation Directory>\AppServer\profiles\AppSrv01\bin\startServer.bat <server_name>
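The following Python check is an added example, not part of the Gemalto guide. It serves steps 1 and 2 of this procedure and the identical steps 1 and 2 of "Configuring the iKeyman to recognize a SafeNet HSM": it parses a luna.cfg and a java.security provider list and reports the mistakes that leave the PKCS#11 provider silently unavailable after the restart: placeholder values left in luna.cfg, a private-key attribute block without CKA_SENSITIVE = true, a gap in the security.provider.N numbering (the JDK reads the providers in order and stops at the first missing number), an IBMPKCS11Impl entry pointing at a different configuration path, or a missing CMSProvider. The library path, partition label and cfg path in the samples are constructed.

```python
# Added example, not from the Gemalto guide: sanity-check luna.cfg and the
# java.security provider list before restarting IBM HTTP Server or WebSphere.
import re

PKCS11_PROVIDER = "com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl"
CMS_PROVIDER = "com.ibm.security.cmskeystore.CMSProvider"

# Constructed sample files following the guide's templates; the library path,
# partition label and cfg path are placeholders, not values from the guide.
SAMPLE_LUNA_CFG = """\
name = LUNA
library = /usr/safenet/lunaclient/lib/libCryptoki2_64.so
description = Luna config
tokenLabel = ihs-was
attributes (*, CKO_PRIVATE_KEY, *) = {
CKA_SENSITIVE = true
}
attributes (*,CKO_PUBLIC_KEY, *) = {
CKA_VERIFY = true
CKA_ENCRYPT = true
}
"""
SAMPLE_JAVA_SECURITY = """\
# List of providers and their preference orders (see above):
security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
security.provider.2=sun.security.provider.Sun
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.jsse.IBMJSSEProvider
security.provider.5=com.ibm.jsse2.IBMJSSEProvider2
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl /opt/ihs/luna.cfg
security.provider.8=com.ibm.security.cmskeystore.CMSProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
"""

def parse_luna_cfg(text):
    """Return (top-level key/values, {object class: attribute key/values})."""
    top, blocks, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"attributes\s*\(\s*\*\s*,\s*(\w+)\s*,\s*\*\s*\)\s*=\s*\{", line)
        if m:                      # start of an attributes (*, CKO_..., *) block
            current = blocks.setdefault(m.group(1), {})
            continue
        if line == "}":
            current = None
            continue
        key, _, value = line.partition("=")
        (current if current is not None else top)[key.strip()] = value.strip()
    return top, blocks

def check_luna_cfg(text):
    """Problems with luna.cfg; an empty list means it matches the guide's template."""
    top, blocks = parse_luna_cfg(text)
    problems = []
    for key in ("name", "library", "tokenLabel"):
        if not top.get(key) or top[key].startswith("<"):
            problems.append(f"luna.cfg: '{key}' missing or still a placeholder")
    if blocks.get("CKO_PRIVATE_KEY", {}).get("CKA_SENSITIVE", "").lower() != "true":
        problems.append("luna.cfg: private keys must be generated with CKA_SENSITIVE = true")
    return problems

def check_java_security(text, cfg_path):
    """Problems with the provider list. The JDK reads security.provider.1, .2, ...
    and stops at the first missing number, so a gap silently drops later providers."""
    providers = {}
    for line in text.splitlines():
        m = re.match(r"security\.provider\.(\d+)=(\S+)(?:\s+(.*))?$", line.strip())
        if m:
            providers[int(m.group(1))] = (m.group(2), (m.group(3) or "").strip())
    problems = []
    if sorted(providers) != list(range(1, len(providers) + 1)):
        problems.append(f"java.security: provider numbers {sorted(providers)} not contiguous from 1")
    classes = dict(providers.values())   # provider class -> argument (cfg path for PKCS#11)
    if PKCS11_PROVIDER not in classes:
        problems.append("java.security: IBMPKCS11Impl provider not registered")
    elif classes[PKCS11_PROVIDER] != cfg_path:
        problems.append(f"java.security: IBMPKCS11Impl points at '{classes[PKCS11_PROVIDER]}', expected '{cfg_path}'")
    if CMS_PROVIDER not in classes:
        problems.append("java.security: CMSProvider not registered (needed for the key.kdb secondary database)")
    return problems

def validate(luna_cfg_text, java_security_text, cfg_path):
    """All problems across both files; an empty list means the edits look consistent."""
    return check_luna_cfg(luna_cfg_text) + check_java_security(java_security_text, cfg_path)
```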
Configuring SSL using SafeNet HSM for IBM WAS
After the server is set up and operational, you can configure it to use the SafeNet HSM for cryptographic
operations. Complete the following steps in the administrative console (http://<hostname or
ipaddress>:9060/ibm/console).
To configure SSL on IBM WAS using SafeNet HSM
1. Log in to the IBM WAS admin console.
2. Click Security > SSL certificate and Key management > Key stores and certificates.
3. Click New. Type a name to identify the keystore. This name is used to enable hardware cryptography in the Web services security configuration.
4. Type the path for the hardware device-specific configuration file <Path to Luna cfg file>.
5. Type a password if the token login is required. Select Cryptographic Token Device (PKCS11) as the type.
6. Select the Read only check box. Click OK and Save.
7. Click Security > SSL Certificate and Key Management > SSL Configurations > Node Default SSLSettings. For the keystore name, select the newly created keystore and click Get Certificate Aliases.
8. The Default server certificate alias and Default client certificate alias drop-down menu will list all certificates present on the SafeNet HSM. Select any one certificate. Click OK and Save.
9. Click Security > SSL certificate and Key management > Manage endpoint security configurations > Inbound | Outbound > SSL_configuration_name. Select SSL configuration as NodeDefaultSSLSettings and click Update certificate alias list. The Certificate alias in keystore drop-down box will list all the certificates present on the SafeNet HSM. Select the certificate. Click OK and Save.
10. Restart WebSphere Application Server:
UNIX: <IBM WebSphere Installation Directory>/AppServer/profiles/AppSrv01/bin/stopServer.sh <servername>
<IBM WebSphere Installation Directory>/AppServer/profiles/AppSrv01/bin/startServer.sh <servername>
Windows: <IBM WebSphere Installation Directory>\AppServer\profiles\AppSrv01\bin\stopServer.bat <server_name>
<IBM WebSphere Installation Directory>\AppServer\profiles\AppSrv01\bin\startServer.bat <server_name>
11. Use the retrieveSigners utility to add the server certificate to the ClientDefaultTrustStore from the CellDefaultTrustStore.
UNIX: <IBM WebSphere Installation Directory>/AppServer/profiles/AppSrv01/bin/retrieveSigners.sh <CellDefaulttruststore> <ClientDefaulttrust>
Windows: <IBM WebSphere Installation Directory>\AppServer\profiles\AppSrv01\bin\retrieveSigners.bat <CellDefaulttruststore> <ClientDefaulttrust>
12. Log out and log in to the administrative console on the configured secure port (https://<hostname or ipaddress>:9043/ibm/console). The Certificate Security Alert window will be displayed before you can access the Login page.
13. View and verify the certificate. Click Yes to continue. The administrative console default page will be displayed.
This completes the integration of IBM HTTP Server and WebSphere Application Server with SafeNet HSM; the SSL private keys and certificates are now secured on the SafeNet HSM.