
IBM HTTP Server & IBM WebSphere Application Server

INTEGRATION GUIDE

SAFENET LUNA HSM

SAFENET DATA PROTECTION ON DEMAND


IBM HTTP Server & Websphere Application Server: Integration Guide 007-009320-001, Rev. AA, December 2019 Copyright © 2019 Gemalto


Document Information

Document Part Number 007-009320-001

Release Date 23 December 2019

Revision History

Revision  Date              Reason
AA        23 December 2019  Update

Trademarks, Copyrights, and Third-Party Software

© 2019 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.

Disclaimer

All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information.

Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information.

This document can be used for informational, non-commercial, internal and personal use only provided that:

The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies.

This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made.

Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.

The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein.

The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time.

Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document.

Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy.


CONTENTS

PREFACE
  Audience
  Document Conventions
    Command Syntax and Typeface Conventions
  Support Contacts
    Customer Support Portal
    Telephone Support
    Email Support

CHAPTER 1: Getting Started
  About IBM HTTP Server and WebSphere Application Server
  Third Party Application Details
  Supported Platforms
  Prerequisites
    Configure the SafeNet Luna HSM
    SafeNet Luna HSM HA (High-Availability) Setup
    Provision HSM on Demand Service
    Constraints on HSMoD Services
    Set up IBM HTTP Server and WebSphere Application Server

CHAPTER 2: Integrating IBM HTTP Server and IBM WebSphere Application Server with SafeNet HSM
  Configuring the iKeyman to recognize a SafeNet HSM
  Configuring the SSL using SafeNet HSM for IHS
  Configuring IBM WebSphere Application Server using SafeNet HSM
  Configuring SSL using SafeNet HSM for IBM WAS


PREFACE

This document provides the necessary information to install, configure, and integrate IBM HTTP Server and IBM WebSphere Application Server with SafeNet Luna HSMs or an HSM on Demand service. It contains the following chapters:

“Getting Started” describes the third-party applications, supported platforms, and prerequisites for the integration.

“Integrating IBM HTTP Server and IBM WebSphere Application Server with SafeNet HSM” provides the steps for integrating IBM HTTP Server and IBM WebSphere Application Server with SafeNet Luna HSMs or an HSM on Demand service.

Audience

This document is intended to guide security administrators through the steps for integrating IBM HTTP Server and IBM WebSphere Application Server with SafeNet Luna HSMs or an HSM on Demand service.

All products manufactured and distributed by Gemalto, Inc. are designed to be installed, operated, and maintained by personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned to them. The information, processes, and procedures contained in this document are intended for use by trained and qualified personnel only.

Document Conventions

This section provides information on the conventions used in this document.

Notes

Notes are used to alert you to important or helpful information.

NOTE: Take note. Notes contain important or helpful information.

Cautions

Cautions are used to alert you to important information that may help prevent unexpected results or data loss.

CAUTION! Exercise caution. Caution alerts contain important information that may help prevent unexpected results or data loss.

Warnings

Warnings are used to alert you to the potential for catastrophic data loss or personal injury.


**WARNING** Be extremely careful and obey all safety and security measures. In this situation you might do something that could result in catastrophic data loss or personal injury.

Command Syntax and Typeface Conventions

Convention: Bold
Description: The bold attribute is used to indicate the following:
  Command-line commands and options (Type dir /p.)
  Button names (Click Save As.)
  Check box and radio button names (Select the Print Duplex check box.)
  Window titles (On the Protect Document window, click Yes.)
  Field names (User Name: Enter the name of the user.)
  Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.)
  User input (In the Date box, type April 1.)

Convention: Italic
Description: The italic attribute is used for emphasis or to indicate a related document. (See the Installation Guide for more information.)

Convention: Double quote marks
Description: Double quote marks enclose references to other sections within the document.

Convention: <variable>
Description: In command descriptions, angle brackets represent variables. You must substitute a value for command line arguments that are enclosed in angle brackets.

Convention: [ optional ], [ <optional> ]
Description: Square brackets enclose optional keywords or <variables> in a command line description. Optionally enter the keyword or <variable> that is enclosed in square brackets, if it is necessary or desirable to complete the task.

Convention: [ a | b | c ], [<a> | <b> | <c>]
Description: Square brackets enclose optional alternate keywords or variables in a command line description. Choose one command line argument enclosed within the brackets, if desired. Choices are separated by vertical (OR) bars.

Convention: { a | b | c }, { <a> | <b> | <c> }
Description: Braces enclose required alternate keywords or <variables> in a command line description. You must choose one command line argument enclosed within the braces. Choices are separated by vertical (OR) bars.

Support Contacts

If you encounter a problem while installing, registering, or operating this product, refer to the documentation. If you cannot resolve the issue, contact your supplier or Gemalto Customer Support.

Gemalto Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between Gemalto and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.

Customer Support Portal

The Customer Support Portal, at https://supportportal.thalesgroup.com, is a repository where you can find solutions for most common problems. The Customer Support Portal is a comprehensive, fully searchable database of support resources, including software and firmware downloads, release notes listing known problems and workarounds, a knowledge base, FAQs, product documentation, technical notes, and more. You can also use the portal to create and manage support cases.

NOTE: You require an account to access the Customer Support Portal. To create a new account, go to the portal and click on the REGISTER link.

Telephone Support

If you have an urgent problem, or cannot access the Customer Support Portal, you can contact Gemalto Customer Support by telephone at +1 410-931-7520. Additional local telephone support numbers are listed on the support portal.

Email Support

You can also contact technical support by email at [email protected].


CHAPTER 1: Getting Started

This chapter contains the following topics:

About IBM HTTP Server and WebSphere Application Server

Third Party Application Details

Supported Platforms

Prerequisites

About IBM HTTP Server and WebSphere Application Server

IBM WebSphere Application Server is a software platform for deploying enterprise Java-based applications utilizing IBM HTTP Server. IBM WebSphere Application Server provides key management security for certificates and certificate-based authentication. With IBM WebSphere Application Server, users can import trusted CA certificates from a software-based keystore to a hardware-based keystore, and generate self-signed certificates and personal certificate requests using the IBM Key Management Utility (iKeyman).

IBM WebSphere Application Server utilizes the following APIs:

PKCS #11

JCA/JCE

IBM Java Secure Sockets Extension (JSSE)

The SafeNet HSM solutions for IBM WebSphere Application Server provide secure key management, accelerated signing for private keys associated with the IBM WebSphere Application Server, and secure SSL Acceleration. SSL acceleration is accomplished on the IBM WebSphere Application Server through implementing the Java Secure Sockets Extension (JSSE) Provider.

Using SafeNet Luna HSMs or an HSM on Demand (HSMoD) service to generate the keys (RSA/ECDSA) and certificate for IBM HTTP Server and WebSphere Application Server provides the following benefits:

Secure generation, storage, and protection of the private keys on FIPS 140-2 level 3 validated hardware.

Full life cycle management of the keys.

Access to the HSM audit trail*.

Significant performance improvements by off-loading cryptographic operations from signing servers.

*HSMoD services do not have access to the secure audit trail.

Third Party Application Details

This integration guide uses the following third party applications:

IBM HTTP Server

IBM WebSphere Application Server

Supported Platforms

SafeNet Luna HSM: SafeNet Luna HSM appliances are purposefully designed to provide a balance of security, high performance, and usability that makes them an ideal choice for enterprise, financial, and government organizations. SafeNet Luna HSMs physically and logically secure cryptographic keys and accelerate cryptographic processing.

The SafeNet Luna HSM on premise offerings include the SafeNet Luna Network HSM, SafeNet PCIe HSM, and SafeNet Luna USB HSMs. SafeNet Luna HSMs are also available for access as an offering from cloud service providers such as IBM cloud HSM and AWS cloud HSM classic.

This integration is supported on the following platforms:

RHEL

AIX

Solaris SPARC

Windows Server

SafeNet Data Protection on Demand (DPoD): SafeNet DPoD is a cloud-based platform that provides on-demand HSM and Key Management services through a simple graphical user interface. With DPoD, security is simple, cost effective, and easy to manage because there is no hardware to buy, deploy, and maintain. As an Application Owner, you click and deploy services, generate usage reports, and maintain just the services you need.

This integration is supported on the following platforms:

RHEL

Windows Server

Prerequisites

Before proceeding with the integration, ensure you have configured the SafeNet Luna HSM or provisioned the HSM on Demand service, depending on the integration you are completing.

Configure the SafeNet Luna HSM

Complete the following steps if you are using a SafeNet Luna HSM:

NOTE: Refer to the SafeNet Network Luna HSM documentation for detailed steps for creating NTLS connection, initializing the partition, and various user roles.

1. Ensure that the HSM is set up, initialized, provisioned, and ready for deployment.

2. Create a partition on the HSM for use with IBM HTTP Server and IBM WebSphere Application Server.

3. Register a client for the system and assign the client to the partition to create an NTLS connection. Initialize the Crypto Officer and Crypto User roles for the registered partition.


4. Ensure that each partition is successfully registered and configured. The command to see the registered partitions is:

   # /usr/safenet/lunaclient/bin/lunacm
   lunacm.exe (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.

   Available HSMs:

   Slot Id ->              0
   Label ->                ihs-was
   Serial Number ->        1280780175938
   Model ->                LunaSA 7.3.0
   Firmware Version ->     7.3.0
   Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
   Slot Description ->     Net Token Slot

   Current Slot Id: 0

5. For PED-authenticated HSM, enable partition policies 22 and 23 to allow activation and auto-activation.

SafeNet Luna HSM HA (High-Availability) Setup

If you want to configure a high-availability setup, refer to the SafeNet Luna HSM Product Documentation for HA steps and details regarding configuring and setting up two or more HSM boxes on host systems.

You must enable the HAOnly setting in HA for failover to work, so that if the primary stops functioning, all calls are automatically routed to the secondary until the primary starts functioning again.

Provision HSM on Demand Service

This service provides your client machine with access to an HSM partition for storing cryptographic objects used by your applications. Service partitions can be assigned to a single client, or a single service partition can be assigned to and shared by multiple clients.

To use the HSM on Demand service, you need to provision your application partition, starting with initializing the following roles:

Security Officer (SO) is responsible for setting the partition policies and for creating the Crypto Officer.

Crypto Officer (CO) is responsible for creating, modifying, and deleting crypto objects within the partition. The CO can use the crypto objects and create an optional, limited-capability role called Crypto User that can use the crypto objects but cannot modify them.

Crypto User (CU) is an optional role that can use crypto objects while performing cryptographic operations.


NOTE: Refer to the SafeNet Data Protection on Demand Application Owner Guide for procedural information on configuring the HSM on Demand service and creating a service client.

The HSM on Demand service client package is a zip file that contains the system information needed to connect your client machine to an existing HSM on Demand service.

Constraints on HSMoD Services

Please consider the following limitations when provisioning your HSMoD services:

HSM on Demand Service in FIPS mode

HSMoD services operate in a FIPS and non-FIPS mode. If your organization requires non-FIPS algorithms, ensure you enable the Allow non-FIPS approved algorithms check box when configuring your HSM on Demand service. The FIPS mode is enabled by default.

Refer to the Mechanism List in the SDK Reference Guide for more information about the available FIPS and non-FIPS algorithms.

Verify HSM on Demand <slot> value

LunaCM commands work on the current slot. If there is only one slot, then it is always the current slot. If you are completing an integration using HSMoD services, you need to verify the slot on the HSMoD service to which you are sending the commands. If there is more than one slot, use the slot set command to direct a command to a specified slot. You can use slot list to determine which slot numbers are in use by which HSMoD service.

Set up IBM HTTP Server and WebSphere Application Server

Install IBM HTTP Server and IBM WebSphere Application Server on the target machine to complete the integration process. Download and install IBM Agent to install and configure IBM HTTP Server and WebSphere Application Server.

Refer to the IBM HTTP Server and IBM WebSphere Application Server Documentation for detailed installation procedures.


CHAPTER 2: Integrating IBM HTTP Server and IBM WebSphere Application Server with SafeNet HSM

This chapter contains the following topics:

Configuring the iKeyman to recognize a SafeNet HSM

Configuring the SSL using SafeNet HSM for IHS

Configuring IBM WebSphere Application Server using SafeNet HSM

Configuring SSL using SafeNet HSM for WAS

Configuring the iKeyman to recognize a SafeNet HSM

Configure the IBM Key Management Utility (iKeyman) to recognize and use the SafeNet Luna HSM or HSMoD service for cryptographic operations. Complete the following procedures as the root user.

To configure the iKeyman to recognize a SafeNet HSM

1. Create a file named luna.cfg that contains the information about the SafeNet Luna HSM partition or HSMoD service.

   The required entries in luna.cfg are:

   name = LUNA
   library = <Path to Cryptoki library>
   description = Luna config
   tokenLabel = <partition name>
   attributes (*, CKO_PRIVATE_KEY, *) = {
     CKA_SENSITIVE = true
   }
   attributes (*,CKO_PUBLIC_KEY, *) = {
     CKA_VERIFY = true
     CKA_ENCRYPT = true
   }

NOTE: IBM HTTP Server 8.5.5 and earlier versions only support a 32-bit Cryptoki library version on Windows operating systems. If using IBM HTTP Server 8.5.5 or an earlier version, use the 32-bit Cryptoki library path in the library field. IBM HTTP Server 9.0.0 and later versions support the 64-bit Cryptoki library version on Windows operating systems. If using IBM HTTP Server 9.0.0 or a later version, use the 64-bit Cryptoki library path in the library field.

2. Update the java.security file located in the directory:

   UNIX: <HTTP Server Installation Directory>/java/jre/lib/security
   Windows: <HTTP Server Installation Directory>\java\jre\lib\security

   To include the following (x is the provider's position in the preference order; see the example below):

   security.provider.x=com.ibm.security.cmskeystore.CMSProvider
   security.provider.x=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl <Path of luna.cfg file>

For example:

   # List of providers and their preference orders (see above):
   security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
   security.provider.2=sun.security.provider.Sun
   security.provider.3=com.ibm.crypto.provider.IBMJCE
   security.provider.4=com.ibm.jsse.IBMJSSEProvider
   security.provider.5=com.ibm.jsse2.IBMJSSEProvider2
   security.provider.6=com.ibm.security.cert.IBMCertPath
   security.provider.7=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl <Path of luna.cfg file>
   security.provider.8=com.ibm.security.cmskeystore.CMSProvider
   security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

If using UNIX, add the following entry to the SafeNet HSM configuration file Chrystoki.conf for HTTP Server:

   Misc = {
     Apache = 1;
   }

3. Restart the HTTP Server.

UNIX: <HTTP Server Installation Directory>/bin/apachectl -k restart

Windows: <HTTP Server Installation Directory>\bin\apache.exe -k restart

4. Run the IBM Key Management Utility (ikeyman) using the command below:

# <HTTPServer-Installation-Directory>/bin/ikeyman.sh


5. Click Key Database File > Open and select PKCS11Config from the Key database type drop-down menu.

6. Select LUNA from the Token Label drop-down menu and enter the partition password in the Cryptographic Token Password field. Select the Create new secondary key database file check box, select CMS from the Key database type drop-down menu, browse the location where you want to save key.kdb file, and then click OK.


7. Enter the password for Key Database File in the Password and Confirm Password fields and select the Stash password to a file check box. Click OK.

8. Click Create > New Certificate Request, enter the certificate details, and browse the file in which you want to store the certificate request. Click OK.

9. Minimize the IBM Key Management console and open the certificate request file. Copy the contents, and send the certificate request to the CA. Save the response received from the certificate authority.


10. Open the IBM Key Management console and select Personal Certificates. Click Receive…. Browse and select the signed certificate received from CA. Click OK.

11. Verify that the certificate has been successfully stored on the SafeNet Luna HSM partition or HSMoD service with the label "Token Label: Certificate Name". Close the IBM Key Management Utility.
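A sanity check for the two files edited in steps 1 and 2 above (the WebSphere procedure later in this chapter uses the same luna.cfg), added here as an example that is not part of the Gemalto guide: it parses a java.security provider list and a luna.cfg and reports the slips the templates invite (the placeholder index x left in place, duplicate or non-consecutive preference numbers, a private-key block without CKA_SENSITIVE, a tokenLabel that no partition listed by lunacm carries). The file contents, the Cryptoki library path and the luna.cfg location are constructed; the partition label is the one shown in the lunacm output in Chapter 1.

```python
import re

PKCS11_PROVIDER = "com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl"
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)\s*=\s*(\S+)(?:\s+(.+))?$")
ATTR_RE = re.compile(r"attributes\s*\(\s*\*\s*,\s*(CKO_\w+)\s*,\s*\*\s*\)\s*=\s*\{([^}]*)\}")


def parse_providers(text):
    """Return [(index, class, argument)] for every security.provider.N line."""
    entries = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), (m.group(3) or "").strip()))
    return entries


def check_providers(text):
    """List what is wrong with the java.security provider list ([] = looks right)."""
    problems = []
    entries = parse_providers(text)
    indices = [i for i, _, _ in entries]
    # The guide's template writes 'security.provider.x' twice; copied verbatim, those
    # lines are not valid preference entries and the HSM provider is never registered.
    if re.search(r"^\s*security\.provider\.x\s*=", text, re.M):
        problems.append("placeholder index 'x' left in file; renumber the entries")
    for i in sorted({i for i in indices if indices.count(i) > 1}):
        problems.append(f"duplicate preference index {i}; the later line silently wins")
    # Java reads security.provider.1, .2, ... and stops at the first missing index,
    # so a numbering gap silently drops every provider after it.
    present = set(indices)
    for i in range(1, max(indices, default=0) + 1):
        if i not in present:
            problems.append(f"gap at security.provider.{i}; later providers are ignored")
            break
    pkcs11 = [e for e in entries if e[1] == PKCS11_PROVIDER]
    if not pkcs11:
        problems.append("IBMPKCS11Impl provider missing")
    elif not pkcs11[0][2]:
        problems.append("IBMPKCS11Impl entry has no luna.cfg path after the class name")
    return problems


def check_luna_cfg(text):
    """List what is wrong with luna.cfg ([] = looks right)."""
    problems = []
    kv = dict(re.findall(r"^\s*(name|library|tokenLabel)\s*=\s*(.+?)\s*$", text, re.M))
    for key in ("name", "library", "tokenLabel"):
        if key not in kv or kv[key].startswith("<"):
            problems.append(f"{key} is missing or still a template placeholder")
    attrs = {cls: dict(re.findall(r"(CKA_\w+)\s*=\s*(\w+)", body))
             for cls, body in ATTR_RE.findall(text)}
    # CKA_SENSITIVE=true stops the private key value from ever being read out in clear.
    if attrs.get("CKO_PRIVATE_KEY", {}).get("CKA_SENSITIVE") != "true":
        problems.append("CKO_PRIVATE_KEY objects are not forced CKA_SENSITIVE=true")
    return problems


def token_label_matches(cfg_text, lunacm_output):
    """True if luna.cfg's tokenLabel is one of the partition labels lunacm lists."""
    labels = set(re.findall(r"^\s*Label\s*->\s*(.+?)\s*$", lunacm_output, re.M))
    m = re.search(r"^\s*tokenLabel\s*=\s*(.+?)\s*$", cfg_text, re.M)
    return bool(m) and m.group(1) in labels


# Constructed samples (not from the guide), filled in from its templates; the
# library path and luna.cfg location are assumed, the partition label is the
# one shown in the guide's lunacm output.
GOOD_JAVA_SECURITY = """\
security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
security.provider.2=sun.security.provider.Sun
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.jsse.IBMJSSEProvider
security.provider.5=com.ibm.jsse2.IBMJSSEProvider2
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl /opt/IBM/HTTPServer/luna.cfg
security.provider.8=com.ibm.security.cmskeystore.CMSProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
"""
# Same list with the HSM provider line deleted: index 7 becomes a gap.
GAPPED_JAVA_SECURITY = "\n".join(
    l for l in GOOD_JAVA_SECURITY.splitlines() if "IBMPKCS11Impl" not in l) + "\n"
GOOD_LUNA_CFG = """\
name = LUNA
library = /usr/safenet/lunaclient/lib/libCryptoki2_64.so
description = Luna config
tokenLabel = ihs-was
attributes (*, CKO_PRIVATE_KEY, *) = {
  CKA_SENSITIVE = true
}
attributes (*,CKO_PUBLIC_KEY, *) = {
  CKA_VERIFY = true
  CKA_ENCRYPT = true
}
"""
# The guide's template left unfilled, with the private-key attribute block emptied.
TEMPLATE_LUNA_CFG = GOOD_LUNA_CFG.replace(
    "/usr/safenet/lunaclient/lib/libCryptoki2_64.so", "<Path to Cryptoki library>"
).replace("  CKA_SENSITIVE = true\n", "")
LUNACM_OUTPUT = "Available HSMs:\nSlot Id -> 0\nLabel -> ihs-was\nSerial Number -> 1280780175938\n"
```

Run the three functions against the real files on the HTTP Server host after editing them; an empty list from each check means the provider and partition wiring matches what the procedure expects.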


Configuring the SSL using SafeNet HSM for IHS

To enable the Secure Sockets Layer (SSL) using SafeNet HSM on the IBM HTTP Server, follow these steps.

To enable SSL using SafeNet HSM

1. Open the shell and navigate to directory <HTTP Server Installation Directory>/bin.

2. Save the SafeNet Luna HSM partition password or HSMoD service password using the SSLStash utility by executing the following command:

   UNIX: ./sslstash -c <IBM HTTP Server Installation Directory>/conf/ssl.passwd crypto "<partition-password>"

   Windows: SSLStash.exe -c "<IBM HTTP Server Installation Directory>\conf\ssl.passwd" crypto "<partition password>"

3. Enable SSL Security for HTTP Server and execute the following command:

UNIX:
   ./gskcmd -keydb -stashpw -db key.kdb -pw <password>
   ./gskcapicmd -keydb -stashpw -db key.kdb -pw <password>

Windows:
   gskcmd.bat -keydb -stashpw -db key.kdb -pw <password>
   gskcapicmd -keydb -stashpw -db key.kdb -pw <password>

4. Modify and add SSL Security settings to <HTTPServer-Installation-Directory>/conf/httpd.conf. Add or uncomment the appropriate lines throughout the file so that it appears as follows in the Virtual Host section:

   LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
   Listen localhost:443
   <VirtualHost *:443>
   SSLEnable
   KeyFile <Path to key.kdb file>
   SSLServerCert <partition name>:<key label>
   SSLClientAuth None
   SSLPKCSDriver <Path to Cryptoki library>
   SSLStashfile <Path to ssl.passwd file>
   </VirtualHost>

5. Restart the HTTP Server.

UNIX: <HTTP Server Installation Directory>/bin/apachectl -k restart

Windows: <HTTP Server Installation Directory>\bin\apachectl.exe -k restart


6. Open a browser and go to https://<hostname or ip address>:443. If the issuing CA is not in the browser's trust store, a certificate security alert is displayed.

7. Inspect the certificate, confirm that it is the one stored on the HSM, and click Yes to accept it.

The Welcome to the HTTP Server web page is displayed, served with the private key held on the SafeNet HSM.
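Before restarting, it is worth checking the edited httpd.conf mechanically. The following Python script is an added example, not part of this guide or of IBM's tooling: it parses an httpd.conf fragment and reports the omissions that most often leave an HSM-backed virtual host broken (a missing SSLStashfile, an SSLServerCert without the token label, a Listen bound to the loopback interface only), and checks that a stash file's permission bits exclude group and other. The paths, partition name and key label in the embedded samples are constructed.

```python
"""Audit the mod_ibm_ssl settings from step 4 of the IHS procedure.

Added example (not part of the Gemalto guide or IBM's tooling). Directive
names are Apache's; the paths and labels in the samples are made up.
"""
import re
import stat
from typing import Dict, List, Tuple

# Directives the <VirtualHost *:443> block must carry for a key held on the HSM
# (lower-cased, because Apache matches directive names case-insensitively).
REQUIRED_VHOST = {
    "sslenable": "SSLEnable",
    "keyfile": "KeyFile",
    "sslservercert": "SSLServerCert",
    "sslpkcsdriver": "SSLPKCSDriver",
    "sslstashfile": "SSLStashfile",
}


def parse_conf(conf: str) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Return (global directives, directives inside the first *:443 vhost).
    Values are kept verbatim; other virtual hosts are ignored."""
    global_d: Dict[str, List[str]] = {}
    vhost_d: Dict[str, List[str]] = {}
    scope = None  # None = global, "tls" = the :443 vhost, "other" = skipped
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if low.startswith("<virtualhost"):
            scope = "tls" if low.rstrip(">").endswith(":443") else "other"
            continue
        if low.startswith("</virtualhost"):
            scope = None
            continue
        if scope == "other":
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        target = vhost_d if scope == "tls" else global_d
        target.setdefault(parts[0].lower(), []).append(value)
    return global_d, vhost_d


def audit(conf: str) -> List[str]:
    """Return findings; an empty list means the fragment matches step 4."""
    g, v = parse_conf(conf)
    findings: List[str] = []
    if not any("mod_ibm_ssl" in m for m in g.get("loadmodule", [])):
        findings.append("LoadModule ibm_ssl_module modules/mod_ibm_ssl.so is missing")
    listens = g.get("listen", [])
    if not any(l == "443" or l.endswith(":443") for l in listens):
        findings.append("no Listen directive for port 443")
    elif any(l.lower().startswith(("localhost:", "127.0.0.1:", "[::1]:")) for l in listens):
        findings.append("Listen binds port 443 to the loopback interface only; "
                        "remote clients cannot connect")
    if not v:
        findings.append("no <VirtualHost *:443> block found")
        return findings
    for key, name in REQUIRED_VHOST.items():
        if key not in v:
            findings.append(f"{name} is missing from the <VirtualHost *:443> block")
    cert = v.get("sslservercert", [""])[0]
    if cert and not re.fullmatch(r"[^:\s]+:\S+", cert):
        findings.append("SSLServerCert must be <token label>:<key label> "
                        "so the key is looked up on the HSM, not in key.kdb")
    keyfile = v.get("keyfile", [""])[0]
    if keyfile and not keyfile.lower().endswith(".kdb"):
        findings.append("KeyFile should point at the CMS key database (key.kdb)")
    return findings


def stash_mode_ok(mode: int) -> bool:
    """True when a stash file (ssl.passwd or key.sth) has no group/other bits.
    The stash stores the password in a recoverable form, so file permissions
    are the real protection. Pass os.stat(path).st_mode."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


# Constructed sample (paths, partition and key labels are invented).
GOOD_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
    SSLEnable
    KeyFile /opt/IBM/HTTPServer/conf/key.kdb
    SSLServerCert ihs_partition:ihs_tls_key
    SSLClientAuth None
    SSLPKCSDriver /usr/safenet/lunaclient/lib/libCryptoki2_64.so
    SSLStashfile /opt/IBM/HTTPServer/conf/ssl.passwd
</VirtualHost>
"""

# Same host with three mistakes: loopback-only listener, key label without
# the token label, and no SSLStashfile (mod_ibm_ssl cannot log in to the token).
BAD_CONF = GOOD_CONF.replace("Listen 443", "Listen localhost:443") \
    .replace("SSLServerCert ihs_partition:ihs_tls_key", "SSLServerCert ihs_tls_key") \
    .replace("    SSLStashfile /opt/IBM/HTTPServer/conf/ssl.passwd\n", "")
```

Run `audit(open(path).read())` against the real httpd.conf and `stash_mode_ok(os.stat(stash).st_mode)` against ssl.passwd and key.sth; an empty findings list and True are the expected results before the restart in step 5.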

Configuring IBM WebSphere Application Server using SafeNet HSM

After you have installed IBM WebSphere Application Server, complete the following procedure.

To configure IBM WebSphere Application Server using SafeNet HSM

1. Create a file named luna.cfg containing the information about the SafeNet Luna HSM partition or HSMoD service. The required entries are:

    name = LUNA
    library = <Path to Cryptoki library>
    description = Luna config
    tokenLabel = <partition name>
    attributes (*, CKO_PRIVATE_KEY, *) = {
      CKA_SENSITIVE = true
    }
    attributes (*, CKO_PUBLIC_KEY, *) = {
      CKA_VERIFY = true
      CKA_ENCRYPT = true
    }

The attributes blocks apply to keys created through this provider: CKA_SENSITIVE = true means a private key can never be revealed in plaintext off the token, so it stays inside the HSM even if an application asks for the key material, while the public-key attributes allow signature verification and encryption.


NOTE: IBM HTTP Server 8.5.5 and earlier versions only support a 32-bit Cryptoki library version on Windows operating systems. If using IBM HTTP Server 8.5.5 or an earlier version, use the 32-bit Cryptoki library path in the library field. IBM HTTP Server 9.0.0 and later versions support the 64-bit Cryptoki library version on Windows operating systems. If using IBM HTTP Server 9.0.0 or a later version, use the 64-bit Cryptoki library path in the library field.

2. Update the java.security file located in:

UNIX: <IBM WebSphere Installation Directory>/AppServer/java/jre/lib/security

Windows: <IBM WebSphere Installation Directory>\AppServer\java\jre\lib\security

Add the CMS keystore provider and the PKCS#11 provider to the security.provider list. Replace x with the positions you want them to occupy and renumber the entries that follow: the numbers must run consecutively from 1, because the runtime stops reading the list at the first missing number and silently ignores everything after a gap. The IBMPKCS11Impl entry is followed, after a space, by the path of luna.cfg:

security.provider.x=com.ibm.security.cmskeystore.CMSProvider

security.provider.x=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl <Path of luna.cfg file>

For example (the PKCS#11 provider is inserted at position 7 and the CMS provider at 8, so the former provider 7, IBMSPNEGO, becomes 9):

# List of providers and their preference orders (see above):

security.provider.1=com.ibm.security.jgss.IBMJGSSProvider

security.provider.2=sun.security.provider.Sun

security.provider.3=com.ibm.crypto.provider.IBMJCE

security.provider.4=com.ibm.jsse.IBMJSSEProvider

security.provider.5=com.ibm.jsse2.IBMJSSEProvider2

security.provider.6=com.ibm.security.cert.IBMCertPath

security.provider.7=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl <Path of luna.cfg file>

security.provider.8=com.ibm.security.cmskeystore.CMSProvider

security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

3. Restart WebSphere Application Server (AppSrv01 is the default profile name; substitute your own profile):

UNIX:
<IBM WebSphere Installation Directory>/AppServer/profiles/AppSrv01/bin/stopServer.sh <servername>
<IBM WebSphere Installation Directory>/AppServer/profiles/AppSrv01/bin/startServer.sh <servername>

Windows:
<IBM WebSphere Installation Directory>\AppServer\profiles\AppSrv01\bin\stopServer.bat <server_name>
<IBM WebSphere Installation Directory>\AppServer\profiles\AppSrv01\bin\startServer.bat <server_name>
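The provider numbering is the part of step 2 that most often goes wrong: security.provider.x has to be filled in with consecutive numbers, and anything after a gap is silently ignored. The Python below is an added example, not part of this guide or of IBM's tooling; it renumbers a java.security provider list when the two HSM-related providers are inserted and validates the result. The java.security excerpt and the luna.cfg path it uses are constructed.

```python
"""Register the HSM providers in java.security (step 2 of the WAS procedure).

Added example, not part of the Gemalto guide or of IBM's tooling. It inserts
the IBMPKCS11Impl and CMSProvider entries at a chosen position, renumbers the
rest so the security.provider.N list stays consecutive, and validates the
result. The JCA provider loader reads security.provider.1, .2, ... and stops at
the first missing number, so a gap drops every provider after it.
"""
import re
from typing import Dict, List

PKCS11_IMPL = "com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl"
CMS_PROVIDER = "com.ibm.security.cmskeystore.CMSProvider"
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)\s*=\s*(.+?)\s*$")


def parse_providers(text: str) -> Dict[int, List[str]]:
    """Map provider number -> values seen (more than one value = duplicate)."""
    entries: Dict[int, List[str]] = {}
    for line in text.splitlines():
        m = PROVIDER_RE.match(line.strip())
        if m:
            entries.setdefault(int(m.group(1)), []).append(m.group(2))
    return entries


def validate_providers(text: str) -> List[str]:
    """Return findings; empty means the list is consecutive and both HSM
    providers are registered, with IBMPKCS11Impl carrying its config path."""
    entries = parse_providers(text)
    if not entries:
        return ["no security.provider.N entries found"]
    findings: List[str] = []
    nums = sorted(entries)
    if nums[0] != 1:
        findings.append("numbering must start at security.provider.1")
    for n in nums:
        if len(entries[n]) > 1:
            findings.append(f"security.provider.{n} is defined {len(entries[n])} times")
    missing = [n for n in range(1, nums[-1] + 1) if n not in entries]
    if missing:
        findings.append(f"gap at security.provider.{missing[0]}: "
                        "providers numbered above it are never loaded")
    values = [v for n in nums for v in entries[n]]
    pkcs11 = [v for v in values if v.split()[0] == PKCS11_IMPL]
    if not pkcs11:
        findings.append("IBMPKCS11Impl is not registered")
    elif any(len(v.split(None, 1)) < 2 for v in pkcs11):
        findings.append("IBMPKCS11Impl entry has no configuration file path (luna.cfg)")
    if CMS_PROVIDER not in values:
        findings.append("CMSProvider is not registered")
    return findings


def install_hsm_providers(text: str, luna_cfg: str, position: int) -> str:
    """Return java.security text with IBMPKCS11Impl (followed by its luna.cfg
    path) at 1-based `position` and CMSProvider right after it. Existing
    providers keep their relative order and are renumbered; idempotent."""
    entries = parse_providers(text)
    ordered = [v for n in sorted(entries) for v in entries[n]]
    ordered = [v for v in ordered
               if v.split()[0] != PKCS11_IMPL and v != CMS_PROVIDER]
    if not 1 <= position <= len(ordered) + 1:
        raise ValueError(f"position must be in 1..{len(ordered) + 1}")
    ordered[position - 1:position - 1] = [f"{PKCS11_IMPL} {luna_cfg}", CMS_PROVIDER]
    block = [f"security.provider.{i}={v}" for i, v in enumerate(ordered, 1)]
    out: List[str] = []
    emitted = False
    for line in text.splitlines():
        if PROVIDER_RE.match(line.strip()):
            if not emitted:  # replace the whole list where it first appears
                out.extend(block)
                emitted = True
            continue  # drop the old, possibly non-consecutive entries
        out.append(line)
    if not emitted:
        out.extend(block)
    return "\n".join(out) + "\n"


# Constructed excerpt of an IBM JRE java.security before the change.
SAMPLE_JAVA_SECURITY = """\
# constructed excerpt, not a real file
securerandom.source=file:/dev/urandom
# List of providers and their preference orders (see above):
security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
security.provider.2=sun.security.provider.Sun
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.jsse.IBMJSSEProvider
security.provider.5=com.ibm.jsse2.IBMJSSEProvider2
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
"""

# Assumed location of luna.cfg; use the path from step 1 of this procedure.
LUNA_CFG = "/opt/IBM/WebSphere/AppServer/luna.cfg"
```

`install_hsm_providers(text, LUNA_CFG, 7)` reproduces the ordering of the example list above (IBMPKCS11Impl at 7, CMSProvider at 8, IBMSPNEGO moved to 9). Run `validate_providers` on the edited file before restarting the server; the gap finding is the one that otherwise only shows up as a keystore that cannot be opened.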


Configuring SSL using SafeNet HSM for IBM WAS

After the server is set up and operational, you can configure it to use the SafeNet HSM for cryptographic operations. Complete the following steps in the administrative console (http://<hostname or ipaddress>:9060/ibm/console).

To configure SSL on IBM WAS using SafeNet HSM

1. Log in to the IBM WAS administrative console.

2. Click Security > SSL certificate and Key management > Key stores and certificates.

3. Click New. Type a name to identify the keystore. This name is used to enable hardware cryptography in the Web services security configuration.

4. Type the path of the hardware device-specific configuration file, that is, the luna.cfg file created earlier.

5. Type the SafeNet Luna HSM partition password or HSMoD service password as the token login password (the token must be logged in before its private keys can be used). Select Cryptographic Token Device (PKCS11) as the type.

6. Select the Read only check box. Click OK and Save.

7. Click Security > SSL Certificate and Key Management > SSL Configurations > NodeDefaultSSLSettings. For the keystore name, select the newly created keystore and click Get Certificate Aliases.

8. The Default server certificate alias and Default client certificate alias drop-down menus list all certificates present on the SafeNet HSM. Select the certificate the server should present. Click OK and Save.

9. Click Security > SSL certificate and Key management > Manage endpoint security configurations > Inbound | Outbound > SSL_configuration_name. Select SSL configuration as NodeDefaultSSLSettings and click Update certificate alias list. The Certificate alias in keystore drop-down box will list all the certificates present on the SafeNet HSM. Select the certificate. Click OK and Save.


10. Restart WebSphere Application Server:

UNIX:
<IBM WebSphere Installation Directory>/AppServer/profiles/AppSrv01/bin/stopServer.sh <servername>
<IBM WebSphere Installation Directory>/AppServer/profiles/AppSrv01/bin/startServer.sh <servername>

Windows:
<IBM WebSphere Installation Directory>\AppServer\profiles\AppSrv01\bin\stopServer.bat <server_name>
<IBM WebSphere Installation Directory>\AppServer\profiles\AppSrv01\bin\startServer.bat <server_name>

11. Use the retrieveSigners utility to copy the signer certificates from CellDefaultTrustStore into ClientDefaultTrustStore, so that administrative clients such as stopServer and wsadmin trust the new server certificate without prompting:

UNIX: <IBM WebSphere Installation Directory>/AppServer/profiles/AppSrv01/bin/retrieveSigners.sh CellDefaultTrustStore ClientDefaultTrustStore

Windows: <IBM WebSphere Installation Directory>\AppServer\profiles\AppSrv01\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore


12. Log out and log in to the administrative console on the configured secure port (https://<hostname or ipaddress>:9043/ibm/console). If the issuing CA is not trusted by the browser, a certificate security alert is displayed before the Login page.

13. View the certificate, verify that it is the one stored on the HSM, and click Yes to continue. The administrative console default page is displayed.

This completes the integration of IBM HTTP Server and WebSphere Application Server with SafeNet HSM: the SSL private keys and certificates are held on the SafeNet HSM, and both servers reference them by token and key label.