135 lines
8.8 KiB
HTML
135 lines
8.8 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="concept" />
|
||
|
<meta name="DC.Title" content="Scenario: Protect private keys with cryptographic hardware" />
|
||
|
<meta name="abstract" content="This scenario might be useful for a company that needs to increase the security of the system digital certificate private keys that are associated with the SSL-secured business transactions." />
|
||
|
<meta name="description" content="This scenario might be useful for a company that needs to increase the security of the system digital certificate private keys that are associated with the SSL-secured business transactions." />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzajcscen4758.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzajcmultiplecoprocessors.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzajcplan4758.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzajcsetup.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu437completenewstore.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzajcprereqcustomapps.htm" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="privatekeys4758" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Scenario: Protect private keys with cryptographic hardware</title>
|
||
|
</head>
|
||
|
<body>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<div class="nested0" id="privatekeys4758"><a name="privatekeys4758"><!-- --></a><h1 class="topictitle1">Scenario: Protect private keys with cryptographic hardware</h1>
|
||
|
<div><p>This scenario might be useful for a company that needs to increase
|
||
|
the security of the system digital certificate private keys that are associated
|
||
|
with the SSL-secured business transactions.</p>
|
||
|
</div>
|
||
|
<div>
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajcscen4758.htm" title="To give you some ideas of how you can use this cryptographic hardware with your system, read these usage scenarios.">Cryptographic Coprocessor scenarios</a></div>
|
||
|
</div>
|
||
|
</div></div>
|
||
|
<div class="nested0" xml:lang="en-us" id="situation"><a name="situation"><!-- --></a><h1 class="sectionscenariobar">Situation</h1>
|
||
|
<div><p>A company has a system dedicated to handling business-to-business (B2B)
|
||
|
transactions. This company's system specialist, Sam, has been informed by
|
||
|
management of a security requirement from its B2B customers. The requirement
|
||
|
is to increase the security of the system's digital certificate private keys
|
||
|
that are associated with the SSL-secured business transactions that Sam's
|
||
|
company performs. Sam has heard that there is a cryptographic hardware option
|
||
|
available for systems that both encrypts and stores private keys associated
|
||
|
with SSL transactions in tamper-responding hardware: a Cryptographic Coprocessor
|
||
|
card. </p>
|
||
|
<div class="p">Sam researches the Cryptographic Coprocessor, and learns that he can use
|
||
|
it with the i5/OS™ Digital
|
||
|
Certificate Manager (DCM) to provide secure SSL private key storage, as well
|
||
|
as increase system performance by off-loading from the system those cryptographic
|
||
|
operations which are completed during SSL-session establishment. <div class="note"><span class="notetitle">Note:</span> To
|
||
|
support load balancing and performance scaling, Sam can use multiple Cryptographic
|
||
|
Coprocessors with SSL on the system.</div>
|
||
|
</div>
|
||
|
<p>Sam decides that the Cryptographic Coprocessor meets his company's requirement
|
||
|
to increase the security of his company's system.</p>
|
||
|
</div>
|
||
|
<div><div class="relconcepts"><strong>Related concepts</strong><br />
|
||
|
<div><a href="rzajcmultiplecoprocessors.htm" title="You can have up to eight Cryptographic Coprocessors per partition. The maximum number of Cryptographic Coprocessors supported per server is dependent the system mode. Read this topic if you are using multiple coprocessors with SSL.">Manage multiple Cryptographic Coprocessors</a></div>
|
||
|
</div>
|
||
|
</div></div>
|
||
|
<div class="nested0" xml:lang="en-us" id="scenariodetails"><a name="scenariodetails"><!-- --></a><h1 class="sectionscenariobar">Details</h1>
|
||
|
<div><ol><li>The company's system has a Cryptographic Coprocessor installed and configured
|
||
|
to store and protect private keys.</li>
|
||
|
<li>Private keys are generated by the Cryptographic Coprocessor.</li>
|
||
|
<li>Private keys are then stored on the Cryptographic Coprocessor.</li>
|
||
|
<li>The Cryptographic Coprocessor resists both physical and electronic hacking
|
||
|
attempts.</li>
|
||
|
</ol>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="nested0" xml:lang="en-us" id="prerequisites"><a name="prerequisites"><!-- --></a><h1 class="sectionscenariobar">Prerequisites and assumptions</h1>
|
||
|
<div><ol><li>The system has a Cryptographic Coprocessor installed and configured properly.
|
||
|
Planning for the Cryptographic Coprocessor includes getting SSL running on
|
||
|
the system. <div class="note"><span class="notetitle">Note:</span> To use multiple Cryptographic Coprocessor cards for application
|
||
|
SSL handshake processing, and securing private keys, Sam will need to ensure
|
||
|
that his application can manage multiple private keys and certificates.</div>
|
||
|
</li>
|
||
|
<li>Sam's company has Digital Certificate Manager (DCM) installed and configured,
|
||
|
and uses it to manage public Internet certificates for SSL communications
|
||
|
sessions.</li>
|
||
|
<li>Sam's company obtain certificates from a public Certificate Authority
|
||
|
(CA).</li>
|
||
|
<li>The Cryptographic Coprocessor is varied on prior to using DCM. Otherwise,
|
||
|
DCM will not provide a page for selecting a storage option as part of the
|
||
|
certificate creation process.</li>
|
||
|
</ol>
|
||
|
</div>
|
||
|
<div><div class="relconcepts"><strong>Related concepts</strong><br />
|
||
|
<div><a href="rzajcplan4758.htm" title="This information is pertinent to those planning to install an IBM Cryptographic Coprocessor in their server.">Plan for the Cryptographic Coprocessor</a></div>
|
||
|
<div><a href="rzajcsetup.htm" title="Configuring your Cryptographic Coprocessor allows you to begin to use all of its cryptographic operations.">Configure the Cryptographic Coprocessor</a></div>
|
||
|
</div>
|
||
|
<div class="relinfo"><strong>Related information</strong><br />
|
||
|
<div><a href="../rzahu/rzahurzahu437completenewstore.htm">Manage public Internet certificates for SSL communications sessions</a></div>
|
||
|
</div>
|
||
|
</div></div>
|
||
|
<div class="nested0" xml:lang="en-us" id="configurationsteps"><a name="configurationsteps"><!-- --></a><h1 class="sectionscenariobar">Configuration steps</h1>
|
||
|
<div><div class="section"><p>Sam needs to perform the following steps to secure private keys
|
||
|
with cryptographic hardware on his company's system:</p>
|
||
|
</div>
|
||
|
<ol><li><span>Ensure that the prerequisites and assumptions for this scenario
|
||
|
have been met.</span></li>
|
||
|
<li><span>Use the IBM<sup>®</sup> Digital Certificate Manager (DCM) to create a new
|
||
|
digital certificate, or renew a current digital certificate: </span><ol type="a"><li><span>Select the type of certificate authority (CA) that is signing
|
||
|
the current certificate.</span></li>
|
||
|
<li><span>Select the <span class="uicontrol">Hardware</span> as your storage option
|
||
|
for certificate's private key.</span></li>
|
||
|
<li><span>Select which cryptographic hardware device you want to store
|
||
|
the certificate's private key on.</span></li>
|
||
|
<li><span>Select a public CA to use.</span></li>
|
||
|
</ol>
|
||
|
</li>
|
||
|
</ol>
|
||
|
<div class="section"><p> The private key associated with the new digital certificate is
|
||
|
now stored on the Cryptographic Coprocessor specified in Step 2.c. Sam can
|
||
|
now go into the configuration for his company's web server and specify that
|
||
|
the newly created certificate be used. Once he restarts the web server, it
|
||
|
will be using the new certificate.</p>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div><div class="relconcepts"><strong>Related concepts</strong><br />
|
||
|
<div><a href="rzajcprereqcustomapps.htm" title="This topic lists the steps needed to make Cryptographic Coprocessors ready for use with an i5/OS application.">Configure the Cryptographic Coprocessor for use with i5/OS applications</a></div>
|
||
|
</div>
|
||
|
</div></div>
|
||
|
|
||
|
</body>
|
||
|
</html>
|