87 lines
6.3 KiB
HTML
87 lines
6.3 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="task" />
|
||
|
<meta name="DC.Title" content="Use the coprocessor master key to encrypt the certificate private key" />
|
||
|
<meta name="abstract" content="For extra security to protect access to and use of a certificate's private key, you can use the master key of an IBM Cryptographic Coprocessor to encrypt the private key and store the key in a special key file. You can select this key storage option as part of creating or renewing a certificate in Digital Certificate Manager (DCM)." />
|
||
|
<meta name="description" content="For extra security to protect access to and use of a certificate's private key, you can use the master key of an IBM Cryptographic Coprocessor to encrypt the private key and store the key in a special key file. You can select this key storage option as part of creating or renewing a certificate in Digital Certificate Manager (DCM)." />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzahurzahucrp1createcertonhw.htm" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="hw_assist_storage" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Use the coprocessor master key to encrypt the certificate private key</title>
|
||
|
</head>
|
||
|
<body id="hw_assist_storage"><a name="hw_assist_storage"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<h1 class="topictitle1">Use the coprocessor master key to encrypt the certificate private key</h1>
|
||
|
<div><p>For extra security to protect access to and use of a certificate's
|
||
|
private key, you can use the master key of an IBM<sup>®</sup> Cryptographic Coprocessor to encrypt
|
||
|
the private key and store the key in a special key file. You can select this
|
||
|
key storage option as part of creating or renewing a certificate in Digital
|
||
|
Certificate Manager (DCM).</p>
|
||
|
<div class="section"> <p>Before you can use this option successfully, you
|
||
|
must use the <a href="../rzajc/rzajcoverview.htm">IBM Cryptographic
|
||
|
Coprocessor</a> configuration Web interface to create an appropriate keystore
|
||
|
file. Also, you must use the coprocessor configuration Web interface to associate
|
||
|
the keystore file with the coprocessor device description that you want to
|
||
|
use. You can access the coprocessor configuration Web interface from the <span class="keyword">iSeries™</span> Tasks page. </p>
|
||
|
<p>If your system
|
||
|
has more than one coprocessor device installed and varied on, you can choose
|
||
|
to share the certificate's private key among multiple devices. In order for
|
||
|
device descriptions to share the private key, all of the devices must have
|
||
|
the same master key. The process for distributing the same master key to multiple
|
||
|
devices is called <em>cloning</em>. Sharing the key among devices allows you
|
||
|
to use Secure Sockets Layer (SSL) load balancing, which can improve performance
|
||
|
for secure sessions. </p>
|
||
|
<p>Follow these steps from the <span class="uicontrol">Select
|
||
|
a Key Storage Location</span> page to use the coprocessor master key
|
||
|
to encrypt the certificate's private key and store it in a special keystore
|
||
|
file:</p>
|
||
|
</div>
|
||
|
<ol><li class="stepexpand"><span>Select <span class="uicontrol">Hardware encrypted</span> as your storage
|
||
|
option. </span></li>
|
||
|
<li class="stepexpand"><span>Click <span class="uicontrol">Continue</span>. This displays the <span class="uicontrol">Select
|
||
|
a Cryptographic Device Description</span> page.</span></li>
|
||
|
<li class="stepexpand"><span>From the list of devices, select the one that you want to use for
|
||
|
encrypting the certificate's private key.</span></li>
|
||
|
<li class="stepexpand"><span>Click <span class="uicontrol">Continue</span>. If you have more than one
|
||
|
coprocessor device installed and varied on, the <span class="uicontrol">Select Additional
|
||
|
Cryptographic Device Descriptions</span> page displays. </span> <div class="note"><span class="notetitle">Note:</span> If
|
||
|
you do not have multiple coprocessor devices available, DCM continues to display
|
||
|
pages for the task that you are completing, such as identifying information
|
||
|
for the certificate that you are creating or renewing.</div>
|
||
|
</li>
|
||
|
<li class="stepexpand"><span>From the list of devices, select the name of one or more device
|
||
|
descriptions with which you want to share the certificate's private key.</span> <div class="note"><span class="notetitle">Note:</span> The device descriptions that you select must have the same master
|
||
|
key as the device you selected on the previous page. To verify that the master
|
||
|
key is the same on the devices, use the Master Key Verification task in the
|
||
|
4758 Cryptographic Coprocessor Configuration Web interface. You can access
|
||
|
the coprocessor configuration Web interface from the <span class="keyword">iSeries</span> Tasks
|
||
|
page. </div>
|
||
|
</li>
|
||
|
<li class="stepexpand"><span>Click <span class="uicontrol">Continue</span>. DCM continues to display
|
||
|
pages for the task that you are completing, such as identifying information
|
||
|
for the certificate that you are creating or renewing. </span></li>
|
||
|
</ol>
|
||
|
</div>
|
||
|
<div>
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahucrp1createcertonhw.htm" title="Review this information to learn how to use an installed coprocessor to provide more secure storage for your certificates' private keys.">Store certificate keys on an IBM Cryptographic Coprocessor</a></div>
|
||
|
</div>
|
||
|
</div>
|
||
|
</body>
|
||
|
</html>
|