ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzajc_5.4.0.1/rzajcprivatekeys4758.htm

135 lines
8.8 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Protect private keys with cryptographic hardware" />
<meta name="abstract" content="This scenario might be useful for a company that needs to increase the security of the system digital certificate private keys that are associated with the SSL-secured business transactions." />
<meta name="description" content="This scenario might be useful for a company that needs to increase the security of the system digital certificate private keys that are associated with the SSL-secured business transactions." />
<meta name="DC.Relation" scheme="URI" content="rzajcscen4758.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajcmultiplecoprocessors.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajcplan4758.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajcsetup.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu437completenewstore.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajcprereqcustomapps.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="privatekeys4758" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Protect private keys with cryptographic hardware</title>
</head>
<body>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<div class="nested0" id="privatekeys4758"><a name="privatekeys4758"><!-- --></a><h1 class="topictitle1">Scenario: Protect private keys with cryptographic hardware</h1>
<div><p>This scenario might be useful for a company that needs to increase
the security of the system digital certificate private keys that are associated
with the SSL-secured business transactions.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajcscen4758.htm" title="To give you some ideas of how you can use this cryptographic hardware with your system, read these usage scenarios.">Cryptographic Coprocessor scenarios</a></div>
</div>
</div></div>
<div class="nested0" xml:lang="en-us" id="situation"><a name="situation"><!-- --></a><h1 class="sectionscenariobar">Situation</h1>
<div><p>A company has a system dedicated to handling business-to-business (B2B)
transactions. This company's system specialist, Sam, has been informed by
management of a security requirement from its B2B customers. The requirement
is to increase the security of the system's digital certificate private keys
that are associated with the SSL-secured business transactions that Sam's
company performs. Sam has heard that there is a cryptographic hardware option
available for systems that both encrypts and stores private keys associated
with SSL transactions in tamper-responding hardware: a Cryptographic Coprocessor
card. </p>
<div class="p">Sam researches the Cryptographic Coprocessor, and learns that he can use
it with the i5/OS™ Digital
Certificate Manager (DCM) to provide secure SSL private key storage, as well
as increase system performance by off-loading from the system those cryptographic
operations which are completed during SSL-session establishment. <div class="note"><span class="notetitle">Note:</span> To
support load balancing and performance scaling, Sam can use multiple Cryptographic
Coprocessors with SSL on the system.</div>
</div>
<p>Sam decides that the Cryptographic Coprocessor meets his company's requirement
to increase the security of his company's system.</p>
</div>
<div><div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajcmultiplecoprocessors.htm" title="You can have up to eight Cryptographic Coprocessors per partition. The maximum number of Cryptographic Coprocessors supported per server is dependent the system mode. Read this topic if you are using multiple coprocessors with SSL.">Manage multiple Cryptographic Coprocessors</a></div>
</div>
</div></div>
<div class="nested0" xml:lang="en-us" id="scenariodetails"><a name="scenariodetails"><!-- --></a><h1 class="sectionscenariobar">Details</h1>
<div><ol><li>The company's system has a Cryptographic Coprocessor installed and configured
to store and protect private keys.</li>
<li>Private keys are generated by the Cryptographic Coprocessor.</li>
<li>Private keys are then stored on the Cryptographic Coprocessor.</li>
<li>The Cryptographic Coprocessor resists both physical and electronic hacking
attempts.</li>
</ol>
</div>
</div>
<div class="nested0" xml:lang="en-us" id="prerequisites"><a name="prerequisites"><!-- --></a><h1 class="sectionscenariobar">Prerequisites and assumptions</h1>
<div><ol><li>The system has a Cryptographic Coprocessor installed and configured properly.
Planning for the Cryptographic Coprocessor includes getting SSL running on
the system. <div class="note"><span class="notetitle">Note:</span> To use multiple Cryptographic Coprocessor cards for application
SSL handshake processing, and securing private keys, Sam will need to ensure
that his application can manage multiple private keys and certificates.</div>
</li>
<li>Sam's company has Digital Certificate Manager (DCM) installed and configured,
and uses it to manage public Internet certificates for SSL communications
sessions.</li>
<li>Sam's company obtain certificates from a public Certificate Authority
(CA).</li>
<li>The Cryptographic Coprocessor is varied on prior to using DCM. Otherwise,
DCM will not provide a page for selecting a storage option as part of the
certificate creation process.</li>
</ol>
</div>
<div><div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajcplan4758.htm" title="This information is pertinent to those planning to install an IBM Cryptographic Coprocessor in their server.">Plan for the Cryptographic Coprocessor</a></div>
<div><a href="rzajcsetup.htm" title="Configuring your Cryptographic Coprocessor allows you to begin to use all of its cryptographic operations.">Configure the Cryptographic Coprocessor</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzahu/rzahurzahu437completenewstore.htm">Manage public Internet certificates for SSL communications sessions</a></div>
</div>
</div></div>
<div class="nested0" xml:lang="en-us" id="configurationsteps"><a name="configurationsteps"><!-- --></a><h1 class="sectionscenariobar">Configuration steps</h1>
<div><div class="section"><p>Sam needs to perform the following steps to secure private keys
with cryptographic hardware on his company's system:</p>
</div>
<ol><li><span>Ensure that the prerequisites and assumptions for this scenario
have been met.</span></li>
<li><span>Use the IBM<sup>®</sup> Digital Certificate Manager (DCM) to create a new
digital certificate, or renew a current digital certificate: </span><ol type="a"><li><span>Select the type of certificate authority (CA) that is signing
the current certificate.</span></li>
<li><span>Select the <span class="uicontrol">Hardware</span> as your storage option
for certificate's private key.</span></li>
<li><span>Select which cryptographic hardware device you want to store
the certificate's private key on.</span></li>
<li><span>Select a public CA to use.</span></li>
</ol>
</li>
</ol>
<div class="section"><p> The private key associated with the new digital certificate is
now stored on the Cryptographic Coprocessor specified in Step 2.c. Sam can
now go into the configuration for his company's web server and specify that
the newly created certificate be used. Once he restarts the web server, it
will be using the new certificate.</p>
</div>
</div>
<div><div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajcprereqcustomapps.htm" title="This topic lists the steps needed to make Cryptographic Coprocessors ready for use with an i5/OS application.">Configure the Cryptographic Coprocessor for use with i5/OS applications</a></div>
</div>
</div></div>
</body>
</html>