SecurityServer JCE Configuration

  1. Locate the Utimaco JCE configuration file in your SecurityServer directory, Linux/x86-64/Crypto_APIs/JCE/sample/CryptoServer.cfg.

  2. Create a non-root user and set its password.

›_ Console

# useradd oracle
# passwd oracle
  3. Log in as the oracle user and copy the Utimaco JCE configuration file CryptoServer.cfg into the oracle user's home directory.

›_ Console

# cd <installation_directory>/Software/Linux/x86-64/Crypto_APIs/JCE/sample

# cp CryptoServer.cfg $HOME
  4. Open /home/oracle/.bash_profile and add the following line.

›_ .bash_profile

export CRYPTOSERVER_JCE_CONFIG=/home/oracle/CryptoServer.cfg
  5. Create one cryptographic user that belongs to a CXI group.

›_ Console

# /opt/utimaco/bin/csadm Dev=3001@127.0.0.1 LogonSign=ADMIN,/opt/utimaco/bin/ADMIN.key AddUser=<user_name>,00000002{CXI_GROUP=<cxi_group_name>},hmacpwd,<PIN>
Figure: User creation with csadm

  6. Edit the $HOME/CryptoServer.cfg file and make the appropriate changes to it.

›_ CryptoServer.cfg

LogFile = /tmp/CryptoServerJCE.log

LogLevel = 1

LogSize = 10000

Device = <HSM_IP>

ConnectionTimeout = 3000

Timeout = 30000

KeepSessionAlive = 1

DefaultUser = <Cryptographic_User_Name>

KeyGroup = <CXI_Group_Name>

StoreKeysExternal = false

For more information regarding the commands and command parameters, please check the Utimaco CryptoServer documentation. The device may be a CryptoServer PCIe or LAN device; the Device line follows one of these patterns, depending on the HSM form factor:

Hardware (LAN) HSM:

Device = 288@<HSM IP address>

OR

Hardware (PCIe) HSM:

Device = /dev/cs2.0

To make your testing easier, enable the CryptoServer JCE log file by setting LogFile to a file path and LogLevel to 1. For testing, you may want to increase LogLevel to 4. If you encounter problems, check the log file that LogFile points to (CryptoServerJCE.log in the example above). When you are done testing, set LogLevel back to 1 or 2; this limits the logging to critical and important messages only.
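As an added example (not part of the Utimaco documentation), the following script sanity-checks an edited CryptoServer.cfg before CRYPTOSERVER_JCE_CONFIG is pointed at it: it flags leftover template placeholders, a Device value that matches neither the LAN nor the PCIe pattern above, missing DefaultUser/KeyGroup/LogFile entries, a non-numeric LogLevel, and (an assumption of this check, since the file names the HSM, user and key group) a file that is readable by anyone other than its owner.

```shell
#!/bin/sh
# Added example, not part of the Utimaco documentation: sanity-check a
# CryptoServer.cfg before exporting CRYPTOSERVER_JCE_CONFIG for it.
# Prints each finding and returns 0 only when the file looks usable.

# cfg_get FILE KEY: print the value of the first "KEY = value" line.
cfg_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

check_cfg() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    # Assumption of this check: the file names the HSM, the crypto user
    # and the key group, so only the owning (oracle) account should read it.
    if ls -ld "$f" | cut -c5-10 | grep -q '[rwx]'; then
        echo "$f is group- or world-accessible"; rc=1
    fi
    # Leftover <placeholders> mean the sample file was copied unedited.
    if grep -qE '<[A-Za-z_ ]+>' "$f"; then
        echo "template placeholder still present"; rc=1
    fi
    # Device is either port 288 at the LAN HSM or the PCIe device node.
    dev=$(cfg_get "$f" Device)
    case $dev in
        288@[0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;   # hardware (LAN) HSM
        /dev/cs[0-9]*.[0-9]*) ;;              # hardware (PCIe) HSM
        *) echo "Device not recognised: '$dev'"; rc=1 ;;
    esac
    for key in LogFile DefaultUser KeyGroup; do
        [ -n "$(cfg_get "$f" "$key")" ] || { echo "$key is not set"; rc=1; }
    done
    # LogLevel 4 is for troubleshooting; drop back to 1 or 2 afterwards.
    lvl=$(cfg_get "$f" LogLevel)
    case $lvl in
        ""|*[!0-9]*) echo "LogLevel '$lvl' is not a number"; rc=1 ;;
        [3-9]) echo "note: verbose LogLevel $lvl left enabled" ;;
    esac
    return $rc
}

# Usage: sh check_cfg.sh /home/oracle/CryptoServer.cfg
if [ $# -gt 0 ]; then check_cfg "$1"; fi
```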

  7. Obtain the following jurisdiction (unlimited strength) policy files from Oracle for your country and for the correct Java version:

    1. US_export_policy.jar.

    2. local_policy.jar.

The unlimited policy files are required only for JDK 8 updates earlier than 8u161. From 8u161 onward, the stronger cryptographic algorithms are available by default.

  8. Copy these jurisdiction policy files into the directory <java-home>/lib/security.

›_ Console

# cp US_export_policy.jar <java_home>/lib/security
# cp local_policy.jar <java_home>/lib/security