Description
Currently, IBM Liberty documentation does not include guidance for configuring Hardware Security Modules (HSMs), which is becoming increasingly important for modern security requirements.
With the push toward:
- FIPS 140-3 compliance (driving increased need for high-performance cryptographic processing), and
- Post-Quantum Cryptography (PQC) readiness, aligned with IBM’s strategic direction,
it is essential that Liberty provides clear, supported documentation for integrating with modern hardware crypto devices. Modern HSMs are capable of efficiently supporting both FIPS 140-3 and PQC-ready algorithms. Providing official documentation will help customers adopt these capabilities proactively.
The HSM configuration steps include Java-related configuration steps required for proper integration with Liberty runtimes. I would like to review this content with the documentation team to determine whether it fits within IBM Docs. If it does not, I plan to publish the material as a Technote and/or community blog. In either case, I am opening this issue to both engage the doc team and retain the information here for reference.
Proposal
Create a new Liberty documentation section that covers:
- HSM integration and configuration steps
- Guidance for both Liberty on distributed and z/OS environments
Reference Material
A customer-validated and approved draft of the configuration steps for Liberty on distributed is available here:
👉 https://github.com/una-tapa/HSM_ConfigSteps_Liberty_Distributed_For_Review
The WAS on z/OS support team validated the following steps with multiple customers:
👉 Enabling hardware cryptography for Liberty for z/OS using Java 8
👉 Enabling hardware cryptography for Liberty for z/OS using Java 11, Java 17, or Java 21
The README in this repository provides important background.
- The content has been reviewed and approved by a customer for Community & OpenLiberty blog
- The contributing customer wishes to remain anonymous
Notes
- This is not a net-new requirement; it has been missing from Liberty documentation to date
- The referenced material can be generalized and adapted for official Liberty documentation
Since the customer used a Luna HSM device, the next steps for IBM doc would be:
- The doc team to review the referenced repository content
- Generalize and adapt into Liberty documentation format