Tips for using HTTPS to connect to MSM with RACF using an ICSF keystore.

Article ID: 30464

Updated On:

Products

Mainframe Software Manager (Chorus Software Manager)

Issue/Introduction

This tip is related to this part of the documentation in the CA Chorus Software Manager Administration Guide.

When using ICSF with a Crypto-HW as a keystore:

  • Copy the coding example from the manual.
  • Set keystoreType to "JCECCARACFKS" in server.xml.
  • Verify that the sslprotocols parameters fit the site requirements.
  • If you run into java.io.IOException: no such provider: IBMJCE4758, verify that the file $JAVA_HOME/lib/security/java.security was updated to include the ICSF hardware provider. According to IBM's web site, that file must list the following as the first provider:

security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA 

Note: Renumber the other providers already in the list so that they follow in a later sequence.

  1. Add the following RACF privileges with READ access to the MSM STC userid:
    CSFIQF CL(CSFSERV )
    CSFDSV CL(CSFSERV )
    CSFRNGL CL(CSFSERV )
    CSFDSG CL(CSFSERV )
    CSFPKE CL(CSFSERV )
    Note: For a detailed description of these functions, see the "IBM z/OS ICSF Administrators Guide."
  2. Verify that in server.xml the "Connector port=" value for HTTPS matches the "redirectPort=" value in the preceding non-SSL HTTP/1.1 connector.
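
The file checks above can be scripted. The following is an added example, not code from the CA manual or from IBM: it checks that IBMJCECCA is security.provider.1 with the remaining providers renumbered cleanly, that the HTTPS connector uses keystoreType JCECCARACFKS, and that redirectPort points at an HTTPS connector port. It assumes Tomcat-style Connector attributes (scheme, protocol); the sample ports and the neighbouring provider entries are constructed.

```python
import re
import xml.etree.ElementTree as ET

HW_PROVIDER = "com.ibm.crypto.hdwrCCA.provider.IBMJCECCA"  # from the article
KEYSTORE_TYPE = "JCECCARACFKS"                              # from the article

def check_java_security(text):
    """Return problems with the security.provider.N list in java.security."""
    providers, problems = {}, []
    pattern = r"^[ \t]*security\.provider\.(\d+)[ \t]*=[ \t]*(\S+)"
    for num, cls in re.findall(pattern, text, re.M):  # commented lines do not match
        n = int(num)
        if n in providers:
            problems.append(f"sequence number {n} is used twice")
        providers[n] = cls  # as in a properties file, the last entry wins
    if providers.get(1) != HW_PROVIDER:
        problems.append("IBMJCECCA is not security.provider.1")
    if sorted(providers) != list(range(1, len(providers) + 1)):
        problems.append("provider numbers are not consecutive from 1")
    return problems

def check_server_xml(xml_text):
    """Return problems with keystoreType and redirectPort in server.xml."""
    connectors = list(ET.fromstring(xml_text).iter("Connector"))
    https = [c for c in connectors if c.get("scheme") == "https"]
    problems = [f"port {c.get('port')}: keystoreType is not {KEYSTORE_TYPE}"
                for c in https if c.get("keystoreType") != KEYSTORE_TYPE]
    https_ports = {c.get("port") for c in https}
    for c in connectors:
        plain_http = c.get("scheme") != "https" and c.get("protocol", "HTTP/1.1") == "HTTP/1.1"
        if plain_http and c.get("redirectPort") not in https_ports:
            problems.append(f"port {c.get('port')}: redirectPort matches no HTTPS connector")
    return problems

# Constructed samples: the old first provider was not renumbered, and
# redirectPort still names a port that no HTTPS connector listens on.
SAMPLE_SECURITY = """\
security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
"""
SAMPLE_SERVER_XML = """\
<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="9443" scheme="https" secure="true" SSLEnabled="true" keystoreType="JCECCARACFKS"/>
</Service></Server>
"""

if __name__ == "__main__":
    for problem in check_java_security(SAMPLE_SECURITY) + check_server_xml(SAMPLE_SERVER_XML):
        print("FAIL:", problem)
```

To check a real installation, pass the contents of $JAVA_HOME/lib/security/java.security and of the MSM server.xml to the two functions instead of the samples.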

Environment

Release:
Component: MSM