Sun Java System Application Server 9.1 Administration Guide

Configuring J2SE 5.0 PKCS#11 Providers

Application Server relies on J2SE PKCS#11 providers to access keys and certificates that are located in PKCS#11 tokens at runtime. By default, Application Server configures a J2SE PKCS#11 provider for the NSS soft token. This section describes how to override the default configuration for the J2SE PKCS#11 provider.

In Application Server, a set of default PKCS#11 configuration parameters is generated for each PKCS#11 token.

These configurations conform to the syntax described in the Java PKCS#11 Reference Guide.


Note –

The name parameter has no requirements other than that it must be unique among the configured providers. Certain older versions of J2SE 5.0 accept alphanumeric characters only.


You can override the default configuration parameters by creating a custom configuration file. For example, you can explicitly disable the RSA Cipher and RSA Key Pair Generator in the SCA-1000 (Sun Crypto Accelerator 1000). For details on disabling the RSA Cipher and RSA Key Pair Generator, see http://www.mozilla.org/projects/security/pki/nss/tools.

To create a custom configuration file:

  1. Create a configuration file called as-install/mypkcs11.cfg with the following contents and save the file.


    name=HW1000
    library=/opt/SUNWconn/crypto/lib/libpkcs11.so
    slotListIndex=0
    disabledMechanisms = {
    	CKM_RSA_PKCS
    	CKM_RSA_PKCS_KEY_PAIR_GEN
    }
    omitInitialize=true
  2. Update the NSS database, if necessary. In this example, update the NSS database so that the Sun Crypto Accelerator module is no longer the NSS default provider for RSA mechanisms, matching what the configuration file disables on the J2SE side.

    Run the following command, where AS_NSS_DB is the directory that contains the server's NSS database:


    modutil -undefault "Sun Crypto Accelerator" -dbdir AS_NSS_DB -mechanisms RSA

    Note that modutil identifies mechanisms by family name (for example, RSA) rather than by the CKM_* mechanism names used in the J2SE configuration file, so the two lists do not use the same identifiers. For a list of valid mechanisms in NSS, see the modutil documentation on the NSS Security Tools site at http://www.mozilla.org/projects/security/pki/nss/tools.

  3. Update the server with this change by adding a property in the appropriate location, as follows:


    <property name="mytoken" value="as-install/mypkcs11.cfg"/>

    The location for the property could be one of the following:

    • If the provider is for the DAS (Domain Administration Server) or a server instance, add the property under the <security-service> element of the configuration that the DAS or instance uses in the domain.xml file.

    • If the provider is for a node agent, add the property under the associated <node-agent> element in the domain.xml file.

  4. Restart the Application Server.

    The customized configurations will be in effect after the restart.
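The steps above can be checked mechanically before the restart. The following Python script is an added example, not code from the Application Server product or its documentation: it parses a provider configuration file of the kind created in step 1 (the `attribute = value` and `{ ... }` list syntax of the Java PKCS#11 Reference Guide; the compound `attributes(...)` form is not handled), applies the checks a practitioner wants before installing it (required attributes, the unique and alphanumeric name from the note above, one of slot or slotListIndex), derives the modutil mechanism family names for step 2 using a heuristic (the word after `CKM_`, which is an assumption of this example and must be confirmed against the modutil documentation), and appends the step 3 `<property>` element under `<security-service>` or `<node-agent>` in a domain.xml document with ElementTree. The function names, the sample configuration, the minimal domain.xml fragment and the installation paths are constructed for the example.

```python
"""Helpers for the custom PKCS#11 provider procedure (steps 1 to 3 above).

Added example, not Application Server code.  Assumptions: all function
names, the sample inputs, and the CKM_-to-modutil family heuristic."""
import re
import shlex
import xml.etree.ElementTree as ET

# Attributes that take a brace-delimited list of CKM_* mechanism names
# (Java PKCS#11 Reference Guide syntax).
LIST_ATTRS = {"enabledMechanisms", "disabledMechanisms"}

# Constructed sample: the configuration file from step 1.
SAMPLE_CFG = """\
name=HW1000
library=/opt/SUNWconn/crypto/lib/libpkcs11.so
slotListIndex=0
disabledMechanisms = {
\tCKM_RSA_PKCS
\tCKM_RSA_PKCS_KEY_PAIR_GEN
}
omitInitialize=true
"""

# Constructed minimal domain.xml fragment (a real file is much larger).
SAMPLE_DOMAIN_XML = """<domain><configs><config name="server-config">
<security-service><auth-realm name="file"/></security-service>
</config></configs><node-agents><node-agent name="na1"/></node-agents></domain>"""


def parse_pkcs11_cfg(text):
    """Parse 'attribute = value' lines; list attributes become lists of
    CKM_* names.  '#' starts a comment.  attributes(...) is not handled."""
    cfg, pending = {}, None          # pending: list attribute whose '{' is open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if pending:                  # inside a multi-line { ... } block
            cfg[pending].extend(line.split("}", 1)[0].split())
            if "}" in line:
                pending = None
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        if key.startswith("attributes"):
            raise ValueError("attributes(...) blocks are not supported")
        if key in LIST_ATTRS:
            if not value.startswith("{"):
                raise ValueError(f"{key} must be a {{ ... }} list")
            cfg[key] = value[1:].split("}", 1)[0].split()
            if "}" not in value:
                pending = key
        else:
            cfg[key] = value
    if pending:
        raise ValueError(f"unterminated list for {pending}")
    return cfg


def check_cfg(cfg, seen_names=()):
    """Return a list of problems; an empty list means the file is safe to install."""
    problems = []
    for required in ("name", "library"):
        if required not in cfg:
            problems.append(f"missing required attribute {required}")
    name = cfg.get("name", "")
    if name in seen_names:
        problems.append(f"provider name {name!r} is not unique")
    if not re.fullmatch(r"[A-Za-z0-9]+", name):
        problems.append(f"name {name!r} is not alphanumeric; older J2SE 5.0 rejects it")
    if "slot" in cfg and "slotListIndex" in cfg:
        problems.append("slot and slotListIndex are mutually exclusive")
    for mech in cfg.get("disabledMechanisms", []) + cfg.get("enabledMechanisms", []):
        if not mech.startswith("CKM_"):
            problems.append(f"{mech!r} is not a CKM_* mechanism name")
    return problems


def modutil_mechanisms(ckm_names):
    """Map CKM_* names to the family names modutil takes.  Heuristic and an
    assumption of this example: the word after CKM_, so CKM_RSA_PKCS -> RSA.
    Confirm each family against the modutil documentation."""
    families = []
    for mech in ckm_names:
        family = mech.split("_")[1]
        if family not in families:
            families.append(family)
    return families


def modutil_command(module, dbdir, ckm_names):
    """Step 2 command: stop NSS using the module as default for those families."""
    mechs = ":".join(modutil_mechanisms(ckm_names))   # modutil lists are colon-separated
    return (f"modutil -undefault {shlex.quote(module)} "
            f"-dbdir {shlex.quote(dbdir)} -mechanisms {mechs}")


def add_token_property(domain_xml, parent_tag, name, value):
    """Step 3: append <property name=... value=...> under the first
    <security-service> (DAS or instance) or <node-agent> element."""
    root = ET.fromstring(domain_xml)
    parent = root.find(f".//{parent_tag}")
    if parent is None:
        raise ValueError(f"no <{parent_tag}> element found")
    if any(p.get("name") == name for p in parent.findall("property")):
        raise ValueError(f"property {name!r} already set under <{parent_tag}>")
    ET.SubElement(parent, "property", {"name": name, "value": value})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Paths below are assumptions for the demonstration, not product defaults.
    cfg = parse_pkcs11_cfg(SAMPLE_CFG)
    print("problems:", check_cfg(cfg) or "none")
    print(modutil_command("Sun Crypto Accelerator",
                          "/opt/SUNWappserver/domains/domain1/config",
                          cfg["disabledMechanisms"]))
    print(add_token_property(SAMPLE_DOMAIN_XML, "security-service",
                             "mytoken", "/opt/SUNWappserver/mypkcs11.cfg"))
```

Run it with python3 on the host where you edit domain.xml; the printed modutil line is the one to run against the real NSS database directory, and the printed XML shows where the property lands. The duplicate check in add_token_property matters in practice: a second property with the same name under the same element makes the provider configuration ambiguous after the restart.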