Sun Java System Application Server Enterprise Edition 8.2 Administration Guide

Configuring PKCS#11 Tokens

This section describes how to configure PKCS#11 tokens with the NSS security tool modutil. Use the following procedure to configure a PKCS#11 token.

Enter the following command (all on one line):

modutil -dbdir AS_NSS_DB -nocertdb -force -add moduleName -libfile
 absolute_path_of_pkcs11_library -mechanisms list_of_security_mechanisms

where, AS_NSS_DB is the NSS database directory (same as AS_DOMAIN_CONFIG when you use the Domain Administration Server (DAS))

For example, to configure a hardware accelerator token, enter the following (all on one line):

modutil -dbdir AS_NSS_DB -nocertdb -force -add "Sun Crypto Accelerator" -libfile
 /opt/SUNWconn/crypto/lib/ -mechanisms RSA:DSA:RC4:DES

The hardware accelerator in this example is a SCA–1000 cryptographic accelerator. The corresponding PKCS#11 library, by default, is located in /opt/SUNWconn/crypto/lib/

The mechanisms must be a complete list of the cryptographic mechanisms that are available in the token. To use just a few of the available cryptographic mechanisms, see Configuring J2SE 5.0 PKCS#11 Providers. For a list of all supported mechanisms, see the modutil documentation on the NSS Security Tools site at

The examples that follow assume that the token name specified at token installation time is mytoken.

To verify that the hardware accelerator is configured properly, enter the following command:

modutil -list -dbdir AS_NSS_DB

The standard output will look similar to the following:

Using database directory /var/opt/SUNWappserver/domains/domain1/config ...

Listing of PKCS#11 Modules
  1. NSS Internal PKCS#11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services                            
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services                  
        token: NSS Certificate DB

  2. Sun Crypto Accelerator
        library name: /opt/SUNWconn/crypto/lib/
         slots: 1 slot attached
        status: loaded

         slot: Sun Crypto Accelerator:mytoken
        token: mytoken