Proxy Server supports the following methods of using external cryptographic modules such as smart cards or hardware tokens:
PKCS #11
FIPS-140
You must add the PKCS #11 module before activating the FIPS-140 encryption standard.
Proxy Server supports Public Key Cryptography Standard (PKCS) #11, which defines the interface between the server's SSL implementation and PKCS #11 modules. PKCS #11 modules provide standards-based connectivity to SSL hardware accelerators and other external cryptographic devices. Imported certificates and keys for external hardware accelerators are recorded in the secmod.db file, which is generated when the PKCS #11 module is installed. The file is located in the server-root/alias directory.
You can install PKCS #11 modules in the form of .jar files or object files using the modutil tool.
To Install PKCS #11 Modules Using the modutil Tool
Make sure that all servers, including the Administration Server, have been stopped.
Go to the server-root/alias directory containing the databases.
Add server-root/bin/proxy/admin/bin to your PATH.
Locate modutil in server-root/bin/proxy/admin/bin.
Set the environment.
On UNIX:
setenv LD_LIBRARY_PATH server-root/bin/proxy/lib:${LD_LIBRARY_PATH}
On Windows, add server-root/bin/proxy/bin to your PATH.
You can find the PATH for your computer listed under server-root/proxy-admserv/start.
In a terminal window, type modutil.
The options will be listed.
Perform the actions required.
For example, to add a PKCS #11 module on UNIX, enter:
modutil -add module-name -libfile pkcs11-library-file -nocertdb -dbdir .
Here module-name is the name under which the module will be listed, pkcs11-library-file is the path to the module's shared library, and -dbdir . points at the current (alias) directory that holds the databases. Enclose a module name that contains spaces in quotation marks.
Using pk12util enables you to export certificates and keys from your internal database and import them into an internal or external PKCS #11 module. You can always export certificates and keys from your internal database, but most external tokens will not allow you to export certificates and keys once they have been imported. By default, pk12util uses certificate and key databases named cert8.db and key3.db.
To Export a Certificate and Key From an Internal Database
Go to the server-root/alias directory containing the databases.
Add server-root/bin/proxy/admin/bin to your PATH.
Locate pk12util in server-root/bin/proxy/admin/bin.
Set the environment.
On UNIX:
setenv LD_LIBRARY_PATH server-root/bin/proxy/lib:${LD_LIBRARY_PATH}
On Windows, add server-root/bin/proxy/bin to your PATH.
You can find the PATH for your computer listed under server-root/proxy-admserv/start.
In a terminal window, type pk12util.
The options will be listed.
Perform the actions required.
For example, on UNIX type:
pk12util -o certpk12 -n Server-Cert [-d /server/alias] [-P https-test-host]
Here -o names the PKCS #12 output file, -n the certificate nickname, -d the database directory, and -P the database filename prefix of the instance, if one is used.
Type the database password.
Type a password to protect the PKCS #12 file. The file contains the private key, so keep it only as long as the import needs it.
To Import a Certificate and Key Into an Internal or External PKCS #11 Module
Go to the server-root/alias directory containing the databases.
Add server-root/bin/proxy/admin/bin to your PATH.
Locate pk12util in server-root/bin/proxy/admin/bin.
Set the environment as in the previous procedure. For example, on UNIX:
setenv LD_LIBRARY_PATH server-root/bin/proxy/lib:${LD_LIBRARY_PATH}
In a terminal window, type pk12util.
The options will be listed.
Perform the actions required.
For example, on UNIX enter:
pk12util -i pk12_sunspot [-d certdir] [-h "nCipher"] [-P https-jones.redplanet.com-jones-]
-P must follow -h and must be the last argument.
Give -h the exact token name, including capital letters and spaces, enclosed in quotation marks.
Type the database password.
Type the password of the PKCS #12 file.
If you install a certificate for your server into an external PKCS #11 module, for example, a hardware accelerator, the server will not be able to start using that certificate until you edit the server.xml file or specify the certificate name as described below.
The server always tries to start with the certificate named Server-Cert. However, certificates in external PKCS #11 modules include one of the module’s token names in their identifier. For example, a server certificate installed on an external smartcard reader called smartcard0 would be named smartcard0:Server-Cert.
To start a server with a certificate installed in an external module, you must specify the certificate name for the listen socket on which it runs.
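The three command-line procedures above (adding the module with modutil, exporting Server-Cert with pk12util, importing it into a token with pk12util) and the token-qualified nickname rule, as an added example in Python. It is not Proxy Server code: it wraps the same NSS commands the page shows, assumes server-root is /opt/proxy and that the tools and libraries sit where the page says, and uses a constructed sample of `modutil -list` output (not captured from a real host) to show how to find the token name that becomes $TOKENNAME. The argv builders keep the -h/-P ordering the page requires, and the end-to-end function removes the PKCS #12 file after import because it holds the private key.

```python
"""Automates the modutil/pk12util steps and derives the TOKENNAME:nickname form.
Added example, not Proxy Server code.  Paths below are assumptions standing in
for the page's server-root placeholder."""
import os
import re
import subprocess
from typing import Dict, List

SERVER_ROOT = "/opt/proxy"  # assumption: stands in for server-root
ALIAS_DIR = os.path.join(SERVER_ROOT, "alias")
TOOL_DIR = os.path.join(SERVER_ROOT, "bin", "proxy", "admin", "bin")
LIB_DIR = os.path.join(SERVER_ROOT, "bin", "proxy", "lib")

# Constructed sample of `modutil -list` output (not captured from a real system).
SAMPLE_MODUTIL_LIST = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded
         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
  2. nCipher
        library name: /opt/nfast/toolkits/pkcs11/libcknfast.so
         slots: 1 slot attached
        status: loaded
         slot: nCipher PKCS#11 slot 0
        token: nCipher
-----------------------------------------------------------
"""


def tool_env() -> Dict[str, str]:
    """Environment the page asks for: tools on PATH, NSS libraries on LD_LIBRARY_PATH."""
    env = dict(os.environ)
    env["PATH"] = TOOL_DIR + os.pathsep + env.get("PATH", "")
    env["LD_LIBRARY_PATH"] = LIB_DIR + os.pathsep + env.get("LD_LIBRARY_PATH", "")
    return env


def modutil_add_argv(module_name: str, libfile: str, dbdir: str = ".") -> List[str]:
    """modutil -add as on the page; an argv list needs no shell quoting of names with spaces."""
    return ["modutil", "-add", module_name, "-libfile", libfile, "-nocertdb", "-dbdir", dbdir]


def pk12util_export_argv(out_file: str, nickname: str = "Server-Cert",
                         dbdir: str = ".", prefix: str = "") -> List[str]:
    """pk12util -o: export a cert and key from the internal database to a PKCS #12 file."""
    argv = ["pk12util", "-o", out_file, "-n", nickname, "-d", dbdir]
    return argv + (["-P", prefix] if prefix else [])


def pk12util_import_argv(p12_file: str, dbdir: str = ".", token: str = "",
                         prefix: str = "") -> List[str]:
    """pk12util -i: -h takes the exact token name; -P must follow -h and come last."""
    argv = ["pk12util", "-i", p12_file, "-d", dbdir]
    if token:
        argv += ["-h", token]
    return argv + (["-P", prefix] if prefix else [])


def parse_modutil_list(text: str) -> Dict[str, List[str]]:
    """Map each module name in `modutil -list` output to the token names it exposes."""
    modules: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\.\s+(.+?)\s*$", line)   # "  1. Module Name"
        if m:
            current = m.group(1)
            modules[current] = []
            continue
        t = re.match(r"\s*token:\s*(.+?)\s*$", line)  # "token: Token Name"
        if t and current is not None:
            modules[current].append(t.group(1))
    return modules


def server_cert_nickname(token: str, nickname: str = "Server-Cert") -> str:
    """Value for servercertnickname in SSLPARAMS when the cert lives on an external token."""
    return f"{token}:{nickname}"


def run_tool(argv: List[str], capture: bool = False) -> str:
    """Run an NSS tool from the alias directory; stdin stays attached so password prompts work."""
    res = subprocess.run(argv, cwd=ALIAS_DIR, env=tool_env(), check=True,
                         capture_output=capture, text=True)
    return res.stdout or ""


def move_server_cert_to_token(module_name: str, libfile: str, token: str,
                              p12_file: str = "certpk12", prefix: str = "") -> str:
    """Add the module, confirm its token is listed, export Server-Cert, import it onto the
    token.  Stop all servers, including the Administration Server, before calling this."""
    run_tool(modutil_add_argv(module_name, libfile))
    tokens = parse_modutil_list(run_tool(["modutil", "-list", "-dbdir", "."], capture=True))
    if token not in tokens.get(module_name, []):
        raise RuntimeError(f"token {token!r} not listed under module {module_name!r}")
    run_tool(pk12util_export_argv(p12_file, prefix=prefix))
    try:
        run_tool(pk12util_import_argv(p12_file, token=token, prefix=prefix))
    finally:
        os.remove(os.path.join(ALIAS_DIR, p12_file))  # the .p12 carries the private key
    return server_cert_nickname(token)
```

The returned value, for example nCipher:Server-Cert, is what goes into the listen socket's certificate name or the servercertnickname attribute described in the following steps.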
To Select the Certificate Name for a Listen Socket
If security is not enabled on the listen socket, certificate information will not be listed. To select a certificate name for a listen socket, you must first ensure that security is enabled on the listen socket. For more information, see Enabling Security for Listen Sockets.
Access either the Administration Server or the Server Manager and click the Preferences tab.
Click the Edit Listen Sockets link.
Click the link for the listen socket that you want to associate with a certificate.
Select a server certificate from the Server Certificate Name drop-down list for the listen socket and click OK.
The list contains all internal and external certificates installed.
You could also require the server to start with that server certificate instead, by manually editing the server.xml file. Change the servercertnickname attribute in the SSLPARAMS to:
$TOKENNAME:Server-Cert
To find what value to use for $TOKENNAME, go to the server’s Security tab and select the Manage Certificates link. When you log in to the external module where Server-Cert is stored, its certificates are displayed in the list in the $TOKENNAME:$NICKNAME form.
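The same change expressed in server.xml, as an added illustration rather than a fragment taken from the page: only the SSLPARAMS element and its servercertnickname attribute come from the text; the enclosing LS element, its attributes, and the other SSLPARAMS attributes are assumed for context. The first element is the default, which makes the server look for Server-Cert in the internal database; the second makes it use the certificate on the token named nCipher.

```xml
<!-- Before: the server looks for Server-Cert in the internal database -->
<LS id="ls1" port="443" security="on">
  <SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl3="on" tls="on"/>
</LS>

<!-- After: $TOKENNAME is nCipher, so the nickname is token-qualified -->
<LS id="ls1" port="443" security="on">
  <SSLPARAMS servercertnickname="nCipher:Server-Cert" ssl2="off" ssl3="on" tls="on"/>
</LS>
```

The token name must match what the module reports exactly, including capitalization and spaces, or the server will fail to find the certificate at startup.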
If you did not create a trust database, one will be created for you when you request or install a certificate for an external PKCS #11 module. The database created this way has no password and therefore cannot be used: your external module will work, but you will not be able to request and install server certificates. If a default database has been created without a password, use the Create Database page on the Security tab to set one.
The PKCS #11 APIs enable communication with software or hardware modules that perform cryptographic operations. Once a PKCS #11 module is installed on your Proxy Server, you can configure the server to be FIPS-140 compliant. FIPS stands for Federal Information Processing Standards. The FIPS-140 libraries are used only with SSL 3.0, so SSL 3.0 must be enabled on the listen socket.
To Enable FIPS-140
Install the plug-in following the FIPS-140 instructions.
Access either the Administration Server or the Server Manager and click the Preferences tab.
Click the Edit Listen Sockets link.
For a secure listen socket, the Edit Listen Sockets page displays the available security settings.
To work with FIPS-140, ensure that security is enabled on the selected listen socket. For more information, see Enabling Security for Listen Sockets.
Select Enabled from the SSL Version 3 drop-down list, if not already selected.
Select the appropriate FIPS-140 cipher suite and click OK.