For Web Server's SSL subsystem (NSS) to use external PKCS#11 token(s), you need to configure NSS with the modutil command to make it aware of the token(s). The Solaris libpkcs11 softtoken is a PKCS#11-compliant token which can be used with NSS. As an additional benefit, UltraSPARC-T1 systems using Solaris 10's libpkcs11 will make use of the platform's crypto acceleration support.
Before using the libpkcs11 provider, initialize its password with pktool:
% pktool setpin
Run the modutil command without any arguments for usage information. For example, to add the Solaris 10 libpkcs11 library as a PKCS#11 token in NSS:
Ensure that SSL support has been initialized for the Web Server instance(s). This can be done through the Admin GUI.
Run the following command:
% modutil -dbdir $ALIASDIR -dbprefix $PREFIX -add libpkcs -libfile /usr/lib/libpkcs11.so -mechanisms RSA
where,
$ALIASDIR is the path to the alias directory in the install root where the NSS db files are located.
$PREFIX is the prefix used by the key3/cert8 db files in the alias directory and is of the form https-$INSTANCENAME-.
Note the -mechanisms flag, which makes this token the preferred initial provider for the given algorithms.
Run the modutil command without any arguments for a list of all possible mechanisms from which to choose.
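The steps above can be wrapped with pre-flight checks so that modutil only runs against an alias directory where SSL has been initialized. This is an added example, not part of the original page: the function names, the DRY_RUN variable and the sample instance name are assumptions, while the modutil options are the ones shown above plus modutil's -list option to confirm the result.

```shell
#!/bin/sh
# Added example: pre-flight checks before registering libpkcs11 with NSS.
# nss_preflight, nss_add_cmd, nss_register and DRY_RUN are hypothetical names.

# Return 0 only if the instance's NSS databases and the PKCS#11 library exist.
# Arguments: alias directory, db prefix (https-$INSTANCENAME-), library path.
nss_preflight() {
    aliasdir=$1 prefix=$2 libfile=$3
    for db in key3.db cert8.db; do
        if [ ! -f "$aliasdir/$prefix$db" ]; then
            echo "missing $aliasdir/$prefix$db (SSL not initialized for this instance?)" >&2
            return 1
        fi
    done
    if [ ! -r "$libfile" ]; then
        echo "PKCS#11 library not readable: $libfile" >&2
        return 2
    fi
    return 0
}

# Print the modutil command from the page with the values filled in.
nss_add_cmd() {
    printf 'modutil -dbdir %s -dbprefix %s -add libpkcs -libfile %s -mechanisms RSA\n' \
        "$1" "$2" "$3"
}

# Check, add the module, then list the configured modules to confirm it.
# With DRY_RUN=1 the command is printed instead of executed.
nss_register() {
    nss_preflight "$1" "$2" "$3" || return $?
    if [ "${DRY_RUN:-0}" = 1 ]; then
        nss_add_cmd "$1" "$2" "$3"
        return 0
    fi
    modutil -dbdir "$1" -dbprefix "$2" -add libpkcs -libfile "$3" -mechanisms RSA || return 3
    modutil -dbdir "$1" -dbprefix "$2" -list | grep libpkcs
}

# Usage (constructed instance name):
#   nss_register "$ALIASDIR" https-example- /usr/lib/libpkcs11.so
```
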
For further details on configuring NSS, see the following man pages and references:
libpkcs11(3LIB): http://docs.sun.com/app/docs/doc/816-5173/6mbb8adup?a=view
pkcs11_softtoken(5): http://docs.sun.com/app/docs/doc/816-5175/6mbba7f35?a=view
pktool(1): http://docs.sun.com/app/docs/doc/816-5165/6mbb0m9oi?q=pktool&a=view
modutil: http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html