Solaris PKCS #11 Support

For Web Server's SSL subsystem (NSS) to use external PKCS#11 token(s), you need to configure NSS with the modutil command to make it aware of the token(s). The Solaris libpkcs11 softtoken is a PKCS#11 compliant token which can be used with NSS. As an additional benefit on UltraSPARC-T1, systems using Solaris 10's libpkcs11 will make use of the platform crypto acceleration support.

Before using the libpkcs11 provider, initialize its password with pktool:

% pktool setpin

Run the modutil command without any arguments for usage information. For example, to add the Solaris 10 libpkcs11 library as a PKCS11 token in NSS,

• Ensure that SSL support has been initialized for the Web Server instance(s). This can be done through the Admin GUI.

• Run the following command:

  % modutil -dbdir $ALIASDIR -dbprefix $PREFIX -add libpkcs -libfile /usr/lib/libpkcs11.so -mechanisms RSA where,

  • $ALIASDIR is the path to the alias directory in the install root where the NSS db files are located.

  • $PREFIX is the prefix used by the key3/cer8 db files in the alias directory and is of the form https-$INSTANCENAME-.

  Note the -mechanisms flag which makes this token the preferred initial provider for the given algorithms.

  Run the modutil command without any arguments for a list of all possible mechanisms from which to choose.

For further details on configuring NSS, see manpages and references:

• libpkcs11(3LIB): http://docs.sun.com/app/docs/doc/816-5173/6mbb8adup?a=view

• pkcs11_softtoken(5): http://docs.sun.com/app/docs/doc/816-5175/6mbba7f35?a=view

• pktool(1): http://docs.sun.com/app/docs/doc/816-5165/6mbb0m9oi?q=pktool&a=view

• modutil: http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html