For Web Server's SSL subsystem (NSS) to use external PKCS#11 token(s), you have to configure NSS with the modutil command to make it aware of the token(s). The Solaris libpkcs11 softtoken is a PKCS#11-compliant token which can be used with NSS. As an additional benefit, on UltraSPARC-T1 systems, using Solaris 10's libpkcs11 makes use of the platform crypto acceleration support.
Run the modutil command without any arguments for usage information. For example, to add the Solaris 10 libpkcs11 library as a PKCS#11 token in NSS:
Ensure that SSL support has been initialized for the Web Server instance(s). You can do this using the Administration GUI.
Run the following command:
% modutil -dbdir $ALIASDIR -dbprefix $PREFIX -add libpkcs -libfile /usr/lib/libpkcs11.so -mechanisms RSA
where,
$ALIASDIR is the path to the alias directory in the install root where the NSS database files are located.
$PREFIX is the prefix used by the key3/cert8 database files in the alias directory and is of the form https-$INSTANCENAME-.
Note the -mechanisms flag, which makes this token the preferred initial provider for the given algorithms.
Run the modutil command without any arguments for a list of all possible mechanisms.
Before using the libpkcs11 provider, initialize its password with pktool:
% pktool setpin
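The modutil step above, wrapped in pre-flight checks so the module is registered in the database files the instance actually uses. This is an added example, not part of the original documentation: the function names are hypothetical, and it assumes the database files are named ${PREFIX}key3.db and ${PREFIX}cert8.db.

```sh
#!/bin/sh
# Added example: pre-flight checks around the modutil -add step.
# Function names are hypothetical and not part of NSS or the Web Server.

# Build the database prefix for an instance: https-$INSTANCENAME-
nss_prefix() {
    printf 'https-%s-' "$1"
}

# Succeed only if both NSS database files exist with this prefix.
# Assumption: the files are named ${prefix}key3.db and ${prefix}cert8.db.
check_nss_db() {
    aliasdir=$1 prefix=$2
    for db in key3.db cert8.db; do
        if [ ! -f "$aliasdir/$prefix$db" ]; then
            echo "missing: $aliasdir/$prefix$db" >&2
            return 1
        fi
    done
}

# Register libpkcs11, then list the module to confirm it is registered.
add_libpkcs11() {
    aliasdir=$1 prefix=$2 lib=/usr/lib/libpkcs11.so
    check_nss_db "$aliasdir" "$prefix" || return 1
    [ -r "$lib" ] || { echo "cannot read $lib" >&2; return 1; }
    modutil -dbdir "$aliasdir" -dbprefix "$prefix" \
        -add libpkcs -libfile "$lib" -mechanisms RSA || return 1
    modutil -dbdir "$aliasdir" -dbprefix "$prefix" -list libpkcs
}

# Usage: sh add-libpkcs11.sh ALIASDIR INSTANCENAME
if [ "$#" -eq 2 ]; then
    add_libpkcs11 "$1" "$(nss_prefix "$2")"
fi
```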
For further details on configuring NSS, see the following man pages and references:
libpkcs11(3LIB): http://docs.sun.com/app/docs/doc/816-5173/6mbb8aduq?a=view
pkcs11_softtoken(5): http://docs.sun.com/app/docs/doc/816-5175/6mbba7f37?a=view
pktool(1): http://docs.sun.com/app/docs/doc/816-5165/6mbb0m9oj?a=view
modutil: http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html