Enterprise Server relies on J2SE PKCS#11 providers to access keys and certificates that are located in PKCS#11 tokens at runtime. By default, Enterprise Server configures a J2SE PKCS#11 provider for the NSS soft token. This section describes how to override the default configuration for the J2SE PKCS#11 provider.
In Enterprise Server, the following default PKCS#11 configuration parameters are generated for each PKCS#11 token.
Configuration for the default NSS soft token:
| name=internal
library=${com.sun.enterprise.nss.softokenLib}
nssArgs="configdir='${com.sun.appserv.nss.db}'
 certPrefix='' keyPrefix='' secmod='secmod.db'"
slot=2
omitInitialize = true | 
Configuration for the SCA 1000 hardware accelerator:
| name=HW1000 library=/opt/SUNWconn/crypto/lib/libpkcs11.so slotListIndex=0 omitInitialize=true | 
These configurations conform to the syntax described in the Java PKCS#11 Reference Guide.
The name parameter has no requirements other than that it must be unique. Certain older versions of J2SE 5.0 support alphanumeric characters only.
You can override the default configuration parameters by creating a custom configuration file. For example, you can explicitly disable the RSA Cipher and RSA Key Pair Generator in SCA–1000. For details on disabling the RSA Cipher and RSA Key Pair Generator, see http://www.mozilla.org/projects/security/pki/nss/tools.
To create a custom configuration file:
Create a configuration file called as-install/mypkcs11.cfg with the following code and save the file.
| name=HW1000
library=/opt/SUNWconn/crypto/lib/libpkcs11.so
slotListIndex=0
disabledMechanisms = {
	CKM_RSA_PKCS
	CKM_RSA_PKCS_KEY_PAIR_GEN
}
omitInitialize=true | 
Update the NSS database, if necessary. In this case, update the NSS database so that it will disable RSA.
Run the following command :
| modutil -undefault "Sun Crypto Accelerator" -dbdir AS_NSS_DB -mechanisms RSA | 
The name of the algorithm on the mechanisms list differs from the one in the default configuration. For a list of valid mechanisms in NSS, see the modutil documentation on the NSS Security Tools site at http://www.mozilla.org/projects/security/pki/nss/tools.
Update the server with this change by adding a property in the appropriate location, as follows:
| <property name="mytoken" value="&InstallDir;/mypkcs11.cfg"/> | 
The location for the property could be one of the following:
If the provider is for a DAS or server instance, add the property under the associated <security-service>.
If the provider is for a node agent, add the property under the associated <node-agent> element in the domain.xml file.
Restart the Enterprise Server.
The customized configurations will be in effect after the restart.