IBMPKCS11Impl Provider Restrictions
- In 1.4.2, the IBMPKCS11Impl provider used a static variable for the Provider Name, which allowed
initialization of only one IBMPKCS11Impl provider at a time. The last initialization of the
IBMPKCS11Impl provider determined which IBMPKCS11Impl provider objects were supported. In 5.0 and
later, this behavior was changed. You can have multiple providers if a configuration file is used
for each provider and each provider is given a unique name. If the provider is initialized
in the old 1.4.2 way and IBMPKCS11Impl is already in the provider list, then when an
application initializes, a new IBMPKCS11Impl provider is added to the provider list. When an
application requests a cryptographic function through the provider list, the provider object
that is in the provider list is initialized from the java.security file. Such a provider object
initialization might result in an exception with the following exception
message:
No such alg : java.security.NoSuchAlgorithmException: no such algorithm: xxxxx for provider IBMPKCS11Impl
The IBMPKCS11Impl provider can come before the IBMJCE provider in the provider list and IBMJCE might be required to be in the provider list for JCE framework jar verification. If IBMPKCS11Impl is in the provider list before IBMJCE, then you might see a
java.lang.SecurityException: “Cannot set up certs for trusted CAs”
message somewhere in the exception stack trace. To correct this exception, you can try updating the configuration file for your provider so that all DSA mechanisms are turned off.
- IBMPKCS11Impl provider compatibility testing is done with a cryptographic card before it is added to the list of supported cards in the IBM PKCS11 Cryptographic Provider topic, Table 1. That testing is ordinarily limited to testing the card with its default configuration. It is not possible to ensure IBMPKCS11Impl compatibility with every possible configuration setting that each tested card offers. Therefore, the IBMPKCS11Impl provider might not be compatible with some configuration choices.
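A runtime check for the provider-list conditions described in the first restriction above: more than one IBMPKCS11Impl provider in the list, IBMPKCS11Impl ahead of IBMJCE, or IBMJCE missing. This is an added example, not IBM code; the class name ProviderOrderCheck, the prefix match on the provider name, and the sample list are assumptions made for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ProviderOrderCheck {
    // Assumption: every IBMPKCS11Impl instance, including a uniquely named one
    // set up from its own configuration file, has a name with this prefix.
    static final String PKCS11_PREFIX = "IBMPKCS11Impl";
    static final String JCE_NAME = "IBMJCE";

    /** Returns findings for provider names given in preference order. */
    static List<String> check(List<String> names) {
        List<String> findings = new ArrayList<String>();
        int jce = names.indexOf(JCE_NAME);
        int firstPkcs11 = -1;
        int pkcs11Count = 0;
        for (int i = 0; i < names.size(); i++) {
            if (names.get(i).startsWith(PKCS11_PREFIX)) {
                pkcs11Count++;
                if (firstPkcs11 < 0) firstPkcs11 = i;
            }
        }
        if (pkcs11Count > 1) {
            findings.add(pkcs11Count + " IBMPKCS11Impl providers are in the list");
        }
        if (firstPkcs11 >= 0 && jce < 0) {
            findings.add("IBMJCE is not in the provider list");
        } else if (firstPkcs11 >= 0 && firstPkcs11 < jce) {
            findings.add("IBMPKCS11Impl at position " + (firstPkcs11 + 1)
                + " precedes IBMJCE at position " + (jce + 1));
        }
        return findings;
    }

    public static void main(String[] args) {
        List<String> live = new ArrayList<String>();
        for (Provider p : Security.getProviders()) {
            live.add(p.getName());
        }
        System.out.println("Live provider list: " + live);
        System.out.println("Findings: " + check(live));

        // Constructed sample list (not from a real system) with the ordering at issue.
        List<String> sample = Arrays.asList("IBMPKCS11Impl", "IBMJCE", "IBMJSSE2");
        System.out.println("Sample findings: " + check(sample));
    }
}
```

Run it inside the same JVM configuration as the affected application so that the live list reflects both the java.security file and any providers added programmatically.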