Changes from software JCE to the PKCS#11 Implementation

Most applications will be able to run with few changes. Because the IBMPKCS11Impl provider is based on the JCE Framework, the interfaces an application uses to interact with the provider have not changed. See the Java™ Cryptography Extension 1.2.1 API Specification & Reference for more information. However, there are changes related to creating keys. PKCS#11 defines key attributes that can restrict the functions a key can perform, and this is reflected in the provider. Also, the list of supported algorithms is much smaller than that of the software provider IBMJCE; it is limited to what the actual hardware device supports. The largest change that an application has to make is that the IBMPKCS11Impl provider must be initialized, unlike the software IBMJCE provider (see section Initialization of the IBMPKCS11Impl Provider for more information). The other task is to make sure that this provider is in the provider list, either listed explicitly or added using API calls, just like a software provider. After the PKCS#11 provider (IBMPKCS11Impl) is selected and initialized, none of the JCE interfaces needs to be changed to take advantage of the hardware capabilities. Keys generated by a software provider are automatically converted for use by this provider, if the hardware device supports this. Therefore, an existing application can be easily migrated from the software JCE environment (such as IBMJCE) into the hardware-capable PKCS#11 environment (IBMPKCS11Impl).
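
The following pre-migration check is an added example, not code from the original documentation or from IBM. It uses only standard java.security calls to confirm that the provider is in the provider list and to report which of the algorithms an application relies on the hardware-backed provider actually offers. The class name Pkcs11MigrationCheck and the REQUIRED list are assumptions made up for illustration; run it after the provider has been added and initialized.

```java
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;

public class Pkcs11MigrationCheck {
    // Constructed sample: (service type, algorithm) pairs that a hypothetical
    // application requests today from the software provider. Base algorithm
    // names are used because providers register ciphers under the base name.
    static final String[][] REQUIRED = {
        {"KeyPairGenerator", "RSA"},
        {"Signature", "SHA1withRSA"},
        {"Cipher", "RSA"},
        {"MessageDigest", "SHA-1"},
    };

    /** Maps each required "type/algorithm" to whether the provider offers it. */
    static Map<String, Boolean> coverage(Provider p) {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String[] r : REQUIRED) {
            result.put(r[0] + "/" + r[1], p.getService(r[0], r[1]) != null);
        }
        return result;
    }

    public static void main(String[] args) {
        // Provider name as used on this page; another name may be passed for comparison.
        String name = args.length > 0 ? args[0] : "IBMPKCS11Impl";
        Provider p = Security.getProvider(name);
        if (p == null) {
            System.err.println(name + " is not in the provider list");
            System.exit(2);
        }
        boolean allSupported = true;
        for (Map.Entry<String, Boolean> e : coverage(p).entrySet()) {
            System.out.println((e.getValue() ? "supported  " : "MISSING    ") + e.getKey());
            allSupported &= e.getValue();
        }
        // Non-zero exit lets a build or deployment script stop the migration
        // when the device does not cover an algorithm the application needs.
        System.exit(allSupported ? 0 : 1);
    }
}
```

Running the same check with IBMJCE as the argument gives the software baseline to compare against.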

If the provider was initialized using a configuration file, then the attributes specified in the configuration file are used for key pair generation; if none are specified, then the attributes default to whatever the device defaults to. If the provider was not initialized using a configuration file, then key pair generation uses default attribute values if none are specified. This allows applications that were written for a software JCE to be functional with this PKCS#11 provider with no changes. Note: The default attribute values do not work with all devices.

The following section on Specific Changes and Requirements is intended to provide detail for advanced application programmers. It might also provide some information on the changes to key pair generation and key representation, but an in-depth understanding is probably not required for the typical application developer.