Configuring the IBMPKCS11Impl provider

The IBMPKCS11Impl provider is configured through the Java™ Security properties file (java.security).

This file must point to a separate PKCS#11 token configuration file that identifies the ICA token to the provider.

For more details, see the documentation for your IBM WebSphere Application Server (WAS) Java version. To check which Java version is installed, enter the following command:

/opt/IBM/WebSphere/AppServer/java/jre/bin/java -version

Then search for the topic PKCS 11 Implementation Provider, which describes the Java PKCS 11 Implementation Provider and its configuration attributes in detail.

The PKCS#11 token configuration file has no prescribed name or location: choose any file name and specify its full path in the Java Security properties file.

Example token configuration file used in this scenario for a Crypto Express3 (CEX3) feature configured as an ICA token:

# cat /etc/cex3config.cfg 
name = IBMICATOK 
description = config for IBM Crypto Express 3 (configured as an ICA token) 
library = /usr/lib/pkcs11/PKCS11_API.so64 
slotListIndex = 0 
disabledMechanisms = { 
CKM_MD5 
CKM_SHA_1 
CKM_MD5_HMAC 
CKM_SHA_1_HMAC 
CKM_SSL3_MASTER_KEY_DERIVE 
CKM_SSL3_KEY_AND_MAC_DERIVE 
CKM_SSL3_PRE_MASTER_KEY_GEN 
}

where:

name
The name of this provider instance. The scenario uses the PKCS#11 (openCryptoki) token label that was assigned to the ICA token earlier.
description
This string is returned by the provider instance's Provider.getInfo() method.
library
Path name of the PKCS#11 implementation library, here the openCryptoki API library. It must match the word size of the JVM; a 64-bit JVM cannot load the 32-bit library and vice versa:

/usr/lib/pkcs11/PKCS11_API.so - 32-bit library for 32-bit JVMs

/usr/lib/pkcs11/PKCS11_API.so64 - 64-bit library for 64-bit JVMs

slotListIndex
Zero-based index of the ICA token in the list of slots returned by the PKCS#11 library. This is a position in that list, not necessarily the openCryptoki slot number; the scenario uses 0, the first slot.
disabledMechanisms
List of PKCS#11 mechanisms that this provider must not offer. The example removes the MD5 and SHA-1 digests and HMACs and the SSLv3 key derivation mechanisms from the token. A request for one of these algorithms is not rejected by the JVM; it is serviced by the next provider in the list that implements it (IBMJCE in the configuration below), so disabling a mechanism here moves it to software rather than making it unavailable.

Note: The PKCS#11 library path shown is valid for a Novell SLES 11 SP2 distribution. On other distributions the library may be installed elsewhere, so verify the path before restarting the server.

The next step is to point from the Java Security properties file to the token configuration file. The Java Security properties file java.security is located at the following path:

/opt/IBM/WebSphere/AppServer/java/jre/lib/security/java.security

In the providers list section, append the path of the token configuration file to the IBMPKCS11Impl provider entry, separated from the class name by a single space:

# 
# List of providers and their preference orders (see above): 
# 
#security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS 
security.provider.1=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl /etc/cex3config.cfg 
security.provider.2=com.ibm.crypto.provider.IBMJCE 
security.provider.3=com.ibm.jsse.IBMJSSEProvider 
security.provider.4=com.ibm.jsse2.IBMJSSEProvider2 
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider 
security.provider.6=com.ibm.security.cert.IBMCertPath 
security.provider.7=com.ibm.security.cmskeystore.CMSProvider
... 
Note:
  1. There must be no carriage return/line feed between the provider class name IBMPKCS11Impl and the token configuration file path. Otherwise the configuration file is not recognized.
  2. The IBMPKCS11Impl provider should be listed first. The JVM asks providers in list order, so this ensures that IBMPKCS11Impl is the first provider asked to service a cryptographic request. When you insert it at position 1, renumber the remaining entries so that the numbers stay consecutive, as in the listing above: the JVM reads security.provider.1, security.provider.2, and so on, and stops at the first missing number, so a gap silently drops every provider after it.
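The following script is an added example and is not part of the IBM documentation. It checks the two files described above before the server is restarted: that IBMPKCS11Impl is provider 1 and carries the token configuration path on the same line (note 1), that the provider numbering has no gap (note 2), and that the configuration file names a readable PKCS#11 library. It assumes a POSIX shell with awk and sed; the file names and contents in the demo section at the end are constructed for the example and stand in for the real java.security and /etc/cex3config.cfg.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: sanity-check a java.security
# provider list and the PKCS#11 token configuration file it points to.
# The demo files created at the bottom are constructed for this example.

# Index N of the security.provider.N entry naming IBMPKCS11Impl (expected: 1).
pkcs11_provider_index() {
    sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*IBMPKCS11Impl.*/\1/p' "$1" | head -n 1
}

# Print the token configuration path that follows the class name on the
# IBMPKCS11Impl line. Fails and prints nothing when the path is missing,
# which is what a line break between class name and path (note 1) looks like.
pkcs11_cfg_path() {
    awk -F= '
        /^security\.provider\.[0-9]+=/ && $2 ~ /IBMPKCS11Impl/ {
            n = split($2, f, /[ \t]+/)
            if (n >= 2 && f[2] != "") { print f[2]; found = 1 }
            exit
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Succeed only when the active entries are numbered 1..N with no gap or
# duplicate; the JVM stops reading the list at the first missing number.
check_provider_numbering() {
    sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$1" |
    awk '{ seen[$1]++; if ($1 > max) max = $1 }
         END { for (i = 1; i <= max; i++) if (seen[i] != 1) exit 1
               exit (max > 0 ? 0 : 1) }'
}

# Value of "key = value" in the token configuration file, whitespace trimmed.
cfg_value() {
    awk -F= -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# The PKCS#11 library must exist and be readable by the user running the JVM;
# its path differs between distributions, so check it rather than assume it.
check_token_library() {
    lib=$(cfg_value "$1" library)
    [ -n "$lib" ] && [ -r "$lib" ]
}

# Run every check; returns 0 when the configuration is usable.
validate_pkcs11_setup() {
    javasec="$1"
    idx=$(pkcs11_provider_index "$javasec")
    [ "${idx:-none}" = 1 ] ||
        { echo "IBMPKCS11Impl is provider '${idx:-none}', expected 1" >&2; return 1; }
    check_provider_numbering "$javasec" ||
        { echo "provider numbering has a gap or duplicate" >&2; return 1; }
    cfg=$(pkcs11_cfg_path "$javasec") ||
        { echo "no token configuration path on the IBMPKCS11Impl line" >&2; return 1; }
    [ -r "$cfg" ] || { echo "token configuration $cfg is not readable" >&2; return 1; }
    check_token_library "$cfg" ||
        { echo "PKCS#11 library '$(cfg_value "$cfg" library)' is not readable" >&2; return 1; }
    echo "ok: provider 1 = IBMPKCS11Impl, token '$(cfg_value "$cfg" name)'," \
         "slotListIndex $(cfg_value "$cfg" slotListIndex), config $cfg"
}

# Constructed demo input: a correct setup, and a broken one in which the path
# slipped onto its own line (note 1) and the numbering has a gap (note 2).
make_demo_files() {
    printf 'not a real library\n' > "$1/PKCS11_API.so64"
    cat > "$1/cex3config.cfg" <<EOF
name = IBMICATOK
library = $1/PKCS11_API.so64
slotListIndex = 0
EOF
    cat > "$1/good.security" <<EOF
#security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.1=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl $1/cex3config.cfg
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
EOF
    cat > "$1/broken.security" <<EOF
security.provider.1=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
$1/cex3config.cfg
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
EOF
}

demo=$(mktemp -d)
make_demo_files "$demo"
validate_pkcs11_setup "$demo/good.security"
validate_pkcs11_setup "$demo/broken.security" || echo "broken.security rejected, as expected"
rm -rf "$demo"
```

Against a real installation, call validate_pkcs11_setup with the java.security path from the text and run it as the user that starts the server, so that the readability checks reflect that user's permissions. After the restart, the effective order can be confirmed from inside the JVM with Security.getProviders(): the first element should be the IBMPKCS11Impl instance, and its getInfo() returns the description string from the token configuration file.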