SSL Server using Hardware Cryptography through an IBMPKCS11Impl provider
This example shows the server side of a secure socket where the key required by the server is held in a hardware cryptography keystore of type IBMPKCS11Impl. Using hardware cryptography requires a configuration file that is specific to the hardware crypto card being used. See the IBM PKCS11 Implementation Provider documentation for the JSSE configuration files for the different cards; it also describes the setup and creation of the hardware key.
First configure the IBMPKCS11Impl provider from its configuration file, then add it to the Java™ Provider List. The creation of the key on the hardware cryptography card is not shown.
import java.security.KeyStore;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
// NullPrompter is the CallbackHandler shipped with the IBMPKCS11Impl provider;
// import it from the provider's package.

public class Pkcs11SslServer {
    public static void main(String[] args) throws Exception {
        //***************************************************************************
        // Substitute actual hardware and configuration information.
        // The card PIN is hard-coded only to keep the example short; in a real
        // deployment read it from a protected source rather than from source code.
        String password = "12345678";
        String dlllocation = "/usr/lib/pkcs11/PKCS11_API.so";
        String slotnumber = "0";   // kept as a String because it is concatenated below
        String configname = "/home/test/cfg/4960.cfg";
        //*****************************************************************************
        // Set up Crypto Card hardware provider.
        com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl p1 =
            new com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl(configname);
        // Must add the hardware crypto provider before IBMJCE in the Java Provider List
        // but after the Oracle provider on Solaris and HP systems.
        Security.insertProviderAt(p1, 2);
        // Add the IBMJSSE2 Provider to the Java Provider list
        Security.addProvider(new com.ibm.jsse2.IBMJSSEProvider2());
        // Login to the card. The prompter carries the PKCS#11 library location,
        // the slot number and the PIN so that no interactive prompt is needed.
        char[] passwd = new char[password.length()];
        password.getChars(0, password.length(), passwd, 0);
        NullPrompter np = new NullPrompter(dlllocation + ":" + slotnumber, passwd);
        p1.login(null, np);
        // Get a keystore of type PKCS11IMPLKS. The name of the keystore
        // is not relevant for a PKCS11IMPLKS keystore, so no stream is passed.
        KeyStore ks = KeyStore.getInstance("PKCS11IMPLKS");
        ks.load(null, null);
        // Create a KeyManagerFactory that implements the X.509 key management
        // algorithm using the IBMJSSE2 provider.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("IbmX509", "IBMJSSE2");
        // Already logged into card. Password not required.
        kmf.init(ks, null);
        // Initialize the SSLContext with the KeyManagerFactory and the default
        // TrustManager. Because there is no client authentication, no trusted
        // certificates are required. SSL_TLS will allow the server to handshake
        // using SSLv3 or TLSv1 protocol. (SSLv3 is obsolete per RFC 7568, so
        // restrict the enabled protocols on the socket before accepting clients.)
        SSLContext sslContext = SSLContext.getInstance("SSL_TLS", "IBMJSSE2");
        sslContext.init(kmf.getKeyManagers(), null, null);
        // Create an SSL server socket listening on port 8050
        SSLServerSocketFactory factory = sslContext.getServerSocketFactory();
        SSLServerSocket ssl_server_sock = (SSLServerSocket) factory.createServerSocket(8050);
        // rest not shown
    }
}
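As an added example that is not part of IBM's documentation, the helper class below shows two checks a practitioner would make around the setup above: confirming that the loaded PKCS11IMPLKS keystore actually exposes a private-key entry for the key manager to use (otherwise every handshake fails), and trimming the server socket's enabled protocols so that a context created with "SSL_TLS" handshakes only over TLS and never over SSLv3. The class name, the method names and the sample protocol list in main are assumptions; the hardware-dependent part (IBMPKCS11Impl construction and login) is not repeated, and the methods use only the standard java.security and javax.net.ssl APIs, so the main method runs without a crypto card.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.SSLServerSocket;

// Hypothetical helper class; not part of the IBMPKCS11Impl or IBMJSSE2 providers.
public class Pkcs11ServerChecks {

    // Return the aliases in an already loaded keystore (for example the
    // PKCS11IMPLKS keystore from the setup code) that hold a private key.
    // An empty result means the KeyManagerFactory has no server key at all,
    // so check this before calling createServerSocket.
    public static List<String> keyEntryAliases(KeyStore ks) throws KeyStoreException {
        List<String> found = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                found.add(alias);
            }
        }
        return found;
    }

    // Keep only TLS protocol names from a supported-protocol list. An "SSL_TLS"
    // context can negotiate SSLv3, which is obsolete (RFC 7568); "SSLv2Hello" is
    // only a hello-message format and is dropped as well.
    public static String[] tlsOnly(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String p : supported) {
            if (p.startsWith("TLS")) {
                keep.add(p);
            }
        }
        return keep.toArray(new String[0]);
    }

    // Apply the filter to a server socket created from the SSL_TLS context,
    // using the standard JSSE SSLServerSocket methods.
    public static void restrictToTls(SSLServerSocket sock) {
        sock.setEnabledProtocols(tlsOnly(sock.getSupportedProtocols()));
    }

    public static void main(String[] args) {
        // Constructed sample of the kind of list getSupportedProtocols() returns
        // for an SSL_TLS context; only the TLS entry survives the filter.
        String[] sample = {"SSLv2Hello", "SSLv3", "TLSv1"};
        System.out.println("enabled after filter: " + String.join(",", tlsOnly(sample)));
    }
}
```

In the server code, call keyEntryAliases(ks) after ks.load(null, null) and treat an empty list as a configuration error, and call restrictToTls(ssl_server_sock) before the first accept(); both checks are cheap and turn a silent downgrade or a missing hardware key into an explicit failure at startup.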