Configuring JSSE to use Smartcards as Keystores and Trust Stores
Support for the IBMPKCS11Impl provider also enables access to Smartcards as a keystore. See the
Customization section for details on how to configure the
type and location of the keystores to be used by JSSE. To use a Smartcard as a keystore or trust
store, set the
javax.net.ssl.trustStoreType system properties, respectively, to
PKCS11IMPLKS, and set the
javax.net.ssl.trustStore system properties, respectively, to
To specify the use of a specific provider, use the
javax.net.ssl.trustStoreProvider system properties (e.g.,
IBMPKCS11Impl-joe). By using these properties, you can configure an application
that previously depended on these properties to access a file-based keystore to use a Smartcard
keystore with no changes to the application.
Some applications request the use of keystores programmatically.
These applications can continue to use the existing APIs to instantiate
Keystore and pass it to its key manager and trust
manager. If the
Keystore instance refers to a PKCS11IMPLKS
keystore backed by a Smartcard, then the JSSE application will have
access to the keys on the Smartcard.
The PKCS11Impl provider must be configured with the proper configuration file specific to the hardware cryptographic device and JSSE before any other JCA/JCE providers in the provider list.