Migrating applications

Most applications originally written for JCE will be able to run as is with a few setup changes. The biggest change that an application has to make is to ensure that the IBMPKCS11Impl provider is initialized. Second, the IBMPKCS11Impl provider must be in the provider list, either listed there explicitly or added to it using API calls. Once the PKCS#11 provider (IBMPKCS11Impl) is selected and initialized, none of the JCE API calls need to be changed to take advantage of the hardware capabilities. This provider automatically converts keys generated by a software provider, if the hardware device supports this conversion. Therefore, an existing application can be easily migrated from the software JCE environment (like IBMJCE) into the hardware-capable PKCS#11 environment (IBMPKCS11Impl).

The IBMPKCS11Impl provider provides default attribute values for key pair generation to initialize the provider. The default attribute values can be modified by putting the attribute value in the configuration file. This allows most applications to generate keys on hardware devices without having to modify their code. In this way, multiple hardware devices are easily supported.
Note: A PKCS11KeySpec is only valid on the system where the key was originally generated. The PKCS11KeySpec consists only of the PKCS11Object. If the keys are SENSITIVE, the keys are represented in such a way that they cannot be moved to another system. Also, some hardware devices do not support the simple form of RSAPrivateKey, RSAPrivateKeySpec. However, they usually will support the CRT form, using RSAPrivateCrtKeySpec.
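
The following migration self-test is an added example, not code from IBM or from the original page. It uses only standard JCA calls and assumes that the provider is already configured and initialized, that it is registered under the name IBMPKCS11Impl, and that the device accepts RSA private key import and SHA256withRSA; the class name Pkcs11MigrationCheck is hypothetical. It fails closed if the hardware provider is missing from the provider list, and it hands a software-generated key to the device in CRT form.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.RSAPrivateCrtKeySpec;

public class Pkcs11MigrationCheck {
    // Assumption: name under which the configured hardware provider is registered.
    static final String HW = "IBMPKCS11Impl";

    // First RSA-capable provider in the list that is not the hardware provider.
    static Provider softwareRsaProvider() {
        Provider[] all = Security.getProviders("KeyPairGenerator.RSA");
        if (all != null)
            for (Provider p : all)
                if (!HW.equals(p.getName())) return p;
        throw new IllegalStateException("no software RSA provider found");
    }

    public static void main(String[] args) throws Exception {
        Provider hw = Security.getProvider(HW);
        if (hw == null) // do not silently fall back to software crypto
            throw new IllegalStateException(HW + " is not in the provider list");
        Provider sw = softwareRsaProvider();

        // Stand-in for a key that the application created before migration.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", sw);
        kpg.initialize(2048);
        KeyPair soft = kpg.generateKeyPair();

        // Export in CRT form, which devices usually accept, instead of the
        // simple RSAPrivateKeySpec form that some devices reject.
        RSAPrivateCrtKeySpec crt = KeyFactory.getInstance("RSA", sw)
                .getKeySpec(soft.getPrivate(), RSAPrivateCrtKeySpec.class);
        PrivateKey hwKey = KeyFactory.getInstance("RSA", hw).generatePrivate(crt);

        // Same JCE calls as before; only the provider argument differs.
        byte[] msg = "migration self-test".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA", hw);
        signer.initSign(hwKey);
        signer.update(msg);
        byte[] sig = signer.sign();

        // Cross-check the hardware signature with the software provider.
        Signature verifier = Signature.getInstance("SHA256withRSA", sw);
        verifier.initVerify(soft.getPublic());
        verifier.update(msg);
        if (!verifier.verify(sig))
            throw new SignatureException("hardware signature did not verify");
        System.out.println("signed by " + signer.getProvider().getName());
    }
}
```

A key imported this way has already existed in software form outside the device, so it does not gain the protection of a key generated on the device itself.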