Using a Configuration File

To install the provider statically, add the provider to the Java™ Security properties file ($JAVA_HOME/lib/security/java.security) with the configuration file's full pathname after the provider name. For example:
security.provider.6=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl /opt/foo/cfg/pkcs11.cfg

Here, pkcs11.cfg is given by the full pathname of the configuration file, which specifies the PKCS library, name, description, attributes, and so on. The pathname is platform dependent. For example, /opt/foo/cfg/pkcs11.cfg might be the pathname on AIX® or Linux®, while c:\foo\pkcs11.cfg might be the one on Windows. See the Configuration file section for detailed information. When the system loads the provider, it automatically initializes it with the information from the configuration file.

Here is the old syntax for adding the provider to the Java Security properties file:
security.provider.6=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl

Without the configuration file information, the system loads an empty provider with no algorithms associated with it. You must programmatically initialize it before you are able to explore its cryptographic capabilities. You can initialize it by calling com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl.Init(String, char[]).

Alternatively, you can dynamically install the provider using a configuration file. Here is a code snippet:
import java.security.Provider;
import java.security.Security;
//create a new instance of IBMPKCS11Impl using the configuration file.
Provider p = new com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl("D:\\pkcs11impl\\luna.cfg");
//add the provider to the system
Security.addProvider(p);

User login is required to access private information on the token, such as private keys and secret keys. Some crypto devices may require user login before their crypto operations can be used. The purpose of com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl.Init(String, char[]) is twofold: it tells the provider where to locate the configuration file, and it lets users supply their PIN for authentication. Once authentication is successful, the provider is fully initialized and the application has complete access to the crypto device and can use its capabilities. Alternatively, you can use com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl.login(Subject, CallbackHandler) to supply the PIN. The CallbackHandler must support a PasswordCallback. You only need to provide the PIN once for authentication. Once you log in, you don't have to do it again until you log out of the provider.
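The login(Subject, CallbackHandler) path described above, as an added example that is not IBM's own code: a CallbackHandler that supports only PasswordCallback, prompts for the PIN on the console, and wipes its copy afterwards. The class names TokenLoginExample and ConsolePinHandler are hypothetical, and the example assumes that login is called on the provider instance, that a null Subject is accepted, and that the configuration file pathname is passed as the first argument.

```java
import java.io.Console;
import java.io.IOException;
import java.security.Security;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl;

public class TokenLoginExample {

    // Answers only PasswordCallback, prompting on the console so the PIN
    // never appears in source code, command-line arguments or property files.
    static final class ConsolePinHandler implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof PasswordCallback)) {
                    throw new UnsupportedCallbackException(cb, "only PasswordCallback is supported");
                }
                Console console = System.console();
                if (console == null) {
                    throw new IOException("no interactive console available for PIN entry");
                }
                char[] pin = console.readPassword("Token PIN: ");
                if (pin == null) {
                    throw new IOException("PIN entry cancelled");
                }
                try {
                    // PasswordCallback stores its own copy of the array.
                    ((PasswordCallback) cb).setPassword(pin);
                } finally {
                    Arrays.fill(pin, '\0'); // wipe the local copy
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0]: full pathname of the configuration file (supplied by the caller)
        IBMPKCS11Impl p = new IBMPKCS11Impl(args[0]);
        Security.addProvider(p);
        // Assumption: login is an instance method and accepts a null Subject.
        p.login(null, new ConsolePinHandler());
        System.out.println("Logged in to provider " + p.getName());
    }
}
```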