PKCS#11
Public Key Cryptography Standards #11 (PKCS#11) is implemented by using the SunPKCS11 provider with IBM modifications for the z/OS® operating system. This security provider uses the Java™ Cryptography Architecture (JCA) and Java Cryptography Extension (JCE) frameworks to add the capability to use hardware cryptographic devices through PKCS#11 interfaces.
Cryptographic hardware support for PKCS#11 is provided by the z/OS Integrated Cryptographic Service Facility (ICSF), which includes the PKCS#11 C APIs on z/OS for its implementation of the PKCS#11 standard. You must have ICSF running on a system with a supported cryptographic hardware configuration as described in Summary of callable service support by hardware configuration in the documentation for your version of z/OS.
The SunPKCS11 provider is described in the PKCS#11 Reference Guide in the Oracle documentation. Information about the use of the SunPKCS11 provider on z/OS, such as the required ICSF configuration, is available in Configuring for PKCS#11 support. The following list summarizes the IBM modifications to the SunPKCS11 provider:
- library configuration attribute
  The library attribute in the PKCS#11 configuration file specifies the path and name of the PKCS#11 implementation file. For the IBM PKCS#11 implementation, you specify either the absolute path name of the z/OS UNIX PKCS#11 XPLINK DLL file or the member name of the MVS partitioned data set that contains the XPLINK ICSF C API DLL. For more information, see Configuring for PKCS#11 support.
- tokenLabel configuration attribute
  The IBM modifications add a tokenLabel attribute to the PKCS#11 configuration file. This attribute associates a slot with an instance of the PKCS#11 provider. You should use the tokenLabel attribute instead of the slot or slotListIndex attributes. For more information about the tokenLabel attribute, see Configuring for PKCS#11 support.
- Network Security Services attributes are not supported
  Network Security Services (NSS) is not available on the z/OS operating system, so the NSS attributes listed in Accessing NSS in the Oracle documentation are not supported.
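The following check is an added example, not IBM or Oracle code: it scans a PKCS#11 configuration file for the three points in the list above (a library attribute is present, tokenLabel is used rather than slot or slotListIndex, and no NSS attributes appear). Assumptions: the function name, the sample file contents and the placeholder library path are constructed for illustration, any top-level attribute whose name starts with "nss" is treated as an NSS attribute, and a missing tokenLabel is reported as a finding.

```python
import re

# Constructed sample config (not from the page); the library value is a placeholder.
SAMPLE = """\
# constructed sample
name = Example
library = /placeholder/path/to/pkcs11-dll
slotListIndex = 0
nssDbMode = readOnly
attributes(*,CKO_SECRET_KEY,*) = {
  CKA_SENSITIVE = true
}
"""

SLOT_KEYS = {"slot", "slotListIndex"}  # the page says to use tokenLabel instead
KEY_VALUE = re.compile(r"([A-Za-z]\w*)\s*=\s*(.*)$")

def lint_pkcs11_config(text):
    """Return (line_number, message) findings; line 0 means 'whole file'."""
    findings, seen, depth = [], set(), 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Only top-level "key = value" lines are provider attributes; lines
        # inside an attributes(...) = { ... } block are key templates.
        m = KEY_VALUE.match(line) if depth == 0 else None
        depth += line.count("{") - line.count("}")
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        seen.add(key)
        if key in SLOT_KEYS:
            findings.append((n, f"{key}: use tokenLabel instead"))
        elif key.startswith("nss"):
            findings.append((n, f"{key}: NSS is not available on z/OS"))
        elif key == "library" and not value:
            findings.append((n, "library: empty value"))
    for required in ("library", "tokenLabel"):
        if required not in seen:
            findings.append((0, f"{required}: attribute missing"))
    return findings

if __name__ == "__main__":
    for line_no, msg in lint_pkcs11_config(SAMPLE):
        print(f"line {line_no}: {msg}")
```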