Configuring JSSE to use Smartcards as Keystores and Trust Stores

Support for the IBMPKCS11Impl provider also allows a Smartcard to be used as a keystore. See the Customization section for details on how to configure the type and location of the keystores used by JSSE. To use a Smartcard as a keystore or trust store, set the javax.net.ssl.keyStoreType or javax.net.ssl.trustStoreType system property, respectively, to PKCS11IMPLKS, and set the corresponding javax.net.ssl.keyStore or javax.net.ssl.trustStore system property to NONE, because a PKCS#11 keystore has no file behind it. The token PIN takes the place of the keystore password (javax.net.ssl.keyStorePassword). If more than one PKCS11Impl provider instance is configured, select the one to use with the javax.net.ssl.keyStoreProvider and javax.net.ssl.trustStoreProvider system properties (for example, IBMPKCS11Impl-joe). Because these are the same properties that select a file-based keystore, an application that already relies on them can be switched to a Smartcard keystore with no changes to the application itself.

Some applications select their keystores programmatically. These applications can continue to use the existing APIs to instantiate a KeyStore and pass it to their key manager and trust manager. If the KeyStore instance refers to a PKCS11IMPLKS keystore backed by a Smartcard, the JSSE application can use the keys on the Smartcard for the TLS handshake; the private key itself never leaves the card, since signing is delegated to the token through the provider.
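The following class is an added example, not code from the IBM documentation or the JSSE implementation. It shows the programmatic route described above: a KeyStore of type PKCS11IMPLKS is loaded from a named provider instance with the card PIN as the "password", checked for a usable private-key entry, and fed to a KeyManagerFactory, while trust anchors come from an ordinary file-based trust store. The provider instance name IBMPKCS11Impl-joe, the trust store path, and the use of the console to read the PIN are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Arrays;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext whose client key and certificate live on a Smartcard
 * reached through the IBMPKCS11Impl provider. Added example; the provider
 * instance name and file paths used in main() are assumptions.
 */
public final class SmartcardSslContext {

    /** Keystore type registered by the IBMPKCS11Impl provider for PKCS#11 tokens. */
    static final String PKCS11_KEYSTORE_TYPE = "PKCS11IMPLKS";

    private SmartcardSslContext() { }

    /**
     * Loads the token keystore. There is no file behind a PKCS#11 keystore
     * (the system-property equivalent is javax.net.ssl.keyStore=NONE), so the
     * stream is null and the token PIN is passed where a password would go.
     */
    static KeyStore loadSmartcardKeyStore(String providerName, char[] pin)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(PKCS11_KEYSTORE_TYPE, providerName);
        ks.load(null, pin);
        return ks;
    }

    /** Fails early, with a clear message, if the card holds no private-key entry. */
    static String firstPrivateKeyAlias(KeyStore ks) throws KeyStoreException {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                return alias;
            }
        }
        throw new KeyStoreException("no private key entry found on the token");
    }

    public static SSLContext build(String providerName, char[] pin,
                                   String trustStorePath, char[] trustStorePassword)
            throws GeneralSecurityException, IOException {
        KeyStore cardKs = loadSmartcardKeyStore(providerName, pin);
        String alias = firstPrivateKeyAlias(cardKs);
        System.out.println("Using token key entry: " + alias);

        // The key manager hands handshake signing to the provider, so the
        // private key never leaves the card.
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(cardKs, pin);

        // Trust anchors from a file-based store; a second PKCS11IMPLKS KeyStore
        // could be used here instead if the card also carries the CA certificates.
        KeyStore trustKs = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustKs.load(in, trustStorePassword); // password checks store integrity
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKs);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (System.console() == null) {
            throw new IllegalStateException("run from an interactive console to enter the PIN");
        }
        // Read the PIN interactively; never pass a PIN on the command line.
        char[] pin = System.console().readPassword("Smartcard PIN: ");
        try {
            SSLContext ctx = build("IBMPKCS11Impl-joe", pin,          // assumed instance name
                                   "/etc/pki/truststore.jks",          // assumed path
                                   "changeit".toCharArray());
            System.out.println("SSLContext ready: " + ctx.getProtocol());
        } finally {
            Arrays.fill(pin, '\0'); // do not leave the PIN in heap memory
        }
    }
}
```

If the card is not inserted or the PIN is wrong, ks.load() throws an IOException (or a provider exception wrapped in one) before any key manager is created, so a missing token is reported at startup rather than as an opaque handshake failure later.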

The PKCS11Impl provider must be configured with a configuration file specific to the hardware cryptographic device, and it must be listed in the provider list (the security.provider.N entries in java.security) ahead of the other JCA/JCE providers, including the JSSE provider, so that PKCS11IMPLKS keystore requests and the associated cryptographic operations are resolved to the hardware device rather than to a software provider.
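As an added example of this arrangement (not taken from the IBM documentation), the two fragments below show a provider configuration file and the matching java.security provider list. The instance name joe is what produces the provider name IBMPKCS11Impl-joe used earlier on this page; the library path, description and slot index are assumptions for one particular installation and must be replaced with the values for the device in use.

```properties
# /etc/pkcs11/smartcard.cfg  (assumed path): IBMPKCS11Impl provider configuration.
# "name" becomes the suffix of the provider name, here IBMPKCS11Impl-joe.
name = joe
library = /usr/lib/opensc-pkcs11.so
description = Smartcard reader used for TLS client authentication
slotListIndex = 0

# java.security excerpt: the PKCS11Impl provider is listed first, ahead of the
# JSSE and JCE providers, and is handed the configuration file as its argument.
security.provider.1=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl /etc/pkcs11/smartcard.cfg
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
```

With this in place, the property-only configuration from the start of the page (javax.net.ssl.keyStoreType=PKCS11IMPLKS, javax.net.ssl.keyStore=NONE, javax.net.ssl.keyStoreProvider=IBMPKCS11Impl-joe, and the PIN in javax.net.ssl.keyStorePassword) is enough for an unmodified JSSE application to authenticate with the key on the card.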