Working with private keys and certificates, Configuring j2se 5.0 pkcs#11 providers, Configuring j2se – Sun Microsystems GLASSFISH ENTERPRISE 820433510 User Manual

Page 124

Working With Private Keys and Certificates

Use certutil to create self-signed certificates and to import or export certificates. To import or
export private keys, use the pk12util utility. For more details, see “Using Network Security
Services (NSS) Tools” on page 116.

Caution – In Enterprise Server, do not modify the NSS password directly with the NSS tools
certutil and modutil. If you do so, security data in Enterprise Server might be corrupted.

Configuring J2SE 5.0 PKCS#11 Providers

Enterprise Server relies on J2SE PKCS#11 providers to access keys and certificates that are
located in PKCS#11 tokens at runtime. By default, Enterprise Server configures a J2SE PKCS#11
provider for the NSS soft token. This section describes how to override the default
configuration for the J2SE PKCS#11 provider.

In Enterprise Server, the following default PKCS#11 configuration parameters are generated for
each PKCS#11 token.

Configuration for the default NSS soft token:

    name=internal
    library=${com.sun.enterprise.nss.softokenLib}
    nssArgs="configdir='${com.sun.appserv.nss.db}' certPrefix='' keyPrefix='' secmod='secmod.db'"
    slot=2
    omitInitialize = true

Configuration for the SCA 1000 hardware accelerator:

    name=HW1000
    library=/opt/SUNWconn/crypto/lib/libpkcs11.so
    slotListIndex=0
    omitInitialize=true

These configurations conform to the syntax described in the Java PKCS#11 Reference Guide.

Note – The name parameter has no requirements other than that it must be unique. Certain
older versions of J2SE 5.0 support alphanumeric characters only.

You can override the default configuration parameters by creating a custom configuration file.
For example, you can explicitly disable the RSA Cipher and RSA Key Pair Generator in
SCA-1000. For details on disabling the RSA Cipher and RSA Key Pair Generator, see
http://www.mozilla.org/projects/security/pki/nss/tools.
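As an added illustration (not taken from the original guide), a custom configuration file for the SCA 1000 token that disables those two services could look like the following. It assumes the disabledMechanisms attribute defined in the Java PKCS#11 Reference Guide and the standard PKCS#11 mechanism names CKM_RSA_PKCS (RSA Cipher) and CKM_RSA_PKCS_KEY_PAIR_GEN (RSA Key Pair Generator); all other values are the defaults listed above.

```conf
# Added example: override of the default SCA 1000 provider configuration.
# name, library, slotListIndex and omitInitialize are the defaults shown
# earlier on this page; only the disabledMechanisms block is new.
name=HW1000
library=/opt/SUNWconn/crypto/lib/libpkcs11.so
slotListIndex=0

# Mechanisms listed here are not offered by this provider.
# (Assumed mapping: CKM_RSA_PKCS backs the RSA Cipher,
#  CKM_RSA_PKCS_KEY_PAIR_GEN backs the RSA Key Pair Generator.)
disabledMechanisms = {
  CKM_RSA_PKCS
  CKM_RSA_PKCS_KEY_PAIR_GEN
}

omitInitialize=true
```

Keep the name value unique across all configured tokens and, for older J2SE 5.0 releases, alphanumeric only, as the note above requires.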

Using Hardware Crypto Accelerator With Enterprise Server

Sun GlassFish Enterprise Server 2.1 Administration Guide • December 2008