HSM pwd end-to-end encryption
17.4.1.1.5. Password end-to-end encryption with HSM in the JSP-Loginapp

Follow the instructions on 10.2.1.5. End-to-End Encryption of passwords for the basic configuration of password end-to-end Encryption.

Instead of using a Java Keystore, use the HSM Keystore plugin.

Private Keys are not correctly read by the SunPKCS11 security provider. Only private keys with associated certificate chains are read (see also the official documentation, Appendix B, "Read Only Access").

A workaround is to either generate a certificate for the given key or generate a certificate with the private key instead of using a private key.

Further information and links