Using the PKCS #11 security provider

When launching Airlock IAM, the path to the java.security override file must be passed in the Java options (JAVA_OPTS). In instances/<instance-name>/instance.properties, set (or append to the existing Java options):

# instances/<instance-name>/instance.properties
iam.java.opts = -Djava.security.properties=/opt/airlock/java.security
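The two files that this setting relies on, the java.security override named in iam.java.opts and the SunPKCS11 provider configuration it registers (the "configuration file in step 1" that gives the provider its name), as an added example that is not taken from the Airlock IAM documentation. The token name Luna, the library path, the slot selection and the provider index 13 are assumptions and must be adapted to the HSM client and JDK actually installed.

```properties
# /opt/airlock/java.security
# Loaded via -Djava.security.properties=<file>. With a single "=" only the keys
# listed here override the JDK defaults; "==" would replace the whole file.
# The index must be the next free one after the providers listed in
# $JAVA_HOME/conf/security/java.security (13 is an assumption; check the JDK's file).
# Java 9 and later take "SunPKCS11 <config file>"; Java 8 used
# "sun.security.pkcs11.SunPKCS11 <config file>" instead.
security.provider.13=SunPKCS11 /opt/airlock/pkcs11.cfg

# /opt/airlock/pkcs11.cfg  (SunPKCS11 provider configuration)
# "name" yields the provider name SunPKCS11-Luna that the HSM Keystore plugin refers to.
# "library" is the vendor's PKCS #11 client library; the path below is assumed.
name = Luna
library = /usr/safenet/lunaclient/lib/libCryptoki2_64.so
# select the token by its position in the slot list (alternatively: slot = <slot id>)
slotListIndex = 0
```

After a restart of the instance, the JVM lists a provider named SunPKCS11-Luna; if the library path or slot is wrong, provider initialization fails at startup and the error is logged by the JVM, not by the plugin.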

Configuring PKCS #11

Supported Use-Cases

PKCS #11 is supported for two use cases:

  • Encrypting password hashes
  • Password end-to-end encryption

HSM Keystore plugin configuration

The HSM Keystore plugin is used wherever the HSM is involved. The most important settings are:

Security Provider Name
  Example: SunPKCS11-Luna
  If the SunPKCS11 security provider is used, the provider name is SunPKCS11-<Token Name>, where <Token Name> is the value of the name attribute in the provider configuration file created in step 1.

Keystore Type
  Example: PKCS11
  PKCS11 is the keystore type if the SunPKCS11 security provider is used. If another provider is used, check the provider's documentation for the keystore type it offers.

Keystore Password
  Example: (empty)
  The password (PIN), if needed, to log in to the HSM slot. If a login to the slot has already been established another way on the system, this can be left empty.

The keystore password cannot be changed once the configuration is activated: the JVM caches the security provider, including its login to the slot, until it is restarted. Consequently, not even configuration validation reflects a changed password. If the keystore password has to be changed, Airlock IAM must be restarted.
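A stand-alone check of the three plugin settings above (provider name, keystore type, slot password) that does not go through Airlock IAM at all, as an added example that is not part of the product. It is run with the same -Djava.security.properties option as the IAM instance; the default provider name SunPKCS11-Luna and the command-line arguments are assumptions.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

/**
 * Verifies that the PKCS #11 provider configured in java.security is visible to the
 * JVM and that the slot can be opened with the given PIN. Run it with the same
 * override file that IAM uses, for example:
 *   java -Djava.security.properties=/opt/airlock/java.security Pkcs11Check SunPKCS11-Luna PKCS11 "$SLOT_PIN"
 * Example code added for this page; not Airlock IAM code.
 */
public class Pkcs11Check {
    public static void main(String[] args) throws Exception {
        // Defaults mirror the plugin's example values; "Luna" is an assumed token name.
        String providerName = args.length > 0 ? args[0] : "SunPKCS11-Luna";
        String keystoreType = args.length > 1 ? args[1] : "PKCS11";
        // No third argument: pass null and rely on a login established elsewhere on the system.
        char[] pin = args.length > 2 ? args[2].toCharArray() : null;

        Provider provider = Security.getProvider(providerName);
        if (provider == null) {
            // The most common cause is a wrong "name" in the provider config or a wrong provider index.
            System.err.println("Provider " + providerName + " is not registered. Registered providers:");
            for (Provider p : Security.getProviders()) {
                System.err.println("  " + p.getName() + ": " + p.getInfo());
            }
            System.exit(1);
        }
        System.out.println("Provider found: " + provider.getName() + " (" + provider.getInfo() + ")");

        // For PKCS11 keystores the input stream is always null; the password is the slot PIN.
        KeyStore keyStore = KeyStore.getInstance(keystoreType, provider);
        keyStore.load(null, pin);
        System.out.println("Keystore opened, " + keyStore.size() + " entries:");
        for (String alias : Collections.list(keyStore.aliases())) {
            System.out.println("  " + alias + (keyStore.isKeyEntry(alias) ? " (key)" : " (certificate)"));
        }
    }
}
```

Because each run starts a fresh JVM, the login to the slot is performed anew every time, so a changed PIN is detected here immediately. The running IAM instance behaves differently for exactly the reason stated above: its JVM keeps the provider and its login cached, which is why only a restart makes a new keystore password effective.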

Further information and links