Using the PKCS #11 security provider

When launching Airlock IAM the path to the java.security file must be specified in JAVA_OPTS.

#in instances/<instance-name>/instance.properties use (or add to existing Java options)
iam.java.opts = -Djava.security.properties=/opt/airlock/java.security

Configuring PKCS #11

Supported Use-Cases

PKCS #11 is supported in for two use cases:

  • Encrypting password hashes
  • Password end-to-end encryption

HSM Keystore plugin configuration

The HSM Keystore plugin is used where the HSM is involved. The most important settings are:

 Property

Example

Description

Security Provider Name

SunPKCS11-Luna

If a SunPKCS11 security provider is used, the provider is SunPKCS11-<Token Name>, where <Token Name> is the name given in the configuration file in step 1.

Keystore Type

PKCS11

PKCS11 is the type used if the SunPKCS11 security provider is used. If another provider is used, check the documentation of the provider for the keystore type.

Keystore Password

The password (if needed) to login to the HSM slot. If a connection was already established another way on the system, this can be empty.

The key store password can't be changed once the configuration is activated. The JVM caches the security provider until restart.

Thus, even configuration validation will also not reflect the password change. If the key store password has to be changed, a restart of IAM is required.

Further information and links