Configuring the JVM for PKCS #11

PKCS #11 support is enabled in Java by first configuring a security provider with a configuration file for the specific HSM in use.

Create a Sun PKCS #11 security provider configuration

Technically Airlock IAM is not limited to the SunPKCS11 security provider but can use any JCA/JCE compliant security provider. However, other security providers are not tested by Airlock IAM.

Create a new file named /opt/airlock/java.security referencing the HSM-specific .cfg file.

conf/security/java.security

security.provider.13=SunPKCS11 /opt/airlock/luna.cfg

The "13" is there because in the Java which is bundled with Airlock IAM, there are 12 default security providers. You may double-check this by looking at jdk-11/conf/security/java.security.

Do not configure both a custom HSM provider and the SunPKCS11 provider. During testing this has led to errors and disconnects.

Create a Java PKCS #11 configuration file for the HSM

Create a Java PKCS #11 configuration file for the HSM. A short example is given below; for detailed documentation see the Java PKCS #11 Documentation or the documentation of your HSM.

luna.cfg

name = Luna
library = /opt/luna/libs/cryptoki.so
description = Luna config
slot = 1

The "name" is an identifier that can be freely chosen. "library" must point to the PKCS #11 library of the HSM. "description" can be any description and is optional. The "slot" identifies the slot number where the keys for Airlock IAM are stored on the HSM. Alternatively, the index of the slot can be configured with "slotListIndex". This file must be stored somewhere where the JVM can read it.
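Before pointing Airlock IAM at the HSM, it is worth confirming that the bundled JVM actually registers the provider from java.security and can open the PKCS #11 keystore in the configured slot. The following smoke test is an added example, not part of Airlock IAM or its documentation; it assumes Java 11, the "name = Luna" and /opt/airlock/luna.cfg values shown above, and that a real HSM slot is reachable. It only lists entry aliases, it never exports key material.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Enumeration;

// Smoke test: does this JVM see the HSM through the SunPKCS11 provider?
// Run with the same JVM and java.security that Airlock IAM will use.
public class HsmProviderCheck {
    // Values from luna.cfg / java.security on this page (adjust for your host).
    private static final String CFG_NAME = "Luna";
    private static final String CFG_PATH = "/opt/airlock/luna.cfg";

    public static void main(String[] args) throws Exception {
        // A provider registered via "security.provider.N=SunPKCS11 <cfg>" shows
        // up at JVM startup under the name "SunPKCS11-<name>" (name from the cfg).
        Provider p = Security.getProvider("SunPKCS11-" + CFG_NAME);
        if (p == null) {
            // Not wired into java.security: fall back to configuring it here so
            // the cfg file itself can still be checked.
            System.out.println("SunPKCS11-" + CFG_NAME + " not found in java.security, "
                    + "configuring from " + CFG_PATH);
            p = Security.getProvider("SunPKCS11").configure(CFG_PATH);
            Security.addProvider(p);
        }
        System.out.println("Registered providers:");
        Provider[] all = Security.getProviders();
        for (int i = 0; i < all.length; i++) {
            // Prints the position so the security.provider.N index can be verified.
            System.out.println("  " + (i + 1) + ": " + all[i].getName());
        }

        if (System.console() == null) {
            throw new IllegalStateException("run from a terminal so the PIN can be read");
        }
        char[] pin = System.console().readPassword("PIN for slot in " + CFG_PATH + ": ");
        try {
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin);                     // logs in to the configured slot
            System.out.println("Keystore opened via " + p.getName());
            Enumeration<String> aliases = ks.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                String kind = ks.isKeyEntry(alias) ? "key" : "certificate";
                System.out.println("  entry: " + alias + " (" + kind + ")");
            }
        } finally {
            Arrays.fill(pin, '\0');                 // do not leave the PIN in memory
        }
    }
}
```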