Using the PKCS #11 security provider

When launching Airlock IAM the path to the file must be specified in JAVA_OPTS.

#in instances/<instance-name>/ use (or add to existing Java options) =

Configuring PKCS #11

Supported Use-Cases

PKCS #11 is supported in for two use cases:

  • Encrypting password hashes
  • Password end-to-end encryption

HSM Keystore plugin configuration

The HSM Keystore plugin is used where the HSM is involved. The most important settings are:




Security Provider Name


If a SunPKCS11 security provider is used, the provider is SunPKCS11-<Token Name>, where <Token Name> is the name given in the configuration file in step 1.

Keystore Type


PKCS11 is the type used if the SunPKCS11 security provider is used. If another provider is used, check the documentation of the provider for the keystore type.

Keystore Password

The password (if needed) to login to the HSM slot. If a connection was already established another way on the system, this can be empty.

The key store password can't be changed once the configuration is activated. The JVM caches the security provider until restart.

Thus, even configuration validation will also not reflect the password change. If the key store password has to be changed, a restart of IAM is required.

Further information and links

  • Password hash encryption with HSM
    • Configuration in the Loginapp UI: In the Password Repository of the Username Password Authentication Step of the affected authentication flow, use the Encrypted Password Hash plugin.
  • Password end-to-end encryption with HSM