PKCS #11 support is enabled in Java by first configuring a security provider with a configuration file for the specific HSM in use.
Create a Sun PKCS #11 security provider configuration
Technically Airlock IAM is not limited to the SunPKCS11 security provider but can use any JCA/JCE compliant security provider. However, other security providers are not tested by Airlock IAM.
Create a new file named /opt/airlock/java.security referencing the HSM-specific .cfg file.
conf/security/java.security
security.provider.13=SunPKCS11 /opt/airlock/luna.cfg
The "13" is there because in the Java which is bundled with Airlock IAM, there are 12 default security providers. You may double check this by looking at jdk-11/conf/security/java.security.
Do not configure both a custom HSM provider and the SunPKCS11-provider. During testing this has lead to errors and disconnects.
Create a Java PKCS #11 configuration file for the HSM
Create a Java PKCS #11 configuration file for the HSM. A short example is given below; for detailed documentation see the Java PKCS #11 documentation or the documentation of your HSM.
luna.cfg
name = Luna
library = /opt/luna/libs/cryptoki.so
description = Luna config
slot = 1
The "name
" is an identifier can be freely chosen. "library
" must point to the PKCS #11 library of the HSM. "description
" can be any description and is optional. The "slot
" identifies the slot number where the keys for Airlock IAM are stored on the HSM. Alternatively, the index of the slot can be configured with "slotListIndex
". This file must be stored somewhere where the JVM can read it.