Configure SunPKCS11 to use the Futurex PKCS11 module

1min
This section shows how to configure the SunPKCS11 provider to use the  PKCS #11 module, providing separate instructions for Linux and Windows. The SunPKCS11 provider, an integral part of the Java Cryptography Architecture (JCA), enables Java applications to access cryptographic services through the PKCS #11 API.
Choose one of the following operating systems and perform the instructions:
Linux
Windows
1
Locate the Futurex PKCS #11 library:
Confirm the location of the libfxpkcs11.so file available on your system. Note its full path for later use. For example, it might be located at /usr/local/bin/fxpkcs11/libfxpkcs11.so.
2
Create a SunPKCS11 configuration file:
The SunPKCS11 provider uses a configuration file to load the  PKCS #11 module. Perform the following steps:
Create a file named pkcs11.cfg (or any name you prefer, with a .cfg extension). You can save this file anywhere, but a standard location would be something like /usr/local/etc/pkcs11.cfg. 
Add the following content to the file, adjusting the library path to indicate the installation location for the  PKCS #11 library on your system:
Text
name = Futurex
library = /usr/local/bin/fxpkcs11/libfxpkcs11.so
slotListIndex = 0

# PRIVATE KEY
attributes(generate,CKO_PRIVATE_KEY,*) = {
    CKA_SIGN = true
    CKA_VERIFY = true
    CKA_TOKEN = true
    CKA_PRIVATE = true
    CKA_SENSITIVE = true
    CKA_EXTRACTABLE = false
}
name = Futurex
library = /usr/local/bin/fxpkcs11/libfxpkcs11.so
slotListIndex = 0

# PRIVATE KEY
attributes(generate,CKO_PRIVATE_KEY,*) = {
    CKA_SIGN = true
    CKA_VERIFY = true
    CKA_TOKEN = true
    CKA_PRIVATE = true
    CKA_SENSITIVE = true
    CKA_EXTRACTABLE = false
}
﻿
name: Specify a friendly name for the  PKCS #11 provider.
library: Specify the full path to the  PKCS #11 module.
slotListIndex: Specify the default  PKCS #11 slot number.
3
Register the library with Java:
Open the the java.security file.
Shell
vim $JAVA_HOME/conf/security/java.security
vim $JAVA_HOME/conf/security/java.security
﻿
Add the following line with the path of the pkcs11.cfg file you just created to the SunPKCS11 security provider line. Then save the file.
Text
security.provider.12=SunPKCS11 /[pathTo]/pkcs11.cfg
security.provider.12=SunPKCS11 /[pathTo]/pkcs11.cfg
﻿
4
Verify the configuration:
Run the following Java keytool command in a terminal to verify that you configured the SunPKCS11 provider correctly to interact with the  PKCS #11 library:
Shell
keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex 
keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex 
﻿
If successful, you should see a line similar to the following one: Your keystore creation contains [number] entries.
1
Locate the JDK installation directory:
Find the path to your JDK installation. This is typically something similar to C:\Program Files\Java\jdk-<version>.
2
Create a configuration file for SunPKCS11:
The SunPKCS11 provider uses a configuration file to load the  PKCS #11 module. Create a file named pkcs11.cfg (or any other name you prefer, with a .cfg extension).
Add the following content to the file, adjusting the library path to point to where you installed the  PKCS #11 library on your system:
Text
name = Futurex
library = C:/Program Files/Futurex/fxpkcs11/fxpkcs11.dll
slotListIndex = 0

# PRIVATE KEY
attributes(generate,CKO_PRIVATE_KEY,*) = {
    CKA_SIGN = true
    CKA_VERIFY = true
    CKA_TOKEN = true
    CKA_PRIVATE = true
    CKA_SENSITIVE = true
    CKA_EXTRACTABLE = false
}
name = Futurex
library = C:/Program Files/Futurex/fxpkcs11/fxpkcs11.dll
slotListIndex = 0

# PRIVATE KEY
attributes(generate,CKO_PRIVATE_KEY,*) = {
    CKA_SIGN = true
    CKA_VERIFY = true
    CKA_TOKEN = true
    CKA_PRIVATE = true
    CKA_SENSITIVE = true
    CKA_EXTRACTABLE = false
}
﻿
3
Register the library with Java:
Open the the java.security file in a text editor. The file is usually located at %JAVA_HOME%\conf\security\java.security
Add the following line with the path of the pkcs11.cfg file you just created to the SunPKCS11 security provider line. Then save the file.
Use double back slashes for the path.
Text
security.provider.12=SunPKCS11 C:\\[pathTo]\\pkcs11.cfg
security.provider.12=SunPKCS11 C:\\[pathTo]\\pkcs11.cfg
﻿
4
Verify the configuration:
Open a command prompt, and run the following java keytool command to verify that you configured the SunPKCS11 provider correctly to interact with the  PKCS #11 library:
Shell
keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
If successful, you should see a line similar to the following one: Your keystore contains [number] entries.
﻿
﻿
﻿
Configure the JAVA_HOME environment variable
Create Java KeyStore