Configure SunPKCS11 to use the Futurex PKCS #11 module

1min
This section explains configuring the SunPKCS11 provider to use the  PKCS #11 module. The SunPKCS11 provider, an integral part of the Java Cryptography Architecture (JCA), allows Java applications to access cryptographic services through the PKCS #11 API. Select one of the following operating systems and follow the instructions:
Linux
Windows
1
Locate the Futurex PKCS #11 library:
Confirm the location of the libfxpkcs11.so file available on your system. Note its full path for later use. For example, it might be located at /usr/local/bin/fxpkcs11/libfxpkcs11.so.
2
Create a SunPKCS11 configuration file:
The SunPKCS11 provider uses a configuration file to load the  PKCS #11 module. Perform the following steps:
Create a file named pkcs11.cfg (or any name you prefer, with a .cfg extension). You can save this file anywhere, but a standard location would be similar to /usr/local/etc/pkcs11.cfg. 
Add the following content to the file, adjusting the library path to indicate the installation location for the  PKCS #11 library on your system:
Adjust the values for the following parameters in the file:
name: Specify a friendly name for the  PKCS #11 provider.
library: Specify the full path to the  PKCS #11 module.
slotListIndex: Specify the default  PKCS #11 slot number.
Text
name = Futurex
library = /usr/local/bin/fxpkcs11/libfxpkcs11.so
slotListIndex = 0

# PRIVATE KEY
attributes(generate,CKO_PRIVATE_KEY,*) = {
CKA_SIGN = true
CKA_VERIFY = true
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_SENSITIVE = true
CKA_EXTRACTABLE = false
}
name = Futurex
library = /usr/local/bin/fxpkcs11/libfxpkcs11.so
slotListIndex = 0

# PRIVATE KEY
attributes(generate,CKO_PRIVATE_KEY,*) = {
CKA_SIGN = true
CKA_VERIFY = true
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_SENSITIVE = true
CKA_EXTRACTABLE = false
}
﻿
3
Register the library with Java:
Open the java.security file.
Shell
vim $JAVA_HOME/conf/security/java.security
vim $JAVA_HOME/conf/security/java.security
﻿
Add the following line with the path of the pkcs11.cfg file you just created to the SunPKCS11 security provider line. Then, save the file.
Text
security.provider.12=SunPKCS11 /[pathTo]/pkcs11.cfg
security.provider.12=SunPKCS11 /[pathTo]/pkcs11.cfg
﻿
4
Verify the configuration:
Run the following Java keytool command in a terminal to verify that you configured the SunPKCS11 provider correctly to interact with the  PKCS #11 library:
Shell
keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex 
keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex 
﻿
If successful, you should see a line similar to the following one: 
Your keystore creation contains [number] entries.
1
Locate the JDK installation directory:
Find the path to your JDK installation. This is typically something similar to C:\Program Files\Java\jdk-<version>.
2
Create a configuration file for SunPKCS11:
The SunPKCS11 provider uses a configuration file to load the  PKCS #11 module. Create a file named pkcs11.cfg (or any other name you prefer, with a .cfg extension).
Add the following content to the file, adjusting the library path to point to where you installed the  PKCS #11 library on your system:
name: Specify a friendly name for the  PKCS #11 provider.
library: Specify the full path to the  PKCS #11 module.
slotListIndex: Specify the default  PKCS #11 slot number.
Text
name = Futurex
library = C:/Program Files/Futurex/fxpkcs11/fxpkcs11.dll
slotListIndex = 0

# PRIVATE KEY
attributes(generate,CKO_PRIVATE_KEY,*) = {
    CKA_SIGN = true
    CKA_VERIFY = true
    CKA_TOKEN = true
    CKA_PRIVATE = true
    CKA_SENSITIVE = true
    CKA_EXTRACTABLE = false
}
name = Futurex
library = C:/Program Files/Futurex/fxpkcs11/fxpkcs11.dll
slotListIndex = 0

# PRIVATE KEY
attributes(generate,CKO_PRIVATE_KEY,*) = {
    CKA_SIGN = true
    CKA_VERIFY = true
    CKA_TOKEN = true
    CKA_PRIVATE = true
    CKA_SENSITIVE = true
    CKA_EXTRACTABLE = false
}
﻿
3
Register the library with Java:
Open the the java.security file in a text editor. The file is usually located at %JAVA_HOME%\conf\security\java.security
Add the following line with the path of the pkcs11.cfg file you just created to the SunPKCS11 security provider line. Then, save the file.
Use double back slashes for the path.
Text
security.provider.12=SunPKCS11 C:\\[pathTo]\\pkcs11.cfg
security.provider.12=SunPKCS11 C:\\[pathTo]\\pkcs11.cfg
﻿
4
Verify the configuration:
Open a command prompt, and run the following java keytool command to verify that you configured the SunPKCS11 provider correctly to interact with the  PKCS #11 library:
Shell
keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
If successful, you should see a line similar to the following one: Your keystore contains [number] entries.
﻿
﻿
Updated 18 Sep 2024
Did this page help you?
Configuring environment variables for Apache Tomcat
Configure the Vectera Plus