Working With Private Keys and Certificates
Use certutil to create self-signed certificates and to import or export certificates. To import or
export private keys, use the pk12util utility. For more details, see
“Using Network Security Services (NSS) Tools” on page 116.
Caution – In Enterprise Server, do not modify the NSS password directly with the NSS tools
certutil and modutil. If you do so, security data in Enterprise Server might be corrupted.
Configuring J2SE 5.0 PKCS#11 Providers
Enterprise Server relies on J2SE PKCS#11 providers to access keys and certificates that are
located in PKCS#11 tokens at runtime. By default, Enterprise Server configures a J2SE PKCS#11
provider for the NSS soft token. This section describes how to override the default
configuration for the J2SE PKCS#11 provider.
In Enterprise Server, the following default PKCS#11 configuration parameters are generated for
each PKCS#11 token.
■ Configuration for the default NSS soft token:
    name=internal
    library=${com.sun.enterprise.nss.softokenLib}
    nssArgs="configdir='${com.sun.appserv.nss.db}' certPrefix='' keyPrefix='' secmod='secmod.db'"
    slot=2
    omitInitialize = true
■ Configuration for the SCA 1000 hardware accelerator:
    name=HW1000
    library=/opt/SUNWconn/crypto/lib/libpkcs11.so
    slotListIndex=0
    omitInitialize=true
These configurations conform to the syntax described in the Java PKCS#11 Reference Guide.
Note – The name parameter has no requirements other than that it must be unique. Certain
older versions of J2SE 5.0 support alphanumeric characters only.
You can override the default configuration parameters by creating a custom configuration file.
For example, you can explicitly disable the RSA Cipher and RSA Key Pair Generator in
SCA–1000. For details on disabling the RSA Cipher and RSA Key Pair Generator, see
http://www.mozilla.org/projects/security/pki/nss/tools.
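An added example, not from the original guide: a small Python check for a custom provider configuration file of the kind described above, covering the name rules from the Note and the RSA override. The sample file, the function names, and the use of the standard PKCS#11 mechanism names CKM_RSA_PKCS and CKM_RSA_PKCS_KEY_PAIR_GEN in a SunPKCS11 disabledMechanisms block are assumptions; the other parameters repeat the SCA 1000 defaults shown earlier.

```python
import re

# Constructed sample: the page's SCA 1000 defaults plus a disabledMechanisms
# block (SunPKCS11 syntax) for the RSA Cipher and RSA Key Pair Generator.
CUSTOM_CONFIG = """\
name=HW1000
library=/opt/SUNWconn/crypto/lib/libpkcs11.so
slotListIndex=0
disabledMechanisms = {
    CKM_RSA_PKCS
    CKM_RSA_PKCS_KEY_PAIR_GEN
}
omitInitialize=true
"""

RSA_MECHANISMS = {"CKM_RSA_PKCS", "CKM_RSA_PKCS_KEY_PAIR_GEN"}


def parse_pkcs11_config(text):
    """Parse 'key = value' lines and brace-delimited mechanism lists."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # drop comment lines
    config = {}
    for key, body in re.findall(r"(\w+)\s*=\s*\{([^}]*)\}", text):
        config[key] = body.split()
    text = re.sub(r"\w+\s*=\s*\{[^}]*\}", "", text)
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            config[key.strip()] = value.strip()
    return config


def lint(config, names_in_use=()):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    name = config.get("name", "")
    if not name.isalnum():  # safe for older J2SE 5.0 releases (see Note)
        problems.append("name must be non-empty and alphanumeric")
    if name in names_in_use:
        problems.append("name is not unique: " + name)
    if "library" not in config:
        problems.append("library is required")
    if "slot" in config and "slotListIndex" in config:
        problems.append("specify only one of slot and slotListIndex")
    missing = RSA_MECHANISMS - set(config.get("disabledMechanisms", []))
    if missing:
        problems.append("RSA still enabled: " + ", ".join(sorted(missing)))
    return problems
```

Pass the names of the providers already configured (for example `internal`) as `names_in_use` to catch a duplicate before the server loads the file.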
Using Hardware Crypto Accelerator With Enterprise Server
Sun GlassFish Enterprise Server 2.1 Administration Guide • December 2008 124