Sun Microsystems 820433510 Server User Manual


 
Working With Private Keys and Certificates
Use certutil to create self-signed certificates and to import or export certificates. To import or
export private keys, use the pk12util utility. For more details, see
“Using Network Security Services (NSS) Tools” on page 116.
Caution: In Enterprise Server, do not modify the NSS password directly with the NSS tools
certutil and modutil. If you do so, security data in Enterprise Server might be corrupted.
Conguring J2SE 5.0 PKCS#11 Providers
Enterprise Server relies on J2SE PKCS#11 providers to access keys and certicates that are
located in PKCS#11 tokens at runtime. By default, Enterprise Server congures a J2SE PKCS#11
provider for the NSS soft token. This section describes how to override the default
conguration for the J2SE PKCS#11 provider.
In Enterprise Server, the following default PKCS#11 conguration parameters are generated for
each PKCS#11 token.
Conguration for the default NSS soft token:
name=internal
library=${com.sun.enterprise.nss.softokenLib}
nssArgs="configdir='${com.sun.appserv.nss.db}'
certPrefix='' keyPrefix='' secmod='secmod.db'"
slot=2
omitInitialize = true
Conguration for the SCA 1000 hardware accelerator:
name=HW1000
library=/opt/SUNWconn/crypto/lib/libpkcs11.so
slotListIndex=0
omitInitialize=true
These congurations conform to the syntax described in the Java PKCS#11 Reference Guide.
Note The name parameter has no requirements other than that it must be unique. Certain
older versions of J2SE 5.0 support alphanumeric characters only.
You can override the default configuration parameters by creating a custom configuration file.
For example, you can explicitly disable the RSA Cipher and RSA Key Pair Generator in
SCA–1000. For details on disabling the RSA Cipher and RSA Key Pair Generator, see
http://www.mozilla.org/projects/security/pki/nss/tools .
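The following is an added example, not part of the Administration Guide: a Python check for a custom PKCS#11 provider configuration file before it is put in place. The function names are hypothetical, the override file is constructed from the SCA 1000 defaults above, and the CKM_RSA_PKCS / CKM_RSA_PKCS_KEY_PAIR_GEN names are an assumed mapping for "RSA Cipher and RSA Key Pair Generator"; the mutual-exclusion rules are those of the Java PKCS#11 Reference Guide.

```python
import re

# Constructed sample; mechanism names are an assumed mapping for RSA cipher / key-pair gen.
HW1000_OVERRIDE = """\
name=HW1000
library=/opt/SUNWconn/crypto/lib/libpkcs11.so
slotListIndex=0
disabledMechanisms = {
  CKM_RSA_PKCS
  CKM_RSA_PKCS_KEY_PAIR_GEN
}
omitInitialize=true
"""

def parse_config(text):
    """Parse key=value lines; values opening with { or " may span lines."""
    attrs, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError(f"expected key=value, got {line!r}")
        closer = {"{": "}", '"': '"'}.get(value[:1])
        while closer and (len(value) < 2 or not value.endswith(closer)):
            if i == len(lines):
                raise ValueError(f"unterminated value for {key}")
            value += " " + lines[i].strip()
            i += 1
        # Brace lists become Python lists; everything else stays a string.
        attrs[key] = value[1:-1].split() if closer == "}" else value
    return attrs

def lint(configs):
    """Check name rules from the Note above and attributes that cannot be combined."""
    findings, seen = [], set()
    for cfg in configs:
        name = cfg.get("name", "")
        if name in seen:
            findings.append(f"{name}: name is not unique")
        seen.add(name)
        if not re.fullmatch(r"[A-Za-z0-9]+", name):
            findings.append(f"{name!r}: non-alphanumeric name fails on some J2SE 5.0 releases")
        for a, b in (("slot", "slotListIndex"), ("enabledMechanisms", "disabledMechanisms")):
            if a in cfg and b in cfg:
                findings.append(f"{name}: {a} and {b} are mutually exclusive")
    return findings
```

An empty list from `lint([parse_config(HW1000_OVERRIDE)])` means the override passes these checks; it does not confirm that the token honours the disabled mechanisms.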
Using Hardware Crypto Accelerator With Enterprise Server
Sun GlassFish Enterprise Server 2.1 Administration Guide • December 2008 124