PKCS11 Key Manager Provider

The PKCS11 Key Manager Provider enables the server to access the private key information through the standard PKCS #11 interface, as used by hardware security modules (HSMs) and cryptographic accelerators.


Parent Component

The PKCS11 Key Manager Provider component inherits from the Key Manager Provider.

Relations from This Component

The following components have a direct aggregation relation from PKCS11 Key Manager Providers:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
 description
 enabled
 pkcs11-provider-class
 pkcs11-provider-configuration-file
 pkcs11-key-store-type
 key-store-pin
 key-store-pin-file
 key-store-pin-passphrase-provider

Advanced Properties:
 pkcs11-max-cache-duration

Basic Properties

description

Description
A description for this Key Manager Provider
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the Key Manager Provider is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

pkcs11-provider-class

Description
The fully-qualified name of the Java security provider class that implements support for interacting with PKCS #11 tokens. If this is not provided, then the server will attempt to automatically determine the appropriate provider class.
Default Value
The server will attempt to automatically determine the appropriate provider class.
Allowed Values
The fully-qualified name of a Java class that extends or implements java.security.Provider
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

pkcs11-provider-configuration-file

Description
The path to the file to use to configure the security provider that implements support for interacting with PKCS #11 tokens. If this is not provided, then it will be assumed that either the provider does not require any configuration, or that the appropriate settings have already been specified in the JVM configuration.
Default Value
No provider configuration file will be used.
Allowed Values
A filesystem path
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

pkcs11-key-store-type

Description
The key store type to use when obtaining an instance of a key store for interacting with a PKCS #11 token. If this is not provided, then a default key store type of "PKCS11" will be used.
Default Value
PKCS11
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

key-store-pin

Description
Specifies the PIN needed to access the PKCS11 Key Manager Provider.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.

key-store-pin-file

Description
Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the PKCS11 Key Manager Provider.
Default Value
None
Allowed Values
A filesystem path
Multi-Valued
No
Required
No
Admin Action Required
None. Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.

key-store-pin-passphrase-provider

Description
The passphrase provider to use to obtain the clear-text PIN needed to access the PKCS11 Key Manager Provider.
Default Value
None
Allowed Values
The DN of any Passphrase Provider.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


Advanced Properties

pkcs11-max-cache-duration (Advanced Property)

Description
The maximum length of time that data retrieved from PKCS #11 tokens may be cached for reuse. Caching might be necessary if there is noticeable latency when accessing the token, for example if the token uses a remote key store. A value of zero milliseconds indicates that no caching should be performed.
Default Value
0 ms
Allowed Values
A duration. Lower limit is 0 milliseconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Key Manager Providers:

dsconfig list-key-manager-providers
     [--property {propertyName}] ...

To view the configuration for an existing Key Manager Provider:

dsconfig get-key-manager-provider-prop
     --provider-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Key Manager Provider:

dsconfig set-key-manager-provider-prop
     --provider-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new PKCS11 Key Manager Provider:

dsconfig create-key-manager-provider
     --provider-name {name}
     --type pkcs11
     --set enabled:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Key Manager Provider:

dsconfig delete-key-manager-provider
     --provider-name {name}