The PKCS11 Key Manager Provider enables the server to access the private key information through the standard PKCS #11 interface, as used by hardware security modules (HSMs) and cryptographic accelerators.
The PKCS11 Key Manager Provider component inherits from the Key Manager Provider.
The following components have a direct aggregation relation from PKCS11 Key Manager Providers:
The properties supported by this managed object are as follows:
Basic Properties: | Advanced Properties: |
---|---|
description | pkcs11-max-cache-duration |
enabled | |
pkcs11-provider-class | |
pkcs11-provider-configuration-file | |
pkcs11-key-store-type | |
key-store-pin | |
key-store-pin-file | |
key-store-pin-passphrase-provider | |
description
Description | A description for this Key Manager Provider |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
enabled
Description | Indicates whether the Key Manager Provider is enabled for use. |
Default Value | None |
Allowed Values | true false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
pkcs11-provider-class
Description | The fully-qualified name of the Java security provider class that implements support for interacting with PKCS #11 tokens. If this is not provided, then the server will attempt to automatically determine the appropriate provider class. |
Default Value | The server will attempt to automatically determine the appropriate provider class. |
Allowed Values | The fully-qualified name of a Java class that extends or implements java.security.Provider |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
pkcs11-provider-configuration-file
Description | The path to the file to use to configure the security provider that implements support for interacting with PKCS #11 tokens. If this is not provided, then it will be assumed that either the provider does not require any configuration, or that the appropriate settings have already been specified in the JVM configuration. |
Default Value | No provider configuration file will be used. |
Allowed Values | A filesystem path |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
pkcs11-key-store-type
Description | The key store type to use when obtaining an instance of a key store for interacting with a PKCS #11 token. If this is not provided, then a default key store type of "PKCS11" will be used. |
Default Value | PKCS11 |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
key-store-pin
Description | Specifies the PIN needed to access the PKCS11 Key Manager Provider. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed. |
key-store-pin-file
Description | Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the PKCS11 Key Manager Provider. |
Default Value | None |
Allowed Values | A filesystem path |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed. |
key-store-pin-passphrase-provider
Description | The passphrase provider to use to obtain the clear-text PIN needed to access the PKCS11 Key Manager Provider. |
Default Value | None |
Allowed Values | The DN of any Passphrase Provider. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
pkcs11-max-cache-duration (Advanced Property)
Description | The maximum length of time that data retrieved from PKCS #11 tokens may be cached for reuse. Caching might be necessary if there is noticeable latency when accessing the token, for example if the token uses a remote key store. A value of zero milliseconds indicates that no caching should be performed. |
Default Value | 0 ms |
Allowed Values | A duration. Lower limit is 0 milliseconds. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
To list the configured Key Manager Providers:
dsconfig list-key-manager-providers [--property {propertyName}] ...
To view the configuration for an existing Key Manager Provider:
dsconfig get-key-manager-provider-prop --provider-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Key Manager Provider:
dsconfig set-key-manager-provider-prop --provider-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new PKCS11 Key Manager Provider:
dsconfig create-key-manager-provider --provider-name {name} --type pkcs11 --set enabled:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Key Manager Provider:
dsconfig delete-key-manager-provider --provider-name {name}
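As an added example, not code from this documentation or from the server, the following shell script ties the create command above to the two files a PKCS11 Key Manager Provider depends on: it checks that a key-store-pin-file is exactly what the property description requires (a single clear-text line) and is readable only by its owner, writes a minimal provider configuration file, and assembles the dsconfig create invocation with the PIN passed by file rather than on the command line. The provider class sun.security.pkcs11.SunPKCS11 and the name/library/slot keys are the JDK's SunPKCS11 conventions; the provider name and the PKCS #11 library path are constructed for the example and are not values from this page.

```shell
#!/bin/sh
# Added example, not part of the product documentation: validates a
# key-store-pin-file as the documentation describes it (a single clear-text
# line), writes a pkcs11-provider-configuration-file, and prints the dsconfig
# command that creates a PKCS11 Key Manager Provider from them.
# Assumptions: the JDK's sun.security.pkcs11.SunPKCS11 provider class and its
# name/library/slot configuration keys; the provider name and the PKCS #11
# library path below are constructed for this example.

# check_pin_file PATH
# Returns 0 when PATH is a regular file, readable only by its owner, and holds
# exactly one non-empty line. Returns 1 (with the reason on stderr) otherwise:
# a multi-line or empty file breaks the provider, and a group/world-readable
# file exposes the PIN to every local account.
check_pin_file() {
  pin_file=$1
  if [ ! -f "$pin_file" ]; then
    echo "pin file missing: $pin_file" >&2
    return 1
  fi
  # The PIN is stored in clear text, so refuse any group/other permission bits.
  mode=$(stat -c '%a' "$pin_file" 2>/dev/null || stat -f '%Lp' "$pin_file")
  case "$mode" in
    600|400) ;;
    *)
      echo "pin file $pin_file has mode $mode; expected 600 or 400" >&2
      return 1 ;;
  esac
  # awk counts a final line even without a trailing newline, unlike wc -l.
  lines=$(awk 'END { print NR }' "$pin_file")
  if [ "$lines" -ne 1 ]; then
    echo "pin file $pin_file has $lines lines; expected exactly one" >&2
    return 1
  fi
  if [ -z "$(head -n 1 "$pin_file")" ]; then
    echo "pin file $pin_file is empty" >&2
    return 1
  fi
  return 0
}

# write_provider_config PATH LIBRARY
# Writes a minimal SunPKCS11 configuration file (the file referenced by
# pkcs11-provider-configuration-file) pointing at the PKCS #11 library.
# "DirectoryHSM" is a constructed provider instance name.
write_provider_config() {
  printf 'name = DirectoryHSM\nlibrary = %s\nslot = 0\n' "$2" > "$1"
}

# build_create_cmd NAME PROVIDER_CFG PIN_FILE
# Prints the dsconfig invocation from the documentation with the values filled
# in. The PIN is supplied through key-store-pin-file rather than key-store-pin
# so it never appears on the command line, in process listings or in history.
build_create_cmd() {
  check_pin_file "$3" || return 1
  printf 'dsconfig create-key-manager-provider --provider-name "%s" --type pkcs11 --set enabled:true --set pkcs11-provider-class:sun.security.pkcs11.SunPKCS11 --set pkcs11-provider-configuration-file:%s --set key-store-pin-file:%s\n' "$1" "$2" "$3"
}

# Usage: sh create-pkcs11-provider.sh "HSM Key Manager" /path/pkcs11.cfg /path/pin.txt
if [ "$#" -eq 3 ]; then
  build_create_cmd "$@"
fi
```

The script only prints the dsconfig command so it can be reviewed before it is run; the same check_pin_file function is worth running again after a key-store-pin-file is rotated, since a second line or a loosened mode is easy to introduce by hand.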