
Kssl configuration with Sun Software PKCS#11 softtoken

Update: 11-30 Source: network consolidation
I need to understand what changed in Solaris 10 10/08 s10s_u6wos_07b SPARC with regard to the crypto framework.
I want to configure kernel SSL proxy (kssl) to use the certificate stored in the PKCS#11 keystore. First, I generated a certificate labelled "mycert" with the pktool command. Next I ran the ksslcfg command as follows:
ksslcfg create -f pkcs11 -C "mycert" -T "Sun Software PKCS#11 softtoken" -x 51000 -p /tmp/pwd 443
The service log indicated:
"no matching PKCS#11 token found"
I had to dig through the kssladm source code in OpenSolaris to find this piece:
The code iterates through the list of tokens, then compares labels with the one provided by the user. Since I specified what the Sun documentation says, "Sun Software PKCS#11 softtoken", I would expect it to find it, but it does not. Pktool indicates that the label is present:
% pktool tokens
Token Label                      Manuf ID          Serial No   PIN State
Sun Software PKCS#11 softtoken   Sun Microsystem               user set
I then ran the kssladm manually and specified the -v (verbose) option, so it would print the labels it actually found. It turned out that the only token it finds has a label "Sun Metaslot ".
My question is: is this now the recommended label to be used instead of the "Sun Software PKCS#11 softtoken"? If it is, then why does pktool still show it? Is this a bug in this particular Solaris release? Would appreciate any insight.
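
As an added illustration (not the kssladm source, and not part of the original post), this C example performs a label lookup of the kind described in the question, using the PKCS#11 convention that a token label is a 32-byte, blank-padded field with no terminating NUL. The token list is constructed to hold only the "Sun Metaslot" label that the verbose run reported; the struct and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define LABEL_LEN 32 /* PKCS#11 CK_TOKEN_INFO.label: blank padded, no NUL */

/* Hypothetical stand-in for the label field a provider returns per slot. */
struct token { unsigned char label[LABEL_LEN]; };

/* Store s as a fixed-width, blank-padded label (truncating if too long). */
static void set_label(struct token *t, const char *s) {
    size_t n = strlen(s);
    memset(t->label, ' ', LABEL_LEN);
    memcpy(t->label, s, n > LABEL_LEN ? LABEL_LEN : n);
}

/* Length of buf[0..n) once trailing blanks are ignored. */
static size_t trimmed(const unsigned char *buf, size_t n) {
    while (n > 0 && buf[n - 1] == ' ') n--;
    return n;
}

/* Index of the token whose label equals want, or -1 if none matches. */
int find_token(const struct token *toks, int count, const char *want, int verbose) {
    size_t wlen = trimmed((const unsigned char *)want, strlen(want));
    for (int i = 0; i < count; i++) {
        size_t n = trimmed(toks[i].label, LABEL_LEN);
        if (verbose) /* quote the label so the padding is visible */
            printf("slot %d: \"%.*s\" + %zu blanks\n", i, (int)n,
                   (const char *)toks[i].label, LABEL_LEN - n);
        if (n == wlen && memcmp(toks[i].label, want, n) == 0)
            return i;
    }
    return -1;
}

/* Constructed token list: only the label the verbose run reported. */
int lookup_in_sample(const char *want, int verbose) {
    struct token visible[1];
    set_label(&visible[0], "Sun Metaslot");
    return find_token(visible, 1, want, verbose);
}

int main(void) {
    printf("softtoken -> %d\n",
           lookup_in_sample("Sun Software PKCS#11 softtoken", 1));
    printf("metaslot  -> %d\n", lookup_in_sample("Sun Metaslot", 0));
    return 0;
}
```

Printing each enumerated label in quotes, as the verbose branch does, separates a padding mismatch from the case where the expected token is simply absent from the list being searched.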

The Best Answer

You need to use the trustanchors nssModule; read the Java™ PKCS#11 Reference Guide at --
For example, you can write your config file like this --