
Kssl configuration with Sun Software PKCS#11 softtoken

Update: 11-30 Source: network consolidation
I need to understand what changed in Solaris 10 10/08 s10s_u6wos_07b SPARC with regard to the crypto framework.
I want to configure kernel SSL proxy (kssl) to use the certificate stored in the PKCS#11 keystore. First, I generated a certificate labelled "mycert" with the pktool command. Next I ran the ksslcfg command as follows:
ksslcfg create -f pkcs11 -C "mycert" -T "Sun Software PKCS#11 softtoken" -x 51000 -p /tmp/pwd 443
The service log indicated:
"no matching PKCS#11 token found"
I had to dig through the kssladm source code in OpenSolaris to find this piece:
http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_create.c?&r=898.
The code iterates through the list of tokens, then compares labels with the one provided by the user. Since I specified what the Sun documentation says, "Sun Software PKCS#11 softtoken", I would expect it to find it, but it does not. Pktool indicates that the label is present:
% pktool tokens
Token Label                     Manuf ID         Serial No  PIN State
Sun Software PKCS#11 softtoken  Sun Microsystem             user set
I then ran the kssladm manually and specified the -v (verbose) option, so it would print the labels it actually found. It turned out that the only token it finds has a label "Sun Metaslot ".
My question is: is this now the recommended label to be used instead of the "Sun Software PKCS#11 softtoken"? If it is, then why does pktool still show it? Is this a bug in this particular Solaris release? Would appreciate any insight.
Thanks
Leonti
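
Added example (not part of the original post and not the kssladm source): the kind of lookup the question describes, iterating over tokens and comparing each label with the requested one. It relies on the PKCS#11 convention that a token label is a 32-byte, blank-padded field with no terminating NUL; the struct, function names and token list are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LABEL_LEN 32   /* width of the label field in PKCS#11 CK_TOKEN_INFO */

/* Constructed stand-in for a token entry; only the label is modelled. */
struct token { unsigned char label[LABEL_LEN]; };

/* Store a name the way PKCS#11 labels are stored: blank padded, no NUL. */
static void set_label(struct token *t, const char *name) {
    size_t n = strlen(name);
    if (n > LABEL_LEN) n = LABEL_LEN;
    memset(t->label, ' ', LABEL_LEN);
    memcpy(t->label, name, n);
}

/* Match a C string against a padded label: prefix equal, remainder blanks. */
static int label_matches(const unsigned char *label, const char *wanted) {
    size_t i, n = strlen(wanted);
    if (n > LABEL_LEN || memcmp(label, wanted, n) != 0) return 0;
    for (i = n; i < LABEL_LEN; i++)
        if (label[i] != ' ') return 0;
    return 1;
}

/* Return the index of the token whose label matches, or -1 if none does. */
static int find_token(const struct token *toks, int count,
                      const char *wanted, int verbose) {
    int i;
    for (i = 0; i < count; i++) {
        if (verbose)   /* quotes make the blank padding visible */
            printf("token %d: \"%.*s\"\n", i, LABEL_LEN,
                   (const char *)toks[i].label);
        if (label_matches(toks[i].label, wanted)) return i;
    }
    return -1;
}

/* Look up `wanted` in a one-token list that exposes only `present`. */
int lookup_single(const char *present, const char *wanted, int verbose) {
    struct token t;
    set_label(&t, present);
    return find_token(&t, 1, wanted, verbose);
}

int main(void) {
    int idx = lookup_single("Sun Metaslot", "Sun Software PKCS#11 softtoken", 1);
    printf("%s\n", idx < 0 ? "no matching token" : "match");
    return 0;
}
```

Printing the label inside quotes, as the verbose branch does, shows the blank padding that a plain listing hides.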

The Best Answer

You need to use the trustanchors nssModule; read the Java™ PKCS#11 Reference Guide at --
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#Config
For example, you can write your config file like this --
name=NSS
nssSecmodDirectory=path_of_your_dbs
nssLibraryDirectory=path_of_dll_or_so
nssModule=trustanchors