This discussion is archived
4 Replies Latest reply: Nov 18, 2011 4:06 AM by 900775

PKCS#11 with NSS

900775 Newbie
Hello to ALL Saviours,


For the past 5 days I have been struggling with a cryptography problem. Let me explain my problem statement.

I have to test Intel AES-NI feature on Westmere EP series processor with a JAVA Application.

My Environment Setup:-

Application server: Apache Tomcat 6.0.33
Database: Derby
Application: JPetStore
JAVA: jdk1.6.0_23
Network Security Services(NSS): 3.12.10
OS: CentOS 6.0 x86-64

Steps I have followed to make it work:

1. Set up the application running perfectly fine on port 8443. Created a key using "keytool -genkey -alias tomcat -keyalg RSA".

2. Checked the page properties of my application. Output is "TLS 1.0, AES with 128 bit encryption (High); RSA with 1024 bit exchange".

3. I have compiled the NSS and put all *.so files into the existing JDK ($JAVA_HOME/jre/lib/amd64).

4. Updated jre/lib/security/java.security AS "security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg"

5. Put nss.cfg into ($JAVA_HOME/jre/lib/security).

#Content of nss.cfg
name=NSS
nssLibraryDirectory=${java.home}/lib/amd64
nssDbMode=noDb
attributes=compatibility

6. Started the Application again. Application running fine without any error in CATALINA.out.

Problem Statement:-

I have generated a load of 20 virtual users and collected the throughput. In both cases (with and without PKCS#11-NSS implemented) I am getting the same results.

I am not sure whether I am missing some steps or have misconfigured something.

Help is appreciated because I am in need of it badly.

Please suggest your views.
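One way to check, outside Tomcat, which JCE provider actually serves AES after the java.security change and whether that changes raw AES-CBC throughput, is the small standalone program below. It is an example added here, not code from the thread; the class name, the all-zero key and IV, and the 256 MB sample size are constructed, and the optional command-line path assumes the public sun.security.pkcs11.SunPKCS11(String configName) constructor that JDK 6 exposes.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class AesProviderCheck {
    // Constructed test key and IV: any 16-byte values will do for a throughput check.
    private static final byte[] KEY = new byte[16];
    private static final byte[] IV = new byte[16];

    // Encrypt `megabytes` MB of zeros with the named provider (null = highest
    // priority provider, i.e. SunPKCS11-NSS if java.security was edited as in the
    // post), report which provider served the cipher, and return MB/s.
    static double throughput(String providerName, int megabytes) throws Exception {
        Cipher c = providerName == null
                ? Cipher.getInstance("AES/CBC/NoPadding")
                : Cipher.getInstance("AES/CBC/NoPadding", providerName);
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(IV));
        System.out.println("AES/CBC served by: " + c.getProvider().getName());
        byte[] in = new byte[1 << 20];
        byte[] out = new byte[1 << 20];
        long start = System.nanoTime();
        for (int i = 0; i < megabytes; i++) {
            c.update(in, 0, in.length, out, 0);   // whole blocks, so output == input size
        }
        c.doFinal(out, 0);                        // NoPadding: nothing is buffered
        double seconds = (System.nanoTime() - start) / 1e9;
        return megabytes / seconds;
    }

    public static void main(String[] args) throws Exception {
        // Optional argument: path to nss.cfg, to load the provider at runtime
        // without editing java.security (assumes JDK 6's SunPKCS11(String) constructor).
        if (args.length > 0) {
            Provider nss = new sun.security.pkcs11.SunPKCS11(args[0]);
            Security.insertProviderAt(nss, 1);
        }
        // Provider list in priority order; SunPKCS11-NSS should be first.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + " " + p.getVersion());
        }
        throughput(null, 16);                      // JIT warm-up, result discarded
        System.out.printf("default provider: %.1f MB/s%n", throughput(null, 256));
        System.out.printf("SunJCE:           %.1f MB/s%n", throughput("SunJCE", 256));
    }
}
```

If "AES/CBC served by" prints SunJCE in both runs, Tomcat's TLS bulk cipher is not going through NSS either, which would explain identical load-test numbers regardless of the nss.cfg setup.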
  • 1. Re: PKCS#11 with NSS
    handat Expert
    NSS doesn't use the JKS store file but instead uses either a hardware token or its own softstore (cert8.db & key3.db). You need to generate the certificate using the certutil tool and update Tomcat server.xml config and set keystoreType.

    Edited by: handat on Nov 18, 2011 1:13 PM

    Edited by: handat on Nov 18, 2011 1:24 PM
  • 2. Re: PKCS#11 with NSS
    EJP Guru
    4. Update jre/lib/security/java.security AS "security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg"

    5. put nss.cfg to ($JAVA_HOME/jre/lib/security).
    These are two different places for nss.cfg. Reconcile them.
  • 3. Re: PKCS#11 with NSS
    900775 Newbie
    My jdk folder resides in $HOME; that is the only reason I have mentioned $JAVA_HOME (pointing to the jdk directory in my home).

    $HOME/jdk/jre/lib/security

    And when I write $java.home/lib/security it means the same path for the nss.cfg file. Both are accessible; no error because of them.
  • 4. Re: PKCS#11 with NSS
    900775 Newbie
    handat wrote:
    NSS doesn't use the JKS store file but instead uses either a hardware token or its own softstore (cert8.db & key3.db). You need to generate the certificate using the certutil tool and update Tomcat server.xml config and set keystoreType.
    I am using keytool to generate the PKCS11 keystore, but it is giving an error: "keytool error: java.security.KeyStoreException: token write-protected".

    I have used the nssDbMode=noDb option in the nss.cfg file. So do I still have to generate the db file?

    Can you please give me a snapshot of the server.xml file in Tomcat?

    I have configured it as:-

    <Connector port="8443"
    minSpareThreads="5"
    maxSpareThreads="75"
    enableLookups="true"
    disableUploadTimeout="true"
    acceptCount="100"
    maxThreads="200"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    clientAuth="false"
    sslProtocol="TLS"
    keystoreType="PKCS11"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"
    />


    Appreciate the response.
