4 Replies. Latest reply: Nov 18, 2011 6:06 AM by 900775

    PKCS#11 with NSS

    900775
      Hello to ALL Saviours,


      For the past 5 days I have been struggling with a cryptography problem. Let me explain my problem statement.

      I have to test the Intel AES-NI feature on a Westmere EP series processor with a Java application.

      My Environment Setup:-

      Application server: Apache Tomcat 6.0.33
      Database: Derby
      Application: JPetStore
      JAVA: jdk1.6.0_23
      Network Security Services(NSS): 3.12.10
      OS: CentOS 6.0 x86-64

      Steps I have followed to make it work:

      1. Set up the application, running perfectly fine on port 8443. Created a key using "keytool -genkey -alias tomcat -keyalg RSA".

      2. Checked the page properties of my application. Output is "TLS 1.0, AES with 128 bit encryption (High); RSA with 1024 bit exchange".

      3. I have compiled NSS and put all the *.so files into the existing JDK ($JAVA_HOME/jre/lib/amd64).

      4. Updated jre/lib/security/java.security as "security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg".

      5. Put nss.cfg into $JAVA_HOME/jre/lib/security.

      #Content of nss.cfg
      name=NSS
      nssLibraryDirectory=${java.home}/lib/amd64
      nssDbMode=noDb
      attributes=compatibility

      6. Started the application again. The application is running fine without any error in CATALINA.out.

      Problem Statement:-

      I have generated a load of 20 virtual users and collected the throughput. In both cases (with and without PKCS#11-NSS implemented) I am getting the same results.

      I am not sure whether I am missing some steps or have misconfigured something.

      Help is appreciated because I am badly in need of it.

      Please suggest your views.
        • 1. Re: PKCS#11 with NSS
          handat
          NSS doesn't use the JKS store file but instead uses either a hardware token or its own softstore (cert8.db & key3.db). You need to generate the certificate using the certutil tool and update Tomcat server.xml config and set keystoreType.

          Edited by: handat on Nov 18, 2011 1:13 PM

          Edited by: handat on Nov 18, 2011 1:24 PM
          • 2. Re: PKCS#11 with NSS
            EJP
            4. Updated jre/lib/security/java.security as "security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg".

            5. Put nss.cfg into $JAVA_HOME/jre/lib/security.
            These are two different places for nss.cfg. Reconcile them.
            • 3. Re: PKCS#11 with NSS
              900775
              My JDK folder resides in $HOME; that is the only reason I have mentioned $JAVA_HOME (pointing to the JDK directory in my home).

              $HOME/jdk/jre/lib/security

              And when I write $java.home/lib/security it means the same path for the nss.cfg file. Both are accessible; no error because of them.
              • 4. Re: PKCS#11 with NSS
                900775
                handat wrote:
                NSS doesn't use the JKS store file but instead uses either a hardware token or its own softstore (cert8.db & key3.db). You need to generate the certificate using the certutil tool and update Tomcat server.xml config and set keystoreType.
                I am using keytool to generate the PKCS11 keystore, but it is giving the error "keytool error: java.security.KeyStoreException: token write-protected".

                I have used the nssDbMode=noDb option in the nss.cfg file, so do I still have to generate the db file?

                Can you please give me a snapshot of the server.xml file in Tomcat?

                I have configured it as:-

                <Connector port="8443"
                minSpareThreads="5"
                maxSpareThreads="75"
                enableLookups="true"
                disableUploadTimeout="true"
                acceptCount="100"
                maxThreads="200"
                scheme="https"
                secure="true"
                SSLEnabled="true"
                clientAuth="false"
                sslProtocol="TLS"
                keystoreType="PKCS11"
                ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"
                />


                I appreciate the response.
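An added example, not written by anyone in this thread, that bears on the original post's "same throughput" observation and on the noDb question in reply 4: it registers NSS through SunPKCS11 with the thread's nss.cfg values and reports which provider actually services AES/CBC, the transformation behind the TLS_RSA_WITH_AES_128_CBC_SHA suite in the posted server.xml. The class name NssAesCheck, the JDK 6 SunPKCS11(InputStream) constructor and the all-zero key are my assumptions.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Reports which JCA provider services AES once NSS is registered through SunPKCS11. */
public class NssAesCheck {
    // Same settings as the nss.cfg in the thread; the library path is derived from java.home.
    private static final String NSS_CFG =
          "name=NSS\n"
        + "nssLibraryDirectory=" + System.getProperty("java.home") + "/lib/amd64\n"
        + "nssDbMode=noDb\n"
        + "attributes=compatibility\n";

    public static void main(String[] args) throws Exception {
        // JDK 6/7/8: the provider can be built from a config stream instead of java.security.
        Provider nss = new sun.security.pkcs11.SunPKCS11(
                new ByteArrayInputStream(NSS_CFG.getBytes("UTF-8")));
        Security.insertProviderAt(nss, 1);

        // Provider order decides who wins Cipher.getInstance(); NSS must be first.
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName());
        }

        // The CBC transformation used by TLS_RSA_WITH_AES_128_CBC_SHA from server.xml.
        Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
        System.out.println("AES/CBC/NoPadding served by: " + c.getProvider().getName());

        // Constructed all-zero key and IV, enough to make the token perform one block.
        SecretKeySpec key = new SecretKeySpec(new byte[16], "AES");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(new byte[16]));
        byte[] block = c.doFinal(new byte[16]);
        System.out.println("encrypted " + block.length + " bytes via " + c.getProvider().getName());

        // With nssDbMode=noDb there is no cert/key database behind the token, so the
        // PKCS11 keystore cannot persist entries; keytool reports that as "token write-protected".
        try {
            KeyStore ks = KeyStore.getInstance("PKCS11", nss);
            ks.load(null, null);
            System.out.println("PKCS11 keystore entries: " + ks.size());
        } catch (Exception e) {
            System.out.println("PKCS11 keystore unavailable in noDb mode: " + e);
        }
    }
}
```

If the output names SunJCE rather than SunPKCS11-NSS, Tomcat's AES is not going through NSS either, which would explain identical throughput. On JDK 9 or later the internal constructor is gone; Security.getProvider("SunPKCS11").configure(path) is the replacement.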