Document toolboxDocument toolbox

PGW officer and RA keystores

PKCS#11 based keystores for officer and RA tokens

Apart from PKCS#12 keystores, Protocol Gateway also supports PKCS#11 based keystores for officer and RA tokens. In order to use PKCS#11 keystores with PGW, the library file jpkcs11.dll (or libjpkcs11.so in a Linux based host) must be made available to the application server hosting Protocol Gateway. This library file is distributed with the Certificate Manager server.

For Windows operating systems, the jpkcs11.dll library file needs to be copied from the Certificate Manager bin directory to a path specified in the variable java.library.path used by the web application server hosting Protocol Gateway.

For Linux based operating systems, the libjpkcs11.so library file needs to be copied to a path pointed out by LD_LIBRARY_PATH environment variable for the web application server hosting Protocol Gateway. Please refer to the documentation of your web application server for setting the LD_LIBRARY_PATH environment variable accordingly. Copying the library file to any of the paths indicated by the variable java.library.path, where the web application server hosting Protocol Gateway can find it, is also possible.

The PKCS#11 specific parameters are documented in the cm-gateway.properties configuration file. While they apply globally for all handlers in all protocols running in PGW, they can also be configured per protocol as default values for all handlers or individually on each handler:

default.officer.pkcs11 = {ProgramFiles}/Personal/Bin/personal.dll default.officer.certificate.subject = Company CA default.officer.password = abcd1234
handler.1.officer.pkcs11 = {ProgramFiles}/Personal/Bin/personal.dll handler.1.officer.certificate.subject = Enterprise CA handler.1.officer.password = abcd1234



PKCS#11 and PKCS#12 related parameters for an officer or RA keystore cannot be mixed on the same handler. For example, a PKCS#12 keystore cannot be used in cm-gateway.properties while at the same time using a PKCS#11 keystore for a handler in any of the protocols, as the PKCS#12 related parameters from cmgateway.properties will apply globally to the handlers defined in each protocol and conflict with the PKCS#11 related parameters.

The PKCS#11 keystore can also be used for RA tokens. An example on how to configure RA tokens from a PKCS#11 keystore can be found in Use CMP or SCEP protocol in CA mode.



Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions