000026057 - Support for PKCS 11 in RSA BSAFE Cert-J and Crypto-J

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000026057
Applies To: RSA BSAFE Cert-J
Issue: Support for PKCS 11 in RSA BSAFE Cert-J and Crypto-J
The end user wishes to use PKI credentials within a Java application. However, these credentials are stored in a device that is only accessible via a third-party vendor's PKCS11 library.
Cause: PKCS 11 is a standard that defines a C language API for talking to cryptographic tokens. However, it can also be used for talking to any real or virtual (software) device. As the API is written in C and needs to be compiled for each operating system, it cannot be directly accessed by the Java Virtual Machine without the aid of a Java Native Interface (JNI).
Resolution: RSA BSAFE Crypto-J version 3.2 and above implements a native interface to any third-party PKCS11-compliant library, allowing a customer to access a PKCS11 device without the need to write their own JNI. Crypto-J does this through the JSAFE_PKCS11SessionSpec class, which is an extension of JSAFE_SessionSpec.

RSA BSAFE Cert-J version 2.0 and above has a database provider, PKCS11DB, that uses the native PKCS11 support provided by Crypto-J 3.2. Using PKCS11DB, the certificates and keys held in the PKCS11 device can be accessed through standard database operations.
Legacy Article ID: a4122