Mark Thomas wrote:
> Tk, Pramod (NSN - IN/Bangalore) wrote:
>> Hello,
>>
>> I have configured apache-tomcat-6.0.20 for PKCS11 to use the keystore
>> present on the HSM (Hardware Security Module), which is an SCA6000 in my case.
> 
> I think you have found a bug but confirming this and then fixing it is
> going to be somewhat complicated by not having access to a hardware
> keystore.

Scratch that. I have looked at the code some more and I see what the
problem is. The KeyManager interface provides no mechanism for
specifying a default alias. Therefore, if you specify an alias Tomcat
has to wrap each KeyManager to ensure that the correct alias is
returned. This wrapper is Tomcat code, not part of JSSE, and therefore
not part of the FIPS accreditation. Hence you see the error. I can't see
any way to code around this problem.

With no alias, the KeyManager is not wrapped but you get a random key.

Looking at the features of the SCA6000 [1], one of them is multiple
keystores. You'll need to configure a dedicated keystore for Tomcat with
the single key and not specify the alias in the connector.

Mark

[1]
http://www.sun.com/products/networking/sslaccel/suncryptoaccel6000/features.xml#anchor3
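
The mechanism Mark describes, as an added illustration that is not Tomcat's code and not part of this thread: when an alias is configured, the container has to wrap the provider's X509KeyManager in its own class so that chooseServerAlias always returns that alias; a provider running in FIPS mode that only accepts its own KeyManager implementations will then reject the wrapper. The second method shows the unwrapped path that the suggested workaround relies on (one key in a dedicated keystore, no alias). Class and method names are hypothetical.

```java
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

/** Hypothetical wrapper: pins the server alias by delegating everything else to the provider's manager. */
public final class FixedAliasKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final String serverAlias;

    public FixedAliasKeyManager(X509KeyManager delegate, String serverAlias) {
        // Fail fast if the alias does not exist in the underlying keystore (HSM slot, PKCS#11 token, ...).
        if (delegate.getCertificateChain(serverAlias) == null) {
            throw new IllegalArgumentException("alias not found in keystore: " + serverAlias);
        }
        this.delegate = delegate;
        this.serverAlias = serverAlias;
    }

    // This is the only behavioural change: the chosen alias no longer depends on the provider's own selection.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return serverAlias;
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyType, issuers, socket); }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    /**
     * Unwrapped path: the KeyManagers come straight from the provider's factory and are never
     * replaced by a third-party class, so a FIPS-mode provider sees only its own objects.
     * With a keystore holding exactly one private key, the "random" key the provider picks is the intended one.
     */
    public static KeyManager[] unwrappedKeyManagers(KeyStore singleKeyStore, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(singleKeyStore, keyPassword);
        return kmf.getKeyManagers();
    }
}
```

A defender checking a deployment for this condition can count the private-key entries in the keystore handed to the connector: more than one with no alias means the served certificate is provider-chosen, not configured.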

