Disabling PKCS11 solaris implementation

Question

I am performance testing an application which performs poorly when SunPKCS11-Solaris is enabled. The app is deployed in WebLogic which runs on Solaris. I have found that disabling SunPKCS11 by sun.security.pkcs11.enable-solaris=false fixed our problem but I am not sure what the other impacts of that switch are. Does anybody know what sun.security.pkcs11.enable-solaris switch does?

The other thing that puzzles me is we do use PKCS11 in our certificates but they work fine after disabling SunPKCS-Solaris with the switch above, so I am wondering if there are other providers available to the VM.

Answer 1

Farzad -

Java can use any number of providers to accomplish the same task, and is highly configurable. You can disable entire providers or just certain algorithms in that provider. I believe they are listed in the configuration file in preference order.

Depending on what tasks you're trying to do, the ucrypto provider on Solaris should be faster (but it is not as complete as the PKCS#11 provider, so may not have the algorithms, etc, that you need).

Depending on which JDK, OS and hardware platform you're on, the PKCS#11 provider may be faster than JavaNative. In other cases, JavaNative will be faster. Please note that Java's configuration file has to work across multiple Solaris OS versions, for example, Solaris 10u11, Solaris 11.2 and Solaris 11.3, and on multiple hardware platforms that vary in crypto capabilities. As it is a generic file, it is not always perfectly tuned for your specific scenario.

If you are trying to utilize a hardware keystore installed on Solaris, like nCipher or SCA6000, you would likely need to go through PKCS#11.

Hope that helps,

Valerie