All - I am trying to get a fips compliant NSS java security provider installed on my system.
I am having troubles getting NSS configured. I currently have the following in my configuration file

    name = NSS
    nssLibraryDirectory = /usr/lib64
    nssDbMode = noDb

When I start my application I get

    java.io.IOException: FIPS mode: KeyStore must be from provider SunPKCS11-NSS

We do have this configuration set when running our application - is the jks causing problems?

    -Djavax.net.ssl.keyStoreType=jks
    -Djavax.net.ssl.trustStoreType=jks

In order to attempt to troubleshoot I have created a new directory /etc/pki/nss/fips and ran

    certutil -N -d .

and

    modutil -fips true -dbdir .

If I change my configuration file from above to

    name = NSS
    nssLibraryDirectory = /usr/lib64
    nssSecmodDirectory = /etc/pki/nssdb/fips

I get another weird error - which makes me think the configuration is bad?

    java.security.ProviderException: Crypto provider not installed: SunPKCS11-NSS

Can I use a jks keystore and trustkeystore with NSS?

Any help would be appreciated!

Thanks,
Anna.

--- On Tue, 2/2/10, David Stutzman <dstutz.m...@nospam.dstutz.com> wrote:

From: David Stutzman <dstutz.m...@nospam.dstutz.com>
Subject: Re: Mozilla-JSS in FIPS compliant mode
To: dev-tech-crypto@lists.mozilla.org
Date: Tuesday, February 2, 2010, 4:27 AM

On 2/1/2010 1:39 PM, Anna Gellatly wrote:
> Thanks for responding David -
> If the Mozilla JCA isn't JSS compatible then I'm barking up the wrong tree.
> I see you included the pkcs#11 java doc but how do you ensure sun's
> PKCS#11 uses nss? I see that you need to set the configuration
> directives - but I have no idea how to "set configuration directives"?
> Are they talking java vm command line option setting?
> Does nss have a document that shows how to set these directives?
> Anna.

The rest of that document below explains how to configure any PKCS#11 device. NSS is just a special case that they have added some extras for.

> >http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#NSS

Dave
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto