Comments on Under The Elytron: FIPS-compliant Credential Stores
Blog author: Peter Skopek

Comment by Pete Larson, 2021-08-16:

I'd like to add more information, as it pertains to JBoss 7.4. This is poorly documented, but direct from the Red Hat helpdesk.

Query:

Is there a way of using a credential store with a different algorithm?
Or is there a way of creating a credential store that is a PKCS11 NSSDB?

Answer:

You can add the line: implementation-properties={keyStoreType=PKCS11}

So the command to create a PKCS11 keystore becomes (the --commands value is single-quoted so the inner double quotes reach jboss-cli intact):

    /opt/jboss-eap/bin/jboss-cli.sh --connect --commands='/subsystem=elytron/credential-store=credential-store:add(location=../credential-stores/credential-store.pfx,relative-to=jboss.server.data.dir,implementation-properties={"keyStoreType"=>"PKCS11","keyAlias"=>""},credential-reference={clear-text=credential-store-pw},create=true)'

Query:

Can I use the SAME NSSDB that I'm using as a certificate store, or should I create a separate one?

Answer:

If you run the command:

    modutil -list -dbdir

it should list PKCS #11 Modules. If it lists the PKCS #11 Modules, then there is no need to create a separate one.

You get the db dir from the nss.fips.cfg file, which is in /conf/security. Inside the file, search for the value for the key nssSecmodDirectory; that's the db directory.
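The steps in the comment above, as one added script (not code from the blog post, the commenter, or Red Hat): locate the NSS database directory from nss.fips.cfg, check with modutil whether it already has PKCS #11 modules registered, and build the jboss-cli add command with shell quoting that survives the inner double quotes. Assumptions: nss.fips.cfg uses the SunPKCS11 "key = value" layout, modutil -list numbers each module as "  1. ...", the cfg path defaults to $JAVA_HOME/conf/security/nss.fips.cfg, and the store name, location and password are placeholders. The sample config content is constructed for the example.

```shell
#!/bin/sh
# Added example; not part of the original post. See lead-in for assumptions.

# Constructed sample of the relevant nss.fips.cfg lines (not a real file).
SAMPLE_NSS_CFG='name = NSS-FIPS
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips'

# Print the nssSecmodDirectory value from a SunPKCS11-style config file.
# Tolerates spaces around '=', ignores other keys, takes the first match.
nss_db_dir() {
  cfg="$1"
  sed -n 's/^[[:space:]]*nssSecmodDirectory[[:space:]]*=[[:space:]]*//p' "$cfg" \
    | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 if modutil lists at least one numbered PKCS #11 module in the DB.
# Assumption: modutil prints entries as "  1. <module name>" (header lines
# alone do not count, unlike a plain grep for "PKCS #11 Module").
nss_has_modules() {
  modutil -list -dbdir "$1" 2>/dev/null | grep -Eq '^[[:space:]]*[0-9]+\. '
}

# Build the jboss-cli operation string for a PKCS11-backed credential store.
# keyAlias is carried over empty, as in the commenter's command.
cli_add_pkcs11_store() {
  name="$1"; location="$2"; password="$3"
  printf '%s' "/subsystem=elytron/credential-store=$name:add(location=$location,relative-to=jboss.server.data.dir,implementation-properties={\"keyStoreType\"=>\"PKCS11\",\"keyAlias\"=>\"\"},credential-reference={clear-text=$password},create=true)"
}

main() {
  cfg="${NSS_FIPS_CFG:-${JAVA_HOME:?set JAVA_HOME}/conf/security/nss.fips.cfg}"
  dbdir=$(nss_db_dir "$cfg") || exit 1
  [ -n "$dbdir" ] || { echo "nssSecmodDirectory not found in $cfg" >&2; exit 1; }
  if nss_has_modules "$dbdir"; then
    echo "NSS DB $dbdir already lists PKCS #11 modules; reusing it" >&2
  else
    echo "no PKCS #11 modules in $dbdir; initialise it before continuing" >&2
    exit 1
  fi
  # Single quotes are not needed here: the operation is passed as one argument.
  "${JBOSS_HOME:-/opt/jboss-eap}/bin/jboss-cli.sh" --connect \
    --commands="$(cli_add_pkcs11_store credential-store \
      ../credential-stores/credential-store.pfx "${CS_PASSWORD:?set CS_PASSWORD}")"
}

# Only run the live steps when invoked as: sh script.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

The password still reaches jboss-cli as clear-text on the command line, exactly as in the helpdesk answer; on a shared host prefer passing it through the CLI's interactive prompt or a file with restricted permissions.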