Compatibility
The nCipherKM JCA/JCE CSP supports both module-protected keys and OCS-protected keys. The CSP currently supports 1/N OCSs and a single protection type for each nCipherKM JCE KeyStore.
You can use the nCipherKM JCA/JCE CSP with Security Worlds that comply with FIPS 140 at either Level 2 or Level 3.
In a Security World that complies with FIPS 140 Level 3, it is not possible to import keys generated by other JCE providers.
The nCipherKM JCA/JCE CSP supports load-sharing for keys that are stored in the nCipherKM KeyStore. This feature allows a server to spread the load of cryptographic operations across multiple connected modules, providing greater scalability.
We recommend that you use load-sharing unless you have existing code that is designed to run with multiple modules. To share keys with load-sharing, you must create a 1/N OCS with at least as many cards as you have modules. All the cards in the OCS must have the same passphrase.
The nCipherKM JCA/JCE CSP does not support HSM Pool mode. If you want to use HSM Pool mode with a Java application that only uses module-protected keys, one option may be to use the Sun PKCS #11 provider to access the nShield PKCS #11 library instead of using the nCipherKM JCA/JCE CSP.
Keys generated or imported by the nCipherKM JCA/JCE CSP are not recorded into the Security World until:
- The key is added to an nCipherKM KeyStore (by using a call to setKeyEntry() or setCertificateEntry()).
- That nCipherKM KeyStore is then stored (by using a call to store()).
The passphrase used with the KeyStore must be the passphrase of the card from the OCS that protects the keys in the KeyStore.
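
The two steps above, followed by a reload that confirms the key was recorded, as an added example that is not part of the vendor documentation. It assumes the CSP is installed and registered under the provider name "nCipherKM", that its KeyStore type is "ncipher.sworld", that the JVM is configured for OCS protection with a card from the OCS inserted, and that the key-entry password argument may be given the same card passphrase; the class name, alias and file name are hypothetical.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class PersistKeyExample {
    // Assumptions: check both values against the installed provider's documentation.
    static final String PROVIDER = "nCipherKM";
    static final String STORE_TYPE = "ncipher.sworld";
    static final String ALIAS = "example-aes"; // hypothetical alias

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "example.ks"; // hypothetical file name
        Console console = System.console();
        if (console == null) throw new IllegalStateException("run from an interactive terminal");
        // Read the OCS card passphrase without echo; never hard-code it or pass it in argv.
        char[] pass = console.readPassword("OCS card passphrase: ");
        if (pass == null) throw new IllegalStateException("no passphrase entered");
        try {
            // The key exists after this call, but is not yet recorded in the Security World.
            KeyGenerator kg = KeyGenerator.getInstance("AES", PROVIDER);
            kg.init(256);
            SecretKey key = kg.generateKey();

            KeyStore ks = KeyStore.getInstance(STORE_TYPE, PROVIDER);
            ks.load(null, pass);                      // start a new, empty KeyStore
            ks.setKeyEntry(ALIAS, key, pass, null);   // step 1: add the key to the KeyStore
            try (FileOutputStream out = new FileOutputStream(path)) {
                ks.store(out, pass);                  // step 2: store the KeyStore
            }

            // Reload from disk with a fresh instance to confirm the key was persisted.
            KeyStore check = KeyStore.getInstance(STORE_TYPE, PROVIDER);
            try (FileInputStream in = new FileInputStream(path)) {
                check.load(in, pass);
            }
            if (!check.isKeyEntry(ALIAS)) {
                throw new IllegalStateException("key was not persisted: " + ALIAS);
            }
            System.out.println("Persisted entries: " + check.size());
        } finally {
            Arrays.fill(pass, '\0');                  // wipe the passphrase from memory
        }
    }
}
```

If the process exits after generateKey() but before store() returns, the key is lost, so treat a successful reload as the point at which the key can be relied on.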