> You're saying you need Linux support from PKCS11 hardware devices, and
> haven't found any?

Rainbow is a fairly good example. They have a working PKCS11 library for Linux but they won't give it to you without some real begging and no support. More importantly, it turns out in Rainbow's case they single thread access to their cards, so the potential gains for Java are nicely throttled anyway. Something to keep in mind, since they'll happily sell you a higher end card that just has multiple processing units on it that will go unused by any one process. ;-)

> We're just now beginning to explore hardware
> acceleration options for Java JCE, and I've heard rumblings of great
> performance gains using PCI cards such as Eracom's ProtectServer line. The
> line I was sold was "all you do is point your VM at the new JCE provider in
> your java.security - it's just that easy."

It's something you can get working, but it's definitely not a fully portable solution. Windows and Solaris tend to be very well supported, Linux definitely less so. Of course, check with the company, but also be prepared for clueless marketing reps and a lot of half-true information. It's definitely not something you just drop in unless you do your homework first.

Also, it's normally the case that the hardware alone will not give you Java support. You need a JCE that can talk to your card. Sometimes the hardware company can sell you one, plus there are other companies like Phaos that support PKCS11. But that's usually a $2000+ investment + maintenance on top of the card.

What you'll tend to find is Linux is well-supported for OpenSSL engine use, but not for PKCS11. So I eventually felt that if I wanted a decent amount of flexibility for myself, the OpenSSL route was less of a lock-in. I figure I can run on Windows with Java 1.5 and the PKCS11 support there, and use the OpenSSL bridge on Linux, and keep my software costs at zero. Feel free to let me know how it goes.

We're in the process of growing our install base for Shibboleth and eventually campuses are going to run up against the need to scale the signing operations, so we're collecting possible solutions we can document for people.

-- Scott
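The "point your VM at the JCE provider" step the thread refers to, as an added example that is not part of the original message and not any vendor's code: it loads the Java 1.5 SunPKCS11 provider from a config file, signs with a key that stays on the token, and checks which provider actually did the signing. The config path, the vendor library path, the HSM_PIN environment variable and the key alias are assumptions.

```java
// Assumed config file /etc/pki/hsm/sunpkcs11.cfg (library path is a placeholder):
//   name = VendorCard
//   library = /usr/lib/libvendor-pkcs11.so
//   slot = 0
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Enumeration;

public class HsmSign {
    public static void main(String[] args) throws Exception {
        // Java 1.5 through 8 construct the provider from a config file; adding it here is
        // equivalent to a security.provider.N= line in java.security, but keeps the choice
        // per application. (Java 9+ uses Security.getProvider("SunPKCS11").configure(path).)
        Provider p = new sun.security.pkcs11.SunPKCS11("/etc/pki/hsm/sunpkcs11.cfg");
        Security.addProvider(p);

        // Token PIN read from the environment (assumption); do not hard-code it.
        char[] pin = System.getenv("HSM_PIN").toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);   // PKCS11 keystores take no stream; the PIN logs in to the token

        String alias = args.length > 0 ? args[0] : firstKeyAlias(ks);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null); // a handle; key never leaves the card
        Certificate cert = ks.getCertificate(alias);

        byte[] msg = "constructed sample message".getBytes("UTF-8");
        // Request the algorithm from the PKCS11 provider explicitly so a software RSA
        // provider cannot be picked silently.
        Signature s = Signature.getInstance("SHA1withRSA", p);
        s.initSign(key);
        s.update(msg);
        byte[] sig = s.sign();

        // Verify with the public half to confirm the card signed what we think it signed.
        Signature v = Signature.getInstance("SHA1withRSA");
        v.initVerify(cert.getPublicKey());
        v.update(msg);
        System.out.println("signed by provider " + s.getProvider().getName()
                + ", verified=" + v.verify(sig));
    }

    static String firstKeyAlias(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            if (ks.isKeyEntry(a)) return a;
        }
        throw new IllegalStateException("no private key on token");
    }
}
```

The printed provider name is the check worth keeping: if it is not the PKCS11 provider, the JVM has fallen back to software RSA and the card is not being used at all.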