PKCS#11 and P7M

Similar Messages

• PKC or OKC ???

  What exactly is the difference between PKC and OKC?
  Seems to be a lot of confusion out there. What are the cold hard facts?
  The WLC FAQ says
     "PKC is a feature enabled in Cisco 2006/410x/440x ..."
  The Debug Guide says
     "The WLC only supports OKC..."
  Wireless LAN Controller (WLC) Design and Features FAQ
  http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml
  Q. What is PKC and how does it work with the Wireless LAN Controller (WLC)?
  A. PKC stands for Proactive Key Caching. It was designed as an extension to the 802.11i IEEE standard. PKC is a feature enabled in Cisco 2006/410x/440x Series Controllers which permits properly equipped wireless clients to roam without full re-authentication with an AAA server.
  WLC Debug and Show Commands
  http://www.cisco.com/en/US/partner/products/ps6366/products_tech_note09186a0080b3e118.shtml#pmkid
  PMKID Caching Fails
  Check if the client supports opportunistic key cache (OKC).
  Note: OKC is not the same as proactive key cache (PKC) as specified in 802.11I. The WLC only supports OKC.

  I would like to add to this and perhaps add some insight to your question. I know this thread is a bit old...
  OKC / PKC  are the same thing.
  OKC / PKC-- When a supplicant does its first 802.1X authentication a PMK is created. This PMK is cached on the WLC for all the APs to use on that WLC to negate the need of the supplicant having to do a 802.X auth each time a supplicant roams from AP to AP.
  Example.
  A supplicant and 5 aps. The client roams to the first AP and does a full 802.1X auth. This PMK is then saved on the WLC and is reused for the others APs. The client roams to another AP, the same PMK is used, but a different PTK is generated.
  So you can see the client ever hits the radius server 1 time.
  With autonomous APs there is PMK caching ... Not supported on the WLCs as I understand but will mention anyway.
  Works differently. The supplicant would 802.1X auth to each AP, but it will create a PMKSA (PMKID) for each ap. So should that supplicant roam back to that AP (reassociate) then it would negate the supplicant from having to do a full 802.1X to that specific AP.
  Example.
  A supplicant roams to 5 access points. For the first time when the client roams to each of the 5 APs the client will do a full 802.1X auth. So thats a total of 5 802.1X auths. Should that client roam back to the otehr APS. There is no full 802.1X auth. Because it is cached in the PMKID.
  So you can see the client has to hit the radius server 5 times (atleast once) for each ap.
  OKC/PKC needs to be supported by the client as well. 80211.r is a close reletiave to OKC. I understand Apple will support 802.11r in ios5. The WLC will support 802.11r fully in 7.2 code.
  I hope this helps ...

• Re-Authentication at ACS server happens when a Teklogix Hand Held Roams

  Re-Authentication at ACS server happens when a Teklogix Hand Held roams. The setup is using WPA2 / PKC and instead of the WLC re-authenticating the Hand Held Teklogix Client as it roams, the re-authentication happens at the ACS Server. Is this Normal behaviour. WLC is running 4.0.179.8 code.

  thats an extremely old code... I would prob upgrade t0 the last 4.0 code...
  but if the client supports WPA2 PKC, it should not re-auth the client back to the radius server.

• Encrypt pdf with trusted certificates on acrobat pro xi

  Hi all,
  I'm supporting a user who used to encrypt documents with trusted identities (*.fdf) on Acrobat X.
  Now on Acrobat XI, when trying to encrypt a document, he can't used trusted identities. It seems like Acrobat XI only allow encryption from Digital ID (imported from *.pfx)
  Is this correct? Any way we can encrypt on Acrobat XI with trusted identities?
  Thanks.
  Welly

  Hi Welly,
  A digital ID (a P12 or PFX file) consists of three parts; a Public-Key Certificate, the public key, and the private key. The Public-Key Certificate (PKC) is the textual portion that you see in a certificate viewer and contains stuff like the user's name (aka the Subject), the issuers name, validity dates, serial number. etc. The two keys (public and private) have a symbiotic relationship when what one key locks (encrypts) only the corresponding other key can unlock (decrypt). Either key can be used to lock (encrypt) data, but whichever is used the data has to be unlocked (decrypted) using the other key.
  If the file doesn't contain the private key, but just has the PKC and the public key then that is known as a certificate file. Certificate files can be shared with the world, where as a digital ID file is only for use by one person. A certificate file can be view by anyone, but a digital ID file is either password or PIN protected.
  That said, when it comes to encrypting a PDF file using Certificate Security the file is encrypted using one or more certificate files, and only the certificate file is used. However, during the encryption process Acrobat asks the user to select one of their own digital IDs to use in order to keep from locking them out of the file. In reality Acrobat only want access to the public-key portion of the file for the encryption process, but it asks the user to select their digital ID to start. You can elect not to use your own digital ID and skip to the portion where you select the public key certificate of the recipients, and if you know to do so you can select your own, but when it comes time to get back into the file you have to have the private key to decrypt the file and that means you have to have access to the digital ID file. It doesn't make a lot of sense that you would encrypt the file for yourself and not already have the digital ID loaded.
  As far and certificate files go, they can be shared in either the FDF format, the CER file format, or the P7B file format. The format of the file is just the transport mechanism to distribute the public key.
  Steve

• Signing a Document using Custom PKCS#11 and Hardware Token

  I am using a custom PKCS#11 dynamic library and a hardware token to sign a document in Adobe Acrobat 10. I encountered this error when I used the Standard Text as the Appearance of the Signature.
  Creation of this signature could not be completed. Unknown error Support Information: CDSHandler-657
  If I use a custom appearance, the signing is successful.
  Do I need to set anything else before signing the document? Everything works fine on Adobe Acrobat 11. I am using a Mac OS X 10.9 machine. The same error is encountered in Windows 7.
  Is this a known issue in Adobe Acrobat 10?

  My bad, actually I was not using Adobe SDK. I just loaded my custom PKCS module and tried to sign the document. Have you encountered this error?

• Problem with Sun PKCS#11 Provider and Ativcard smart card.

  Hi,
  I'm trying to make a signature with a smartcard.
  I have no problem signing with my card in applications such as Microsoft Office, Outlook (they probably use CAPICOM or MS CryptoAPI).
  There is only one certificate on my card with non extractable pair of keys.
  When I`m using Java based application I have the following problem:
  I have Java 1.5.0 installed, and according to the reference guide on:
  http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
  I configured "Sun PKCS#11 Provider".
  In file:
  %JAVA_HOME%/lib/security/java.security I inserted the following lines:
  # Configuration for security providers 1..6 omitted
  security.provider.7=sun.security.pkcs11.SunPKCS11 C:/pkcs11.cfg
  In my case (I`m using ActivCard) The file "C:/pkcs11.cfg" contains:
  name = ActivCard
  library = c:\windows\system32\acpkcs211.dll
  After that I try tu use configured provider with keytool.exe from jsdk.
  In cmdline:
  c:\Program Files\Java\jdk1.5.0_06\bin>keytool.exe -keystore NONE -storetype PKCS11 -list
  Enter keystore password:  1111
  Keystore type: PKCS11
  Keystore provider: SunPKCS11-ActivCard
  Your keystore contains 1 entry
  Cinek's dp ID, keyEntry,
  Certificate fingerprint (MD5): 36:19:DD:01:2E:A2:C5:F6:51:44:03:74:14:D5:62:C0
  So till now everything looks ok. Certificate is accessible.
  But when I trying to use jarsigner.exe to sign something:
  c:\Program Files\Java\jdk1.5.0_06\bin>jarsigner.exe -keystore NONE -storetype PKCS11 D:\Applet.jar "Cinek's dp ID"
  Enter Passphrase for keystore: 1111
  jarsigner error: java.lang.NullPointerException
  I`ve got the java.lang.NullPointerException !
  To find reason of the exception I`ve written simple application, which signs a byte array:
  import java.security.KeyStore;
  import java.security.PrivateKey;
  import java.security.PublicKey;
  import java.security.Signature;
  import java.security.cert.Certificate;
  import java.util.Enumeration;
  public class Main {
       public static void main(String[] args) throws Exception {
            PrivateKey privkey = null;
            char[] pin = { '1', '1', '1', '1' };
            KeyStore smartCardKeyStore = KeyStore.getInstance("PKCS11");
            smartCardKeyStore.load(null, pin);
            Enumeration aliasesEnum = smartCardKeyStore.aliases();
            if (aliasesEnum.hasMoreElements()) {
                 String alias = (String) aliasesEnum.nextElement();
                 privkey = (PrivateKey) smartCardKeyStore.getKey(alias, null);
                 byte[] aDocument = new byte[100];
                 Signature signatureAlgorithm = Signature.getInstance("SHA1withRSA");
                 signatureAlgorithm.initSign(privkey);
                 signatureAlgorithm.update(aDocument);
                 byte[] digitalSignature = signatureAlgorithm.sign();
  When I`ve run this application in last line in method signatureAlgorithm.sign() I got:
  Exception in thread "main" java.lang.NullPointerException
       at java.math.BigInteger.modPow(Unknown Source)
       at sun.security.rsa.RSACore.crtCrypt(Unknown Source)
       at sun.security.rsa.RSACore.rsa(Unknown Source)
       at sun.security.rsa.RSASignature.engineSign(Unknown Source)
       at java.security.Signature$Delegate.engineSign(Unknown Source)
       at java.security.Signature.sign(Unknown Source)
       at Main.main(Main.java:31)
  In debug, before this exception variables are:
  alias= "Cinek's dp ID"
  privkey =
  SunPKCS11-ActivCard RSA private key, 1024 bits (id 192168768, token object, not sensitive, extractable)
    modulus:          112271510887039102410124262012976131016781096451891854145879061791454872222254764386718257162446565027910080375427552248069203548913907633164297672417327888344423061606707834842776634133861005271620794248782338105033496749719965719732501903618453514554701005390412127008091861831421936757053019877456102263703
    public exponent:  65537
    private exponent: null
    prime p:          null
    prime q:          null
    prime exponent p: null
    prime exponent q: null
    crt coefficient:  null
  As you can see, private key has extractable attribute set, what is wrong. Attribute is set and key has no values.
  I think that can be the reason of NullPointerException. (Maybe when extractable = true, sign() methods expects key values filled).
  So, I can not sign anything.
  I tryed to add some additional attributes to file "C:/pkcs11.cfg":
  attributes(*,CKO_PRIVATE_KEY,*) = {
    CKA_EXTRACTABLE = false
  but with no effect. Key was still extractable.
  Can you help me to solve this problem?
  PS. I`m using acpkcs211.dll (v3.2.102.0) as an implementation of PKCS#11. (Activcard says that it is PKCS#11 v2.11 implementation)
  PS2. Sorry for my english

  Can I ask you one question?
  Which driver did you specify? I mean the smarcard reader driver or the smartcard itself driver?
  If the second, does it come along with the card? because as far as I know I just got the smart card but no software at all (apart the smartcard reader driver).
  Can you help me out with this?
  thanks in advance,
  Marco

• What is the difference between a pki digital certificate received in pkcs7 format and what iplanet refers to as a pkcs#11 module?

   

  A lot of NSS-related jargon is defined on mozilla.org, including the different PKCS standards:
  http://mozilla.org/docs/jargon.html#PKCS5
  To summarize (and simplify), PKCS #7 is a standard for digital certificates while PKCS #11 is a standard for communicating with cryptographic devices (e.g. SSL hardware accelerators).

• PKCS support in Java, especially PKCS#7 encoding and decoding

  Hi,
  Is there anybody knowing about PKCS support in JDK2 ?
  I'd like to store a signature encoded in PKCS#7 format and read it back and decrypt it.
  As far as I understood there is no such API I can use.
  Thanx in advance
  andras

  hi ,
  my problem that i have signed my file using MD5withRSA algorithm
  i have stored the signature in another file (file signed) and the public key in another file too.
  so a have 3 files: the source file which it was signed, the signature file and the public key file.
  i want to store all this structure in ( only) one file in pkcs#7 format .
  later i wuil verify the signature another time.
  please if you can help me for the storage of the signed file in pkcs7 format ( the java code for storage, if possible)
  thanks

• PKCS#11 driver dll and Java

  Hello!
  I'm trying to use a smartcard to do some signing and this needs to be done using Java. I have read about the SUN PKCS#11 provider and thought that this would work. However as it turns out my card vendor refuses to provide me with a pkcs#11 .dll and without a dll the sun provider won't work. I have although recieved a .lib and a couple of .h files for this specific PKCS#11 implementation. The vendor also has provided me with a windows service to communicate with the card, I have tested this application and it works fine however I need to do this communication with Java, if it is not possible maybe I will have to resort to JNI?
  What I'm courios about is if there is some generic .dll for PKCS#11 operations? The card is a Java Card which has applets conforming to standards. Would it for instance be possible to use a completly different vendors .dll for the operations that I would like to perform.
  I really really need an answer.
  P.S switching card vendor is not an option D.S
  Kind regards
  Henrik Grankvist

  Hi ejp, thank you for answering.
  The problem for me could be a little more easier: I mean, actually my card provider ships the dll, but I would like to cover as many kinds of cards as I can with the application on which I'm working.
  I may use several ways to download the specific dll to the user's PC, but still I should know if I can redistribute this dlls. Is there a way to know which drivers I can redistribute without having licensing problems? Do you know any sort of drivers database on which I could look for?
  Thank you everybody,
  regards.

• Pkcs#11 and smart card reader

  Hi everybody,
  In my applet code
  i'm trying to implement "attached signature" reading keystore from a smartcard.
  I'm using SunPKCS11 provider and infocamere smart card, so i load SunPKCS11.dll for PKCS#11 standard.
  my code is:
  String pkcs11ConfigFile = "c:\\smartcards\\config\\SI_PKCS11.cfg";
  Provider pkcs11Provider = new sun.security.pkcs11.SunPKCS11(pkcs11ConfigFile);
  Security.addProvider(pkcs11Provider);
  where SI_PKCS11.cfg file contains 2 lines like follow:
  name = test
  library = C:\WINNT\system32\SI_PKCS11.dll
  when I try to sign without smart card in the device reader i catch "PKCS#11 not found" exception, while when I try with smart card inside the device the applet stop on loading the provider and it doesn't continue without any errors in java console. Can anyone help me?
  thanks a lot for every answer
  best reagards

  I should add that I am using Windows 7 and my CSS version is 8.3, I can also verify my smart card works for other applications, only thinkvantage CSS 8.3 does not work.

• Eracom CSA 8000 and SUN PKCS#11 API

  I'm trying to use Eracom as a cryptographic accelerator for using with JSSE in establishment of SSL connections. I'm using its software version that I haven't installed the hardware but they both have the same functionalities and both uses PKCS11 as their interface to actual operations. The problem is that I have a token contains many entries includes secret keys, Private keys and certificates. But when I construct a keystore in my program in does not contain any entries. I looked at the log created by Eracom and noticed that it does not log in at all. However some of those entries are public and can be seen with Cryptoki Token Browser a GUI for working with tokens.
  I used that graphical interface and logged in as security officer. Then I generated a RSA keypair with subject set to 'CN=myserver'. I used Derive Key on public key to generate a certificate request and in turn prepared a certificate based on that request and imported that certificate using Create Object option. In this case it works it lists it as an entry and uses it in SSL server.

  You need to use the trustanchors nssModule, read the JavaTM PKCS#11 Reference Guide at --
  http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#Config
  For example, you can write your config file like this --
  name=NSS
  nssSecmodDirectory=path_of_your_dbs
  nssLibraryDirectory=path_of_dll_or_so
  nssModule=trustanchors

• XML Digital Signature and sun PKCS#11

  Hi,
  I am trying to use xmldsig/xmlsec from Java Web Services Developer's Pack to do signing of XML documents. My goal is to use the keys from the card via sunpkcs11 to perform this signature.
  At this stage, i'm able to get the correct key from the card via sun pkcs 11 (J2SE 5) and able to sign some data with it.
  However, when i try to sign a xml document via xmldsig, i get the error which i believe to occur while trying to read the private key from the card as a string, which results in a "not a byte[]" exception.
  At this stage, are there any ways to configure the xmldsig/xmlsec to use the pkcs11 provider?
  I understand that the current implementation of XML Digital signature is using apache XML libraries. Is the source code for the wsdp downloadable from SUN?
  If not, will it be possible to make use of the open-source apache XML jars, set it up for pkcs11 and use it instead?
  Finally, has anyone done what I'm trying to do? Will be glad to know
  Thank u in advance,
  Louis

  Hello
  Did you resolve yout problem, because i have the same when i try to sign message
  String testData = "Hello World";
  p11KeyStore = KeyStore.getInstance("PKCS11");
  p11KeyStore.load(null, new char[] {'1', '2', '3', '4'});
  sig = Signature.getInstance("SHA1withRSA");
  sig.initSign( (PrivateKey) p11KeyStore.getKey(myAlias, null));
  sig.update(testData.getBytes());
  signatureBytes = sig.sign()
  This code fails and i get java.lang.RuntimeException: Not a byte[]
       at sun.security.pkcs11.wrapper.CK_ATTRIBUTE.getBigInteger(CK_ATTRIBUTE.java:168)
       at sun.security.pkcs11.P11Key$P11RSAPrivateKey.fetchValues(P11Key.java:419)

• X.509 and PKCS#11 provider

  Sorry if I'm asking the stupid question, but there is something in JCE PKCS#11 provider architecture that I'm missing.
  Let's say I have some hardware crypto module (e.g. SUN SCA-6000) and want to be sure that all crypto work is done in it. So I would configure PKCS#11 provider as the 1st (highest priority) entry in java.security file (and configure PKCS#11 to use my hardware crypto module).
  Now, let's say I need to work with some X.509 certificate. When I check the supported algorithms of PKCS#11 and SUN providers, it looks like CertificateFactory.X509 algorithm is supported only by SUN provider, and not by PKCS#11 provider.
  http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#ALG
  http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SUNProvider
  So I wonder what does this essentially mean? Does it mean that even though I configured my HCM PKCS#11 provider, some crypto work is still done in other software modules (e.g. SUN provider)? Or may be SUN provider just "decomposes" these "high-level" algorithms to more "primitive" ones (e.g. Signature.SHA1withRSA) and essentially "proxies" all work to whatever provider supports these "primitive" algorithms - i.e. essentially to my HCM PKCS#11 provider?
  Regards,
  Alex

  This is not a stupid question. Any question involving cryptography isn't stupid IMO, and one that includes hardware security modules (HSM) is even less stupid. :-)
  That said, sabre150 has provided some information, and I'll try to add a little more from my experience.
  HSM's are used primarily to perform "raw" cryptographic operations in highly constrained environments for security reasons - the goal is to ensure that symmetric keys (DES, 3DES, AES) or the private-keys of asymmetric key-pairs (RSA, DSA, EC) do not come out of the HSM into the main memory of the computer. This ensure that attackers cannot snoop the secrets from main memory.
  So, the CertificateFactory in JCE is primarily used to do cryptographic operations with the digital certificate; however any operation involving just the digital certificate - and not its corresponding private-key - involves just the public-key in the certificate, the certificate attributes or certificate extensions. Since ALL information in a digital certificate is public information, there is no reason to waste HSM resources to perform X509 operations inside the security module. Not only is there nothing to protect in those operations, but as sabre150 pointed out, some old HSM's may not be able to handle them very well.
  However, some HSM's are not just for security, but they also perform crypto-acceleration. This means that they can speed up raw cryptographic processing, and there is a benefit from having them perform even the public-key operations inside the HSM. However, the PKCS11 libraries will typically send in only the "raw" crypto operation into the HSM, leaving all the certificate-parsing work outside.
  One final point: in order to make sure that you are definitely performing all secret operations inside an HSM, make sure you explicitly name the specific HSM provider for your crypto operations, otherwise the JVM may silently use a software module to perform the operation (if possible) and expose your secret in main memory.
  Hope that helps.

• PKCS#11 Provider unable to fetch asymmetric keys and certificates

  Hi,
  I'm facing a problem while getting keys and certificate from Eracom HSM (ProtectServer Orange:38039 Model: PSO:PL50) using Sun PKCS#11 Provider. It gets only the symmetric keys but NEVER gets the asymmetric keys.
  My code snippet and configuration file are:
       Java Code:
       java.io.InputStream is = new java.io.FileInputStream("pkcs11.cfg");
  sun.security.pkcs11.SunPKCS11 pkcs11_provider = new sun.security.pkcs11.SunPKCS11(is);
  System.out.println("Provider Name : " + pkcs11_provider.getName());
  java.security.Security.addProvider(pkcs11_provider);
  KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11_provider);
  ks.load(null, "password".toCharArray());
  java.util.Enumeration obj_enumeration = ks.aliases();
  while (obj_enumeration.hasMoreElements()) {
  String str_certAlias = (String) obj_enumeration.nextElement();
  System.out.println("Alias : " + str_certAlias);
       pkcs11.cfg:
       name = Eracom
       library = G:\Eracom\cryptoki.dll
       slot = 0
       attributes(*, CKO_PRIVATE_KEY, *) = {
       CKA_TOKEN = false
       CKA_SENSITIVE = false
       CKA_EXTRACTABLE = true
       CKA_DECRYPT = true
       CKA_SIGN = true
       CKA_SIGN_RECOVER = true
       CKA_UNWRAP = true
       attributes(*, CKO_PUBLIC_KEY, *) = {
       CKA_ENCRYPT = true
       CKA_VERIFY = true
       CKA_VERIFY_RECOVER = true
       CKA_WRAP = true
  I also ran my program without specifying any attributes in configuration file, also tried many other combination, but in all cases (with or without attributes) only symmetric keys are loaded from HSM. I am able to get all keys (symmteric and asymmteric) and certificates from the same HSM using IAIK PKCS#11 Provider. Though, the Sun PKCS#11 Provider is working fine with SmartCard tokens (Rainbow, Alladin etc.)
  Any help to resolve my problem would be highly appreciated.
  Thanks in advance.

  I recently had a problem with ECDSA and the PKCS#11 library of nCipher. Here's info from one of their engineers about the PKCS11 library:
  "There are two separate issues - one is that our current pkcs11
  release doesn't support ECDSA signature with SHA-2 hashes
  (the v11.00 firmware adds support for it, but the main release version of
  the pkcs11 library hasn't been updated to take advantage of it yet).
  There is a hotfix version that does support SHA-2 hashes with some
  restrictions, talk to [email protected] for details, and V11.10
  should be out soon and have that merged in.
  But the issue with setting CKA_SIGN is that our underlying HSM API
  allows elliptic curve keys to be either key exchange (ECDH) or
  signature (ECDSA) keys, but not both at one.
  At the PKCS #11 level, if you specify CKA_DERIVE=true and let
  CKA_SIGN default, it will default to false, and vice versa.
  If you specify both CKA_DERIVE=true and CKA_SIGN=true, then we
  return CKR_TEMPLATE_INCONSISTENT because we can't do both with
  the same key. (However, the tests using C_GetMechanismInfo will
  show that we can do both mechanisms, because we can - so long
  as you use different keys, even though they have the same PKCS#11
  type.)
  I can't comment on when or how that will be changed."
  I was using the PKCS#11 library through NSS when I ran into the problem, but I imagine Java would run into similar problems also using the PKCS#11 library. I was able to generate keypairs but not create a CSR (which required making a signature, which required SHA-2).
  Can you just use the java classes to speak to the netHSM? I've never directly written code to do so myself, but I have used Corestreet's OCSP product that uses the java classes to speak to the nCipher HSMs (though not using EC). It might work better than going through the PKCS#11 layer. There should be a java directory under NFAST_HOME that contains some jars.
  Please post back if you figure anything out as I'll probably be playing with this stuff myself soon.
  Dave

• Generating key pair on PKCS#11token and save it there

  Hello,
  again i'm completely lost in this PKCS11 jungle.
  What i want to do:
  Generating key pair on crypto pkcs11 token and store it there.
  In the moment i've tried eg:
  sun.security.pkcs11.SunPKCS11 p = new sun.security.pkcs11.SunPKCS11(configName);
  Security.addProvider(p);
  Builder builder = KeyStore.Builder.newInstance("PKCS11", p, new KeyStore.CallbackHandlerProtection(new UserInputDialog(new JDialog(),"test","test")));
  KeyStore ks = builder.getKeyStore();
  ks.load(null,null);
  KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA", p);
  gen.initialize(1024);
  KeyPair kp = gen.generateKeyPair();
             Here access to token works. The callback PIN dialog comes up and i can login.
  But i'm not sure whether the key are generated on this PKCS11. And they are not stored there.
  How i can generate keys are stored there.
  (like with keytool -genkeys ). In keytool case a certificate is stored.
  ... every little hint, also to some documentation i've not seen, is very welcome ...
  Thank You !
  Regards
  Thomas
  .

  First, you need to get a KeyStore representation of the PKCS#11 token with code similar to this, I'm using NSS as the PKCS#11 token in this example:
  Provider nss = new sun.security.pkcs11.SunPKCS11(configFile);
  Security.insertProviderAt(nss, 1);  //you may not want it at highest priority
  KeyStore ks = KeyStore.getInstance("PKCS11", nss);
  ks.load(null, password);From the testing I've done in the past with various tokens, when you generate an asymmetric keypair (e.g. RSA like you are) specifying the PKCS11 provider, it creates it right on the token automatically and code like below is not needed.
  To store the key in the keystore, use code similar to this, I'm using NSS again and storing a symmetric key:
  KeyGenerator kg = KeyGenerator.getInstance("DESede",nss);
  SecretKey tripleDesKey = kg.generateKey();
  KeyStore.SecretKeyEntry skEntry = new KeyStore.SecretKeyEntry(tripleDesKey);
  ks.setEntry(randAlias, skEntry, new KeyStore.PasswordProtection(password));