Configuration Performance Tuning with Extensions

Tomas Celaya edited this page Dec 29, 2017 · 1 revision

Enabling libnss Support via PKCS11

NSS can be used with PKCS11 to provide a native code interface for encryption functions. The SDK will detect if libnss is installed via PKCS11 and prefer it over the Legion of the Bouncy Castle library if it is available.

To add libnss support to your JVM, you will need to locate libnss on your system. Then you will need to add a configuration file that will be referenced by your JVM. There is documentation on the install process available online, but not much guidance on what to do per distro / operating system.

Below is a list of distros / operating systems and the packages and locations of libnss.

Ubuntu
Debian Package: libnss3
Library Location: /usr/lib/x86_64-linux-gnu

CentOS
Yum Package: nss
Library Location: /usr/lib64

MacOS
Homebrew Package: nss
Library Location: /usr/local/opt/nss/lib

SmartOS
Pkgsrc Package: nss
Library Location: /opt/local/lib/nss

Once you have installed libnss and have located its path, you will need to add a configuration file to your system. The path doesn't matter, but for the example's sake, we will give it a path of /etc/nss.cfg.

The file would have the following contents if you were on Ubuntu:

name = NSS
nssLibraryDirectory = /usr/lib/x86_64-linux-gnu
nssDbMode = noDb
attributes = compatibility

Make sure that the name field is NSS because the SDK will only use the library if that specific name is set. Next, edit the following file: $JAVA_HOME/jre/lib/security/java.security

Find the lines specifying security providers. They should look something like:

security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC

Now, add a line in front of the first provider and make it provider number one, then appropriately increment the other providers:

security.provider.1=sun.security.pkcs11.SunPKCS11 /etc/nss.cfg
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC

Once this is complete, you should now have libnss providing your cryptographic functions.
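To confirm the result, the following added example (not part of the Java Manta SDK or the original page) lists the registered providers and reports which one serves a few sample algorithms. The class name NssProviderCheck and the algorithm list are assumptions; the check relies on SunPKCS11 naming its provider "SunPKCS11-" plus the name value from the configuration file.

```java
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.Mac;

/** Added example: checks that the NSS-backed PKCS11 provider is registered first and in use. */
public class NssProviderCheck {
    // SunPKCS11 names its provider "SunPKCS11-" + the `name` value from the config file.
    static final String EXPECTED = "SunPKCS11-NSS";

    public static void main(String[] args) throws Exception {
        // Print the effective provider order as the JVM loaded it from java.security.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("security.provider.%d = %s%n", i + 1, providers[i].getName());
        }

        // Fail loudly instead of silently falling back to another provider.
        if (Security.getProvider(EXPECTED) == null) {
            System.err.println(EXPECTED + " is not registered: check java.security and the NSS config file");
            System.exit(1);
        }
        if (!providers[0].getName().equals(EXPECTED)) {
            System.err.println(EXPECTED + " is registered but is not provider 1");
            System.exit(1);
        }

        // Sample algorithms chosen for illustration (assumption); list the ones your application uses.
        report("MessageDigest SHA-256", MessageDigest.getInstance("SHA-256").getProvider());
        report("Mac HmacSHA256", Mac.getInstance("HmacSHA256").getProvider());
        report("Cipher AES/CTR/NoPadding", Cipher.getInstance("AES/CTR/NoPadding").getProvider());
    }

    // An algorithm that NSS does not offer is served by the next provider in the list.
    static void report(String what, Provider p) {
        String note = p.getName().equals(EXPECTED) ? "" : "  (not served by NSS)";
        System.out.println(what + " -> " + p.getName() + note);
    }
}
```

Compile and run it with the same JVM whose java.security file you edited. For Cipher and Mac the provider shown is the first one offering the algorithm; the key passed to init() in a real application can still move the operation to a later provider.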

Enabling Native FastMD5 Support

The Java Manta SDK uses Timothy W Macinta's Fast MD5 implementation internally to perform MD5 checksum operations. By default, the SDK uses the pure Java MD5 implementation which is faster than the default JDK implementation for large amounts of data. If the default performance provided by the SDK is insufficient, native MD5 implementation libraries can be loaded via JNI.

To get a native library for your system, download the library and choose the shared object library that is appropriate for your system (hint: they are contained in the ./build/ directory). The easiest way to get up and running is to copy the library to a path that makes sense for your application and provide the path to the library using the com.twmacinta.util.MD5.NATIVE_LIB_FILE system property. For example, on the amd64 architecture running Linux, and assuming the contents have been extracted to /opt/myapp/lib, you would use the following invocation to run your application with native MD5 support:

$ java -Dcom.twmacinta.util.MD5.NATIVE_LIB_FILE=/opt/myapp/lib/arch/linux_amd64/MD5.so -jar /opt/myapp/app.jar

You can also place multiple files in a directory structure and have the FastMD5 library automatically choose the right library for your platform. The details are best described in the FastMD5 Javadocs.
