About the keystore provider framework

DataStax Enterprise database uses Java Cryptography API to implement SSL providers.

cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:
Package installations /etc/dse/cassandra/cassandra.yaml
Tarball installations installation_location/resources/cassandra/conf/cassandra.yaml

DataStax Enterprise (DSE) database uses Java Cryptography API to implement SSL providers. The Java Cryptography API (JCA) is a plug-able architecture that abstracts the actual cryptography implementation from the algorithm requested. To support swapping out different implementations, DSE database uses Cipher.getInstance("AES").

The JCA architecture Provider allows multiple implementations to register using a different service provider interfaces (SPI). The database comes with a PKCS12 provider and supports installation of additional providers, such as PKCS11.

The DSE database server keystore type parameter in cassandra.yaml determines which SPI to use.

For example, the class com.sun.net.ssl.internal.ssl.Provider implements sun.security.ssl.SunJSSE that registers the PKCS12 SPI with the Provider. The sun.security.pkcs12.PKCS12KeyStore class extends java.security.KeyStoreSPI, which is the JCA abstraction of KeyStore. The following shows the implementation:
put("KeyStore.PKCS12","sun.security.pkcs12.PKCS12KeyStore");

Difference between PKCS11 and PKCS12

PKCS 11 and PKCS 12 are part of the RSA Public Key Cryptography Standards for storing private key and certificate information:
  • PKCS12 - Local files
  • PKCS11 - External devices

Both sun.security.pkcs11.SunPKCS11 and sun.security.ssl.SunJSSE providers register implementations for java.security.KeyStoreSPI. PKCS11 registers the sun.security.pkcs11.P11KeyStore. PKCS11 provides more than private key certificate storage.

PKCS11 details

The PKCS11 standard comes with a series of C header files, which are implemented by various hardware providers. For example, lingua franca for hardware is C, so Java has to provide a JCA wrapper for it with JNI. Essentially sun.security.pkcs11.SunPKCS11 is a JNI wrapper that makes calls to the native module (.so, .dll) which implement the PKCS11 C header files.
Tip: See PKCS11 Standard.