If you know that you’re going to be using a PKCS #11, you can enable PKCS #11 support when running setup or manage-profile setup.
  • Run setup or manage-profile setup with the following important arguments:
    Indicates that you want to configure the server to use a PKCS #11 token to access the listener certificate.
    --pkcs11ProviderConfigFile <path>
    Specifies the path to the provider configuration file that tells the JVM how to access the PKCS #11 token.
    --keyStorePasswordFile <path>
    Specifies the path to the file containing the user PIN needed to interact with the PKCS #11 token.
    $ ./setup \
         --no-prompt \
         --noPropertiesFile \
         --acceptLicense \
         --localHostName demo.example.com \
         --ldapPort 1389 \
         --ldapsPort 1636 \
         --httpsPort 1443 \
         --usePKCS11KeyStore \
         --pkcs11ProviderConfigFile config/path/to/provider.conf \
         --keyStorePasswordFile /path/to/pkcs11/user.pin \
         --encryptDataWithPassphraseFromFile config/encryption-settings.pin \
         --baseDN dc=example,dc=com \
         --rootUserDN "cn=Directory Manager" \
         --rootUserPasswordFile config/pre-encoded-root-user-password.txt \
         --instanceName demo-instance \
         --location demo-location
    Ping Identity Directory Server
    Initializing ..... Done
    Configuring Directory Server .....
    Server tools will be configured with a minimal heap size due to limited system memory
    available. If out of memory errors occur, it will be necessary to increase tool memory
    settings in java.properties and run dsjavaproperties for the changes to take effect.
    Configuring Directory Server ..... Done
    Configuring Certificates ..... Done
    Starting Directory Server ..... Done
    Access product documentation from docs/index.html

    If you don't specify any trust store-related properties, then setup automatically generates a trust store populated with just the listener certificate, which works if the token is configured with a self-signed certificate, or if you’re using a certificate signed by an authority that is already included in the JVM’s default trust store.

    However, if you’re using a certificate signed by a private authority, then you likely want to either provide an existing trust store, such as in JKS or PKCS #12 format, or you want to use the --trustedCertificatePEMFile argument to specify the paths to PEM files for any appropriate issuer certificates that you want to include in the trust store.