Integrating SafeNet Luna PCI 3000 with WSS4J

To speed up WS-Signature operations, I needed to integrate a Luna PCI HSM cryptographic accelerator card with WS-Security, which meant customizing a couple of things in the WSS4J configuration. I will take the Axis2 configuration as the example, but the same applies to CXF, as it also uses WSS4J for WS-Security operations.

First of all, the Luna JSP (Java Service Provider) should be installed, with the Luna JCE and JCA correctly installed in the JRE and file with the appropriate Luna providers in this position:


As I’m using a policy-based WS-Security configuration, I had to modify the policy as follows:

<ramp:RampartConfig xmlns:ramp="">
    <ramp:user>SDE Server</ramp:user>

    <ramp:crypto provider="example.MyMerlin">
        <ramp:property name="">Luna</ramp:property>
        <ramp:property name=""></ramp:property>
        <ramp:property name=""></ramp:property>
    </ramp:crypto>
</ramp:RampartConfig>


Where ramp:user is the alias in the HSM for the signing certificate and example.MyMerlin is as follows:

package example;

import com.chrysalisits.crypto.LunaPrivateKeyRsa;
import com.chrysalisits.crypto.LunaSession;
import com.chrysalisits.crypto.LunaTokenObject;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.components.crypto.CredentialException;
import org.apache.ws.security.components.crypto.Merlin;

import java.io.IOException;
import java.security.PrivateKey;
import java.util.Properties;

/**
 * Created by: jaime
 * 13/02/12
 */
public class MyMerlin extends Merlin {

    // Handle id of the signing private key inside the HSM
    public static final int PRIVATE_KEY_HANDLE = 71;

    public MyMerlin(Properties properties, ClassLoader loader) throws CredentialException, IOException {
        super(properties, loader);
    }

    public MyMerlin(Properties properties) throws CredentialException, IOException {
        super(properties);
    }

    private static Log log = LogFactory.getLog(MyMerlin.class);

    // Ignores alias and password: the key is always loaded from the HSM by its handle
    public PrivateKey getPrivateKey(String alias, String password) throws Exception {
        return new LunaPrivateKeyRsa(new LunaTokenObject(PRIVATE_KEY_HANDLE, LunaSession.GetNewInstance()));
    }
}

The constant PRIVATE_KEY_HANDLE should be set to the handle id of the private key used for signing. The ramp:user set in the first configuration won’t be enough, as the Luna JCA Keystore implementation maps only to the certificate and not the private key. This is not a really clean solution, but for the time being it works.
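
Because the handle is hard-coded and not tied to the ramp:user alias, a startup check that the returned key really belongs to the signing certificate catches a wrong or stale handle before any message is signed. The following is an added example, not code from the original post: KeyHandleCheck and matches are hypothetical names, software RSA keys are constructed in place of the HSM objects, and SHA256withRSA is an assumed algorithm that the HSM's provider would need to support.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;

/** Added example: checks that a private key belongs to a given public key. */
public class KeyHandleCheck {

    /** Signs a random challenge with the private key and verifies it with the public key. */
    static boolean matches(PrivateKey priv, PublicKey pub) throws Exception {
        byte[] challenge = new byte[32];
        new SecureRandom().nextBytes(challenge);

        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(priv);
        signer.update(challenge);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pub);
        verifier.update(challenge);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed software keys stand in for the HSM objects so this runs offline.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair signing = gen.generateKeyPair();   // key pair behind the certificate alias
        KeyPair other = gen.generateKeyPair();     // what a wrong or stale handle would return

        System.out.println("correct handle: " + matches(signing.getPrivate(), signing.getPublic()));
        System.out.println("wrong handle:   " + matches(other.getPrivate(), signing.getPublic()));
        // In the application (assumption, not run here) the inputs would be
        //   the key returned by MyMerlin.getPrivateKey(alias, password), and
        //   the public key of the certificate stored under the ramp:user alias.
    }
}
```

Failing fast when matches returns false keeps a mismatched handle from producing signatures that every receiver rejects.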

You can always get the handle id using Luna software:

cmu list 

You will also need to place calls to:




in the correct places in your app so that your application is logged in to the HSM.

If you have any questions, I’ll be glad to help, as this problem took me more than a week to resolve.

One point worth noting is that the improvement in speed wasn’t as good as I expected. I suppose that is because the work done by Axis2/Rampart to create the WS-Security XML is more than the work needed to create the actual signature.
