Java applications use a provider-based model for cryptographic services. The Java Cryptography Extension (JCE) framework discovers providers at runtime and delegates operations to them. Kron PAM uses the SunPKCS11 built-in provider, which itself requires a vendor-supplied backing library to communicate with the specific hardware. The CryptoServerJCE.jar file extends this capability with Utimaco-specific classes and ensures that the Utimaco u.trust GP HSM is correctly recognised by the JVM.
Copy the JAR to the Kron PAM library directory and set ownership and permissions so that only the pamuser service account can read it. This limits the attack surface in case of a filesystem-level intrusion:
[pamuser@KronPAM_Instance]# cp CryptoServerJCE.jar /pam/kron/lib/CryptoServerJCE.jar
[pamuser@KronPAM_Instance]# chown pamuser:pamuser /pam/kron/lib/CryptoServerJCE.jar
[pamuser@KronPAM_Instance]# chmod 600 /pam/kron/lib/CryptoServerJCE.jar
Verify that the permissions are set correctly before proceeding:
[pamuser@KronPAM_Instance]# ls -ltr /pam/kron/lib/CryptoServerJCE.jar
-rw-------. 1 pamuser pamuser 2637958 2026-05-07 11:21 /pam/kron/lib/CryptoServerJCE.jar
Do not make this file world-readable (for example mode 644): any mode that grants read access to group or other users defeats the restriction. The JCE provider JAR contains code paths that reference HSM credentials. Restricting access to pamuser reduces the risk of credential extraction through classpath inspection or bytecode analysis.
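The copy, chown, chmod and verify steps above as one script, added here as an example and not Kron or Utimaco tooling. It assumes a POSIX shell with ls and awk, takes the source path, destination path and service account as parameters, and refuses to report success when the owner is wrong or the mode is wider than 600.

```shell
#!/bin/sh
# Added example (not Kron PAM or Utimaco code): install the JCE provider JAR
# and fail closed unless ownership and mode match the hardening requirement.

# check_provider_jar FILE OWNER
# Returns 0 when FILE is a regular file owned by OWNER with mode rw------- (600),
# 1 otherwise. Parses `ls -ld` instead of stat(1) so it works on GNU and BSD.
check_provider_jar() {
    file=$1
    owner=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    line=$(ls -ld "$file")
    perm=$(printf '%s\n' "$line" | awk '{print $1}')
    actual_owner=$(printf '%s\n' "$line" | awk '{print $3}')
    case "$perm" in
        # A trailing '.' is only the SELinux context marker; a trailing '+'
        # means an ACL is present, which could widen access, so it is rejected.
        -rw-------|-rw-------.) ;;
        *) echo "bad mode $perm on $file (expected -rw-------)" >&2; return 1 ;;
    esac
    [ "$actual_owner" = "$owner" ] || {
        echo "bad owner $actual_owner on $file (expected $owner)" >&2; return 1; }
    return 0
}

# install_provider_jar SRC DEST OWNER
# Copies SRC to DEST, sets ownership (only possible as root; when run as the
# service account the file is already its own), sets mode 600, then verifies.
install_provider_jar() {
    src=$1
    dest=$2
    owner=$3
    cp "$src" "$dest" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$dest" || return 1
    fi
    chmod 600 "$dest" || return 1
    check_provider_jar "$dest" "$owner"
}
```

Run it as `install_provider_jar CryptoServerJCE.jar /pam/kron/lib/CryptoServerJCE.jar pamuser`; a non-zero exit means the JAR is not yet safe to load.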