The Load Balancer plugin for Glassfish doesn't work in Apache when using Sun's
PKCS11 crypto device.
ie. Set Apache's httpd.conf to have SSLCryptoDevice pkcs11, and
mod_loadbalancer.so fails to initialize:
[Thu May 24 15:00:46 2007] [notice] Initializing lbplugin BuildId: A692342-271111
[Thu May 24 15:00:51 2007] [alert] ERROR:NSS could not be initialized; The issue
may be missing security DB files under /opt/apache/sec_db_files; Please ensure
that secmod.db, key3.db and cert7.db files are present under
/opt/apache/sec_db_files; Refer documentation for more details; Aborting Plugin
[Thu May 24 15:00:51 2007] [notice] Apache/2.0.55 (Unix) mod_ssl/2.0.55
OpenSSL/0.9.7d configured – resuming normal operations
This works fine when not using the SSLCryptoDevice directive.
ie: when using Apache's builtin SSL engine.
One implication is that its not possible to use the SSL hardware accelerator on
T1000 and T2000 servers, as they require Apache to use the pkcs11
SSLCryptoDevice setting. This is a pretty major drawback for running Glassfish
on these boxes since their SSL engine is pretty poor, hence the builtin SSL
accelerator, which should be used.
Could this (just) be a problem with the NSS database file provided not having
referencs to the pkcs11 device?
The error message is also erroneous as it complains about cert7.db, which I
believe was replaced with cert8.db long ago.