JSS 4.5 Support for PKCS11 KeyStore
From Dogtag
Overview
In order to run Tomcat 8.5+ with SSL server certificate and key stored in HSM, the Tomcat HTTP NIO connector needs to be configured with PKCS #11 keystore using JSS as keystore provider.