changes to the installed image JDK / JRE brings run-time images that consist of directories, including -
conf - contains .properties, .policy and other types of files intended for editing by developers, developers and end users. These files were previously located in the lib directory or its subdirectories.
The java.security file in JDK9 (located under .../Home/conf/security ) lists the SunPKCS11 provider among the default list of providers.
security.provider.13=SunPKCS11
# The SunPKCS11 configuration in the reference guide contains information on how to add a provider that is present in the jdk.crypto.cryptoki JDK module.
So, ideally, there should be no need to configure the path to the sunpkcs11 provider in Java9.
Addendum and an example of how providers are combined into modules, to it from JEP 220: Modular runtime images
Security policy files and other uses of the CodeSource API can use jrt URLs to refer to specific modules in order to grant permissions. Now you can identify the cryptography provider with an elliptic curve, for example, at the jrt URL
jrt:/jdk.crypto.ec
Other modules that are currently granted all permissions, but do not actually require them, may be trivially de-privileged, i.e. exactly the permissions they require.