Using Java 17 requires an application server that supports it, such as WildFly 26+.
If installing EJBCA Community Edition on Java 17, the PKCS11CryptoToken does not work due to the access-control boundaries defined by the JDK module system. To overcome the issue and avoid getting exceptions while creating the PKCS#11 token in EJBCA, the Java process that runs the application server is passed the JAVA_OPTS parameter "--add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED"
The following shows an example of adding the JAVA_OPTS parameter to a typical WildFly installation: