Technical Note on PKCS#11
Contents
1. PDF Tools AG Premium PDF Technology Technical Note on PKCS 11 Version 2 0 Page 14 of 17 July 7 2015 3 The trust chain of all signing certificates is available a Get the certificate s ISSUER b Verify that a certificate of that name exists c Proceed with 3a until the root certificate where the certificate s issuer is the certificate itself 4 All your trusted certificates are available necessary for signature validation only 4 2 pkcs11 tool There is another cryptographic toolset available for Linux opensc http vww opensc project org opensc opensc comes ready to use with several Linux distributions If this is not the case for a particular platform you have the option to make the binaries from the source distribution kit The tool of interest for our purposes is pkcs11 tool Usage For a quick introduction have a look at the usage listing of pkcs11 tool Usage pkcs11 tool OPTIONS Options show info I Show global token information list slots L List slots available on the token list mechanisms M List mechanisms supported by the token list objects 0 Show objects on token sign S Sign some data hash h Hash some data mechanism m lt arg gt Specify mechanism use M for a list of supported mechanisms login 1 Log into the token first not needed when using pin pin p lt arg gt Supply User PIN on the command line if used in scripts careful so pin2. TOOLS COM Premium PDF Technology Technical Note on PKCS 11 Version 2 0 Background Setup Configuration Trouble Shooting Contact pdfsupport pdf tools com Owner PDF Tools AG Kasernenstrasse 1 8184 Bachenb lach Switzerland http www pdf tools com Copyright 2000 2015 Technical Note on PKCS 11 Version 2 0 Page 2 of 17 July 7 2015 1 Contents Contents Introduction 2 1 Interoperability Support 1 EKEKSKEEEKERRKEREKEESREEEEERKEREKEEENEEEEERRREREKEEENEEEEERRREERKEEENEEEEERRRREEKEEEEEEEER REN 4 2 2 Terms and definitions cccccccccececeecccnee eee eeeeeeeecceeeeeeeeeeeeeccceeeeeeeeesseccceeeeeeeeeeeeeciieeeeeeeeetee 4 2 3 Abbreviations JEDDDDDEDE ttt ttt ttttEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE 5 2 4 PKCS 11 Object Gtruchure cccccccceceee cece eee eeeceeeeeeeeeeeeeecaaeeeeeeeeeseeccaeeeeeeeeeeseensieeeeeeeettee 5 Te Ge 5 Private K p uran 5 Une TTT 6 le 6 Test Centificate TEE 6 3 Installation Instructions 7 3 1 USB Token or Smart Card e g SuisselD sssnssennnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nn 7 WAAI aan 7 ERT TEE 7 Certificate Installation and Management 7 Use of the DeViCG isis cicacasxssce rece Heeres ren 7 Provider Configuration for 3 HeightS Products 7 3 2 HSM e g SafeNet Luna or Protect Genver nenn 8 HSM Installation eenneneeeeeeeeeeeeeeeeeeeeetittttttttttttt ttnt a stt t EErEE EEA AtEEEEEEEEENSEEEEEEEEEEEAE EEE EEEE n nnne enee
3. lt arg gt Supply SO PIN on the command line if used in scripts careful init token Initialize the token its label and its SO PIN use with label and so pin init pin Initialize the User PIN use with pin change pin c Change your User PIN keypairgen k Key pair generation key type lt arg gt Specify the type and length of the key to create for example rsa 1024 write object w lt arg gt Write an object key cert to the card read object r Get object s CKA VALUE attribute use with type application id lt arg gt Specify the application id of the data object use with type data type y lt arg gt Specify the type of object e g cert privkey pubkey id d lt arg gt Specify the id of the object label a lt arg gt Specify the label of the object slot lt arg gt Specify number of the slot to use slot label lt arg gt Specify label of the slot to use set id e lt arg gt Set the CKA_ID of an object lt args gt the new CKA_ID attr from lt arg gt Use lt arg gt to create some attributes when writing an object input file i lt arg gt Specify the input file output file o lt arg gt Specify the output file module lt arg gt Specify the module to load test t Test best used with the login or pin option PDF Tools AG Premium PDF Technology Technical Note on PKCS 11 Version 2 0 Page 15 of 17 July 7 2015 moz cert z lt arg gt T
4. 8 Client Installation ccceccccceeeeeeeeeeeeeeccneeeeeeeeeeeeecaaaeeeeeeeeeceeeaaaeeeeeeeeeseecccaeeeeeeesesteesssieeeeeess 8 Certificate Installation and Management 8 Provider Configuration for 3 HeightS Products 9 3 3 openCryptoki soft Store on LINUX ees Seene Z ss ERER tars ran ade ter anden 9 EEE e 9 Initial Configuration E 9 Certificate Installation and management 10 Provider Configuration for 3 HeightS Produce 10 3 4 PKCS 11 softtoken on Gate nr nnrennnnrnnnn nn nnnnentrrnnnn nn nnnneennrrrnnnnn 11 Verification of PKCS 11 softtoken rrrrnnrrnnnnnnnrnnrnvrrrnnnnnnnrnnnn nn nnnnnnnnnnnnnnnnnnnnnnnrnnnnnnnnnnn 11 initial Oo 110 81 e E 11 Certificate Installation and management 11 Provider Configuration for 3 Heights Produce 11 4 Tools 12 4 1 cticert Certificate Store Utility for PKCS 11 00 2 2 cece cecece cece eeeeceneeeeeeeeeeeecaaeeeeeeeeeeeeenneeeetees 12 EET Ei N eat 12 USage NN a a a 12 Identify the id Of areltuueueegeeegeeee SrEuEegeecEEKEKESESE ENEE i i E 13 Import a soft certificate PKOSH1Z iriiria nn EE ER 13 Import certificates of the trust chan 13 PDF Tools AG Premium PDF Technology Technical Note on PKCS 11 Version 2 0 Page 3 of 17 July 7 2015 Verify the PKCS 11 object struchre nennen 13 e Ce hee EE 14 GE E 14 impon a Trusted e ue TE 15 Import EE 15 5 Trouble Shooting Tips 16 5 1 Return Values versus Error Codes seision AAE AAE A aAA AEE 16 5 2 Eror C
5. July 7 2015 3 Installation Instructions The following sections describe installation instructions for different types of PKCS 11 devices 3 1 USB Token or Smart Card e g SuisselD Installation In order to use your USB Token you have to install its middleware driver first Make sure you install PKCS 11 support as well Initial Configuration Follow the installation instructions provided with the USB Token Certificate Installation and Management On USB tokens and smart cards it is usually not possible to install or modify certificates On some USB Tokens the certificates of the trust chain are not installed In this case consult the chapter on PKCS 11 cryptographic providers in the user manual of you 3 Heights product There is a section describing the use of PKCS 11 stores with missing issuer certificates Use of the Device On Windows the device must always be used in an interactive session for two reasons First the middleware requires the user to enter the pin interactively to create a qualified electronic signature Second USB tokens and smart cards are managed by Windows such that the device is available only to the user currently using the computer s console So services remotely logged in users and applications running in locked sessions have no access to the device This issue can be overcome by using the 3 Heights Signature Creation and Validation Service which is available from www pdf tools com Pro
6. s g Set the ID of the certificate cmu setAttribute handle XX id 3c62ddcee4267 1f1fae3fdc69 f7d89ffe18326 Set the ID of the private key cmu setAttribute handle XX id 3c62ddcee4267 1f1fae3fdc69 f7d89ffe18326 Import all certificates of the trust chain O PDF Tools AG Premium PDF Technology Technical Note on PKCS 11 Version 2 0 Page 9 of 17 July 7 2015 cmu import inputFile cal cer label CA Certificate XX cmu import inputFile ca2 cer label CA Certificate XX Use the cticert tool to list the contents on your HSM Verify that all certificates of the trust chain have been imported and the private key of your signing certificate can be found The public key is part of the certificate So the separate public key object not needed anymore and may be deleted cmu delete handle XX Provider Configuration for 3 Heights Products The Provider configuration string used in 3 Heights Products should be Provider lt PKCS11Library gt lt slotid gt lt pin gt Where e PKCS11Library Is the PKCS 11 library of your HSM s middleware It is recommended to specify an absolute path to the library o SafeNet Luna The library is typically called cryptoki dll or libCryptoki2_64 so e lt slotid gt Is the id of the slot If you are uncertain about which slotid to use list your slots using cticert e lt pin gt Is your user PIN for the HSM partition 3 3 openCr
7. Technology Technical Note on PKCS 11 Version 2 0 Page 16 of 17 July 7 2015 5 Trouble Shooting Tips With most issues it is a good idea to verify the PKCS 11 Object Structure the cticert tool as described in chapter Verify the PKCS 11 object structure 5 1 Return Values versus Error Codes Many functions in the PDF Tools AG software return a Boolean value e The return value indicates whether the function generally completed successfully or not e The property ErrorCode provides additional information about the result of the previous function call The return value is more important than the error code A function that returns false always indicates an error If the return value is true and in error code is different from 0 the error code describes a warning which does not invalidate the process per se e g applying a digital signature but may still be of importance e g OSCP server not available A complete list of all errors is available as part of the documentation of the software C pdferror h Java NativeLibrary java ERRORCODE NET libpdfNET Pdftools Pdf PDFErrorCode Error messages and possible reasons in relation with HSM are described in the next chapter 5 2 Error Codes and Possible Causes SIG_CREA_E_SESSION 0x8A130101 e PKCS 11 library e g DLL not found specify correct library in provider string Try using an absolute path to the library e The platform of the library is different to the appl
8. d S and Possible Causis Lnr ae AN 16 SIG CREA E SESSION 0x8A130101 rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrsrrsrrrrerssrrsrsrsrssrrrsrsrsseen 16 SIG CREA E STORE 0X8A130102 ann 16 SIG CREA E GERT 0x84130103 anna aaa a a 16 SIG CREA E INVCERT 0x8A13010B cca 17 SIG CREA E OCSP 0x8A130104 SIG_CREA_E_CRL 0x8A130108 SIG CREA E TGb Ox AT20DTOE cece cece eee e eee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeenens 17 SIG CREA E PRIVKEY Ox A 20106 17 O PDF Tools AG Premium PDF Technology Technical Note on PKCS 11 Version 2 0 Page 4 of 17 July 7 2015 2 Introduction PKCS 11 is a widely used standard for providing extensive support in the area of digital signatures including cryptographic algorithms and storage for certificates and keys PDF Tools products rely on the PKCS 11 infrastructure for creating and verifying digital signatures It constitutes the preferred infrastructure when dealing with hardware tokens and hardware security modules HSMs For applications using soft certificates there exist suitable software token implementations such as openCryptoki for Linux or the standard PKCS 11 softtoken on Solaris platforms This how to manual explains how to prepare a PKCS 11 soft token infrastructure for use with PDF Tools products This document acts as a guide to help with the following subjects 1 Prepare a PKCS 11 provider so it can be used with software of PDF Tools AG such as the 3 Heights PDF Secu
9. d to use the tools provided with your cryptographic device When creating objects such as certificates and key material take special care to meet the requirements explained in chapter PKCS 11 Object Structure 4 1 cticert Certificate Store Utility for PKCS 11 For trouble shooting of issues or if your cryptographic device does not come with apt tools the cticert tool is helpful The tool s features include e List slots of a token e List certificates and their properties e Import certificates including their private keys e Export certificates e Delete certificates and other objects Installation The cticert tool can be downloaded from the website of PDF Tools AG e Log in to your personal customer area on www pdf tools com e Goto Utilities useful tools e Download the certificate store utility for PKCS 11 e Extract the archive to an apt installation directory e Run the usage of the tool and verify that its version matches the version of your 3 Heights product you use to create signatures The tool requires no additional installation or a license key Usage The usage of the tool is printed if cticert is executed with no arguments Certificate Store Utility for PKCS 11 Version 4 5 24 1 of Jul 2 2015 Import export and list certificates cticert options options cp prov Provider interface library slot number and pin number cps name str Set provider property bag string di Delete certificate numbe
10. est Mozilla like keypair gen and cert req lt arg gt certfile verbose v Verbose operation Use several times to enable debug output Import a Trusted Certificate You generally want to store the certificates needed for signature creation or validation purposes as trusted in the PKCS 11 store Starting with a basic certificate file you need to convert it into the DER encoding and have it marked as trusted prior to using the pkcs11 tool s certificate import feature openssl x509 trustout lt certificate cer gt trusted cer openssl x5 9 outform DER lt trusted cer gt certificate DER pkcs11 tool module libopencryptoki so y cert w certificate DER label NAME id lt ID gt 1 Tip always specify a label and the correct ID This will permit you to selectively delete or update an entry Import Private Key Unless the private key is already stored in DER formatted file you need to convert it accordingly openssl rsa outform DER out private key DER lt private key pem The DER encoded private key is imported into the store as follows pkcs11 tool module libopencryptoki so y privkey w private key DER label NAME id lt ID gt pin PIN 1 Note that it is important to specify the ID value identical to the ID of the corresponding certificate as this is the relevant criterion for matching the two objects in the store for the purpose of creating signatures PDF Tools AG Premium PDF
11. file is imported which includes the signing certificate the private key and all certificates of the trust chain If you get a cryptic error message you have most likely specified the wrong password for your PKCS 12 file After importing use cticert to list the certificates Verify that all certificates of the trust chain are available If not proceed with importing the missing certificates If importing a certificate fails try to add the following option to the command above cps CRYPTOKI_VERSION 513 This will use PKCS 11 attributes of version 2 01 0x201 513 only By default these attributes are used that a token claims to support But the PKCS 11 version reported by some tokens is not correct Import certificates of the trust chain For certificates of the trust chain or trusted certificates no private key is required Certificates of the trust chain can usually be downloaded from your CA s website Certificates must be available as X 509 files that are either DER or PEM encoded Use the following command to import each certificate of the trust chain cticert cp lt PKCS11Library gt lt slotid gt lt USERPIN gt i lt CERTIFICATE gt Verify the PKCS 11 object structure List all objects of a slot cticert cp lt PKCS11Library gt lt slotid gt lt USERPIN gt l v Verify that 1 All signing certificates are available and valid 2 The signing certificates have a private key
12. hat want to use openCryptoki must belong to the group pkcs11 Start the service rcpkcsslotd start Token configuration The token is configured using the following tool pkcsconf or on some installations pkcsconf Token initilization Initialize the token and use slotid 0 pkcsconf I c Enter the SO PIN Enter a unique token label zlinux64bit The default value of the SO security officer PIN is 87654321 Initialize the user PIN e g to 123456 pkcsconf u c Enter the new user PIN Re enter the new user PIN PINs can be changed SO PIN pkcsconf P c User PIN pkcsconf p c Certificate Installation and management openCryptoki does not comprise the utilities that you need to manage certificates and keys in the PKCS 11 store Certificates can be installed listed and deleted using the tool cticert Refer to the separate chapter on this tool for more information Provider Configuration for 3 Heights Products The Provider configuration string used in 3 Heights Products should be Provider libopencryptoki so lt slotid gt lt user pin gt Where e libopencryptoki so is the PKCS 11 library This assumes that the library is on your library path If not the library should be specified as an absolute path PDF Tools AG Premium PDF Technology Technical Note on PKCS 11 Version 2 0 Page 11 of 17 J
13. ication s 32 bit vs 64 bit specify correct library in provider string e The library does not have a PKCS 11 interface specify correct library in provider string e Initialization of the library failed due to too many applications and or threads access the library concurrently e The slot number is invalid Identify the id of a slot SIG_CREA_E_STORE 0x8A130102 e This error does not occur in combination with PKCS 11 Microsoft CryptAPI only SIG_CREA_E_CERT 0x8A130103 e Certificate not found in the defined slot number Identify the id of a slot and verify your certificate selection parameters using the dedicated chapter in the user manual PDF Tools AG Premium PDF Technology Technical Note on PKCS 11 Version 2 0 Page 17 of 17 July 7 2015 SIG_CREA_E_INVCERT 0x8A13010B The certificate has expired or is not yet valid Obtain a valid signing certificate The certificate s key usage does not allow signature creation Obtain a valid signing certificate The downloaded OCSP response or CRL indicates that the certificate has been revoked Obtain a valid signing certificate SIG_CREA_E_OCSP 0x8A130104 SIG CREA E CRL 0x8A130108 SIG CREA E TSP 0x8A130105 Failed to establish an HTTP connection see requirements Check your HTTP connection and firewall rules see dedicated chapter in user manual The server of the issuer is not available Verify the servers are a
14. ll available The response returned is invalid Contact your CA SIG CREA E PRIVKEY 0x8A130106 The private key is not installed in the slot number or does not match the certificate Verify the PKCS 11 object structure Your PIN is incorrect Double check your pin Your certificate has been locked Some devices lock a certificate after a wrong PIN has been entered a number of times Consult your device s user manual for instructions on how to resolve this The signature algorithm of the certificate is unknown Try to set the provider session property MessageDigestAlgorithm to SHA 1 and check your certificate uses RSA keys O PDF Tools AG Premium PDF Technology
15. oken So this might be separate partitions on a HSM PDF Tools AG Premium PDF Technology Technical Note on PKCS 11 Version 2 0 Page 5 of 17 July 7 2015 Alternatively this might be different USB tokens of the same type The slot contains cryptographic objects and protects against unauthorized access PIN A secret number which is required to access the slot on the token 2 3 Abbreviations CA Certification Authority CMS Cryptographic Message Syntax CRL Certificate Revocation List CSP Cryptographic Service Provider HSM Hardware Security Module OCSP Online Certificate Status Protocol PKCS Public Key Cryptography Standards QES Qualified Electronic Signature TSA Time Stamp Authority TSP Time Stamp Protocol PIN Personal Identification Number 2 4 PKCS 11 Object Structure This section describes the objects and their organization within a PKCS 11 store such that they can be used for signature creation and validation by the 3 Heights Product line of PDF Tools AG Certificate For the creation of a signature a valid signing certificate must be installed The certificate shall not be marked as private CKA PRIVATE FALSE The German Federal Network Agency requires the following algorithms and key strengths for qualified digital signatures valid until the year 2017 Hash SHA 256 RSA 2048 Bit We suggest therefore using certificates that meet these requirements Private Key For the creation of a signature a
16. private key is required The key must be associated to the certificate same value for CKA_ID The private key must be marked as private CKA_PRIVATE TRUE to ensure the signature can only be applied in combination with providing a PIN The key must be suitable for signature creation CKA SIGN TRUE The private key is not required for signature validation PDF Tools AG Premium PDF Technology Technical Note on PKCS 11 Version 2 0 Page 6 of 17 July 7 2015 Trust Chain Embedding of the trust chain in the signature requires all certificates of the issuer certificate authority up to and including the root certificate They must be installed in the same slot as the signing certificate itself Certificates must not be marked private CKA_PRIVATE FALSE and the subject attribute CKA_SUBJECT should be set to the certificate s subject For signature validation all certificates in the keystore are regarded as trusted Slot The number of the slot containing the objects must be known It will be required by the signature software Test Certificate A test certificate should be available which can be used to test the signature software While it would be possible to use a simple self signed certificate for testing it is recommended to use a test certificate that is similar to the signing certificate used in production PDF Tools AG Premium PDF Technology Technical Note on PKCS 11 Version 2 0 Page 7 of 17
17. r i i file Import X 509 certificate PEM or DER or PKCS 12 file p passwd Password for PKCS 12 file t Mark imported certificate trusted requires SO login and PKCS 11 version 2 11 or later lb label Set label of imported certificate 1 List all certificates get certificate numbers ls lib List all available slots tokens of interface library List certificates of tokens in combination with 1 c i Clear store 1 expired certificates 2 certificates with private keys PDF Tools AG Premium PDF Technology Technical Note on PKCS 11 Version 2 0 Page 13 of 17 July 7 2015 4 all certificates 8 all token objects certs keys x file cer i Export X 589 certificate number i to file V Verbose mode error codes 8 success 1 invalid provider cannot open input file 2 cannot create output file 3 parameter switch error Identify the id of a slot All slots of a token can be listed as follows cticert ls lt PKCS11Library gt Unfortunately many tokens have slot descriptions that are not useful to identify a particular slot Therefore the cticert can list all slots and all their certificates cticert ls lt PKCS11Library gt 1 Import a soft certificate PKCS 12 A soft certificate can be imported using the following command cticert cp lt PKCS11Library gt lt slotid gt lt USERPIN gt i lt PKCS12FILE gt p lt PKCS12PASSWORD gt All content of the
18. rity or the 3 Heights PDF to PDF A Converter Some useful tools for working with a PKCS 11 provider are described In case an issue occurs during the installation configuration or in production there is a trouble shooting guide 2 1 Interoperability Support The following cryptographic token interface PKCS 11 products have been successfully tested e SafeNet Protect Server e SafeNet Luna e SafeNetAuthentication Client e IBM OpenCrypTokl e CryptoVision e Siemens CardOS e Gemalto IDBridge CT30 and others The PKCS 11 interface is a widely used standard and an interface offered by most cryptographic devices As a result cryptographic devices not contained in the list above are likely to work as well 2 2 Terms and definitions Signature Cryptographic procedure to ensure the integrity and or authenticity of a document The signature is embedded in the PDF document in the form of a CMS PKCS 7 message Certificate A certificate is an electronic confirmation of the identity of a natural or legal person Key The certificate contains a public key for the validation of the signature The public key must match a private key which is used for the creation of the signature Token The token is a logical view of a cryptographic device defined by the PKCS 11 library All devices slots managed by the same PKCS 11 library are part of the same token Note that this is not the same as an USB token Slot A plug in position inside a t
19. uly 7 2015 e lt slotid gt Is the id of the slot you have created If you are uncertain about which slotid to use list your slots using cticert e lt user pin gt Is your user PIN for the slot 3 4 PKCS 11 softtoken on Solaris Verification of PKCS 11 softtoken The PKCS 11 soft token comes pre installed on Solaris platforms Use the following commands to verify proper functioning and availability of the documentation man pkcs11_softtoken man pktool pktool help pktool tokens Initial Configuration Initialize the ibpkcs11 provider s password with pktool pktool setpin Certificate Installation and management Certificates can be installed listed and deleted using the tool cticert Refer to the separate chapter on this tool for more information Provider Configuration for 3 Heights Products The Provider configuration string used in 3 Heights Products should be Provider libpkcs11 so lt slotid gt lt pin gt Where e libpkcsi1 so is the PKCS 11 library for the Solaris softtoken e lt slotid gt Is the id of your slot If you are uncertain about which slotid to use you can list your slots using cticert e lt pin gt Is your pin for the slot PDF Tools AG Premium PDF Technology Technical Note on PKCS 11 Version 2 0 Page 12 of 17 July 7 2015 4 Tools For management tasks of your tokens and the objects contained therein it is recommende
20. uter as where the signature software is used The client software also installs a DLL for the PKCS 11 interface The name of the library e g cryptoki dll and the path on the file system must be known for the configuration of the signature software Certificate Installation and Management The steps below describe the setup of a SafeNet Luna SA using the CMU tool Even if your HSM does not support the CMU tool you can follow the same steps with your HSMs management software Generate a new key pair cmu gen modulusBit 2048 publicExp 65537 sign 1 verify 1 labelPublic Public Key X labelPrivate Private Key X Create a new certificate signing request CSR Use the handles of the newly created keys cmu requestCert privatehandle XXX publichandle XXX C CH OU My Unit 0 My Organization CN My Signing Certificate S outputFile cert req Submit the CSR to your certificate authority CA Download your new certificate and all certificates of the trust chain Import the signing certificate into the keystore cmu import inputFile certificate cer label My Signing Certificate X List all objects and their handles cmu list display handle class label Associate the signing certificate with its private key using the CKA_ D attribute First a unique ID must be chosen For example the certificate s fingerprint is suitable openssl x509 in certificate cer fingerprint noout sed e
21. vider Configuration for 3 Heights Products The Provider configuration string used in 3 Heights Products should be Provider lt PKCS11Library gt lt slotid gt lt pin gt Where e PKCS11Library Is the PKCS 11 library of your USB token s middleware It is recommended to specify an absolute path to the library o SuisselD The library is typically called cvP11 dll or libcvP11 so o Gemato IDBridge CT30 The library is called iidp11 dll and located middleware s installation directory e g C Program Files x86 Buypass Access iidp11 dIl o Other Gemato hardware The library is usually called gclib dill and located in the bin directory of the middleware s installation directory e g XXXX Gemalto Classic Client BIN gclib dll e lt slotid gt Is the id of the slot If you are uncertain about which slotid to use list your slots using cticert e lt pin gt Is your user PIN for the USB Token PDF Tools AG Premium PDF Technology Technical Note on PKCS 11 Version 2 0 Page 8 of 17 July 7 2015 3 2 HSM e g SafeNet Luna or Protect Server HSM Installation The HSM must support the PKCS 11 interface The manual of the manufacturer states if this interface is supported The interface is normally provided in the form of a library DLL on Windows or shared object on Unix systems as part of the client software Client Installation The client software of the HSM must be installed on the same comp
22. yptoki soft store on Linux Installation IBM uses openCryptoki to support its cryptographic hardware You can disregard any platform requirements related to IBM hardware as you are only interested in the software token that comes along as a bundled feature The following links provide extensive information about openCryptoki http www ibm com developerworks linux library S pkcs http sourceforge net projects opencryptoki Please check if your Linux distribution already contains a binary package of openCryptoki If so this is the preferred way to install it on your platform Alternatively you can download the source kit and compile it for your Linux platform For convenient use create a symbolic link in usr lib to the libopencryptoki so shared library as appropriate for the installation location you have chosen Also make sure that the slot daemon sbin pkcsslotd is started at system startup Initial Configuration Make sure to complete the initial configuration using the pkcsconf tool as documented on the IBM web page Note that some of these initial steps might have been executed by your distribution s package manager already PDF Tools AG Premium PDF Technology Technical Note on PKCS 11 Version 2 0 Page 10 of 17 July 7 2015 Execute the setup script sudo pkcs11_startup The script does the following e Create a user group called pkcs11 e Creates the Slot configuration Note that all users t
Download Pdf Manuals
Related Search