Configuring the Support Program

This section describes the utilities and system command used to configure the CCA Cryptographic Coprocessor Support Program software.

csufadmin

Specifies the system-access permissions that are associated with the csufkeys, csufappl, csufclu (Coprocessor Load Utility), csufcnm (Cryptographic Node Management), and csufcni (Cryptographic Node Initialization) utilities.

Default permissions restrict the use of these utilities to the root user and to users in the system group. Use the csufadmin utility to modify these permissions.

csufappl

Specifies the system-access permissions that are associated with the CCA libraries.

The default permissions restrict the use of the CCA libraries to the root user and members of the system group. Use the csufappl utility to permit other groups to use the services furnished by the CCA API.

csufkeys

Creates and identifies the file and directory names of the locations where the cryptographic keys and key lists are stored. The installation program defines, in the AIX object data manager (ODM), the following default directories:
  • AES key-record-list directory: /usr/lpp/csufx.4765/csufkeys/aeslist
  • AES key-storage file: /usr/lpp/csufx.4765/csufkeys/aes.keys
  • DES key-record-list directory: /usr/lpp/csufx.4765/csufkeys/deslist
  • DES key-storage file: /usr/lpp/csufx.4765/csufkeys/des.keys
  • PKA key-record-list directory: /usr/lpp/csufx.4765/csufkeys/pkalist
  • PKA key-storage file: /usr/lpp/csufx.4765/csufkeys/pka.keys

Use the csufkeys utility to change the storage locations.

Note: When you initialize key storage by using the Cryptographic Node Management utility, ensure that you specify the ODM directories that are defined by this utility.

odmget

Verifies key-storage file names with the odmget system command. You can verify the key-storage names used by the CCA Support Program by entering the odmget csufodm command. The four parameter name attributes specify the following values:
  • csuaesds: The file containing the AES key-records
  • csuaesld: The directory containing the AES key-record-list files
  • csudesds: The file containing the DES key-records
  • csudesld: The directory containing the DES key-record-list files
  • csupkads: The file containing the PKA key-records
  • csupkald: The directory containing the PKA key-record-list files

When initializing CCA key-storage with either the CNM utility or with the csnbksi CCA verb, you must use the file names that are returned from the ODM. Use the csufkeys utility to change these file names.

The DES_Key_Record_List, PKA_Key_Record_List, and AES_Key_Record_List verbs produce list files in the /usr/lpp/csufx.4765/csufkeys/deslist, /usr/lpp/csufx.4765/csufkeys/pkalist, and /usr/lpp/csufx.4765/csufkeys/aeslist directories, respectively. These are the default directory names. You can modify the directory names when you install the software.

The list files are created under your ownership if you request the list service. Make sure that the files are created under the group ID required by the installation. This can also be achieved by setting the set-group-ID-on-execution bit on these three directories; see the g+s flag of the chmod command for more information. If this procedure is not followed, errors are returned on key-record-list verbs.
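One way to check the group and set-group-ID requirement on the key-record-list directories, as an added example that is not part of the original documentation. The function names are hypothetical, and the required group is passed in by the caller because it depends on the installation.

```shell
#!/bin/sh
# Added example (not IBM code). Function names are hypothetical.
# Audits key-record-list directories for group ownership and g+s.
# Usage: sh audit_keylists.sh GROUP DIR...

# Print the group owning a directory (4th field of `ls -ld`).
dir_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# check_list_dir DIR GROUP: 0 if DIR exists, belongs to GROUP and has
# the set-group-ID bit; otherwise report each problem and return 1.
check_list_dir() {
    dir=$1; want=$2; rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir"
        return 1
    fi
    have=$(dir_group "$dir")
    if [ "$have" != "$want" ]; then
        echo "GROUP    $dir: group is '$have', expected '$want'"
        rc=1
    fi
    # Without g+s, new list files take the caller's effective group
    # instead of the directory's group.
    if [ ! -g "$dir" ]; then
        echo "NO-SGID  $dir: set-group-ID bit not set (chmod g+s)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK       $dir"
    return "$rc"
}

# audit_list_dirs GROUP DIR...: check every directory, fail if any fails.
audit_list_dirs() {
    group=$1; shift
    failed=0
    for d in "$@"; do
        check_list_dir "$d" "$group" || failed=1
    done
    return "$failed"
}

# Run only when a group and at least one directory are given.
if [ "$#" -ge 2 ]; then
    audit_list_dirs "$@"
fi
```

Pass the three list directories reported by the ODM (the csuaesld, csudesld, and csupkald attributes) as the DIR arguments.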

To assign a default CCA Coprocessor, use the export command to set the environment variable CSU_DEFAULT_ADAPTER to CRP0n, where n = 1, 2, 3, 4, 5, 6, 7, or 8, depending on which installed CCA Coprocessor you want as the default. If this environment variable is not set when the first CCA verb of a process is called, the CCA software uses Coprocessor CRP01 as the default. If this environment variable is set to an invalid value, you will get an error until the environment variable is set to a valid value.