Adding the openCryptoki module to the nss database

Add the openCryptoki module to the nss database and specify it as the default provider. PKCS11 modules in the database are managed by the modutil tool.

  1. Insert a description=<your_slot_name> statement immediately below the stdll=libpkcs11_ica.so line in /etc/opencryptoki.conf. In the example shown below, the name ICA is used.
    
    slot1
    {
    stdll=libpkcs11_ica.so
    description=ICA
    }
    
  2. Add the openCryptoki module (in this scenario, the name used is opencryptoki) to the nss database:
    
    # modutil -dbdir /etc/httpd/nss -add opencryptoki -libfile /usr/lib64/opencryptoki/PKCS11_API.so
    WARNING: Performing this operation while the browser is running could cause
    corruption of your security databases. If the browser is currently running,
    you should exit browser before continuing this operation. Type
    'q <enter>' to abort, or <enter> to continue:
    
    Module "opencryptoki" added to database.
  3. Disable all slots of the openCryptoki module and then enable only the ICA slot:
    
    # modutil -dbdir /etc/httpd/nss -disable opencryptoki
    # modutil -dbdir /etc/httpd/nss -enable opencryptoki -slot ICA
    
  4. Set openCryptoki to be the default provider for the required cryptographic mechanisms:
    
    # modutil -dbdir /etc/httpd/nss -default opencryptoki -mechanisms RSA:AES:DES:RANDOM
    WARNING: Performing this operation while the browser is running could cause
    corruption of your security databases. If the browser is currently running,
    you should exit browser before continuing this operation. Type
    'q <enter>' to abort, or <enter> to continue:
    
    Successfully changed defaults. 
  5. List the available cryptographic modules by entering:
    
    # modutil -dbdir /etc/httpd/nss -list
    Listing of PKCS #11 Modules
    -----------------------------------------------------------
      1. NSS Internal PKCS #11 Module
    	 slots: 2 slots attached
    	status: loaded
    
    	 slot: NSS Internal Cryptographic Services
    	token: NSS Generic Crypto Services
    
    	 slot: NSS User Private Key and Certificate Services
    	token: NSS Certificate DB
    
      2. opencryptoki
    	library name: /usr/lib64/opencryptoki/PKCS11_API.so
    	 slots: 2 slots attached
    	status: loaded
    
    	 slot: ICA
    	token: myicatoken
    
    	 slot: Linux
    	token: IBM OS PKCS#11
    ------------------------------------------------------
  6. Display detailed information about the openCryptoki module by entering:
    
    # modutil -dbdir /etc/httpd/nss -list opencryptoki
    -----------------------------------------------------------
    Name: opencryptoki
    Library file: /usr/lib64/opencryptoki/PKCS11_API.so
    Manufacturer: IBM                             
    Description: Meta PKCS11 LIBRARY             
    PKCS #11 Version 2.20
    Library Version: 3.2
    Cipher Enable Flags: None
    Default Mechanism Flags: RSA:DES:AES
      Slot: ICA
      Slot Mechanism Flags: RSA:DES:AES
      Manufacturer: IBM                             
      Type: Software
      Version Number: 0.0
      Firmware Version: 0.0
      Status: Enabled
      Token Name: myicatoken                      
      Token Manufacturer: IBM Corp.                       
      Token Model: IBM ICA         
      Token Serial Number: 123             
      Token Version: 1.0
      Token Firmware Version: 1.0
      Access: NOT Write Protected
      Login Type: Login required
      User Pin: Initialized
    
      Slot: Linux
      Slot Mechanism Flags: RSA:DES:AES
      Manufacturer: IBM                             
      Type: Software
      Version Number: 0.0
      Firmware Version: 0.0
      Status: DISABLED (user disabled)
      Token Name: IBM OS PKCS#11                  
      Token Manufacturer: IBM Corp.                       
      Token Model: IBM SoftTok     
      Token Serial Number: 123             
      Token Version: 1.0
      Token Firmware Version: 1.0
      Access: NOT Write Protected
      Login Type: Login required
      User Pin: NOT Initialized
    ----------------------------------------------------------------
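After step 6, the check worth scripting is that only the intended slot is enabled and that the default mechanisms were actually applied. The POSIX shell functions below are an added example, not code from the original page or from openCryptoki; they parse the output format of modutil -list <module> shown above, and the two sample listings are constructed from that output (the second one models the state before step 3, with both slots enabled).

```shell
# Constructed sample listing: an abbreviated copy of the step 6 output,
# reduced to the fields the checks below inspect.
SAMPLE_LISTING='Name: opencryptoki
Library file: /usr/lib64/opencryptoki/PKCS11_API.so
Default Mechanism Flags: RSA:DES:AES
  Slot: ICA
  Status: Enabled
  Token Name: myicatoken
  Slot: Linux
  Status: DISABLED (user disabled)
  Token Name: IBM OS PKCS#11'

# Constructed counter-example: the state before step 3, both slots enabled.
BOTH_ENABLED_LISTING='Name: opencryptoki
Default Mechanism Flags: RSA:DES:AES
  Slot: ICA
  Status: Enabled
  Slot: Linux
  Status: Enabled'

# enabled_slots LISTING: print the name of every slot whose Status is Enabled.
# A Status line always follows the Slot line it belongs to in modutil output.
enabled_slots() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*Slot:/ {
            sub(/^[[:space:]]*Slot:[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); slot = $0
        }
        /^[[:space:]]*Status:/ { if ($2 == "Enabled") print slot }'
}

# default_mechs LISTING: print the Default Mechanism Flags value (e.g. RSA:DES:AES)
default_mechs() {
    printf '%s\n' "$1" | sed -n 's/^Default Mechanism Flags:[[:space:]]*//p'
}

# check_module_state LISTING WANTED_SLOT: succeed only if WANTED_SLOT is the
# single enabled slot and RSA is among the module's default mechanisms.
check_module_state() {
    listing=$1; wanted=$2
    enabled=$(enabled_slots "$listing")
    if [ "$enabled" != "$wanted" ]; then
        echo "enabled slots: '$enabled', expected only '$wanted'" >&2
        return 1
    fi
    case ":$(default_mechs "$listing"):" in
        *:RSA:*) return 0 ;;
        *) echo "RSA is not a default mechanism of the module" >&2; return 1 ;;
    esac
}
```

Against the live database, run check_module_state "$(modutil -dbdir /etc/httpd/nss -list opencryptoki)" ICA and act on a non-zero exit status.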