How to recognize tokens

You can use the pkcsconf -t command to display information about all available tokens. You can check the slot and token information, and the PIN status at any time.

Figure 1 shows excerpts of the output of a pkcsconf -t command. Each token number in the output corresponds to the slot that the token is plugged into. The ICA token is plugged into slot 1, so its information, with the label IBM ICA PKCS #11, appears in section Token #1 Info. Likewise, Figure 1 shows a CCA token in slot 2, a Soft token in slot 3, and an EP11 token in slot 4.

Figure 1. Token information
$ pkcsconf -t 

Token #1 Info:
        Label: IBM ICA PKCS #11
        Manufacturer: IBM
        Model: ICA
        Serial Number:
        Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|
                         USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
        Sessions: 0/[effectively infinite]
        R/W Sessions: [information unavailable]/[effectively infinite]
        PIN Length: 4-8
        Public Memory: [information unavailable]/[information unavailable]
        Private Memory: [information unavailable]/[information unavailable]
        Hardware Version: 0.0
        Firmware Version: 0.0
        Time: 2021081811215500
Token #2 Info:
        Label: ccatok
        Manufacturer: IBM
        Model: CCA
        Serial Number:
        Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|
                         SO_PIN_TO_BE_CHANGED)
        Sessions: 0/[effectively infinite]
        R/W Sessions: [information unavailable]/[effectively infinite]
        PIN Length: 4-8
        ...
Token #3 Info:
        Label: softtok
        ...
Token #4 Info:
        Label: ep11tok
        Manufacturer: IBM
        Model: EP11
        Serial Number: 93AABC7X69330380
        Flags: 0x80004D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|
                         SO_PIN_TO_BE_CHANGED)
        ...
        Hardware Version: 7.28
        Firmware Version: 3.1
        Time: 2021081811215500

The most important information is as follows:

  • The token Label, either the default name or a name that you assigned at the initialization phase. In the example, you see that the default name icatok was replaced by IBM ICA PKCS #11 during the initialization phase. You can initialize a token and change a token label by using the pkcsconf -I command. After the token is initialized, you see the flag TOKEN_INITIALIZED in the output.
  • The Flags provide information about the token initialization status, the PIN status, and features such as RNG (random number generator). They also provide information about requirements, such as LOGIN_REQUIRED, which means that there is at least one mechanism that requires a session log-in to use that cryptographic function.

    The flag USER_PIN_TO_BE_CHANGED indicates that the User PIN must be changed before the token can be used. The flag SO_PIN_TO_BE_CHANGED indicates that the SO PIN must be changed before administration commands can be used.

  • The PIN Length range declared for this token.

For more information about the flags provided in this output, see the description of the CK_TOKEN_INFO structure in PKCS #11 Cryptographic Token Interface Base Specification Version 3.0.
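
The following added example (not part of the original page or of the pkcsconf tool) decodes the hexadecimal Flags value from pkcsconf -t output into the CK_TOKEN_INFO flag names defined by PKCS #11, and lists the PIN-related flags that still need attention for each token. The sample input is constructed from Figure 1; the names decode_flags, audit, and ATTENTION, and the choice of flags in ATTENTION, are assumptions of this example.

```python
import re

# CK_TOKEN_INFO flag bits as defined in the PKCS #11 base specification.
CKF = {
    0x000001: "RNG", 0x000002: "WRITE_PROTECTED",
    0x000004: "LOGIN_REQUIRED", 0x000008: "USER_PIN_INITIALIZED",
    0x000020: "RESTORE_KEY_NOT_NEEDED", 0x000040: "CLOCK_ON_TOKEN",
    0x000100: "PROTECTED_AUTHENTICATION_PATH", 0x000200: "DUAL_CRYPTO_OPERATIONS",
    0x000400: "TOKEN_INITIALIZED", 0x000800: "SECONDARY_AUTHENTICATION",
    0x010000: "USER_PIN_COUNT_LOW", 0x020000: "USER_PIN_FINAL_TRY",
    0x040000: "USER_PIN_LOCKED", 0x080000: "USER_PIN_TO_BE_CHANGED",
    0x100000: "SO_PIN_COUNT_LOW", 0x200000: "SO_PIN_FINAL_TRY",
    0x400000: "SO_PIN_LOCKED", 0x800000: "SO_PIN_TO_BE_CHANGED",
}
# Assumption of this example: flags to resolve before the token goes into use.
ATTENTION = {"USER_PIN_TO_BE_CHANGED", "SO_PIN_TO_BE_CHANGED",
             "USER_PIN_LOCKED", "SO_PIN_LOCKED"}

# Constructed sample input, trimmed from the Figure 1 output.
SAMPLE = """\
Token #1 Info:
        Label: IBM ICA PKCS #11
        Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|
Token #4 Info:
        Label: ep11tok
        Flags: 0x80004D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|
"""

def decode_flags(value):
    """Return the names of all flag bits set in value, lowest bit first."""
    return [name for bit, name in sorted(CKF.items()) if value & bit]

def audit(text):
    """Map token number -> (label, decoded flags, flags needing attention)."""
    report, token, label = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"Token #(\d+) Info:", line):
            token, label = int(m.group(1)), None
        elif m := re.match(r"\s+Label:\s*(.*\S)", line):
            label = m.group(1)
        elif (m := re.match(r"\s+Flags:\s*(0x[0-9A-Fa-f]+)", line)) and token is not None:
            names = decode_flags(int(m.group(1), 16))
            report[token] = (label, names, [n for n in names if n in ATTENTION])
    return report

if __name__ == "__main__":
    for token, (label, names, todo) in audit(SAMPLE).items():
        print(f"Token #{token} {label!r}: {'|'.join(names)}; attention: {todo or 'none'}")
```

Decoding from the hexadecimal value rather than the parenthesized names avoids depending on how the flag list is wrapped across lines.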