This user scenario describes how to set up an openCryptoki Soft token on a server, in this case an IBM z15® system running a Linux® operating system.
Before you begin
The server can be set up on various IBM Z® systems and with various versions of Linux.
For the scenario illustrated here, it is assumed that you have an Ubuntu 21.04 installation on an IBM z15 machine.
Open a Linux command line on the server to set up an openCryptoki Soft token.
Procedure
1. Install the p11-kit package (see Support of IBM-specific mechanisms - p11-kit).
This tool provides a way to load and enumerate PKCS #11 modules and also provides a standard configuration setup for installing PKCS #11 modules in such a way that they are discoverable.
To install the p11-kit package and the p11tool, enter the following command:
# apt install p11-kit p11-kit-modules gnutls-bins
2. Create and edit an opencryptoki.module configuration file at the following path: /etc/pkcs11/modules/opencryptoki.module
Enter the following line into this configuration file:
module: /lib64/opencryptoki/libopencryptoki.so
3. To list the available PKCS #11 modules, enter the following command:
# p11-kit list-modules
You will see output similar to the following:
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
              write-protected
              token-initialized
opencryptoki: /lib64/opencryptoki/libopencryptoki.so
    library-description: openCryptoki
    library-manufacturer: IBM
    library-version: 3.16
    token: soft
        manufacturer: IBM
        model: Soft
        serial-number:
        flags:
              rng
              login-required
              user-pin-initialized
              clock-on-token
              token-initialized
4. To list the available tokens using the p11tool utility, enter the following command:
# p11tool --list-tokens
You will see output similar to the following:
Token 0:
        URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
        Label: System Trust
        Type: Trust module
        Flags: uPIN uninitialized
        Manufacturer: PKCS#11 Kit
        Model: p11-kit-trust
        Serial: 1
        Module: p11-kit-trust.so
Token 1:
        URL: pkcs11:model=Soft;manufacturer=IBM;serial=;token=soft
        Label: soft
        Type: Generic token
        Flags: RNG, Requires login
        Manufacturer: IBM
        Model: Soft
        Serial:
        Module: opencryptoki: /lib64/opencryptoki/libopencryptoki.so
As you can see in the example, the Soft token is now available as Token 1. The URL shown for it is what you use to address this token in the following steps.
5. To start the p11-kit server so that remote clients can access the token, enter the following command:
# p11-kit server --provider /lib64/opencryptoki/libopencryptoki.so "pkcs11:model=Soft;manufacturer=IBM;serial=;token=soft"
As output, you will see the following generated commands:
P11_KIT_SERVER_ADDRESS=unix:path=/run/user/0/p11-kit/pkcs11-1296159; export P11_KIT_SERVER_ADDRESS;
P11_KIT_SERVER_PID=1296160; export P11_KIT_SERVER_PID;
6. To set and export the two environment variables, copy and paste the commands from the output of step 5 into a command line. The socket path and the PID are generated for each server instance, so use the values from your own output rather than the ones shown here:
# P11_KIT_SERVER_ADDRESS=unix:path=/run/user/0/p11-kit/pkcs11-1296159; export P11_KIT_SERVER_ADDRESS;
# P11_KIT_SERVER_PID=1296160; export P11_KIT_SERVER_PID;
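The following POSIX shell script is an added example that automates steps 2, 5 and 6 of the procedure; it is not part of the IBM page or of the p11-kit or openCryptoki projects. Instead of copying the two generated lines by hand, it writes the module file only if the openCryptoki library is actually present, parses the address and PID out of the output of p11-kit server, exports them, and then shows the permissions of the resulting Unix socket so you can confirm that only the intended user (root, for the /run/user/0 path shown above) can reach the token. The library and configuration paths and the token URL are the ones from this page; the function names and the MODULE_LIB and MODULE_CONF overrides are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM page): automate the Soft token / p11-kit
# server setup described above. Paths default to the values used on the page.

MODULE_LIB="${MODULE_LIB:-/lib64/opencryptoki/libopencryptoki.so}"
MODULE_CONF="${MODULE_CONF:-/etc/pkcs11/modules/opencryptoki.module}"
TOKEN_URL="pkcs11:model=Soft;manufacturer=IBM;serial=;token=soft"

# Step 2: write the p11-kit module file. Refuse to point p11-kit at a library
# that does not exist, so a typo in the path is caught before list-modules runs.
write_module_conf() {
    lib="$1"
    conf="$2"
    [ -f "$lib" ] || { echo "missing PKCS #11 library: $lib" >&2; return 1; }
    mkdir -p "$(dirname "$conf")"
    printf 'module: %s\n' "$lib" > "$conf"
}

# Extract the socket address from the two lines that 'p11-kit server' prints
# on stdout (the P11_KIT_SERVER_ADDRESS=...; export ...; line). Reads stdin.
server_address() {
    sed -n 's/^P11_KIT_SERVER_ADDRESS=\([^;]*\);.*/\1/p'
}

# Extract the server PID from the same output. Reads stdin.
server_pid() {
    sed -n 's/^P11_KIT_SERVER_PID=\([0-9]*\);.*/\1/p'
}

# Steps 5 and 6: start the server for the Soft token, export the generated
# variables in this shell, and display the socket's owner and mode.
start_server() {
    out="$(p11-kit server --provider "$MODULE_LIB" "$TOKEN_URL")" || return 1
    P11_KIT_SERVER_ADDRESS="$(printf '%s\n' "$out" | server_address)"
    P11_KIT_SERVER_PID="$(printf '%s\n' "$out" | server_pid)"
    [ -n "$P11_KIT_SERVER_ADDRESS" ] && [ -n "$P11_KIT_SERVER_PID" ] || return 1
    export P11_KIT_SERVER_ADDRESS P11_KIT_SERVER_PID
    # Strip the 'unix:path=' prefix to get the filesystem path of the socket.
    sock="${P11_KIT_SERVER_ADDRESS#unix:path=}"
    echo "p11-kit server pid $P11_KIT_SERVER_PID listening on $sock"
    ls -l "$sock"
}

main() {
    write_module_conf "$MODULE_LIB" "$MODULE_CONF" || exit 1
    p11-kit list-modules
    start_server || exit 1
}

# Run the whole procedure only when invoked as: sh setup-soft-token.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Because the exported variables are only visible in the shell that ran p11-kit server, source the script (`. ./setup-soft-token.sh run`) from the shell in which you later run the remote-access client, or re-export the two values it prints.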