Adjusting the openCryptoki configuration file

A preconfigured list of all available tokens that are ready to register to the openCryptoki slot daemon is required before the slot daemon can start. This list is provided by the global configuration file called opencryptoki.conf. Read this topic for information on how to adapt this file according to your installation.

Table 1 lists the libraries that can be present after a successful installation of openCryptoki. The actual set varies between distributions and depends on the installed packages.

Also, Linux™ on Z does not support the Trusted Platform Module (TPM) token library.

A token is only available if its token library is installed and the software and hardware that the token's stack requires are also in place. For example, the EP11 token is only available if all parts of the EP11 library software are installed and a Crypto Express EP11 coprocessor is detected.

A token need not be available even if the corresponding token library is installed. Display the list of available tokens by using the command:
$ pkcsconf -t
Table 1. openCryptoki libraries

The table lists the libraries in the first column and holds an explanation in the second column.

Library                                            Explanation
/usr/lib64/opencryptoki/libopencryptoki.so         openCryptoki base library
/usr/lib64/opencryptoki/stdll/libpkcs11_ica.so     libica token library
/usr/lib64/opencryptoki/stdll/libpkcs11_sw.so      software token library
/usr/lib64/opencryptoki/stdll/libpkcs11_tpm.so     TPM token library
/usr/lib64/opencryptoki/stdll/libpkcs11_cca.so     CCA token library
/usr/lib64/opencryptoki/stdll/libpkcs11_ep11.so    EP11 token library
/usr/lib64/opencryptoki/stdll/libpkcs11_icsf.so    ICSF token library

The /etc/opencryptoki/opencryptoki.conf file must exist and it must contain an entry for each instance of an EP11 token to make these instances available. By default, one such entry is available upon installation (see the slot 4 entry in the provided sample configuration from Figure 1).

Figure 1. Default opencryptoki.conf
version opencryptoki-3.15

# The following defaults are defined:
#       hwversion = "0.0"
#       firmwareversion = "0.0"
#       description = Linux
#       manufacturer = IBM
#
# The slot definitions below may be overridden and/or customized.
# For example:
#       slot 0
#       {
#          stdll = libpkcs11_cca.so
#          description = "OCK CCA Token"
#          manufacturer = "MyCompany Inc."
#          hwversion = "2.32"
#          firmwareversion = "1.0"
#       }
# See man(5) opencryptoki.conf for further information.
#
slot 0
{
   stdll = libpkcs11_tpm.so
}

slot 1
{
   stdll = libpkcs11_ica.so
}

slot 2
{
   stdll = libpkcs11_cca.so
}

slot 3
{
   stdll = libpkcs11_sw.so
}

slot 4
{
   stdll = libpkcs11_ep11.so
   confname = ep11tok.conf
}
Note:
  • The standard path for slot token dynamic link libraries (STDLLs) is: /usr/lib64/opencryptoki/stdll/.
  • The standard path for the token-specific EP11 token configuration file (in our example, ep11tok.conf) is /etc/opencryptoki/. You can change this path by using the OCK_EP11_TOKEN_DIR environment variable. For more information, read Defining an EP11 token-specific configuration file.
  • You can use the default opencryptoki.conf file only for a single EP11 token. If you want to use multiple EP11 tokens, read the information in Adding EP11 tokens to openCryptoki.
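Before starting the slot daemon it is worth checking that every slot in opencryptoki.conf points at a STDLL that is actually installed, because a slot whose library is missing (or, on Linux on Z, the TPM library) cannot be brought up. The following script is an added example, not part of openCryptoki or of this documentation: it parses the slot blocks of the file format shown in Figure 1, rejects duplicate slot numbers, and reports slots whose stdll is absent from the STDLL directory or unsupported on Linux on Z. The sample configuration and the set of installed libraries are constructed for the example; the parser's handling of the format (comments, quoted values, `{` on its own line or on the slot line) is an assumption and not a substitute for man(5) opencryptoki.conf.

```python
import os
import re

# Constructed sample equivalent to the Figure 1 default opencryptoki.conf.
SAMPLE_CONF = """\
version opencryptoki-3.15

# The slot definitions below may be overridden and/or customized.
# See man(5) opencryptoki.conf for further information.
slot 0
{
   stdll = libpkcs11_tpm.so
}

slot 1
{
   stdll = libpkcs11_ica.so
}

slot 2
{
   stdll = libpkcs11_cca.so
}

slot 3
{
   stdll = libpkcs11_sw.so
}

slot 4
{
   stdll = libpkcs11_ep11.so
   confname = ep11tok.conf
}
"""

STDLL_DIR = "/usr/lib64/opencryptoki/stdll"   # standard STDLL path
UNSUPPORTED_ON_Z = {"libpkcs11_tpm.so"}       # Linux on Z has no TPM token support

# Constructed view of an installation on which the TPM STDLL is not present.
INSTALLED_EXAMPLE = {"libpkcs11_ica.so", "libpkcs11_sw.so",
                     "libpkcs11_cca.so", "libpkcs11_ep11.so"}

_SLOT_RE = re.compile(r"^slot\s+(\d+)\s*(\{)?\s*$")


def parse_opencryptoki_conf(text):
    """Parse the slot blocks of an opencryptoki.conf.

    Returns (version, {slot_number: {key: value}}). A slot number defined
    twice raises ValueError, since it would be ambiguous which token
    pkcsslotd should register in that slot. Comments are stripped at the
    first '#' (assumed: values do not contain '#'); quotes around values
    are removed.
    """
    version = None
    slots = {}
    current = None      # slot number whose block is being read
    in_block = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if in_block:
            if line == "}":
                in_block, current = False, None
                continue
            if "=" not in line:
                raise ValueError(f"line {lineno}: expected 'key = value', got {line!r}")
            key, value = (part.strip() for part in line.split("=", 1))
            slots[current][key] = value.strip('"')
            continue
        if line.startswith("version"):
            parts = line.split(None, 1)
            version = parts[1] if len(parts) > 1 else None
            continue
        if line == "{" and current is not None:
            in_block = True
            continue
        m = _SLOT_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unexpected text outside a slot block: {line!r}")
        if current is not None:
            raise ValueError(f"line {lineno}: slot {current} has no '{{ ... }}' body")
        num = int(m.group(1))
        if num in slots:
            raise ValueError(f"line {lineno}: slot {num} defined twice")
        slots[num] = {}
        current = num
        in_block = m.group(2) is not None   # '{' may follow on the same line
    if in_block:
        raise ValueError("unterminated slot block")
    return version, slots


def check_slots(slots, installed_libs):
    """Return (slot, message) pairs for slots pkcsslotd could not bring up."""
    findings = []
    for num, entry in sorted(slots.items()):
        stdll = entry.get("stdll")
        if stdll is None:
            findings.append((num, "no stdll entry"))
            continue
        if stdll in UNSUPPORTED_ON_Z:
            findings.append((num, f"{stdll} is not supported on Linux on Z"))
        if stdll not in installed_libs:
            findings.append((num, f"{stdll} not found in {STDLL_DIR}"))
    return findings


def installed_stdlls(stdll_dir=STDLL_DIR):
    """File names in the real STDLL directory (empty set if it does not exist)."""
    try:
        return set(os.listdir(stdll_dir))
    except FileNotFoundError:
        return set()


if __name__ == "__main__":
    version, slots = parse_opencryptoki_conf(SAMPLE_CONF)
    print(f"config version {version}, {len(slots)} slots")
    for num, msg in check_slots(slots, INSTALLED_EXAMPLE):
        print(f"slot {num}: {msg}")
```

On a real system, replace `INSTALLED_EXAMPLE` with `installed_stdlls()` and read `/etc/opencryptoki/opencryptoki.conf` instead of `SAMPLE_CONF`; with the constructed input, the run reports only slot 0, once because the TPM library is unsupported on Linux on Z and once because it is not installed.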
Use one of the following commands to start the slot daemon, which reads the configuration information and sets up the tokens:
$ service pkcsslotd start
$ systemctl start pkcsslotd.service    (for Linux distributions providing systemd)
To have the slot daemon start automatically at every boot, specify:
$ chkconfig pkcsslotd on