Configuring the openCryptoki ica token

openCryptoki is a PKCS#11 implementation. Using tokens and slots, the PKCS#11 standard unifies the way in which applications access cryptographic objects. The openCryptoki ica token is used to perform clear-key cryptography (where the key exists somewhere in the software stack) by exploiting z Systems® hardware.

The ica token provides access to the cryptographic hardware of z Systems in order to perform cryptographic operations. It exploits z Systems CPACF cryptographic hardware in the CPU (using 3DES/AES/SHA) and in the CEX adapters (using RSA).

To configure the openCryptoki ica token:

  1. Add the users who should be allowed to access the openCryptoki library to the pkcs11 group:
    # usermod -aG pkcs11 root
    # usermod -aG pkcs11 apache
  2. Enable the pkcsslotd daemon (which manages access to the security tokens) so that it starts at boot:
    # systemctl enable pkcsslotd.service
  3. Start the slot daemon:
    # systemctl start pkcsslotd.service
  4. Use the pkcsconf command to locate the slot number of the openCryptoki ica token (slot 1 in this scenario). In the default configuration listing shown below, the ica token is Token #1; your listing will probably differ from this one.
    # pkcsconf -t
    Info:Token #1 Info:
        Label: IBM ICA  PKCS #11
        Manufacturer: IBM Corp.
        Model: IBM ICA
        Serial Number: 123
        Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|
                         SO_PIN_TO_BE_CHANGED)
        Sessions: 0/-2
        R/W Sessions: -1/-2
        PIN Length: 4-8
        Public Memory: 0xFFFFFFFF/0xFFFFFFFF
        Private Memory: 0xFFFFFFFF/0xFFFFFFFF
        Hardware Version: 1.0
        Firmware Version: 1.0
        Time: 14:16:45
    ...
  5. Initialize the ica token in slot 1 (-c 1 below) with the -I option of pkcsconf and set a token label (myicatoken below). The default SO (slot operator or security officer) PIN is 87654321.
    # pkcsconf -I -c 1
    Enter the SO PIN: 87654321
    Enter a unique token label: myicatoken
  6. Change the default SO PIN using the -P option. In the example below, the new PIN is 13243546.
    # pkcsconf -P -c 1
    Enter the SO PIN: 87654321
    Enter the new SO PIN: 13243546
    Re-enter the new SO PIN: 13243546
  7. Initialize the user PIN using the -u option. In the example below, the new user PIN is 25345867.
    # pkcsconf -u -c 1
    Enter the SO PIN: 13243546
    Enter the new user PIN: 25345867
    Re-enter the new user PIN: 25345867
Note: To ensure that the SO has no access to the token, change the user PIN as soon as a user is granted access. To do so, enter:
# pkcsconf -p -c 1
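The following script is an added example, not part of the IBM documentation or of openCryptoki itself. It parses `pkcsconf -t` output to find the slot of the ica token (by its Model field, because step 5 replaces the label) and checks whether the token still carries the USER_PIN_TO_BE_CHANGED or SO_PIN_TO_BE_CHANGED flags shown in step 4, i.e. whether steps 5 to 7 are still outstanding. The listings embedded below are constructed, and the hex flag value in the "after" listing assumes the standard PKCS#11 CKF_* bit values.

```shell
#!/bin/sh
# Added example: locate the ica token's slot in `pkcsconf -t` output and check
# whether its SO/user PINs are still defaults that must be changed.
# Constructed listing (not captured from a real system): the ica token is in
# slot 1 and still carries both *_PIN_TO_BE_CHANGED flags, as in step 4 above.
SAMPLE_BEFORE='Token #0 Info:
    Label: IBM OS PKCS#11
    Model: IBM SoftTok
    Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|
                     SO_PIN_TO_BE_CHANGED)
Token #1 Info:
    Label: IBM ICA  PKCS #11
    Model: IBM ICA
    Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|
                     SO_PIN_TO_BE_CHANGED)'
# Constructed listing after steps 5-7: label set, both PINs changed. The value
# 0x44D = 0x1|0x4|0x8|0x40|0x400 assumes the standard PKCS#11 CKF_* bits.
SAMPLE_AFTER='Token #1 Info:
    Label: myicatoken
    Model: IBM ICA
    Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)'

# Print the slot number of the token whose Model line contains $1 (listing on
# stdin). Matching on Model rather than Label is deliberate: step 5 replaces
# the label, but the model string stays "IBM ICA".
ica_slot_from_listing() {
  awk -v model="$1" '
    /Token #[0-9]+ Info:/ { slot = $0; sub(/.*Token #/, "", slot); sub(/ Info:.*/, "", slot) }
    /Model:/ && index($0, model) > 0 { print slot; exit }'
}

# Print the Flags entry of slot $1 as a single line, joining wrapped
# continuation lines until the closing parenthesis (listing on stdin).
token_flags() {
  awk -v want="$1" '
    /Token #[0-9]+ Info:/ { cur = $0; sub(/.*Token #/, "", cur); sub(/ Info:.*/, "", cur); inflags = 0 }
    cur == want && /Flags:/ { inflags = 1; line = "" }
    inflags { t = $0; sub(/^[ \t]+/, "", t); line = line t
              if (index(t, ")") > 0) { print line; exit } }'
}

# Succeeds (exit 0) when slot $1 still has a PIN flagged as to-be-changed.
pins_need_change() {
  token_flags "$1" | grep -q 'PIN_TO_BE_CHANGED'
}

# Demonstration on the constructed "before" listing; on a live system replace
# the printf with: pkcsconf -t
slot=$(printf '%s\n' "$SAMPLE_BEFORE" | ica_slot_from_listing 'IBM ICA')
if printf '%s\n' "$SAMPLE_BEFORE" | pins_need_change "$slot"; then
  echo "slot $slot: default SO/user PIN still in place, run steps 5-7"
fi
```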