Adjusting the openCryptoki configuration file
Before the openCryptoki slot daemon (pkcsslotd) can start, it needs a preconfigured list of all available tokens that are to be registered with it. This list is provided by the global configuration file opencryptoki.conf. Read this topic for information on how to adapt this file to your installation.
Note that Linux™ on Z does not support the Trusted Platform Module (TPM) token library, although the shipped sample configuration still lists it in slot 0.

A token is only available if its token library is installed and the software and hardware that the token's stack depends on are also present. For example, the EP11 token is only available if all parts of the EP11 library software are installed and a Crypto Express EP11 coprocessor is detected. To list the tokens that the running slot daemon currently offers, run:

$ pkcsconf -t

The libraries involved are:
| Library | Explanation |
|---|---|
| /usr/lib64/opencryptoki/libopencryptoki.so | openCryptoki base library |
| /usr/lib64/opencryptoki/stdll/libpkcs11_ica.so | libica token library |
| /usr/lib64/opencryptoki/stdll/libpkcs11_sw.so | software token library |
| /usr/lib64/opencryptoki/stdll/libpkcs11_tpm.so | TPM token library |
| /usr/lib64/opencryptoki/stdll/libpkcs11_cca.so | CCA token library |
| /usr/lib64/opencryptoki/stdll/libpkcs11_ep11.so | EP11 token library |
| /usr/lib64/opencryptoki/stdll/libpkcs11_icsf.so | ICSF token library |
The /etc/opencryptoki/opencryptoki.conf file must exist and must contain an entry for each EP11 token instance that is to be made available. By default, one such entry is present after installation (see the slot 4 entry in the sample configuration shown in Figure 1).

Figure 1. Sample opencryptoki.conf as shipped:
```
version opencryptoki-3.15
# The following defaults are defined:
#       hwversion = "0.0"
#       firmwareversion = "0.0"
#       description = Linux
#       manufacturer = IBM
#
# The slot definitions below may be overridden and/or customized.
# For example:
#       slot 0
#       {
#               stdll = libpkcs11_cca.so
#               description = "OCK CCA Token"
#               manufacturer = "MyCompany Inc."
#               hwversion = "2.32"
#               firmwareversion = "1.0"
#       }
# See man(5) opencryptoki.conf for further information.
#
slot 0
{
        stdll = libpkcs11_tpm.so
}
slot 1
{
        stdll = libpkcs11_ica.so
}
slot 2
{
        stdll = libpkcs11_cca.so
}
slot 3
{
        stdll = libpkcs11_sw.so
}
slot 4
{
        stdll = libpkcs11_ep11.so
        confname = ep11tok.conf
}
```
- The standard path for slot token dynamic link libraries (STDLLs) is /usr/lib64/opencryptoki/stdll/. A bare file name in an stdll entry, as in the sample, refers to that directory.
- The standard path for the token-specific EP11 configuration file (ep11tok.conf in this example) is /etc/opencryptoki/. You can change this path with the OCK_EP11_TOKEN_DIR environment variable. For more information, read Defining an EP11 token-specific configuration file.
- The default opencryptoki.conf supports only a single EP11 token. If you want to use multiple EP11 tokens, read Adding EP11 tokens to openCryptoki.
After you have adjusted the configuration file, start the slot daemon so that it registers the configured tokens. Because the daemon reads the slot list at start-up, restart it after every change to opencryptoki.conf.

$ service pkcsslotd start

On Linux distributions that provide systemd, use instead:

$ systemctl start pkcsslotd.service

To start the daemon automatically at boot time:

$ chkconfig pkcsslotd on

(or, on systemd-based distributions, systemctl enable pkcsslotd.service).
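Before starting pkcsslotd it is worth checking that every slot in opencryptoki.conf actually points at an installed STDLL, since a token whose library is missing (for example libpkcs11_tpm.so on Linux on Z) will not become available. The following shell script is an added example, not part of openCryptoki or this documentation: it parses the `slot N { stdll = ... }` syntax shown in Figure 1, reports slots without an stdll line, slot numbers defined twice, and STDLL files that do not exist, and exits non-zero if anything is wrong. The function names, the sample configurations and the stub `.so` files it creates under a temporary directory are all constructed for the demonstration; the STDLL directory defaults to the standard path from the notes above.

```sh
#!/bin/sh
# Added example (not openCryptoki code): sanity-check an opencryptoki.conf
# before (re)starting pkcsslotd. Understands only the "slot N { stdll = ... }"
# syntax of the sample configuration; comment lines are ignored.

# list_stdlls CONF
# Prints one "slot<TAB>stdll" line per slot definition. A slot that has no
# stdll line is printed with "-" as its library.
list_stdlls() {
    awk '
        function flush() { if (slot != "" && !have) print slot "\t-" }
        /^[ \t]*slot[ \t]+[0-9]+/ { flush(); slot = $2; have = 0 }
        /^[ \t]*stdll[ \t]*=/ {
            sub(/^[ \t]*stdll[ \t]*=[ \t]*/, "")   # keep only the value
            sub(/[ \t]*$/, "")
            gsub(/"/, "")
            print slot "\t" $0
            have = 1
        }
        END { flush() }
    ' "$1"
}

# check_ock_conf CONF [STDLL_DIR]
# Returns 0 if every slot names an stdll that exists (relative names are
# looked up below STDLL_DIR, default: the standard path), 1 if a problem was
# found, 2 if CONF cannot be read. Problems are reported on stderr.
check_ock_conf() {
    conf=$1
    stdll_dir=${2:-/usr/lib64/opencryptoki/stdll}
    rc=0
    seen=" "
    if [ ! -r "$conf" ]; then
        echo "$conf: cannot read configuration file" >&2
        return 2
    fi
    while read -r slot lib; do
        [ -n "$slot" ] || continue
        case "$seen" in
            *" $slot "*) echo "slot $slot: defined more than once" >&2; rc=1 ;;
        esac
        seen="$seen$slot "
        if [ "$lib" = "-" ]; then
            echo "slot $slot: no stdll line" >&2
            rc=1
            continue
        fi
        case "$lib" in
            /*) path=$lib ;;
            *)  path=$stdll_dir/$lib ;;
        esac
        if [ ! -f "$path" ]; then
            echo "slot $slot: STDLL $path not found" >&2
            rc=1
        fi
    done <<EOF
$(list_stdlls "$conf")
EOF
    return $rc
}

# write_sample_tree DIR
# Constructed demo data: two stub STDLL files (no TPM library, as on Linux on
# Z), a configuration that should pass and one that should fail.
write_sample_tree() {
    mkdir -p "$1/stdll"
    : > "$1/stdll/libpkcs11_sw.so"
    : > "$1/stdll/libpkcs11_ep11.so"
    cat > "$1/good.conf" <<'EOF'
version opencryptoki-3.15
# commented-out slots such as the next line must be ignored
#       slot 0
slot 3
{
        stdll = libpkcs11_sw.so
}
slot 4
{
        stdll = libpkcs11_ep11.so
        confname = ep11tok.conf
}
EOF
    cat > "$1/bad.conf" <<'EOF'
slot 0
{
        stdll = libpkcs11_tpm.so
}
slot 4
{
        stdll = libpkcs11_ep11.so
}
slot 4
{
        stdll = libpkcs11_sw.so
}
slot 5
{
        description = "no stdll at all"
}
EOF
}

# Run the check against both constructed configurations.
demo_check() {
    d=$(mktemp -d) || return 1
    write_sample_tree "$d"
    for c in good bad; do
        if check_ock_conf "$d/$c.conf" "$d/stdll"; then
            echo "$c.conf: OK"
        else
            echo "$c.conf: problems found, do not start pkcsslotd with it"
        fi
    done
    rm -rf "$d"
}

demo_check
```

To check a real installation, call `check_ock_conf /etc/opencryptoki/opencryptoki.conf` (the STDLL directory defaults to /usr/lib64/opencryptoki/stdll) before running `systemctl start pkcsslotd.service`. The script deliberately treats a duplicate slot number as an error even though it is just a warning sign: which of the two definitions the daemon would use is not something this page specifies.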