Installing openCryptoki
The available tokens are part of the openCryptoki package. The package comes with manual pages (man pages) that describe the usage of the tools and the format of the configuration files. The openCryptoki package in turn is shipped with the Linux® on IBM® Z distributions. Distributions might split this package into several packages so that you can install individual tokens separately.
$ rpm -qa | grep -i opencryptoki     # for RPM
$ dpkg -l | grep -i opencryptoki     # for DEB
In certain distributions, opencryptoki must be specified as openCryptoki (case-sensitive). You should see all installed openCryptoki packages. If required packages are missing, use the installation tool of your Linux distribution to install the appropriate openCryptoki RPM or DEB.
- You can update an installed version of openCryptoki with a package of a newer version. Depending on the tokens to be used, further libraries need to be installed and cryptographic adapters must be enabled. If you previously built openCryptoki from source, you must remove that installation (make uninstall) before you can install a distribution package for a new openCryptoki version.
- Some tokens need a token-specific library to be installed on the system as a prerequisite for usage. These are mentioned for each token in Part 4. Token specifications.
Installing from the RPM or DEB package
The openCryptoki packages are delivered by the distributors. Distributors build these packages as RPM or DEB packages for delivering them to customers.
Customers can install these openCryptoki packages by using the installation tool of their selected distribution.
- If you received openCryptoki as an RPM package, follow the RPM installation process that is described in the RPM Package Manager man page.
- If you received an openCryptoki DEB package, use dpkg, the package manager for Debian, as described in the dpkg man page.
The installation from either an RPM or DEB package is the preferred installation method.
Installing from the source package
As an alternative, for example for development purposes, you can get the latest version (including the latest patches) from the GitHub repository and build it yourself. This version is not serviced. It is suitable for non-production systems and early feature testing, but you should not use it for production.
In this case, refer to the INSTALL file in the top level of the source tree. You can start from the instructions that are provided in the subtopics of this INSTALL file and select from the described alternatives. If you use this installation method in parallel with the installation of a package from your distributor, keep both installations isolated from each other.
- Download the latest version of the openCryptoki sources from: https://github.com/opencryptoki/opencryptoki/releases
- Decompress and extract the compressed tape archive (tar.gz file). This creates a new directory with a name like opencryptoki-3.xx.x.
- Change to that directory and issue the following scripts and commands:
$ ./bootstrap.sh
$ ./configure
$ make
$ make install
The scripts or commands perform the following functions:
- bootstrap: Initial setup and basic configuration.
- configure: Checks the configuration and builds the makefile. You can specify several options here to override the defaults. For example, not all tokens are built by default. To build the CCA token, specify:
  $ ./configure --enable-ccatok
- make: Compile and link.
- make install: Install the libraries.
Post-installation checks
After a successful installation, perform the following checks:
- Check the default global openCryptoki configuration file shipped with the package (/etc/opencryptoki/opencryptoki.conf). Delete all slot entries for tokens that you do not use. See Adjusting the openCryptoki configuration file.
- If you plan to use one or more CCA tokens or EP11 tokens, check the shipped default configuration files ccatok.conf and ep11tok.conf. Adapt them as required for your environment. Read Defining a CCA token configuration file and Defining an EP11 token configuration file.
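To support the first check above, the following added example (not part of the openCryptoki package or of the original text) lists the slot entries in an openCryptoki configuration file and reports those whose stdll token library is not among the libraries you name. The function names and the sample configuration are constructed for illustration, and the slot/stdll layout is assumed to match your shipped opencryptoki.conf.

```shell
#!/bin/sh
# Added example: report slot entries whose token library you do not use.

# write_sample_conf FILE: constructed sample input, not a shipped default.
write_sample_conf() {
    cat > "$1" <<'EOF'
version opencryptoki-3.xx
# constructed sample for this example
slot 1
{
stdll = libpkcs11_ica.so
}
slot 2
{
stdll = libpkcs11_cca.so
}
slot 3 {
  stdll = libpkcs11_sw.so
}
EOF
}

# list_slots FILE: print "<slot number> <stdll>" for every slot block.
list_slots() {
    awk '
        /^[ \t]*#/ { next }                           # comment line
        /^[ \t]*slot[ \t]+[0-9]+/ { slot = $2; next } # start of a slot block
        /^[ \t]*stdll[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            if (slot != "") print slot, $0
        }
        /[}]/ { slot = "" }                           # end of a slot block
    ' "$1"
}

# unused_slots FILE LIB...: print slots whose stdll is not among LIB...
unused_slots() {
    conf=$1; shift
    list_slots "$conf" | while read -r slot lib; do
        keep=no
        for wanted in "$@"; do
            if [ "$lib" = "$wanted" ]; then keep=yes; fi
        done
        if [ "$keep" = no ]; then echo "slot $slot ($lib)"; fi
    done
}

# Usage: sh script.sh /etc/opencryptoki/opencryptoki.conf libpkcs11_cca.so
[ "$#" -eq 0 ] || unused_slots "$@"
```

The script only reports candidates for removal. Edit the configuration file yourself after reviewing the output.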