Configuring the ICSF token - pkcsicsf utility
Use the pkcsicsf utility to add an ICSF token to openCryptoki or to list available ICSF tokens.
Adding an ICSF token to openCryptoki creates an entry in the opencryptoki.conf file for this token. It also creates a token_name.conf configuration file in the same directory as the opencryptoki.conf file, containing ICSF specific information. This information is read by the ICSF token.
The ICSF token must bind and authenticate to an LDAP server. Several SASL authentication mechanisms (Simple Authentication and Security Layer mechanisms) are supported. You must specify one of these mechanisms when listing the available ICSF tokens or when adding an ICSF token. openCryptoki currently supports adding only one ICSF token.
openCryptoki administrators can either let the LDAP calls use existing LDAP configurations, such as ldap.conf or .ldaprc, for bind and authentication information, or set the bind and authentication information within openCryptoki by using this utility and its options. The information is placed in the token_name.conf file to be used in the LDAP calls. When using simple authentication, the user is prompted for the RACF password when listing or adding a token.
pkcsicsf [-h] [-l|-a token name] [-b BINDDN] [-c client-cert-file] [-C CA-cert-file]
[-k privatekey] [-m mechanism] [-u URI]
Options
- -a token_name
  adds the specified ICSF token to openCryptoki.
- -b bind_name
  specifies the distinguished name to bind when using simple authentication.
- -c client_cert_file
  specifies the client certification file when using SASL authentication.
- -C CA_cert_file
  specifies the certificate authority (CA) certification file when using SASL authentication.
- -k private_key
  specifies the client private key file when using SASL authentication.
- -m auth_mechanism
  specifies the authentication mechanism to use when binding to the LDAP server. Specify either simple or sasl.
- -l
  lists available ICSF tokens.
- -h
  shows usage information for this utility.
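A pre-flight check for a pkcsicsf command line, as an added example that is not part of openCryptoki or of this page's original text. The function name pkcsicsf_preflight is hypothetical. Pairing -b with simple and -c/-C/-k with sasl follows the option descriptions above, and the owner-only rule for the private key file is an assumed local policy.

```shell
#!/bin/sh
# Added example: validates arguments before they are handed to pkcsicsf.
# Only option letters from the synopsis above are accepted.
pkcsicsf_preflight() {
    action= mech= bind= cert= ca= key=
    OPTIND=1
    while getopts 'hla:b:c:C:k:m:u:' opt; do
        case $opt in
            h) return 0 ;;                 # usage request, nothing to validate
            l) action="${action}l" ;;
            a) action="${action}a" ;;
            b) bind=$OPTARG ;;
            c) cert=$OPTARG ;;
            C) ca=$OPTARG ;;
            k) key=$OPTARG ;;
            m) mech=$OPTARG ;;
            u) ;;                          # passed through unchecked
            *) return 2 ;;                 # option not in the synopsis
        esac
    done
    # Listing and adding are alternatives: exactly one of -l / -a.
    case $action in
        l|a) ;;
        *) echo "specify exactly one of -l or -a" >&2; return 1 ;;
    esac
    # A mechanism is mandatory for both actions and is simple or sasl.
    case $mech in
        simple)
            if [ -n "$cert$ca$key" ]; then
                echo "-c/-C/-k are for sasl, not simple" >&2; return 1
            fi ;;
        sasl)
            if [ -n "$bind" ]; then
                echo "-b is for simple, not sasl" >&2; return 1
            fi ;;
        *) echo "-m must be simple or sasl" >&2; return 1 ;;
    esac
    # Assumed local policy: the client private key is accessible by its owner only.
    if [ -n "$key" ]; then
        [ -f "$key" ] || { echo "key file not found: $key" >&2; return 1; }
        case $(ls -ld -- "$key") in
            ????------*) ;;                # no group/other permission bits set
            *) echo "key file is group/world accessible: $key" >&2; return 1 ;;
        esac
    fi
    return 0
}
# Typical use in a wrapper script: pkcsicsf_preflight "$@" && pkcsicsf "$@"
```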