Customizing token access control - pkcstok_admin utility
openCryptoki provides a command line program called pkcstok_admin to enable an administrator to correctly configure user access to the token directories (including the respective token object repositories) in a way that a certain user can access the token directory of one token but not the token directory of another token.
The pkcstok_admin tool is intended to be used by an administrator with root
access only for administrative tasks for tokens and its directories. All tokens to
be managed (even the ones to be created) must have an entry in the openCryptoki configuration file
opencryptoki.conf.
In contrast to the pkcsconf utility that you can use to administrate a token on the PKCS#11 level, the pkcstok_admin utility operates on the file system level.
tokname = <token-name>andusergroup = <group-name>
Use the chown sub-command to change the owner of a token to the specified group. This changes the owner of all directories, files, shared memory segments, and so on, that belong to the token accessible by users of the specified group. When the owner is changed, it is verified that the user or owner of each file is also a member of the token-specific group. If a file was originally created by a user who is not a member of the token-specific group, then the user or owner of the file is changed to root. This prevents that a user who is not member of the token-specific group can still access token-specific files, if that user created that file.
The remove sub-command removes all files and directories of the specified token. Use this sub-command if you want to completely remove a token. Use with care, because it also removes all token objects. You must as well manually remove the corresponding slot definition in the opencryptoki.conf file.
The reset sub-command resets the token to its initial state. This also resets the token’s PINs to the factory default, and removes all token objects. Afterward, the token must be freshly initialized using pkcsconf -I, the SO PIN must be set using pkcsconf -P, and the User PIN must be initialized using pkcsconf -u. Resetting a token can be required if you forgot the SO PIN, or the SO PIN got locked due to too many invalid login attempts.
The following options are available:
- -t, --token <token_name>
- The name of the token to operate on. This option is mandatory.
- -g, --group <group_name>
- The name of the user group owning the token. This option is optional, if omitted, the group pkcs11 is assumed.
- -f, --force
- Do not ask for confirmations. Use with care!
- -h, --help
- Print this help, then exit.
- -v, --version
- Print version information, then exit.
- -V, --verbose
- Print verbose messages.