Configuration file

The configuration file is a text file that you can use to initialize the IBMPKCS11Impl provider.

The configuration file contains entries in the following format.
attribute = value
The valid values for attribute and value are described in the table at the end of this section. The two mandatory attributes are name and library. Following is a sample snippet from a configuration file.
name = Accel
library = /opt/foo/lib/libpkcs11.so

Comments are denoted by lines that start with the # (number) symbol.

If you use a configuration file to initialize your IBMPKCS11Impl provider, start with one of the sample files in the archive SamplePKCS11ConfigFiles.zip. This archive contains a sample configuration file for each of the hardware cryptographic cards that are supported by the IBMPKCS11Impl provider, assuming the default configuration of the card. Choose a sample file that matches your card; if your application uses the JSSE API, use a sample file from the jsse folder of the archive. You must then change the file as appropriate for your use. Update the name, library, and slotListIndex attributes in the file to suit your environment and requirements. If you change the configuration of your hardware cryptographic card, you might need to make other updates to the configuration file.

The following list describes each attribute, the value it takes, and its meaning.

library
    Value: path name of the PKCS#11 implementation
    Description: The full path name (including extension) of the PKCS#11 implementation; the format of the path name can be platform-dependent. For example, /opt/foo/lib/libpkcs11.so might be the path name of a PKCS#11 implementation on AIX® or Linux®, but C:\foo\lib\pkcs11.dll on Windows.

name
    Value: name suffix of this provider instance
    Description: This string is concatenated with the prefix IBMPKCS11Impl- to produce this provider instance's name (that is, the string returned by its Provider.getName() method). For example, if the name attribute is "Accel", then the provider instance's name is "IBMPKCS11Impl-Accel".

description
    Value: description of this provider instance
    Description: This string is returned by the provider instance's Provider.getInfo() method. If none is specified, a default description is returned.

slot
    Value: slot ID
    Description: The ID of the slot that this provider instance is to be associated with. For example, you would use 1 for the slot with the ID 1 under PKCS#11. At most one of slot or slotListIndex can be specified. If neither is specified, the default is a slotListIndex of 0.

slotListIndex
    Value: slot index
    Description: The slot index that this provider instance is to be associated with. It is the index into the list of all slots that are returned by the PKCS#11 function C_GetSlotList. For example, 0 indicates the first slot in the list. At most one of slot or slotListIndex can be specified. If neither is specified, the default is a slotListIndex of 0.

tokenlabel
    Value: token label
    Description: The label that identifies the token whose slot must be used. At most one of slot, slotListIndex, or tokenlabel can be specified. If none of them is specified, the default is a slotListIndex of 0.

publickeyimportonly
    Value: true or false
    Description: Setting this attribute to true prevents clear private keys from being converted to hardware keys. Certain hardware devices do not allow clear private keys to be used on, or placed on, the device. If you are using one of these devices and need to use clear keys, but only the public key, then set this attribute. By default, all clear keys are converted to hardware keys.

enabledMechanisms
    Value: brace-enclosed, whitespace-separated list of PKCS#11 mechanisms to enable
    Description: The list of PKCS#11 mechanisms that this provider instance must use, if they are supported by both the IBMPKCS11Impl provider and the PKCS#11 token. All other mechanisms are ignored. Each entry in the list is the name of a PKCS#11 mechanism. The following example lists two PKCS#11 mechanisms.
        enabledMechanisms = {
          CKM_RSA_PKCS
          CKM_RSA_PKCS_KEY_PAIR_GEN
        }
    At most one of enabledMechanisms or disabledMechanisms can be specified. If neither is specified, the mechanisms that are enabled are the ones that are supported by both the IBM® PKCS#11 provider and the PKCS#11 token.

disabledMechanisms
    Value: brace-enclosed, whitespace-separated list of PKCS#11 mechanisms to disable
    Description: The list of PKCS#11 mechanisms that this provider instance must ignore. Any mechanism that is listed is ignored by the provider, even if it is supported by the token and the IBMPKCS11Impl provider. At most one of enabledMechanisms or disabledMechanisms can be specified. If neither is specified, the mechanisms that are enabled are the ones that are supported by both the IBM PKCS#11 provider and the PKCS#11 token.

attributes
    Value: see Attributes Configuration
    Description: The attributes option can be used to specify more PKCS#11 attributes that can be set when creating PKCS#11 key objects. This option makes it possible to accommodate tokens that require particular attributes. For more information, see Attributes Configuration.
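The file format described earlier (attribute = value lines, # comments, brace-enclosed mechanism lists) and the constraints in the attribute table (name and library mandatory; at most one of slot, slotListIndex, tokenlabel; at most one of enabledMechanisms, disabledMechanisms) are small enough to check before a deployment hands the file to the provider. The following Python parser and validator is an added example written for this page; it is not IBM's code and does not reproduce how the IBMPKCS11Impl provider itself parses the file. The sample configurations are constructed for the example, and the extra checks that mechanism names start with CKM_, that slot and slotListIndex are non-negative integers, and that publickeyimportonly is true or false are assumptions of this example rather than rules stated on the page.

```python
import re

# Rules taken from the attribute table on this page.
MANDATORY = {"name", "library"}
EXCLUSIVE_GROUPS = [
    {"slot", "slotListIndex", "tokenlabel"},
    {"enabledMechanisms", "disabledMechanisms"},
]
LIST_VALUED = {"enabledMechanisms", "disabledMechanisms"}
# Assumption of this example: mechanism names follow the CKM_ naming seen in the page's sample.
MECHANISM_RE = re.compile(r"^CKM_[A-Z0-9_]+$")


def parse_pkcs11_config(text):
    """Parse 'attribute = value' lines into a dict.

    Lines starting with '#' are comments and blank lines are skipped.
    A value beginning with '{' is a whitespace-separated list that may
    span several lines and ends at the matching '}'.
    """
    config = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {i}: expected 'attribute = value': {line!r}")
        attr, _, value = line.partition("=")
        attr, value = attr.strip(), value.strip()
        if attr in config:
            raise ValueError(f"line {i}: duplicate attribute {attr}")
        if value.startswith("{"):
            body = value[1:]
            while "}" not in body:  # gather list entries across lines
                if i >= len(lines):
                    raise ValueError(f"unterminated list for {attr}")
                body += " " + lines[i].strip()
                i += 1
            body, _, trailing = body.partition("}")
            if trailing.strip():
                raise ValueError(f"line {i}: text after closing brace for {attr}")
            config[attr] = body.split()
        else:
            config[attr] = value
    return config


def validate_pkcs11_config(config):
    """Return a list of problems; an empty list means the file passes the checks."""
    problems = []
    for attr in sorted(MANDATORY - config.keys()):
        problems.append(f"missing mandatory attribute {attr}")
    for group in EXCLUSIVE_GROUPS:
        present = sorted(group & config.keys())
        if len(present) > 1:
            problems.append("at most one of " + ", ".join(present) + " may be specified")
    for attr in sorted(LIST_VALUED & config.keys()):
        if not isinstance(config[attr], list):
            problems.append(f"{attr} must be a brace-enclosed list")
            continue
        for mech in config[attr]:
            if not MECHANISM_RE.match(mech):
                problems.append(f"{attr}: {mech!r} does not look like a PKCS#11 mechanism name")
    for attr in ("slot", "slotListIndex"):  # assumption: numeric, as in the page's examples
        if attr in config and not str(config[attr]).isdigit():
            problems.append(f"{attr} must be a non-negative integer, got {config[attr]!r}")
    if config.get("publickeyimportonly", "true") not in ("true", "false"):
        problems.append("publickeyimportonly must be true or false")
    return problems


# Constructed sample modelled on the page's snippet; not a real card's configuration.
SAMPLE_OK = """\
# constructed sample configuration
name = Accel
library = /opt/foo/lib/libpkcs11.so
slotListIndex = 0
enabledMechanisms = {
  CKM_RSA_PKCS
  CKM_RSA_PKCS_KEY_PAIR_GEN
}
"""

# Constructed sample that breaks three of the table's rules.
SAMPLE_BAD = """\
name = Accel
slot = 1
slotListIndex = 0
disabledMechanisms = { CKM_RSA_PKCS }
enabledMechanisms = { CKM_RSA_PKCS_KEY_PAIR_GEN }
"""

if __name__ == "__main__":
    for label, text in (("good", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        problems = validate_pkcs11_config(parse_pkcs11_config(text))
        print(label, "->", problems or "no problems found")
```

Running the block prints no problems for the first sample and three findings for the second (the missing library, the slot/slotListIndex clash, and the enabled/disabled clash). The validator only catches what the page states as rules; whether a mechanism is actually offered by a given token still has to be checked against the token itself.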