Using pkcsslotd and pkcsconf to configure a PKCS#11 token

You must configure a PKCS#11 token.

Procedure

  1. Run the pkcsslotd command as root to start the daemon.
    Note: The daemon reads the /etc/opencryptoki/opencryptoki.conf file to collect information about the tokens and their slots.
    # pkcsslotd
  2. Ensure that the pkcsslotd daemon is running:
    # ps -ef | grep pkcsslotd
    root      3441     1  0 Jan28 ?        00:00:01 pkcsslotd
    
  3. Run the pkcsconf -tis command as root to see which slot is available. In this example, the default token (Label: IBM OS PKCS#11) is available in slot #3.
    # pkcsconf -tis
    PKCS#11 Info
            Version 2.20
            Manufacturer: IBM
            Flags: 0x0
            Library Description: Meta PKCS11 LIBRARY
            Library Version 3.10
    Token #3 Info:
            Label: IBM OS PKCS#11
            Manufacturer: IBM Corp.
            Model: IBM SoftTok
            Serial Number: 123
            Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
            Sessions: 0/18446744073709551614
            R/W Sessions: 18446744073709551615/18446744073709551614
            PIN Length: 4-8
            Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
            Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
            Hardware Version: 1.0
            Firmware Version: 1.0
            Time: 12:35:01
    Slot #3 Info
            Description: Linux
            Manufacturer: IBM
            Flags: 0x1 (TOKEN_PRESENT)
            Hardware Version: 0.0
            Firmware Version: 0.0
    
    Trouble: Refer to the following troubleshooting information in the event of an opencryptoki issue:
    • You must be able to initialize a token in an available slot. The daemon reads the /etc/opencryptoki/opencryptoki.conf file to collect information about the tokens and their slots. By default, slot 3 is configured for libpkcs11_sw.so, which is the Soft token library:
      slot 3
      {
      stdll = libpkcs11_sw.so
      }
      
      If the pkcsconf -tis command indicates that the token in slot 3 is already in use for another purpose, follow the instructions in Adjusting the openCryptoki configuration file to edit /etc/opencryptoki/opencryptoki.conf and configure another slot for the Soft token library. Give each token a unique token name in each slot. (The tokname need not match the label you give the token when you later initialize it.) For example:
      slot 3
      {
      stdll = libpkcs11_sw.so
      tokname = name-for-existing-token
      }
      :
      slot 5
      {
      stdll = libpkcs11_sw.so
      tokname = azf
      }
      
      If you edit /etc/opencryptoki/opencryptoki.conf, restart the pkcsslotd daemon.
    • If the pkcsconf -tis command generates the following errors, perform the suggested remedial actions:
      • Error: C_GetSlotList returned 0 slots

        Remedial action: Reboot the system before proceeding.

      • Error: Error initializing the PKCS11 library: 0x6 (CKR_FUNCTION_FAILED)

        Remedial action: Ensure that pkcsslotd is running and start it if needed.

      • Error: Error getting token info: 0xE0 (CKR_TOKEN_NOT_PRESENT)

        Remedial action: Ensure that you are running the pkcsconf command as root. By default, the root user is a member of the pkcsconf group and can run the pkcsconf command. If the problem persists, try commenting out all of the token types except the soft token in opencryptoki.conf and restart pkcsslotd.

    • See the opencryptoki, opencryptoki.conf, and pkcsslotd man pages for additional information.
  4. Run the pkcsconf -I -c slot-number command as root to initialize the token. This example uses the default slot #3 for demonstration purposes. If you edited the opencryptoki.conf file to use a different slot, use that slot number in the command.
    # pkcsconf -I -c 3
    
  5. Enter the SO PIN and a token label. Remember this label; you will need it later.
    Important: The default SO PIN is 87654321. You can use the pkcsconf -P command to change this value.
    Enter the SO PIN:
    Enter a unique token label: azf
    
  6. Run the pkcsconf -tis command as root to verify that the token is created:
    # pkcsconf -tis
    PKCS#11 Info
            Version 2.20
            Manufacturer: IBM
            Flags: 0x0
            Library Description: Meta PKCS11 LIBRARY
            Library Version 3.10
    Token #3 Info:
            Label: azf
            Manufacturer: IBM Corp.
            Model: IBM SoftTok
            Serial Number: 123
            Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
            Sessions: 0/18446744073709551614
            R/W Sessions: 18446744073709551615/18446744073709551614
            PIN Length: 4-8
            Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
            Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
            Hardware Version: 1.0
            Firmware Version: 1.0
            Time: 12:38:05
    Slot #3 Info
            Description: Linux
            Manufacturer: IBM
            Flags: 0x1 (TOKEN_PRESENT)
            Hardware Version: 0.0
            Firmware Version: 0.0
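As an added example (not part of the IBM page or of openCryptoki), the checks behind steps 3 to 6 and the troubleshooting bullet expressed as a small Python parser over `pkcsconf -tis` output: it extracts each token's label and flags, decides whether a slot is free to initialize, already initialized with the wanted label, or in use for something else, and lists which PINs the token still flags as needing a change. The sample output and the slot 5 token are constructed, and the function names are my own.

```python
import re

# Constructed sample of `pkcsconf -tis` output, trimmed to the fields the check needs:
# slot 3 holds the uninitialized default token, slot 5 a token already initialized as "azf".
SAMPLE_TIS = """\
Token #3 Info:
        Label: IBM OS PKCS#11
        Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Slot #3 Info
        Flags: 0x1 (TOKEN_PRESENT)
Token #5 Info:
        Label: azf
        Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED)
Slot #5 Info
        Flags: 0x1 (TOKEN_PRESENT)
"""

def parse_tokens(text):
    """Map slot number -> {'label', 'flags'} from `pkcsconf -tis` output."""
    tokens, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Token #(\d+) Info:", line)
        if m:
            current = int(m.group(1))
            tokens[current] = {"label": "", "flags": set()}
        elif re.match(r"Slot #\d+ Info", line):
            current = None  # fields under "Slot #n Info" describe the slot, not the token
        elif current is not None:
            key, _, val = [s.strip() for s in line.partition(":")]
            if key == "Label":
                tokens[current]["label"] = val
            elif key == "Flags":
                names = re.search(r"\((.*)\)", val)
                tokens[current]["flags"] = set(names.group(1).split("|")) if names else set()
    return tokens

def slot_status(tokens, slot, wanted_label):
    """Decide what step 4 may do with a slot, following the page's troubleshooting rules."""
    tok = tokens.get(slot)
    if tok is None:
        return "absent"    # no token reported: check pkcsslotd is running and you are root
    if "TOKEN_INITIALIZED" not in tok["flags"]:
        return "free"      # safe to run: pkcsconf -I -c <slot>
    if tok["label"] == wanted_label:
        return "done"      # step 6 check: the token already carries our label
    return "in-use"        # initialized for something else: configure another slot

def pin_warnings(tokens, slot):
    # PIN flags still set; SO_PIN_TO_BE_CHANGED: change the default SO PIN with pkcsconf -P
    return sorted(f for f in tokens[slot]["flags"] if f.endswith("_PIN_TO_BE_CHANGED"))
```

On a live system, feed `parse_tokens` the captured output of `pkcsconf -tis` instead of `SAMPLE_TIS`.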