
Using pkcsslotd and pkcsconf to configure a PKCS#11 token
You must configure a PKCS#11 token.
About this task
Procedure
-
Run the pkcsslotd command as root to start
the daemon.
Note: The daemon reads the /etc/opencryptoki/opencryptoki.conf file to collect information about the tokens and their slots.
# pkcsslotd
-
Ensure that the pkcsslotd daemon is running:
# ps -ef | grep pkcsslotd
root 3441 1 0 Jan28 ? 00:00:01 pkcsslotd
-
Run the pkcsconf -tis command as root to see
which slot is available. In this example, the default token
(Label: IBM OS PKCS#11) is available in slot #3.
# pkcsconf -tis
PKCS#11 Info
    Version 2.20
    Manufacturer: IBM
    Flags: 0x0
    Library Description: Meta PKCS11 LIBRARY
    Library Version 3.10
Token #3 Info:
    Label: IBM OS PKCS#11
    Manufacturer: IBM Corp.
    Model: IBM SoftTok
    Serial Number: 123
    Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
    Sessions: 0/18446744073709551614
    R/W Sessions: 18446744073709551615/18446744073709551614
    PIN Length: 4-8
    Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
    Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
    Hardware Version: 1.0
    Firmware Version: 1.0
    Time: 12:35:01
Slot #3 Info
    Description: Linux
    Manufacturer: IBM
    Flags: 0x1 (TOKEN_PRESENT)
    Hardware Version: 0.0
    Firmware Version: 0.0
Trouble: Refer to the following troubleshooting information in the event of an opencryptoki issue:
- You must be able to initialize a token in an available slot. The daemon reads the /etc/opencryptoki/opencryptoki.conf file to collect information about the tokens and their slots. By default, slot 3 is configured for libpkcs11_sw.so, which is the Soft token library:
    slot 3
    {
    stdll = libpkcs11_sw.so
    }
  If the pkcsconf -tis command indicates that the token in slot 3 is already in use for another purpose, follow the instructions in Adjusting the openCryptoki configuration file to edit /etc/opencryptoki/opencryptoki.conf and configure another slot for the Soft token library. Give each token a unique token name in each slot. (The tokname need not match the label you give the token when you later initialize it.) For example:
    slot 3
    {
    stdll = libpkcs11_sw.so
    tokname = name-for-existing-token
    }
    :
    slot 5
    {
    stdll = libpkcs11_sw.so
    tokname = azf
    }
  If you edit /etc/opencryptoki/opencryptoki.conf, restart the pkcsslotd daemon.
- If the pkcsconf -tis command generates the following errors, perform the suggested remedial actions:
  - Error: C_GetSlotList returned 0 slots
    Remedial action: Reboot the system before proceeding.
  - Error: Error initializing the PKCS11 library: 0x6 (CKR_FUNCTION_FAILED)
    Remedial action: Ensure that pkcsslotd is running and start it if needed.
  - Error: Error getting token info: 0xE0 (CKR_TOKEN_NOT_PRESENT)
    Remedial action: Ensure that you are running the pkcsconf command as root. By default, the root user is a member of the pkcsconf group and can run the pkcsconf command. If the problem persists, try commenting out all of the token types except the softtokens in opencryptoki.conf and restart pkcsslotd.
- See the opencryptoki, opencryptoki.conf, and pkcsslotd man pages for additional information.
-
Run the pkcsconf -I -c
slot-number command as root to initialize
the token. This example uses the default slot #3 for
demonstration purposes. If you edited the
opencryptoki.conf file to use a
different slot, use that slot number in the command.
# pkcsconf -I -c 3
-
Enter the SO PIN and a token label. Remember this label; you
will need it later.
Important: The default SO PIN is 87654321. You can use the pkcsconf -P command to change this value.
Enter the SO PIN:
Enter a unique token label: azf
-
Run the pkcsconf -tis command as root to
verify that the token is created:
# pkcsconf -tis
PKCS#11 Info
    Version 2.20
    Manufacturer: IBM
    Flags: 0x0
    Library Description: Meta PKCS11 LIBRARY
    Library Version 3.10
Token #3 Info:
    Label: azf
    Manufacturer: IBM Corp.
    Model: IBM SoftTok
    Serial Number: 123
    Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
    Sessions: 0/18446744073709551614
    R/W Sessions: 18446744073709551615/18446744073709551614
    PIN Length: 4-8
    Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
    Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
    Hardware Version: 1.0
    Firmware Version: 1.0
    Time: 12:38:05
Slot #3 Info
    Description: Linux
    Manufacturer: IBM
    Flags: 0x1 (TOKEN_PRESENT)
    Hardware Version: 0.0
    Firmware Version: 0.0
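
The two pkcsconf -tis listings in this procedure differ in the token Flags line only by TOKEN_INITIALIZED, and both still carry USER_PIN_TO_BE_CHANGED and SO_PIN_TO_BE_CHANGED. The shell functions below are an added example, not part of the original procedure or of openCryptoki: they read pkcsconf -tis output for one slot and report whether the token is initialized and whether a PIN is still flagged for change. The function names, the sample() wrapper and the MADE_UP_OK flags line are constructed for illustration; the other two Flags lines are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not IBM's code. Real use, as root:  pkcsconf -tis | audit_token 3

# token_flags SLOT: print the flag names of "Token #SLOT Info" read from stdin.
token_flags() {
    awk -v want="Token #$1 Info:" '
        { sub(/[ \t\r]+$/, "") }                      # tolerate trailing blanks/CR
        /^Token #[0-9]+ Info:/ { in_tok = ($0 == want); next }
        /^Slot #[0-9]+ Info/   { in_tok = 0 }         # slot flags are not token flags
        in_tok && /Flags:/ {
            if (match($0, /\(.*\)/)) print substr($0, RSTART + 1, RLENGTH - 2)
            else print "NONE"                         # flags value with no names
            exit
        }'
}

# audit_token SLOT: 0 = initialized, no PIN change pending; 1 = not initialized;
# 2 = initialized but a PIN is still flagged TO_BE_CHANGED; 3 = token not listed.
audit_token() {
    flags=$(token_flags "$1")
    [ -n "$flags" ] || { echo "slot $1: no token info in input"; return 3; }
    case "|$flags|" in
        *"|TOKEN_INITIALIZED|"*) ;;
        *) echo "slot $1: not initialized; run pkcsconf -I -c $1"; return 1 ;;
    esac
    case "|$flags|" in
        *"|SO_PIN_TO_BE_CHANGED|"* | *"|USER_PIN_TO_BE_CHANGED|"*)
            echo "slot $1: initialized, PIN still flagged TO_BE_CHANGED: $flags"
            return 2 ;;
    esac
    echo "slot $1: initialized, no PIN change pending"
}

# sample FLAGSLINE: constructed, trimmed pkcsconf -tis output around one token
# Flags line. PAGE_* are this page's Flags lines; MADE_UP_OK is constructed.
sample() {
    printf 'PKCS#11 Info\n\tFlags: 0x0\nToken #3 Info:\n\tLabel: azf\n\t%s\nSlot #3 Info\n\tFlags: 0x1 (TOKEN_PRESENT)\n' "$1"
}
PAGE_BEFORE='Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)'
PAGE_AFTER='Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)'
MADE_UP_OK='Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)'

# Demo over the three samples; "|| true" keeps a non-zero verdict from aborting.
for f in "$PAGE_BEFORE" "$PAGE_AFTER" "$MADE_UP_OK"; do
    sample "$f" | audit_token 3 || true
done
```

Run against the listing from the last step, the check returns 2: the token is initialized, but the SO PIN is still the default noted above until it is changed with pkcsconf -P.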
