Initializing EP11 tokens
Once the openCryptoki configuration file and the configuration files of the EP11 tokens are set up, and the pkcsslotd daemon is started, the EP11 token instances must be initialized.
Note: PKCS #11 defines two users for each EP11 token instance: a security officer (SO), who is responsible for administering the token, and a standard user (User), who uses the token to perform cryptographic operations. openCryptoki requires that a log-in PIN be defined for both the SO and the User as part of the token initialization.
The following command provides some useful slot information:
# pkcsconf -s
Slot #0 Info
Description: EP11 Token
Manufacturer: IBM
Flags: 0x1 (TOKEN_PRESENT)
Hardware Version: 4.0
Firmware Version: 2.11
Slot #1 Info
Description: ICA Token
Manufacturer: IBM
Flags: 0x1 (TOKEN_PRESENT)
Hardware Version: 4.0
Firmware Version: 2.10
Find your preferred token instance in the list and note its slot number. This number is used in the following initialization steps to identify your token:
$ pkcsconf -I -c <slot> // Initialize the Token and setup a Token Label
$ pkcsconf -P -c <slot> // change the SO PIN (recommended)
$ pkcsconf -u -c <slot> // Initialize the User PIN (SO PIN required)
$ pkcsconf -p -c <slot> // change the User PIN (optional)
pkcsconf -I
- During token initialization, you are asked for a token label. Provide a meaningful name, because you might need this reference later to identify the token.
pkcsconf -P
- For security reasons, openCryptoki requires that you change the default SO PIN (87654321) to a different value. Use the pkcsconf -P option to change the SO PIN.
pkcsconf -u
- When you initialize the user PIN, you are asked for the newly set SO PIN. The length of the user PIN must be 4 - 8 characters.
pkcsconf -p
- You must change the user PIN at least once with the pkcsconf -p option. After you have completed the PIN setup, the token is prepared and ready for use.
Note: Define a user PIN that is different from 12345678, because this pattern is checked internally and marked as the default PIN. A log-in attempt with this user PIN is treated as if the user PIN were not initialized.
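As an added example (not part of the openCryptoki documentation or the project's own tooling), the following POSIX shell script turns the two checks a practitioner makes by hand above into functions: it picks the slot number of a present EP11 token out of `pkcsconf -s` output, and it vets a candidate user PIN against the length rule and the 12345678 default before pkcsconf -u or -p is run. The slot listing it parses is a constructed copy of the output shown above; the function names, and the choice to also reject the default SO PIN 87654321 as a user PIN, are this example's own.

```shell
#!/bin/sh
# Added example, not openCryptoki project code: locate the EP11 slot from
# `pkcsconf -s` output and vet a user PIN before the interactive
# pkcsconf -I / -P / -u / -p steps are run.

# Constructed sample of `pkcsconf -s` output (two slots, as in the text above).
SAMPLE_SLOT_INFO='Slot #0 Info
Description: EP11 Token
Manufacturer: IBM
Flags: 0x1 (TOKEN_PRESENT)
Hardware Version: 4.0
Firmware Version: 2.11
Slot #1 Info
Description: ICA Token
Manufacturer: IBM
Flags: 0x1 (TOKEN_PRESENT)
Hardware Version: 4.0
Firmware Version: 2.10'

# find_slot DESCRIPTION
# Reads `pkcsconf -s` output on stdin and prints the number of the first slot
# whose Description equals DESCRIPTION and whose Flags include TOKEN_PRESENT.
# Exit status 0 on a match, 1 if no such slot exists (nothing printed).
find_slot() {
    awk -v want="$1" '
        function flush() {
            if (slot != "" && desc == want && present && !found) {
                print slot; found = 1
            }
        }
        /^Slot #[0-9]+ Info/ {
            flush()
            slot = $2; sub(/^#/, "", slot)   # "#0" -> "0"
            desc = ""; present = 0
        }
        /^Description:/ {
            desc = $0
            sub(/^Description:[ \t]*/, "", desc)
            sub(/[ \t]+$/, "", desc)
        }
        /^Flags:/ && /TOKEN_PRESENT/ { present = 1 }
        END { flush(); exit found ? 0 : 1 }
    '
}

# check_user_pin PIN
# Returns 0 if PIN is acceptable for pkcsconf -u / -p: 4 to 8 characters and
# not 12345678, which openCryptoki treats as the "not initialized" default.
# Rejecting the default SO PIN 87654321 as well is this example's own
# conservative choice, not a rule stated in the documentation.
check_user_pin() {
    pin=$1
    len=${#pin}
    [ "$len" -ge 4 ] && [ "$len" -le 8 ] || return 1
    case $pin in
        12345678|87654321) return 1 ;;
    esac
    return 0
}

# Against a live system, feed the real listing: pkcsconf -s | find_slot "EP11 Token"
# Here the constructed sample stands in for it.
slot=$(printf '%s\n' "$SAMPLE_SLOT_INFO" | find_slot "EP11 Token") || {
    echo "no EP11 token present" >&2
    exit 1
}
echo "EP11 token is in slot $slot; initialize it with: pkcsconf -I -c $slot"
```

The slot lookup keys on the Description and the TOKEN_PRESENT flag rather than on a fixed slot number, so it keeps working when the slot order in opencryptoki.conf changes. The PIN check runs before pkcsconf is invoked, so the PIN that ends up in the token is never the default that the token refuses at login.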