Initializing EP11 tokens

Once the openCryptoki configuration file and the configuration files of the EP11 tokens are set up, and the pkcsslotd daemon is started, the EP11 token instances must be initialized.

Note: PKCS #11 defines two users for each EP11 token instance: a security officer (SO), who is responsible for administering the token, and a standard user (User), who uses the token to perform cryptographic operations. openCryptoki requires that a log-in PIN is defined for both the SO and the User as part of the token initialization.
The following command provides some useful slot information:
# pkcsconf -s

Slot #0 Info
        Description: EP11 Token
        Manufacturer: IBM
        Flags: 0x1 (TOKEN_PRESENT)
        Hardware Version: 4.0
        Firmware Version: 2.11
Slot #1 Info
        Description: ICA Token
        Manufacturer: IBM
        Flags: 0x1 (TOKEN_PRESENT)
        Hardware Version: 4.0
        Firmware Version: 2.10
Find your preferred token instance in the slot list and note its slot number. This number is used in the following initialization steps to identify your token:

$ pkcsconf -I -c <slot> // Initialize the token and set up a token label

$ pkcsconf -P -c <slot> // change the SO PIN (recommended)

$ pkcsconf -u -c <slot> // Initialize the User PIN (SO PIN required)

$ pkcsconf -p -c <slot> // change the User PIN (optional)
pkcsconf -I
During token initialization, you are asked for a token label. Provide a meaningful name, because you might need this reference for identification purposes.
pkcsconf -P
For security reasons, openCryptoki requires that you change the default SO PIN (87654321) to a different value. Use the pkcsconf -P option to change the SO PIN.
pkcsconf -u
When you initialize the user PIN, you are asked for the newly set SO PIN. The user PIN must be 4 to 8 characters long.
pkcsconf -p
You must change the user PIN at least once with the pkcsconf -p option. After you have completed the PIN setup, the token is ready for use.
Note: Define a user PIN that is different from 12345678, because openCryptoki checks for this value internally and treats it as the default PIN. A log-in attempt with this user PIN is treated as if the user PIN had not been initialized.
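The following POSIX shell snippet is an added example, not part of openCryptoki or its documentation. It covers two points from this section: picking the EP11 slot number out of `pkcsconf -s` output (so the operator does not have to read it off by hand, and is stopped when more than one EP11 token instance is present), and checking candidate PINs against the rules stated above (user PIN 4 to 8 characters and not 12345678; SO PIN changed from 87654321). The sample slot listing is constructed inline to mirror the output shown earlier; the function names are this example's own. It does not call pkcsconf itself, which prompts interactively for PINs.

```shell
#!/bin/sh
# Added example (not openCryptoki code): select the EP11 slot from
# `pkcsconf -s` output and pre-check PINs against the documented rules.

# Constructed sample of `pkcsconf -s` output, mirroring the listing above.
SAMPLE_SLOT_INFO='Slot #0 Info
        Description: EP11 Token
        Manufacturer: IBM
        Flags: 0x1 (TOKEN_PRESENT)
        Hardware Version: 4.0
        Firmware Version: 2.11
Slot #1 Info
        Description: ICA Token
        Manufacturer: IBM
        Flags: 0x1 (TOKEN_PRESENT)
        Hardware Version: 4.0
        Firmware Version: 2.10'

# ep11_slots: read `pkcsconf -s` output on stdin and print the slot number
# of every present slot whose Description is "EP11 Token", one per line.
ep11_slots() {
    awk '
        function flush() {
            if (slot != "" && desc == "EP11 Token" && present) print slot
        }
        /^Slot #[0-9]+ Info/ {
            flush()
            slot = $2; sub(/^#/, "", slot)   # "#0" -> "0"
            desc = ""; present = 0
        }
        /^[ \t]*Description:/ {
            sub(/^[ \t]*Description:[ \t]*/, ""); sub(/[ \t]*$/, "")
            desc = $0
        }
        /^[ \t]*Flags:/ && /TOKEN_PRESENT/ { present = 1 }
        END { flush() }
    '
}

# select_ep11_slot: print the single EP11 slot number. Fails with status 1
# when no EP11 token is present and 2 when several are, because the text
# leaves the choice between instances to the operator.
select_ep11_slot() {
    slots=$(ep11_slots)
    count=$(printf '%s\n' "$slots" | awk 'NF { n++ } END { print n + 0 }')
    case $count in
        0) return 1 ;;
        1) printf '%s\n' "$slots" ;;
        *) return 2 ;;
    esac
}

# check_user_pin PIN: 4 to 8 characters, and not the internal default
# 12345678, which openCryptoki treats as "user PIN not initialized".
check_user_pin() {
    pin=$1
    len=${#pin}
    [ "$len" -ge 4 ] && [ "$len" -le 8 ] || return 1
    [ "$pin" != "12345678" ] || return 1
    return 0
}

# check_so_pin PIN: the default SO PIN 87654321 must have been replaced.
check_so_pin() {
    [ -n "$1" ] && [ "$1" != "87654321" ]
}

# Demonstration against the constructed sample: prints "0".
printf '%s\n' "$SAMPLE_SLOT_INFO" | select_ep11_slot
```

Feed the real listing with `pkcsconf -s | select_ep11_slot` and pass the result as the `-c <slot>` argument in the pkcsconf steps above; run `check_so_pin` and `check_user_pin` on the values you intend to enter before starting the interactive prompts.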