Using an EP11 token

You can take advantage of the EP11 library functions by using the openCryptoki standard interface (PKCS #11 standard C API).

The PKCS #11 Cryptographic Token Interface Standard describes the exact API.

Applications that are designed to work with openCryptoki are also able to use the Linux® on Z EP11 enablement.

An EP11 token plugged into openCryptoki works only on IBM Z® hardware, with further prerequisites as described in this publication. You can configure multiple EP11 tokens within the global openCryptoki configuration file. This lets you assign dedicated adapters and domains to different tokens to ensure data isolation between applications. For more information, refer to Adding EP11 tokens to openCryptoki.
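A check for the isolation described above, added here as an example and not taken from this publication or from openCryptoki: it reports adapter/domain pairs (APQNs) that more than one EP11 token can reach. It assumes the `slot { stdll = ..., confname = ... }` stanza format of the global configuration file and `APQN_ALLOWLIST ... END` lists in each token configuration file; all slot numbers, file names and APQNs are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample of the global configuration file with two EP11 token slots.
OPENCRYPTOKI_CONF = """
slot 4
{
stdll = libpkcs11_ep11.so
confname = ep11tok01.conf
}
slot 5
{
stdll = libpkcs11_ep11.so
confname = ep11tok02.conf
}
"""
# Constructed token files: "adapter domain" pairs between APQN_ALLOWLIST and END.
TOKEN_CONFS = {
    "ep11tok01.conf": "APQN_ALLOWLIST\n 8 13\n 10 13\nEND\n",
    "ep11tok02.conf": "APQN_ALLOWLIST\n 8 14\n 10 13\nEND\n",
}

def ep11_slots(conf_text):
    """Map slot number -> token configuration file name for each EP11 slot stanza."""
    slots = {}
    for num, body in re.findall(r"slot\s+(\d+)\s*\{(.*?)\}", conf_text, re.S):
        keys = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", body, re.M))
        if keys.get("stdll") == "libpkcs11_ep11.so":
            slots[int(num)] = keys.get("confname", "ep11tok.conf")  # assumed default
    return slots

def apqns(token_conf_text):
    """Return the allowlisted (adapter, domain) pairs, or None if there is no allowlist."""
    lines = [l.strip() for l in token_conf_text.splitlines() if l.strip()]
    if "APQN_ALLOWLIST" not in lines:
        return None
    body = lines[lines.index("APQN_ALLOWLIST") + 1:lines.index("END")]
    return {tuple(int(x, 0) for x in l.split()) for l in body}

def isolation_report(conf_text, token_confs):
    """Return (APQNs used by more than one token, slots with no APQN restriction)."""
    users, unrestricted = defaultdict(list), []
    for slot, confname in sorted(ep11_slots(conf_text).items()):
        pairs = apqns(token_confs[confname])
        if pairs is None:
            unrestricted.append(slot)
        for pair in pairs or ():
            users[pair].append(slot)
    return {p: s for p, s in users.items() if len(s) > 1}, unrestricted
```

With the sample input, adapter 10, domain 13 is reported as shared by slots 4 and 5; both results are empty when every EP11 token has its own adapter/domain pairs.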

openCryptoki implements the PKCS #11 Baseline Provider specification. A library implementing PKCS #11 according to the standards of the Baseline Provider Clause is called a PKCS #11 Baseline Provider. Such a provider has the ability to provide information about its cryptographic services.

A PKCS #11 Baseline Provider library can be used by an application conforming to the Baseline Consumer Clause. Such an application is therefore called a PKCS #11 Baseline Consumer. A Baseline Consumer calls a Baseline Provider implementation of the PKCS #11 API in order to use the cryptographic functionality from that provider. Thus, at run time, a consumer can query information about a provider, for example, about the offered cryptographic services.

For detailed information about the conformance of a PKCS #11 Baseline Consumer and of a PKCS #11 Baseline Provider, see PKCS #11 Cryptographic Token Interface Profiles Version 3.0.