-
Create a directory to store the PKCS#11 configuration file.
sudo mkdir -p /opt/utimaco/PKCS11_R3
-
Navigate to the PKCS#11 sample configuration directory in the Utimaco software package and copy the configuration file.
cd <install_directory>/Software/Linux/x86-64/Crypto_APIS/PKCS11_R3/sample
sudo cp cs_pkcs11_R3.cfg /opt/utimaco/PKCS11_R3/
-
Move to the configuration directory.
cd /opt/utimaco/PKCS11_R3
-
Update the PKCS#11 configuration file. Open it in an editor:
sudo vi /opt/utimaco/PKCS11_R3/cs_pkcs11_R3.cfg
Set the [Global] and [CryptoServer] sections as shown below, replacing <HSM_IP> with the device specifier for your HSM (see the Device line patterns further down).
[Global]
# For unix:
Logpath = /tmp
# Loglevel (0 = NONE; 1 = ERROR; 2 = WARNING; 3 = INFO; 4 = TRACE)
Logging = 1
Keepalive = true
# Set the Device to connect with
[CryptoServer]
# Device specifier
Device = <HSM_IP>
-
Give the gokeyless user ownership of the configuration directory (required, because GoKeyless must be able to read the configuration).
sudo chown -R gokeyless:gokeyless /opt/utimaco/PKCS11_R3
-
Validate HSM connectivity and the PKCS#11 configuration by listing the slots with p11tool2, a utility shipped in the Utimaco software package:
./p11tool2 ListSlots
A successful run lists the available HSM slots.
For more information on the commands and their parameters, see the u.trust GP HSM documentation. The device may be a u.trust GP HSM in either the LAN or the PCIe form factor, and the Device line takes a different form for each:
Device = 288@<HSM IP address>    (hardware LAN HSM)
Device = /dev/cs2.0              (hardware PCIe HSM)
To make testing easier, enable the PKCS#11 log file by setting Logpath and Logging in the [Global] section. Logpath must point to a writable directory, not to a file, and the user running GoKeyless needs write access to it; the library writes a file named cs_pkcs11_R3.log into that directory. Logging = 1 records errors only; for testing you may raise it to 4 (TRACE). If you encounter problems, check cs_pkcs11_R3.log in the Logpath directory. When you are done testing, set Logging back to 1 or 2 so that only errors and warnings are logged: TRACE output is verbose, and a log under /tmp is readable by every local user, so do not leave it enabled on a production host.
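The steps above, together with the log-level adjustment just described, collected into one POSIX shell script as an added example. This is not code from the page, Cloudflare or Utimaco. It assumes the configuration directory and Device specifier are passed as arguments, and it generates cs_pkcs11_R3.cfg from the template shown above instead of copying it from <install_directory>, so it runs on a host without the Utimaco package. The check_pkcs11_cfg sanity checks (Device in the 288@<IPv4> or /dev/cs2.N form, Logging within 0..4, Logpath a writable directory), the conditional chown and the optional p11tool2 call are the example's own choices, not requirements stated on the page.

```shell
#!/bin/sh
# Added example: stage and sanity-check the cs_pkcs11_R3.cfg described above.
# Not Cloudflare's or Utimaco's tooling. Assumptions (not from the page): the
# config directory and Device specifier are passed as arguments, and the file
# is written from a template instead of copied from <install_directory>.
set -eu

# write_pkcs11_cfg DIR DEVICE LEVEL LOGPATH
# Creates DIR and writes the [Global]/[CryptoServer] configuration from the page.
write_pkcs11_cfg() {
    w_dir=$1 w_device=$2 w_level=$3 w_logpath=$4
    mkdir -p "$w_dir"
    cat > "$w_dir/cs_pkcs11_R3.cfg" <<EOF
[Global]
# For unix:
Logpath = $w_logpath
# Loglevel (0 = NONE; 1 = ERROR; 2 = WARNING; 3 = INFO; 4 = TRACE)
Logging = $w_level
Keepalive = true
# Set the Device to connect with
[CryptoServer]
# Device specifier
Device = $w_device
EOF
}

# cfg_value FILE KEY: print the value of a "KEY = value" line
# (comment lines start with '#', so they never match the key).
cfg_value() {
    sed -n "s/^$2 *= *//p" "$1"
}

# check_pkcs11_cfg FILE
# Returns 0 when the Device line has one of the two forms given on the page
# (288@<IP> for a LAN HSM, /dev/cs2.N for a PCIe HSM), Logging is 0..4 and
# Logpath is an existing writable directory; otherwise prints the first
# failing check and returns 1.
check_pkcs11_cfg() {
    c_cfg=$1
    [ -r "$c_cfg" ] || { echo "cannot read $c_cfg"; return 1; }
    c_device=$(cfg_value "$c_cfg" Device)
    c_level=$(cfg_value "$c_cfg" Logging)
    c_logpath=$(cfg_value "$c_cfg" Logpath)
    case $c_device in
        288@[0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;   # LAN HSM: port 288 at an IPv4 address
        /dev/cs2.[0-9]*) ;;                   # PCIe HSM: device node
        *) echo "Device '$c_device' is neither 288@<IP> nor /dev/cs2.N"; return 1 ;;
    esac
    case $c_level in
        [0-4]) ;;
        *) echo "Logging '$c_level' is not in 0..4"; return 1 ;;
    esac
    if [ ! -d "$c_logpath" ] || [ ! -w "$c_logpath" ]; then
        echo "Logpath '$c_logpath' is not a writable directory"; return 1
    fi
    return 0
}

# set_pkcs11_loglevel FILE LEVEL
# Rewrites the Logging line, e.g. 4 while testing and back to 1 or 2 afterwards.
# A temp file is used because 'sed -i' differs between GNU and BSD sed.
set_pkcs11_loglevel() {
    sed "s/^Logging *=.*/Logging = $2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# main DIR DEVICE [LEVEL] [LOGPATH]: stage the file, check it, hand the
# directory to the gokeyless user when run as root, and, if p11tool2 is on
# PATH, list the slots from the config directory as the page does.
main() {
    write_pkcs11_cfg "$1" "$2" "${3:-1}" "${4:-/tmp}"
    check_pkcs11_cfg "$1/cs_pkcs11_R3.cfg"
    if [ "$(id -u)" -eq 0 ] && id gokeyless >/dev/null 2>&1; then
        chown -R gokeyless:gokeyless "$1"
    fi
    if command -v p11tool2 >/dev/null 2>&1; then
        (cd "$1" && p11tool2 ListSlots)
    fi
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root with the target directory and device, for example `sh stage_pkcs11.sh /opt/utimaco/PKCS11_R3 288@<HSM IP address> 4` while testing, then `set_pkcs11_loglevel /opt/utimaco/PKCS11_R3/cs_pkcs11_R3.cfg 1` once the slot listing works.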