Setting Up u.trust GP HSM Se-Series

  1. Copy the downloaded software to the appropriate location on the BIG-IP machine.

  2. Create a directory /etc/utimaco. Copy the Utimaco PKCS#11 configuration file cs_pkcs11_R3.cfg into this directory. It is located in Linux/Crypto_APIS/PKCS11_R3/sample.

  3. Edit the cs_pkcs11_R3.cfg file in /etc/utimaco/ and set the Device value to the HSM IP address.


[Global]
# For Unix:
Logpath = /tmp

# For Windows:
# Logpath = C:/ProgramData/Utimaco/PKCS11_R3

# Loglevel (0 = NONE; 1 = ERROR; 2 = WARNING; 3 = INFO; 4 = TRACE)
Logging = 1

# Prevents expiring session after inactivity of 15 minutes
KeepAlive = true

# Set the Device to connect with
#[CryptoServer]
# Device specifier

Device = <HSM_IP>

  4. Create a utimaco folder under the /opt directory, then create two directories inside it: /opt/utimaco/bin and /opt/utimaco/lib.

  5. Copy the PKCS#11 library file libcs_pkcs11_R3.so from the Linux\Crypto_APIs\PKCS11_R3\lib directory to the /opt/utimaco/lib directory and make the file executable.

[Figure: libcs_pkcs11_R3.so file and path]


  6. Copy the csadm and p11tool2 files from the Linux\Administration directory to the /opt/utimaco/bin directory and make both files executable.

[Figure: csadm and p11tool2 files]


For detailed guidance on commands and their parameters, please refer to the Utimaco CryptoServer documentation.

The device could be a CryptoServer HSM, available in either PCIe or LAN form factors. Depending on the type, the device configuration line will follow one of these formats:

  • LAN-based HSM:
    Device = 288@ipaddress

  • PCIe-based HSM:
    Device = /dev/cs2.0

Make sure to select the appropriate format based on your specific hardware setup.

To simplify your testing process, it's recommended that you enable the PKCS#11 log file by adjusting the logging settings. Specifically:

  • Set Logpath to a writable directory (not a specific file).

  • Set Logging (the log level) to 1 for basic logging. Increase it to 4 for more detailed output during testing.

This will generate a log file named cs_pkcs11_R3.log within the specified LogPath directory. Reviewing this log can help with troubleshooting if you encounter issues.

Once testing is complete, it's advisable to reduce the Logging level to 1 or 2 to limit output to only critical or important messages.
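
As an added example (not part of the original page or of Utimaco's tooling), the following bash function checks a cs_pkcs11_R3.cfg against the Device formats and logging guidance above. The function names are hypothetical, and the parser assumes plain "Key = value" lines as in the sample file.

```bash
#!/bin/bash
# Added example; function names are hypothetical, not part of the Utimaco tooling.

# Print the value of the first uncommented "Key = value" line ($2) in file $1.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

# Print one finding per line; return 0 if the file is usable, 1 on any ERROR.
check_p11_cfg() {
    local cfg="$1" rc=0 device logpath level
    [ -r "$cfg" ] || { echo "ERROR: cannot read $cfg"; return 1; }

    device=$(cfg_get "$cfg" Device)
    case "$device" in
        ""|"<"*">") echo "ERROR: Device is unset or still a placeholder"; rc=1 ;;
        /dev/*)     echo "OK: Device is a PCIe HSM ($device)" ;;
        *@*)        echo "OK: Device is a LAN HSM, port@address ($device)" ;;
        *)          echo "OK: Device is a LAN HSM address ($device)" ;;
    esac

    logpath=$(cfg_get "$cfg" Logpath)
    if [ -z "$logpath" ]; then
        echo "WARN: Logpath is not set"
    elif [ ! -d "$logpath" ]; then
        echo "ERROR: Logpath is not an existing directory: $logpath"; rc=1
    elif [ ! -w "$logpath" ]; then
        echo "ERROR: Logpath is not writable: $logpath"; rc=1
    else
        echo "OK: Logpath is a writable directory ($logpath)"
    fi

    level=$(cfg_get "$cfg" Logging)
    case "$level" in
        [0-2]) echo "OK: Logging level $level" ;;
        [3-4]) echo "WARN: Logging level $level is for testing; reduce to 1 or 2" ;;
        *)     echo "ERROR: Logging must be 0-4, found '$level'"; rc=1 ;;
    esac
    return "$rc"
}

# Run against a file given on the command line, e.g. /etc/utimaco/cs_pkcs11_R3.cfg
if [ "$#" -gt 0 ]; then check_p11_cfg "$1"; fi
```

A non-zero exit status means at least one ERROR line was printed; WARN lines alone do not fail the check.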