Configuring Utimaco PKCS#11

Create the /etc/utimaco directory and copy the Utimaco PKCS#11 configuration file cs_pkcs11_R3.cfg into it. In the CryptoServer-V4.45.3 software bundle the sample file is located under Linux/x86-64/Crypto_APIs/PKCS11_R3/sample.

# mkdir /etc/utimaco
# cd <install directory>/Software/Linux/x86-64/Crypto_APIs/PKCS11_R3/sample
# cp cs_pkcs11_R3.cfg /etc/utimaco
# cd /etc/utimaco

Edit the cs_pkcs11_R3.cfg file in /etc/utimaco/ and set the Device entry in the [CryptoServer] section to the address of the HSM being used, e.g. Device = 288@172.23.0.55 (288 is the TCP port of the CryptoServer LAN service). In the shipped sample every Device line is commented out, so the entry has to be uncommented or added, not just edited.

If required, also adjust other entries, e.g. Logpath = /tmp and Logging = 0.


For more information regarding the commands and command parameters, check the Utimaco documentation. The device may be a CryptoServer PCIe or LAN device; the Device line follows one of these patterns, depending on the HSM form factor:

Device = 288@<HSM IP address>    (LAN-attached CryptoServer; 288 is the TCP port)

OR

Device = /dev/cs2.0              (PCIe CryptoServer)


To make testing easier, you can enable the PKCS#11 log file by adding the Logpath and Logging entries to the configuration file. Logpath points to a writable directory, not to a file; the library appends the file name itself. Logging accepts the values 0 to 4. For testing you can raise it to 4 (TRACE). When you are done, set it back to 1 or 2 so that only errors and warnings are recorded: a trace log is verbose, and a shared directory such as /tmp is readable by every local user, so keep the high log level and the shared log directory for the test phase only.

If you encounter problems, check the log file cs_pkcs11_R3.log in the directory given by Logpath.
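As an added example (my own helper, not part of the Utimaco software or its documentation), the following POSIX shell script checks a cs_pkcs11_R3.cfg for the mistakes this procedure tends to leave behind: a Device line still commented out as in the shipped sample, a Device value that is neither 288@<ip> nor a /dev/csN node, a Logpath that is not a writable directory, or a Logging level outside 0..4. The key names and value forms are the ones shown on this page; the function names, the warnings about /tmp and Logging=4, and the two constructed sample files are mine.

```shell
#!/bin/sh
# Added example, not part of the Utimaco documentation: sanity-check a
# cs_pkcs11_R3.cfg before the PKCS#11 library is loaded against it.
# Assumes the key names shown on this page (Device, Logpath, Logging) and
# the 288@<ip> / /dev/csN device forms; everything else is a local convention.

# Print the value of the first active (uncommented) KEY in FILE; empty if none.
cfg_get() {  # cfg_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# 0 if DEVICE is a LAN specifier (port@IPv4) or a PCIe device node, else 1.
check_device() {  # check_device DEVICE
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]+@([0-9]{1,3}\.){3}[0-9]{1,3}|/dev/cs[0-9]+(\.[0-9]+)?)$'
}

# 0 if LEVEL is one of the documented levels 0..4, else 1.
check_logging() {  # check_logging LEVEL
    case "$1" in 0|1|2|3|4) return 0 ;; *) return 1 ;; esac
}

# 0 if DIR is a writable directory (Logpath must not name a file), else 1.
check_logpath() {  # check_logpath DIR
    [ -d "$1" ] && [ -w "$1" ]
}

# Validate FILE; prints each problem and returns the number of problems found.
validate_cfg() {  # validate_cfg FILE
    n=0
    dev=$(cfg_get "$1" Device)
    if [ -z "$dev" ]; then
        echo "Device: no active entry (is it still commented out?)"; n=$((n+1))
    elif ! check_device "$dev"; then
        echo "Device: '$dev' is neither 288@<ip> nor /dev/csN"; n=$((n+1))
    fi
    lvl=$(cfg_get "$1" Logging)
    if [ -n "$lvl" ]; then
        if ! check_logging "$lvl"; then
            echo "Logging: '$lvl' is not in 0..4"; n=$((n+1))
        elif [ "$lvl" -gt 2 ]; then
            echo "note: Logging=$lvl is a test setting; lower it to 1 or 2 afterwards"
        fi
        dir=$(cfg_get "$1" Logpath)
        if [ "$lvl" != 0 ] && ! check_logpath "$dir"; then
            echo "Logpath: '$dir' is not a writable directory"; n=$((n+1))
        elif [ "$dir" = /tmp ]; then
            echo "note: /tmp is readable by every local user; prefer a dedicated directory"
        fi
    fi
    return "$n"
}

# Constructed sample files (not real deployments): one valid, one with the
# Device line still commented out and a Logpath that does not exist.
write_samples() {  # write_samples DIR  -> writes DIR/good.cfg and DIR/bad.cfg
    cat > "$1/good.cfg" <<EOF
Logpath = $1
Logging = 2
[CryptoServer]
Device = 288@172.23.0.55
EOF
    cat > "$1/bad.cfg" <<EOF
Logpath = /nonexistent/pkcs11log
Logging = 4
[CryptoServer]
#Device = 192.168.0.1
EOF
}

# Stand-alone demonstration: validate both constructed files.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in good bad; do
        echo "== $f.cfg"
        validate_cfg "$d/$f.cfg" || echo "-> $? problem(s)"
    done
    rm -rf "$d"
}
demo
```

Run it as `sh check_cfg.sh`; to check the real file, call `validate_cfg /etc/utimaco/cs_pkcs11_R3.cfg` from a shell that has sourced the script. The checks are purely lexical and never contact the HSM, so a clean result means the file is well formed, not that the device is reachable; that is what the log file is for.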


Example values:

cs_pkcs11_R3.cfg

# Path to the logfile (name of logfile is attached by the API)
# For unix:
Logpath = /tmp
# For windows:
#Logpath = C:/ProgramData/Utimaco/PKCS11_R3

# Loglevel (0 = NONE; 1 = ERROR; 2 = WARNING; 3 = INFO; 4 = TRACE)
Logging = 4

# Maximum size of the logfile in bytes (file is rotated with a backupfile if full)
Logsize = 10mb

# Created/Generated keys are stored in an external or internal database
KeysExternal = false

# If true, every session establishes its own connection
SlotMultiSession = true

# Maximum number of slots that can be used
SlotCount = 10

# If true, leading zeroes of decryption operations will be kept
KeepLeadZeros = false

# Configures load balancing mode ( == 0 ) or failover mode ( > 0 )
# In failover mode, n specifies the interval in seconds after which a reconnection attempt to the failed CryptoServer is started.
FallbackInterval = 0

# Prevents expiring session after inactivity of 15 minutes
KeepAlive = false

# Timeout of the open connection command in ms
ConnectionTimeout = 5000

# Timeout of command execution in ms
CommandTimeout = 60000

# List of official PKCS#11 mechanisms which should be customized
#CustomMechanisms = { CKM_AES_CBC CKM_AES_ECB }

# Enforce thread-safety by using the operating system locking primitives
#ForceOSLocking = true

#[CryptoServer]
# Device specifier (here: CryptoServer is internal PCI device)
# For unix:
#Device = /dev/cs2
# For windows:
#Device = PCI:0

[CryptoServer]
# Device specifier (here: CryptoServer is CSLAN with IP address 192.168.0.1)
#Device = 192.168.0.1

#[CryptoServer]