Create the Utimaco Global Network Configuration File

The Utimaco PKCS#11 library does not have the HSM's network address hardcoded into it. Instead, it reads a global configuration file at runtime to determine where to find the CryptoServer appliance. This file must be created on the Kron PAM server and its path must be provided via an environment variable before any process that uses the library is started.

[pamuser@KronPAM_Instance]# mkdir -p /etc/utimaco 
[pamuser@KronPAM_Instance]# mkdir -p /var/log/utimaco 

Edit the file /etc/utimaco/cs_pkcs11_R3.cfg. The Device parameter uses the format PORT@IP_ADDRESS.

[Global] 
Logging = 1 
Logpath = /var/log/utimaco 
[CryptoServer] 
Device = <HSM_PORT>@<HSM_IP_ADDRESS> 

The Logging and Logpath settings instruct the library to write diagnostic output to /var/log/utimaco. This is valuable during initial setup and troubleshooting - if an operation fails, the log will typically identify whether the issue is a connectivity problem, an authentication failure, or a key not found error. In production environments, log rotation for this directory should be configured. 

For high-availability deployments, Utimaco supports specifying multiple devices: 'Device = 3001@10.10.10.10,3001@10.10.10.20'. The library will attempt the addresses in order, failing over if the primary is unreachable.
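
A pre-flight check for the file described above, covering both the single-device and the comma-separated multi-device form. This is an added example, not code from Utimaco or Kron. It assumes the library reads the config path from the CS_PKCS11_R3_CFG environment variable (the page does not name the variable) and that addresses are IPv4; the function names are hypothetical.

```shell
# Added example (not vendor code): pre-flight check for cs_pkcs11_R3.cfg.

# Print the value of KEY in [SECTION] of an INI-style file.
cfg_get() {  # usage: cfg_get FILE SECTION KEY
  awk -v sec="[$2]" -v key="$3" '
    { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    /^\[/ { in_sec = ($0 == sec); next }
    in_sec && /^[^#;]/ {
      n = index($0, "="); if (n == 0) next
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# Succeed only if every comma-separated entry is PORT@IPv4 (strict, no spaces).
valid_device_spec() (  # subshell body keeps IFS and variables local
  set -f; spec=$1; IFS=,
  case $spec in ''|,*|*,|*,,*) exit 1 ;; esac
  for entry in $spec; do
    case $entry in *@*@*|*[!0-9.@]*) exit 1 ;; *@*) ;; *) exit 1 ;; esac
    port=${entry%%@*}; ip=${entry#*@}
    case $port in ''|*[!0-9]*|??????*) exit 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || exit 1
    case $ip in *.*.*.*.*|.*|*.|*..*) exit 1 ;; *.*.*.*) ;; *) exit 1 ;; esac
    IFS=.
    for octet in $ip; do
      [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
  done
  exit 0
)

# Validate the file the library would load (path taken from the assumed
# CS_PKCS11_R3_CFG variable); print findings, return non-zero on error.
check_pkcs11_cfg() (
  cfg=${CS_PKCS11_R3_CFG:-}; rc=0
  if [ -z "$cfg" ] || [ ! -r "$cfg" ]; then
    echo "FAIL: CS_PKCS11_R3_CFG unset or file unreadable"; exit 2
  fi
  dev=$(cfg_get "$cfg" CryptoServer Device)
  valid_device_spec "$dev" || { echo "FAIL: Device is not PORT@IP: '$dev'"; rc=1; }
  logpath=$(cfg_get "$cfg" Global Logpath)
  if [ ! -d "$logpath" ] || [ ! -w "$logpath" ]; then
    echo "FAIL: Logpath '$logpath' missing or not writable"; rc=1
  fi
  [ "$rc" -ne 0 ] || echo "OK: $cfg -> $dev"
  exit "$rc"
)
```

Source the functions and call check_pkcs11_cfg as the account that starts the processes using the library, since the Logpath writability result depends on who runs it. A Device line still holding the <HSM_PORT>@<HSM_IP_ADDRESS> placeholders is reported as a failure.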