Verify the AES Key on the Utimaco u.trust GP HSM

Before beginning any PAM configuration, confirm that the AES key exists on the HSM and note its alias. Log in to the server where the Utimaco PKCS#11 library is accessible and run the following command, substituting your HSM PIN for <YOUR_HSM_PIN>:

[UtimacoHSM]# pkcs11-tool --module /usr/lib64/libcs_pkcs11_R3.so --slot-index 0 --login --pin <YOUR_HSM_PIN> -O 

The output should include a block similar to the following. Confirm that the key type is AES with a length of 32 bytes (256 bits), and note the label value, which is the alias you will use throughout the configuration:

Using slot with index 0 (0x0) 
Secret Key Object; AES length 32 
  label:      kronpam-master-key 
  ID:         01 
  Usage:      encrypt, decrypt, verify, wrap, unwrap 
  Access:     never extractable, local
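
One way to script the check described above, as an added example that is not part of the original page or of any vendor tooling: it parses `pkcs11-tool -O` output, keeps only AES secret keys of exactly 32 bytes, and reports each label with its Access line. The function names, the two extra sample objects and the additional "never extractable" test are assumptions of this example.

```shell
#!/bin/sh
# Added example: filter `pkcs11-tool ... -O` output for AES-256 secret keys.
# Sample listing: the first object is the one shown above; the other two are
# constructed for this example.
SAMPLE_LISTING='Using slot with index 0 (0x0)
Secret Key Object; AES length 32
  label:      kronpam-master-key
  ID:         01
  Usage:      encrypt, decrypt, verify, wrap, unwrap
  Access:     never extractable, local
Secret Key Object; AES length 16
  label:      constructed-aes128-key
  ID:         02
  Usage:      encrypt, decrypt
  Access:     never extractable, local
Secret Key Object; AES length 32
  label:      constructed-extractable-key
  ID:         03
  Usage:      encrypt, decrypt
  Access:     extractable, local'

# Print "label<TAB>access" for every AES secret key of exactly 32 bytes.
list_aes256_keys() {
  awk '
    function emit() { if (ok) printf "%s\t%s\n", label, access }
    /^[^ \t]/ { emit(); ok = 0; label = ""; access = "" }   # new object header
    /^Secret Key Object; AES length 32[ \t]*$/ { ok = 1 }
    /^[ \t]+label:/  { sub(/^[ \t]+label:[ \t]*/, "");  sub(/[ \t]+$/, ""); label = $0 }
    /^[ \t]+Access:/ { sub(/^[ \t]+Access:[ \t]*/, ""); sub(/[ \t]+$/, ""); access = $0 }
    END { emit() }'
}

# Succeed only if the key labelled $1 is AES-256 and marked "never extractable"
# (the extractability test is an assumption of this example, not a page step).
verify_master_key() {
  list_aes256_keys | awk -F '\t' -v want="$1" '
    $1 == want { found = 1; if ($2 ~ /never extractable/) good = 1 }
    END { exit !(found && good) }'
}

# Demo on the sample; against the HSM, pipe the pkcs11-tool command shown above in.
printf '%s\n' "$SAMPLE_LISTING" | list_aes256_keys
printf '%s\n' "$SAMPLE_LISTING" | verify_master_key kronpam-master-key && echo "OK"
```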