Setting Up Utimaco SecurityServer Software

If you have not already done so, create and request a Utimaco Support Portal account at https://support.hsm.utimaco.com/support. This will allow you to download the software components needed for this installation.

On Linux:

  1. Copy the downloaded Utimaco SecurityServer software to the appropriate location on a Linux Server.

  2. Create a utimaco folder under the /opt directory, then create the two directories /opt/utimaco/bin and /opt/utimaco/lib.

  3. Copy the pkcs11 library file libcs_pkcs11_R3.so from the Utimaco SecurityServer software to the /opt/utimaco/lib directory and make the file executable.

  4. Copy the csadm and p11tool2 files from the Utimaco SecurityServer software to the /opt/utimaco/bin directory and make both files executable.

  5. Create the directory /etc/utimaco. Locate the Utimaco PKCS#11 configuration file in your SecurityServer directory, Software\Linux\Crypto_APIs\PKCS11_R3\sample. Copy the Utimaco PKCS#11 configuration file cs_pkcs11_R3.cfg to the /etc/utimaco directory.

  6. Set the environment variable CS_PKCS11_R3_CFG to point to the cs_pkcs11_R3.cfg file:

# export CS_PKCS11_R3_CFG=/etc/utimaco/cs_pkcs11_R3.cfg

On Windows:

On Windows, cs_pkcs11_R3.cfg is created automatically in the C:\ProgramData\Utimaco\PKCS11_R3 folder as part of the SecurityServer software installation. Edit the cs_pkcs11_R3.cfg file and make the appropriate changes for your environment. A sample cs_pkcs11_R3.cfg file is shown below.

library = C:\oracle\extapi\64\hsm\utimaco\6.1.1.0\cs_pkcs11_R3.dll
slot = 0
pin = Oracle123
[Global]
# For Unix:
Logpath = /tmp
# For Windows:
# Logpath = C:/ProgramData/Utimaco/PKCS11_R3
# Loglevel (0 = NONE; 1 = ERROR; 2 = WARNING; 3 = INFO; 4 = TRACE)
Logging = 1
# Prevents expiring session after inactivity of 15 minutes
KeepAlive = true
# Set the Device to connect with
#
[CryptoServer]
# Device specifier
Device = <HSM_IP>

For detailed guidance on commands and their parameters, refer to the Utimaco SecurityServer documentation. The device can be a u.trust GP HSM Se-Series in either PCIe or LAN form factor. Depending on the type, the Device line takes one of these formats:

  • LAN-based HSM: Device = 288@ipaddress

  • PCIe-based HSM: Device = /dev/cs2.0

Make sure to select the appropriate format based on your specific hardware setup.

library specifies the path where the cs_pkcs11_R3.dll file is located.

slot indicates the slot number associated with the created USER.

pin represents the password assigned to the USER.

To simplify your testing process, it is recommended that you enable the PKCS#11 log file by adjusting the logging settings. Specifically:

  • Set Logpath to a writable directory (not a specific file).

  • Set Logging to 1 for basic (error-only) logging. Increase it to 4 (TRACE) for more detailed output during testing.

This generates a log file named cs_pkcs11_R3.log within the Logpath directory. Reviewing this log can help with troubleshooting if you encounter issues. Once testing is complete, it is advisable to reduce Logging to 1 or 2 so that only errors and warnings are written.
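The following helper script is an added example, not part of the Utimaco or Oracle documentation. It performs the Linux steps 2 to 6 above into configurable directories and then checks the Logpath, Logging and Device settings of a cs_pkcs11_R3.cfg against the rules given in this section; the function names, the SRC_DIR argument (a directory into which you have already copied libcs_pkcs11_R3.so, csadm, p11tool2 and cs_pkcs11_R3.cfg from the download) and the 0640 mode for the configuration file (it holds the USER pin in clear text) are this example's own assumptions.

```shell
#!/bin/sh
# Added helper (not from the Utimaco or Oracle documentation).
# Assumed: SRC_DIR already holds libcs_pkcs11_R3.so, csadm, p11tool2 and
# cs_pkcs11_R3.cfg copied out of the unpacked SecurityServer download.

# install_utimaco SRC_DIR PREFIX ETC_DIR   (normally /opt/utimaco and /etc/utimaco)
install_utimaco() {
  src=$1; prefix=$2; etc=$3
  mkdir -p "$prefix/bin" "$prefix/lib" "$etc"                    # steps 2 and 5
  install -m 0755 "$src/libcs_pkcs11_R3.so" "$prefix/lib/"       # step 3
  install -m 0755 "$src/csadm" "$src/p11tool2" "$prefix/bin/"    # step 4
  # step 5: the file carries the USER pin in clear text, so keep it owner/group readable only
  install -m 0640 "$src/cs_pkcs11_R3.cfg" "$etc/"
  # step 6: exported for this shell only; add the line to a profile file to persist it
  CS_PKCS11_R3_CFG="$etc/cs_pkcs11_R3.cfg"; export CS_PKCS11_R3_CFG
}

# cfg_value FILE KEY  ->  prints the value of the first uncommented "KEY = value" line
# (key match is case-insensitive, so Logpath and LogPath are the same key)
cfg_value() {
  awk -F'=' -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    { key=$1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
      if (tolower(key) == k) {
        v=$2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v); print v; exit
      } }' "$1"
}

# check_pkcs11_cfg FILE  ->  returns 0 when Logpath, Logging and Device are usable,
# 1 otherwise (each problem is reported on stderr; a left-over <HSM_IP> placeholder fails)
check_pkcs11_cfg() {
  f=$1; rc=0
  lp=$(cfg_value "$f" Logpath)
  [ -d "$lp" ] && [ -w "$lp" ] || { echo "Logpath '$lp' is not a writable directory" >&2; rc=1; }
  lv=$(cfg_value "$f" Logging)
  case $lv in [0-4]) ;; *) echo "Logging must be 0..4, got '$lv'" >&2; rc=1 ;; esac
  dev=$(cfg_value "$f" Device)
  case $dev in
    [0-9]*@?*) ;;                 # LAN HSM: port@ipaddress, e.g. 288@ipaddress
    /dev/cs2.[0-9]*) ;;           # PCIe HSM: /dev/cs2.N
    *) echo "Device '$dev' is neither port@ipaddress nor /dev/cs2.N" >&2; rc=1 ;;
  esac
  return $rc
}
```

Source the file, run install_utimaco with your three directories, and then run check_pkcs11_cfg "$CS_PKCS11_R3_CFG" after editing the Device line.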