PKCS#11 Configuration

Create the directory /etc/utimaco and copy the Utimaco PKCS#11 configuration file cs_pkcs11_R3.cfg into it. The file is located in your CryptoServer-V4.45.2.0 directory, under Linux/x86-64/Crypto_APIS/PKCS11_R3/sample.

# mkdir /etc/utimaco
# cd <install directory>/Software/Linux/x86-64/Crypto_APIs/PKCS11_R3/sample
# cp cs_pkcs11_R3.cfg /etc/utimaco
# cd /etc/utimaco

Edit the cs_pkcs11_R3.cfg file you copied to direct it to use your Utimaco HSM device.

The device may be a CryptoServer (PCIe or LAN) device. The device line will follow one of these patterns, based on the HSM form-factor:

Device = 288@<HSM IP address>  Hardware (LAN) HSM
Or
Device = /dev/cs2.0  Hardware (PCIe) HSM


Example values

# Set the log path
[Global]
# Path to the logfile (name of logfile is attached by the API)
# For unix:
LogPath = /tmp

# Set the Loglevel
# Loglevel (0 = NONE; 1 = ERROR; 2 = WARNING; 3 = INFO; 4 = TRACE)
Logging = 1

# Set the Device to connect with
[CryptoServer]
# Device specifier
Device = 288@10.0.0.164

For deployments with u.trust Anchor, the port number will be in the range 4001 through 4032, for example 4001@10.0.0.164.

In this example the Utimaco HSM is at IP address 10.0.0.164; set Device to reflect your actual HSM IP address. Ensure that the file cs_pkcs11_R3.cfg is accessible to OKV. We recommend setting the permissions with chmod 555 and the ownership with chown oracle:oinstall.

To make testing easier, enable the PKCS#11 log file by setting LogPath and the Logging level in the [Global] section. Set Logging to 1; for testing you may want to increase it to 4.

LogPath must point to a writable directory, not to a file.

If you encounter problems, check the log file named cs_pkcs11_R3.log in the directory defined by LogPath. When you are done testing, change Logging to 1 or 2. This will limit the logging to only critical and important messages.
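
A lint for the edited file, checking the rules stated on this page: the Device form, LogPath being a writable directory, and the Logging level. This is an added example, not Utimaco or Oracle code; cfg_get and check_cfg are names invented here, and the Device check accepts only the two patterns shown above.

```sh
# Added example: lint cs_pkcs11_R3.cfg against the rules stated on this page.
# cfg_get and check_cfg are names invented for this example.

# cfg_get FILE SECTION KEY: print the value of KEY inside [SECTION]
cfg_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*#/  { next }                                 # comment line
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); cur = $0; next }  # section header
        cur == sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_cfg FILE: print one line per finding, return the number of findings
check_cfg() {
    n=0
    note() { echo "$1"; n=$((n + 1)); }
    dev=$(cfg_get "$1" CryptoServer Device)
    dir=$(cfg_get "$1" Global LogPath)
    lvl=$(cfg_get "$1" Global Logging)

    case $dev in
        /dev/cs2.*) ;;                    # PCIe form; the page shows /dev/cs2.0
        *@?*) case ${dev%%@*} in          # LAN form: <port>@<address>
                  ''|*[!0-9]*) note "Device: port '${dev%%@*}' is not numeric" ;;
              esac ;;
        *) note "Device: '$dev' is neither <port>@<address> nor /dev/cs2.0" ;;
    esac

    if [ -n "$dir" ]; then                # LogPath must be a writable directory
        [ -d "$dir" ] || note "LogPath: '$dir' is not a directory"
        [ ! -d "$dir" ] || [ -w "$dir" ] || note "LogPath: '$dir' is not writable"
    fi

    case $lvl in
        ''|0|1|2) ;;                      # unset, NONE, ERROR, WARNING
        3|4) note "Logging=$lvl is a testing level; return to 1 or 2 afterwards" ;;
        *) note "Logging: '$lvl' is outside 0..4" ;;
    esac
    return "$n"
}

# Constructed sample: the page's example values with Logging raised to 4
sample=$(mktemp)
printf '[Global]\nLogPath = /tmp\nLogging = 4\n[CryptoServer]\nDevice = 288@10.0.0.164\n' >"$sample"
check_cfg "$sample" || echo "$? finding(s)"; rm -f "$sample"
```

Run check_cfg /etc/utimaco/cs_pkcs11_R3.cfg as the account that will load the PKCS#11 library, so the LogPath writability test reflects that account's access.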