Setting up PKCS#11

We will access the HSM using the IP address of the GP HSM device.

Initialize a Slot

Oracle OKV uses the token label to select the slot to be used, so to avoid any problems make sure the token label you are using is unique.

To initialize a slot with a custom label, run the following commands on the machine where you installed the p11tool2 tool.

The first p11tool2 command creates the SO (Security Officer) and the second p11tool2 command initializes the Slot 0 User.

Make sure that you secure the new OKVADMIN.key that you just created. You will need that key to perform any administrative functions on the Utimaco HSM.

Setting up your PKCS#11 users

Follow the Utimaco documentation for setting up your PKCS#11 users.

For our example we have chosen the PIN "123456" to use for our SO and Crypto User.

# /opt/utimaco/bin/p11tool2 slot=0 Label=OKVDemo Login=OKVADMIN,OKVADMIN.key InitToken=123456
# /opt/utimaco/bin/p11tool2 slot=0 LoginSO=123456 InitPin=123456

Now check that you can access Slot 0.

# /opt/utimaco/bin/p11tool2 LoginUser=123456 GetInfo
 
  CK_INFO:
  cryptokiVersion   : 3.00
  manufacturerID      5574696d 61636f20  49532047 6d624820 |Utimaco IS GmbH|
                      20202020 20202020  20202020 20202020 |               |
  flags             : 0x00000000
  libraryDescription  43727970 746f5365  72766572 20504b43 |CryptoServer PKC|
                      53233131 204c6962  72617279 20523320 |S#11 Library R3|
  libraryVersion    : 1.14

List users and verify MBK

Use the /opt/utimaco/bin/csadm command to list and confirm the users that were created.

# /opt/utimaco/csadm DEV=10.0.0.164 listusers
Name      Permission   Mechanism      Attributes
OKVADMIN   22000000    RSA sign       Z[0]
SO_0000    00000200    HMAC passwd    A[CXI_GROUP=SLOT_0000]
USR_0000   00000002    HMAC passwd    Z[0]A[CXI_GROUP=SLOT_0000]

Now confirm that the Utimaco HSM has an MBK (Master Backup Key).

# csadm Dev=10.0.0.164 LogonSign=OKVADMIN,OKVADMIN.key MBKListKeys
slot name     len algo type   k  generation date      key check value
-------------------------------------------------------------------------
3    MYMBK   32  AES  XOR    2  2012/08/15 13:08:39  CC06067E3C8692DE:D53279C7B862EC54

If no MBK is present you will need to generate one before you can create any keys in the HSM.

See the csadm help=MBKGenerateKey and help=MBKImportKey output for how to do this. Details can be found in the csadm manual:

CryptoServer csadm Manual 5.7 Commands for Managing the Master Backup Keys

Check the slot

Check the PKCS#11 slot. Results should be similar to the following output.

# /opt/utimaco/p11tool2 LoginUser=123456 GetSlotInfo
 
CK_SLOT_INFO (slot ID: 0x00000000):
 
slotDescription
31302e31 392e3732 2e323031 202d2053 |10.0.0.164  -  S|
4c4f545f 30303030 20202020 20202020 |LOT_0000        |
20202020 20202020 20202020 20202020 |                |
20202020 20202020 20202020 20202020 |                |
 
manufacturerID
5574696d 61636f20 49532047 6d624820 |Utimaco IS GmbH |
20202020 20202020 20202020 20202020 |                |
flags: 0x00000005
 
CKF_TOKEN_PRESENT : CK_TRUE
CKF_REMOVABLE_DEVICE : CK_FALSE
CKF_HW_SLOT : CK_TRUE
hardwareVersion : 5.01
firmwareVersion : 2.03

OKV should now be able to access the Utimaco PKCS#11 HSM provider.
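Two things in this guide are easy to get wrong when checking by eye: the slot description and manufacturer fields in the p11tool2 dumps are shown as raw 32-bit hex groups, and the slot flags are a bitfield. The following Python is an added example (not part of this guide and not Utimaco or Oracle code) that decodes those dumps, interprets the CK_SLOT_INFO flag bits using the values from the PKCS#11 specification, and resolves the token label OKV uses to a slot id, refusing when the label is not unique. The sample dump text and the token list are constructed to match the layout shown above; they were not captured from a live HSM.

```python
"""Decode p11tool2-style CK_SLOT_INFO dumps and resolve a token label to a slot.

Added example. The sample text below is constructed to match the layout of the
GetSlotInfo output in this guide; it is not output captured from a real device.
"""
import re

# CK_SLOT_INFO flag bits as defined in the PKCS#11 specification
CKF_TOKEN_PRESENT = 0x00000001
CKF_REMOVABLE_DEVICE = 0x00000002
CKF_HW_SLOT = 0x00000004

# A dump line: one or more 8-hex-digit groups followed by the |ascii| column
HEX_GROUP_LINE = re.compile(r"^(?:[0-9a-fA-F]{8}\s+)+\|")


def decode_hex_dump(lines):
    """Join the 32-bit hex groups of a dump (ignoring the |ascii| column) and
    return the string with the PKCS#11 space padding removed."""
    data = bytearray()
    for line in lines:
        head = line.split("|", 1)[0]          # drop the |...| ascii preview
        for group in head.split():
            data += bytes.fromhex(group)
    return data.decode("ascii").rstrip()


def decode_slot_flags(flags):
    """Expand the CK_SLOT_INFO flags bitfield into named booleans."""
    return {
        "CKF_TOKEN_PRESENT": bool(flags & CKF_TOKEN_PRESENT),
        "CKF_REMOVABLE_DEVICE": bool(flags & CKF_REMOVABLE_DEVICE),
        "CKF_HW_SLOT": bool(flags & CKF_HW_SLOT),
    }


def parse_slot_info(text):
    """Parse one CK_SLOT_INFO block into slot id, decoded fields and flags."""
    info = {"slot_id": None, "fields": {}, "flags": 0}
    pending = {}        # field name -> hex dump lines collected so far
    current = None      # hex dump field currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"CK_SLOT_INFO \(slot ID: (0x[0-9a-fA-F]+)\)", line)
        if m:
            info["slot_id"] = int(m.group(1), 16)
            continue
        m = re.match(r"flags:\s*(0x[0-9a-fA-F]+)", line)
        if m:
            info["flags"] = int(m.group(1), 16)
            current = None
            continue
        if current and HEX_GROUP_LINE.match(line):
            pending.setdefault(current, []).append(line)
            continue
        if re.fullmatch(r"[A-Za-z]+", line):   # bare name introduces a hex dump
            current = line
            continue
        m = re.match(r"(\w+)\s*:\s*(\S+)", line)  # e.g. hardwareVersion : 5.01
        if m:
            info["fields"][m.group(1)] = m.group(2)
            current = None
    for name, lines in pending.items():
        info["fields"][name] = decode_hex_dump(lines)
    return info


def select_slot_by_label(tokens, label):
    """tokens: list of (slot_id, token_label). Return the single slot carrying
    the label, as OKV would select it; refuse if the label is absent or
    appears on more than one slot."""
    matches = [slot for slot, name in tokens if name == label]
    if not matches:
        raise LookupError(f"no token labelled {label!r}")
    if len(matches) > 1:
        raise ValueError(f"token label {label!r} is not unique: slots {matches}")
    return matches[0]


# Constructed sample, laid out like the GetSlotInfo output in the guide
SAMPLE_SLOT_INFO = """\
CK_SLOT_INFO (slot ID: 0x00000000):

slotDescription
31302e30 2e302e31 36342020 2d202053 |10.0.0.164  -  S|
4c4f545f 30303030 20202020 20202020 |LOT_0000        |
20202020 20202020 20202020 20202020 |                |
20202020 20202020 20202020 20202020 |                |

manufacturerID
5574696d 61636f20 49532047 6d624820 |Utimaco IS GmbH |
20202020 20202020 20202020 20202020 |                |
flags: 0x00000005

CKF_TOKEN_PRESENT : CK_TRUE
CKF_REMOVABLE_DEVICE : CK_FALSE
CKF_HW_SLOT : CK_TRUE
hardwareVersion : 5.01
firmwareVersion : 2.03
"""

if __name__ == "__main__":
    parsed = parse_slot_info(SAMPLE_SLOT_INFO)
    print(parsed["fields"]["slotDescription"], decode_slot_flags(parsed["flags"]))
    # constructed token list: the label OKVDemo from the guide on slot 0
    print(select_slot_by_label([(0, "OKVDemo"), (1, "Backup")], "OKVDemo"))
```

The flags value 0x00000005 seen in the guide is CKF_TOKEN_PRESENT | CKF_HW_SLOT, which is what the decoded booleans report. In practice you would feed `parse_slot_info` the real `p11tool2 ... GetSlotInfo` output for each slot and build the token list from the labels you assigned with `InitToken`; `select_slot_by_label` then fails loudly if two slots share the label, which is exactly the situation the uniqueness requirement above is meant to prevent.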