Breadcrumbs

Setting Up Utimaco SecurityServer Software

On Linux:

  1. Copy the downloaded software to the appropriate location on the Oracle Database Server.

  2. Create a utimaco folder under the /opt directory and create 2 directories /opt/utimaco/bin and /opt/utimaco/lib.

# mkdir -p /opt/utimaco/bin 
# mkdir /opt/utimaco/lib

  1. Copy the pkcs11 library file libcs_pkcs11_R3.so from the Utimaco CryptoServer software to the /opt/utimaco/lib directory and make the file executable.

cp ~/path_to_application_folder/lib/libcs_pkcs11_R3.so /opt/utimaco/lib
chmod +x /opt/utimaco/lib/libcs_pkcs11_R3.so

  1. Copy the csadm and p11tool2 files from the Utimaco CryptoServer software to the /opt/utimaco/bin directory and make both files executable.

# cd ~/path_to_application_folder 
# cp csadm p11tool2 /opt/utimaco/bin
# chmod +x /opt/utimaco/bin/csadm /opt/utimaco/bin/p11tool2

  1. Create the directory /etc/utimaco. Locate the Utimaco PKCS#11 configuration file in your SecurityServer directory, Software\Linux\Crypto_APIs\PKCS11_R3\sample. Copy the Utimaco PKCS#11 configuration file cs_pkcs11_R3.cfg to /etc/utimaco directory.

# mkdir /etc/utimaco
# cd ~/path_to_application_folder/Software/Linux/Crypto_APIs/PKCS11_R3/sample 
# cp cs_pkcs11_R3.cfg /etc/utimaco

On Windows:

On Windows, cs_pkcs11_R3.cfg will be automatically created and available in the C:\ProgramData\UtimacoPKCS11_R3 folder as part of the CryptoServer software installation.

Edit the cs_pkcs11_R3.cfg file and make the appropriate changes to the file.

cs_pkcs11_R3.cfg (Sample file)

library = C:\oracle\extapi\64\hsm\utimaco\6.1.1.0\cs_pkcs11_R3.dll
slot = 0
pin = Oracle123

[Global]

# For Unix:

Logpath = /tmp

# For Windows:

# Logpath = C:/ProgramData/Utimaco/PKCS11_R3

# Loglevel (0 = NONE; 1 = ERROR; 2 = WARNING; 3 = INFO; 4 = TRACE)

Logging = 1

# Prevents expiring session after inactivity of 15 minutes

KeepAlive = true

# Set the Device to connect with

#[CryptoServer]

# Device specifier

Device = <HSM_IP>

For detailed guidance on commands and their parameters, please refer to the Utimaco CryptoServer documentation.

The device could be a CryptoServer HSM, available in either PCIe or LAN form factors. Depending on the type, the device configuration line will follow one of these formats:

  • LAN-based HSM:
    Device = 288@ipaddress

  • PCIe-based HSM:
    Device = /dev/cs2.0

Make sure to select the appropriate format based on your specific hardware setup.

library specifies the path where the cs_pkcs11_R3.dll file is located.

Slot indicates the slot number associated with the created USER.

Pin represents the password assigned to the USER.

To simplify your testing process, it's recommended that you enable the PKCS#11 log file by adjusting the logging settings. Specifically:

  • Set the LogPath to a writable directory (not a specific file).

  • Set the Logging Loglevel to 1 for basic logging. Increase it to 4 for more detailed output during testing.

This will generate a log file named cs_pkcs11_R3.log within the specified LogPath directory. Reviewing this log can help with troubleshooting if you encounter issues.

Once testing is complete, it's advisable to reduce Logging Loglevel to 1 or 2 to limit output to only critical or important messages.