Setting Environment for Utimaco Security Server Access

Setting environment variables for Utimaco Security Server via PKCS11:

  1. Copy the PKCS#11 library libcs_pkcs11_R3.so to the ASE library path /opt/sap/ASE-16_1/lib/.

  2. Copy the PKCS#11 config file cs_pkcs11_R3.cfg to the config folder in the SAP home directory, /opt/sap/config.

  3. Update the PKCS#11 config file cs_pkcs11_R3.cfg.

 [Global]
 # For Unix:
 #Logpath = /tmp
 # For Windows:
 Logpath = C:/ProgramData/Utimaco/PKCS11_R3
 # Loglevel (0 = NONE; 1 = ERROR; 2 = WARNING; 3 = INFO; 4 = TRACE)
 Logging = 1
 # Prevents expiring session after inactivity of 15 minutes
 KeepAlive = true
 # Set the Device to connect with
 #[CryptoServer]
 # Device specifier
 Device = <port>@<HSM_IP>

Replace the Device parameter with the HSM device IP and port details.

For detailed guidance on commands and their parameters, please refer to the Utimaco CryptoServer documentation. The device could be a CryptoServer HSM, available in either PCIe or LAN form factors. Depending on the type, the device configuration line will follow one of these formats:

LAN-based HSM:

Device = 288@ipaddress

PCIe-based HSM:

Device = /dev/cs2.0

Be sure to select the appropriate format based on your specific hardware setup.

To simplify your testing process, it's recommended that you enable the PKCS#11 log file by adjusting the logging settings.

Specifically, set Logpath to a writable directory (not a specific file) and set the Logging level to 1 for basic logging; increase it to 4 for more detailed output during testing. This generates a log file named cs_pkcs11_R3.log in the Logpath directory. Reviewing this log can help with troubleshooting if you encounter issues.

Once testing is complete, reduce the Logging level so that output is limited to critical or important messages.

  4. Update the environment variables in SYBASE.sh for the u.trust GP HSM Se-Series. Add the environment variable for the PKCS#11 R3 library and config file:

[Figure: Environment Variable Details for SYBASE.sh]

  5. Include the SYBASE.sh execution in '.bash_profile':

# Load SAP Sybase ASE environment automatically
if [ -f "$HOME/SYBASE.sh" ]; then
    . "$HOME/SYBASE.sh"
fi

  6. Update the environment variables in RUN_SAP01 and RUN_SAP01_BS for the u.trust GP HSM Se-Series. Both files are available in /ASE-16_1/install/RUN_SAP01 and /ASE-16_1/install/RUN_SAP01/RUN_SAP01_BS.

+# Path to PKCS#11 config required by ASE TDE
+export CS_PKCS11_R3_CFG="/opt/sap/config/cs_pkcs11_R3.cfg"
+# Ensure ASE can find libcs_pkcs11_R3.so
+export LD_LIBRARY_PATH="/opt/sap/ASE-16_1/lib:${LD_LIBRARY_PATH}"
+
  /opt/sap/ASE-16_1/bin/datasever \
  -d/opt/sap/data/master.dat \
  -e/opt/sap/ASE-16_1/install/SAP01.log \
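
Review bot: The added LD_LIBRARY_PATH line leaves a trailing colon when LD_LIBRARY_PATH is unset or empty, and the dynamic loader treats an empty entry as the current working directory, so the server process that loads libcs_pkcs11_R3.so would also search whatever directory it is started from for shared libraries. Append the old value only when it is non-empty, for example export LD_LIBRARY_PATH="/opt/sap/ASE-16_1/lib${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}". Separately, the unchanged context line names the binary /opt/sap/ASE-16_1/bin/datasever; check that spelling against the actual RUN_SAP01 file before relying on this excerpt.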

  7. Shut down the ASE server, then restart it using startserver:

1>shutdown
2>go

[Figure: Shutdown from ASE server]

#cd ASE-16_1/install/
#/opt/sap/ASE-16_1/bin/startserver -f RUN_SAP01


[Figure: Start ASE Server]
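
The cs_pkcs11_R3.cfg settings from step 3 can be checked before ASE is restarted. The script below is an added example, not part of the original page or of Utimaco or SAP tooling; its function names are hypothetical, the sample config is constructed, and it recognises only the two Device formats listed above.

```sh
#!/bin/sh
# Added example: pre-flight check for cs_pkcs11_R3.cfg. Function names are
# hypothetical; only the two Device formats shown on this page are recognised.

# cfg_get FILE KEY: print the value of the last uncommented "KEY = value" line.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# device_ok VALUE: 0 for <port>@<host> (LAN) or a /dev/ node (PCIe), else 1.
device_ok() {
    case "$1" in
        /dev/?*) return 0 ;;
        *@*) port=${1%%@*}; host=${1#*@}
             case "$port" in ''|*[!0-9]*) return 1 ;; esac
             case "$host" in ''|*[!A-Za-z0-9.:-]*) return 1 ;; esac
             return 0 ;;
    esac
    return 1
}

# check_cfg FILE: print one line per finding; exit status = number of findings.
check_cfg() {
    n=0
    dev=$(cfg_get "$1" Device); lvl=$(cfg_get "$1" Logging); dir=$(cfg_get "$1" Logpath)
    if ! device_ok "$dev"; then
        echo "Device '$dev' is not <port>@<host> or a /dev/ node"; n=$((n + 1))
    fi
    case "$lvl" in
        [0-3]) ;;
        4) echo "Logging = 4 (TRACE): lower it once testing is complete"; n=$((n + 1)) ;;
        *) echo "Logging '$lvl' is not a level from 0 to 4"; n=$((n + 1)) ;;
    esac
    if [ -n "$dir" ] && { [ ! -d "$dir" ] || [ ! -w "$dir" ]; }; then
        echo "Logpath '$dir' is not a writable directory"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample config (not from a real deployment): TRACE left enabled.
sample=$(mktemp)
printf '%s\n' '[Global]' 'Logpath = /tmp' 'Logging = 4' \
    '#Device = 3001@old-host' 'Device = 288@192.0.2.10' > "$sample"
check_cfg "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run check_cfg against the file named in CS_PKCS11_R3_CFG as the account that starts ASE, since the Logpath writability test depends on the calling user.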