
System Management Guide: Operating System and Devices


PKCS #11 Subsystem Configuration

Note: The information in this section is specific to the POWER-based platform.

The PKCS #11 subsystem automatically detects devices that support PKCS #11. However, before some applications can use these devices, some initial setup is necessary. These tasks include:

These tasks can be performed through the API (by writing a PKCS #11 application) or by using the SMIT interface. The PKCS #11 SMIT options are accessed either through Manage the PKCS11 subsystem from the main SMIT menu, or by using the smit pkcs11 fastpath.

Initializing the Token

Each adapter or PKCS #11 token must be initialized before it can be used successfully. This initialization procedure involves assigning a unique label to the token. This label allows applications to uniquely identify the token, so labels should not be repeated. However, the API does not verify that labels are not reused. This initialization can be done through a PKCS #11 application or by the system administrator using SMIT. If your token has a Security Officer PIN, the default value is set to 87654321. To ensure the security of the PKCS #11 subsystem, this value should be changed after initialization.

To initialize the token:

  1. Enter the token management screen by typing smit pkcs11.
  2. Select Initialize a Token.
  3. Select a PKCS #11 adapter from the list of supported adapters.
  4. Confirm your selection by pressing Enter.

    Note: This will erase all information on the token.
  5. Enter the Security Officer PIN (SO PIN) and a unique token label.

If the correct PIN is entered, the adapter will be initialized or reinitialized after the command has finished execution.
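Because the API does not check label uniqueness, an administrator or application can check before initializing a token. The following added example (not part of this guide) pads a candidate label to the 32-byte blank-padded form that PKCS #11 uses, compares it with labels already in use, and flags the default SO PIN. The function names are hypothetical, and the existing labels are assumed to have been read from each token's CK_TOKEN_INFO with C_GetTokenInfo.

```c
#include <stdio.h>
#include <string.h>

#define LABEL_LEN 32              /* size of CK_TOKEN_INFO.label in PKCS #11 */
#define DEFAULT_SO_PIN "87654321" /* default SO PIN stated in this guide */

/* Convert a C string to the blank-padded, non-terminated 32-byte label
 * form. Returns 0 on success, -1 if the label is empty or too long. */
int pad_label(const char *label, unsigned char out[LABEL_LEN])
{
    size_t n = strlen(label);
    if (n == 0 || n > LABEL_LEN)
        return -1;
    memset(out, ' ', LABEL_LEN);
    memcpy(out, label, n);
    return 0;
}

/* Return the index of the existing token whose label equals the candidate,
 * -1 if the candidate is unique, or -2 if the candidate is invalid. */
int find_label_clash(const char *candidate,
                     unsigned char existing[][LABEL_LEN], size_t count)
{
    unsigned char padded[LABEL_LEN];
    if (pad_label(candidate, padded) != 0)
        return -2;
    for (size_t i = 0; i < count; i++)
        if (memcmp(padded, existing[i], LABEL_LEN) == 0)
            return (int)i;
    return -1;
}

/* Return 1 when the SO PIN is still the documented default, else 0. */
int so_pin_is_default(const char *pin)
{
    return strcmp(pin, DEFAULT_SO_PIN) == 0;
}

int main(void)
{
    /* Constructed sample: labels of two already-initialized tokens. */
    unsigned char tokens[2][LABEL_LEN];
    pad_label("payments-hsm", tokens[0]);
    pad_label("backup-hsm", tokens[1]);
    printf("'backup-hsm ' clash: %d\n", find_label_clash("backup-hsm ", tokens, 2));
    printf("'test-hsm' clash: %d\n", find_label_clash("test-hsm", tokens, 2));
    printf("default SO PIN: %d\n", so_pin_is_default("87654321"));
    return 0;
}
```

A candidate that differs from an existing label only by trailing blanks is reported as a clash, because both map to the same 32-byte field.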

Setting the Security Officer PIN

If your token has an SO PIN, you can change the PIN from its default value. To do this:

  1. Type smit pkcs11.
  2. Select Set the Security Officer PIN.
  3. Select the initialized adapter for which you want to set the SO PIN.
  4. Enter the current SO PIN and a new PIN.
  5. Verify the new PIN.

Initializing the User PIN

After the token has been initialized, it might be necessary to set the user PIN to allow applications to access token objects. Refer to your device-specific documentation to determine if the device requires a user to log in before accessing objects.

To initialize the user PIN:

  1. Enter the token management screen by typing smit pkcs11.
  2. Select Initialize the User PIN.
  3. Select a PKCS #11 adapter from the list of supported adapters.
  4. Enter the SO PIN and the User PIN.
  5. Verify the User PIN.
  6. Upon verification, the User PIN must be changed.

Resetting the User PIN

If you wish to reset the user PIN, you can either reinitialize the PIN using the SO PIN or set the user PIN by using the existing user PIN. To do this:

  1. Enter the token management screen by typing smit pkcs11.
  2. Select Set the User PIN.
  3. Select the initialized adapter for which you want to set the user PIN.
  4. Enter the current user PIN and a new PIN.
  5. Verify the new user PIN.

Setting the PKCS #11 Function Control Vector

Your token might not support strong cryptographic operations without loading a function control vector. Refer to your device-specific documentation to determine if your token needs a function control vector and where to locate it.

If a function control vector is required, you should have a key file. To load the function control vector:

  1. Enter the token management screen by typing smit pkcs11.
  2. Select Set the function control vector.
  3. Select the PKCS #11 slot for the token.
  4. Enter the path to the function control vector file.

