Enabling Clear Key Encryption With Hardware
To enable use of cryptographic hardware, you must complete some installation and configuration steps as a super user (root).

First, you must install the libica and openCryptoki packages, both shipped with Red Hat Enterprise Linux (RHEL) 6.2 and Novell's SUSE Linux Enterprise Server (SLES) 11 SP2. They aren't always installed by default, so you may need to install them explicitly. libica should be version 2.0 or higher and openCryptoki 2.4.0 or later.

If the system has access to a crypto adapter, you must load the device driver for the crypto adapter into the kernel (on RHEL 6.2 and SLES11 SP2 using the modprobe z90crypt command) to enable offloading RSA functions.

Once you've installed the libica and openCryptoki packages, you must initialize and configure openCryptoki by running the pkcs11_startup command, which detects and configures the tokens available on the system. Next, start the daemon that manages tokens and slots with the pkcsslotd command. The daemon must be running whenever openCryptoki is used, and non-root users who are to use openCryptoki must be members of the pkcs11 group.

Once both commands have completed successfully, you can use the pkcsconf tool to get information about openCryptoki (with the -i option) and to find out which slots contain which tokens (with the -s option). In the output of pkcsconf -s, the section for the icatoken's slot has the string "(ICA)" in its Description attribute.

Assuming the slot number of the icatoken is 0 (substitute the number shown by pkcsconf -s if it differs), take the following steps to initialize the icatoken:

First, change the PIN of the token's Security Officer (SO) in slot 0 from the default "87654321" to another value; pkcsconf prompts for the current SO PIN and then for the new one:

# pkcsconf -P -c0

Next, initialize the token in slot 0 and set its label to an arbitrary string (e.g., "icatoken"); pkcsconf prompts for the SO PIN and then for the label:

# pkcsconf -I -c0

Then set the user PIN of the token in slot 0; pkcsconf prompts for the SO PIN and then for the new user PIN:

# pkcsconf -u -c0

Now the icatoken is ready for use via openCryptoki.
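The following script is an added example and not part of the original article: it automates the procedure above (driver load, pkcs11_startup, pkcsslotd, slot discovery, token initialization) for a RHEL 6.2 or SLES 11 SP2 system with libica and openCryptoki installed and the pkcs11 tools on the PATH, running as root. Rather than assuming the icatoken is in slot 0, it locates the slot by looking for "(ICA)" in the Description attribute of pkcsconf -s output. The embedded sample output is constructed to match the format described in the text (a "Slot #N Info" header followed by a Description line); the exact layout may differ between openCryptoki versions, so check it against your own pkcsconf -s output and adjust the patterns if needed.

```shell
#!/bin/sh
# Added example (not from the original article): automate icatoken setup.
# Assumed: RHEL 6.2 / SLES 11 SP2, libica and openCryptoki installed,
# pkcs11_startup, pkcsslotd and pkcsconf on PATH, run as root.

# Constructed sample of `pkcsconf -s` output, modelled on the format the
# article describes. Used only for testing find_ica_slot offline.
SAMPLE_PKCSCONF_S='Slot #0 Info
    Description: Linux 3.0.13 Linux (Soft)
    Manufacturer: IBM
    Flags: 0x1 (TOKEN_PRESENT)
Slot #1 Info
    Description: Linux 3.0.13 Linux (ICA)
    Manufacturer: IBM
    Flags: 0x5 (TOKEN_PRESENT|HW_SLOT)'

# find_ica_slot: read `pkcsconf -s` output on stdin and print the number of
# the first slot whose Description contains "(ICA)". Exits non-zero if no
# such slot exists, so callers never fall back to a hard-coded slot 0.
find_ica_slot() {
    awk '
        /^Slot #[0-9]+ Info/ {
            slot = $0
            sub(/^Slot #/, "", slot)
            sub(/ Info.*$/, "", slot)
            next
        }
        /Description:/ && /\(ICA\)/ && slot != "" { print slot; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# init_ica_token SLOT: the three pkcsconf steps from the article. Each one
# prompts on the terminal; on a fresh token the SO PIN is the default 87654321.
init_ica_token() {
    slot=$1
    pkcsconf -P -c"$slot"   # change the SO PIN away from the default
    pkcsconf -I -c"$slot"   # initialize the token: asks for SO PIN and a label
    pkcsconf -u -c"$slot"   # set the user PIN: asks for SO PIN, then new user PIN
}

# ica_setup: root check, driver load, daemon start, slot discovery, token init.
ica_setup() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "ica_setup: must run as root" >&2
        return 1
    fi
    # z90crypt is only needed to offload RSA to a crypto adapter; a failure
    # here means no adapter or driver, not a broken openCryptoki install.
    modprobe z90crypt 2>/dev/null || \
        echo "ica_setup: z90crypt not loaded; RSA will not be offloaded" >&2
    pkcs11_startup || return 1      # detect and configure available tokens
    pkcsslotd || return 1           # start the slot/token daemon
    slot=$(pkcsconf -s | find_ica_slot) || {
        echo "ica_setup: no (ICA) token found in pkcsconf -s output" >&2
        return 1
    }
    echo "ica_setup: icatoken is in slot $slot"
    init_ica_token "$slot"
}

# Only touch the system when explicitly asked; sourcing the file just defines
# the functions (e.g. to run find_ica_slot against saved pkcsconf -s output).
if [ "${1-}" = "--run" ]; then
    ica_setup
fi
```

Run it as root with `sh icatoken-setup.sh --run`; the three pkcsconf steps remain interactive, so the script will stop at each PIN prompt. Because find_ica_slot fails rather than guessing when no "(ICA)" slot is present, a missing libica token or a daemon that did not start is reported instead of silently initializing whatever token happens to sit in slot 0.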