Security

OpenCryptoki supports 32 slots with up to 32 tokens. Multithreading is supported with locking from the native operating system. All processes calling openCryptoki must be members of the UNIX group pkcs11.

OpenCryptoki comes with a set of tokens; some are platform-independent and some are specific to Linux on System z:

Soft token is a platform-independent token providing clear key cryptographic functions using a pure software implementation from openssl.
ICA token is a Linux on System z-specific token for clear key cryptography exploiting symmetric crypto algorithms and hashes provided by CPACF and possibly RSA algorithms provided by either CryptoExpress accelerators or CCA coprocessors.
CCA token is a Linux on System z-specific token for secure key cryptography calling the CCA library, which exploits CCA coprocessors.
ICFS token is a platform-independent token that calls services from a remote cryptography server hosted on z/OS.
TPM token is a token for platforms that support a Trusted Platform Module (TPM).

Let’s examine the ICA and CCA tokens.

OpenCryptoki Components
The openCryptoki package consists of one library for the generic API (libopencryptoki.so) and one so-called stdll (shared token library) for each token. In addition, there’s a configuration tool called pkcsconf and a slot manager daemon called pkcsslotd, which maintains a shared memory region used to coordinate multiple tokens. Running this daemon is a prerequisite for running any program that links to openCryptoki. For openCryptoki 2.4.x, the pkcs11_startup script generates a configuration file in /var/lib/opencryptoki/pk_config_data. For openCryptoki 3.x, the configuration file is customizable and located in /etc/opencryptoki/opencryptoki.conf.

The directory /var/lib/opencryptoki contains a subdirectory for each token containing:

NVTOK.DAT, which is configuration data and state
MK_SO, which is an encrypted master key used to encrypt the security officer’s (SO’s) private objects
MK_USER, which is an encrypted master key to encrypt the user’s private objects
TOK_OBJ, which is a directory for token objects (token key store). Each private object is represented by an encrypted file.
The openCryptoki package comes with UNIX manual pages that describe the use of the tools and the format of the configuration files.

Configuring OpenCryptoki
Configuring openCryptoki starts with installing the openCryptoki RPM using the installation tool specific to the Linux distribution (e.g., anaconda/yum for RHEL or yast/zypper for SLES). Depending on the tokens to be used, further libraries will need to be installed and crypto adapters must be enabled.

Next, the opencryptoki configuration file must be generated with the pkcs11_startup script. This step is needed only for openCryptoki version 2.4.x. The pkcs11_startup script also generates the UNIX group pkcs11. Then the pkcsslotd daemon must be started. Finally, each token to be used must be configured, which means a token label must be set and the SO PIN must be changed from its default (“87654321”). Then the SO must set an initial PKCS#11 user PIN and the PKCS#11 user must change that initial user PIN.
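The token set-up sequence just described, scripted for openCryptoki 3.x (so without the pkcs11_startup step), together with a readiness check a practitioner would run afterwards. This is an added example, not code from the original article or from the openCryptoki project; it assumes the ICA token's slot number and label are known (from `pkcsconf -t`), that the pkcsconf calls prompt interactively for PINs and the label, and that the `Flags:` line in the constructed sample below matches the shape of real `pkcsconf -t` output.

```shell
#!/bin/sh
# Added example (not from the article or the openCryptoki project).
# Assumptions: openCryptoki 3.x, pkcsconf prompts for PINs/label, and the
# "Token #n Info:" / "Label:" / "Flags:" layout of `pkcsconf -t` as sampled
# in the comments of token_ready below.

# Every caller of openCryptoki must be in group pkcs11.
# $1: the caller's group list, as printed by `id -Gn`.
in_pkcs11_group() {
    for g in $1; do
        [ "$g" = "pkcs11" ] && return 0
    done
    return 1
}

# Readiness check over `pkcsconf -t` text ($1): succeed only if the token
# labelled $2 reports both TOKEN_INITIALIZED and USER_PIN_INITIALIZED,
# i.e. the label/SO PIN step and the user PIN step were both completed.
token_ready() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Token #/      { in_tok = 0 }
        /^[ \t]*Label:/ { sub(/^[ \t]*Label:[ \t]*/, ""); sub(/[ \t]+$/, "");
                          in_tok = ($0 == want) }
        in_tok && /Flags:/ && /TOKEN_INITIALIZED/ && /USER_PIN_INITIALIZED/ { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# The configuration steps from the text, for slot $1 and token label $2.
# Run as root after pkcsslotd is up; each pkcsconf call prompts for what it needs.
configure_ica_token() {
    slot=$1; label=$2
    in_pkcs11_group "$(id -Gn)" || { echo "caller is not in group pkcs11" >&2; return 1; }
    pgrep -x pkcsslotd >/dev/null || { echo "pkcsslotd is not running" >&2; return 1; }
    pkcsconf -I -c "$slot"   # set the token label (asks for the SO PIN, default 87654321)
    pkcsconf -P -c "$slot"   # change the SO PIN away from the default
    pkcsconf -u -c "$slot"   # SO sets the initial user PIN
    pkcsconf -p -c "$slot"   # user changes that initial PIN
    token_ready "$(pkcsconf -t)" "$label" \
        || { echo "token '$label' is not fully initialized" >&2; return 1; }
}

# Only act when a slot and label are supplied, so the file can also be sourced
# for its check functions: ICA_SLOT=0 ICA_LABEL=icatok sh thisfile.sh
[ -n "${ICA_SLOT:-}" ] && configure_ica_token "$ICA_SLOT" "${ICA_LABEL:?label required}"
```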

Following is an example of how to install openCryptoki and configure the ICA token. All outputs shown are approximate and may differ from system to system.

1. Check whether libica is installed and install it if needed:
