
Adding PKCS #11 Modules to the Certifier Engine

PKCS #11 modules are added to SSH Tectia Certifier by editing the configuration file of the SSH Tectia Certifier engine. The configuration file is named engine.conf and it can be found under the SSH Tectia Certifier installation directory in the conf sub-directory (for example, /usr/local/certifier/conf/engine.conf on Linux).

The PKCS #11 module configuration is in the top level of the ca-engine block (as a commented-out example in the default file indicates). On Unix, the following example adds an Eracom PKCS #11 module to the engine installation.

  (provider (type "pkcs11")
            (library "/opt/ERACcpsdk/lib/linux-i386/")
            (info "read-only(no)"))

On Windows, the following example adds an nCipher PKCS #11 module. Note that the backslash characters in the path need to be escaped.

  (provider (type "pkcs11")
            (library "C:\\nfast\\bin\\cknfast.dll")
            (info "read-only(no) threads(no)"))

The information that needs to be changed is the path to the dynamically loaded PKCS #11 module: a DLL on Windows or a shared object on Unix.

The default locations for the PKCS #11 modules on Windows are:

  • nCipher: c:\nfast\bin\cknfast.dll
  • Eracom: c:\Program Files\ERACOM\CProv Runtime\cryptoki.dll

On Unix systems the defaults are:

  • nCipher: /opt/nfast/gcc/lib/
  • Eracom: /opt/ERACcpsdk/lib/linux-i386/

Note: When the info parameter is set to "read-only(no)", keys can be created via the PKCS #11 interface. If the read-only option is missing, or it is set to "read-only(yes)", only existing keys can be used via the PKCS #11 interface. In addition, "threads(no)" has to be added under info when an nCipher module is used on Linux platforms.

Once the PKCS #11 modules have been added to the SSH Tectia Certifier Engine, the Engine needs to be restarted. To check whether the Engine has detected the installed PKCS #11 keys, log in to the Administration Service, click System Configuration, and then click Show CA Passphrase Status. The created PKCS #11 keys should be visible in the key list that appears.
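As an added example (not part of the Certifier product or its documentation), the following Python checker parses one provider block from engine.conf with a minimal S-expression parser written for this page, unescapes the Windows path, rejects an unbalanced parenthesis, and flags the two situations the note above calls out: a missing or "yes" read-only option, and an nCipher module on Linux without threads(no). The parser and the assumed block shape (provider, type, library, info) are my own, not the engine's configuration parser.

```python
import re

# Constructed sample (not from the product): the Windows nCipher provider block.
SAMPLE_PROVIDER = r'''(provider (type "pkcs11")
          (library "C:\\nfast\\bin\\cknfast.dll")
          (info "read-only(no) threads(no)"))'''

_TOKEN = re.compile(r'\(|\)|"((?:[^"\\]|\\.)*)"|[^\s()"]+')

def parse_sexpr(text):
    """Parse one parenthesised expression into nested lists of str.
    Unbalanced parentheses (the usual copy-paste error) raise ValueError."""
    stack, current = [], []
    for m in _TOKEN.finditer(text):
        tok = m.group(0)
        if tok == "(":
            stack.append(current)
            current = []
        elif tok == ")":
            if not stack:
                raise ValueError("extra closing parenthesis")
            finished, current = current, stack.pop()
            current.append(finished)
        elif m.group(1) is not None:
            # quoted string: drop the escaping backslashes ("C:\\x" -> C:\x)
            current.append(re.sub(r"\\(.)", r"\1", m.group(1)))
        else:
            current.append(tok)
    if stack or len(current) != 1:
        raise ValueError("unclosed parenthesis or more than one expression")
    return current[0]

def check_provider(block, platform):
    """Return (library, info_flags, findings) for one pkcs11 provider block;
    the findings follow the page's notes on read-only and threads(no)."""
    expr = parse_sexpr(block)
    if not expr or expr[0] != "provider":
        raise ValueError("not a (provider ...) block")
    fields = {e[0]: e[1] for e in expr[1:] if isinstance(e, list) and len(e) == 2}
    findings = []
    library = fields.get("library", "")
    if not library:
        findings.append("library path is missing")
    # info holds space-separated key(value) pairs, e.g. "read-only(no) threads(no)"
    flags = dict(re.findall(r"([\w-]+)\(([\w-]+)\)", fields.get("info", "")))
    if flags.get("read-only", "yes") != "no":
        findings.append("read-only missing or yes: keys cannot be created via PKCS #11")
    if platform == "linux" and "nfast" in library.lower() and flags.get("threads") != "no":
        findings.append("nCipher on Linux needs threads(no) in info")
    return library, flags, findings
```

Run check_provider on each provider block before restarting the Engine; an empty findings list means the block matches what the note above requires.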
