table of contents
OPENCRYPTOKI.CONF(5) | openCryptoki | OPENCRYPTOKI.CONF(5) |
NAME¶
opencryptoki.conf - Configuration file for pkcsslotd.
DESCRIPTION¶
pkcsslotd uses a configuration file at /etc/opencryptoki/opencryptoki.conf
This is a text file that contains information used to configure pkcs#11 slots. At startup, the pkcsslotd daemon parses this file to determine which slots will be made available.
SYNTAX¶
This file is made up of optional global definitions, and slot descriptions.
The following global definitions are valid:
- disable-event-support
- If this keyword is specified the openCryptoki event support is disabled.
- statistics (off|on[,implicit][,internal])
- Enables or disables collection of statistics of mechanism usage. By
default, statistics collection is enabled. A value of (off)
disables all statistics collection. A value of (on) enables
collection of mechanism usage. The collected statistics can be displayed
using the pkcsstats tool.
In addition to enabling statistics collection for mechanisms used by PKCS#11 applications, you can specify (on,implicit) to also enable collection of implicit mechanism usage, where additional mechanisms are specified in mechanism parameters. For example, RSA-PSS or RSA-OAEP allow to specify a hash mechanism and a mask generation function (MGF) in the mechanism parameter. ECDH allows to specify a key derivation function (KDF) in the mechanism parameter.
You can additionally enable statistics collection of mechanisms internally used by Opencryptoki by specifying (on,internal). This additionally collects usage statistics for crypto operations used internally for pin handling and encryption of private token objects in the data store.
Implicit and internal statistics collection can also be combined: (on,implicit,internal)
Each slot description is composed of a slot number, brackets and key-value pairs.
slot number
{
key = value
...
}
More than one key-value pair may be used within a slot description.
A key-value pair is composed of, keyword = value.
The following keywords are valid:
- description
- A Description of the slot. PKCS#11v2.20 defined this as a 64-byte max character-string.
- stdll
- This keyword is used to define the name of the stdll or token library that will be used for this slot. The stdll is an available token library in opencryptoki.
- manufacturer
- This keyword is used to name the ID of the slot manufacturer. PKCS#11v2.20 defines this as a 32 byte long string.
- hwversion
- Version number of the slot's hardware, if any. The version number is composed of a major version number (the integer portion of the version) and a minor version number (the hundredths portion of the version). For example, version 1.2, major = 1, minor = 2
- firmwareversion
- Version number of the slot's firmware, if any. The version number is composed of a major version number (the integer portion of the version) and a minor version number (the hundredths portion of the version).
- confname
- If the slot is associated with a token that has its own configuration file, this option identifies the name of that configuration file. For example, confname=ep11tok.conf
- tokname
- If a token want to have its own token directory name that is different
from the default name, especially if multiple tokens of the same type are
configured, this option defines the name of the token individual
directory. For example, tokname=ep11tok01
Note: This key-value pair is optional: If only one token per token type is used, you don't need that entry. In that case the default directory name is used.
- tokversion
- Version number of the slot's token of the form <major>.<minor>.
- usergroup
- Specifies the name of a user group that is set as the owner of the token
directory. Only users that are members of this group have access to the
token and its objects. Users that are not a member of this group will not
see the token as being available (e.g. via pkcsconf -t or via
C_GetTokenInfo). All uses that are a member of this group must also
be members of the pkcs11 group to be able to use Opencryptoki.
Note: This key-value pair is optional: If not specified, the token belongs to the pkcs11 group.
Notes¶
The pound sign ('#') is used to indicate a comment. Both the comment character and any text after it, up to the end of the line, are ignored. The comment character cannot be used inside the brackets of slot descriptions, as this will cause a syntax error.
SEE ALSO¶
September 2012 | 3.24 |