| opencryptoki README |
| Package version 2.2.4 |
| Authors: |
| Mike Halcrow <mhalcrow@us.ibm.com> |
| Kent Yoder <yoder1@us.ibm.com> |
| Daniel H Jones <danjones@us.ibm.com> |
| |
| OVERVIEW |
| |
| openCryptoki version 2.2 implements the PKCS#11 specification version |
| 2.11. This package includes several cryptographic tokens, including |
| the IBM ICA token (requires libICA, which supports zSeries CPACF and |
| LeedsLite hardware) and an OpenSSL-based software token. |
| |
| |
| REQUIREMENTS |
| |
| - SW token: OpenSSL version 0.9.7 or higher |
| - ICA token: libICA version 1.3.6 or higher |
| |
| |
| BUILD PROCESS |
| |
| The simplest way to compile this package is to enter the source code |
| main directory and do the following: |
| |
| 1. Run the bootstrap.sh script by typing: |
| % sh bootstrap.sh |
| |
| 2. Configure the source code by typing: |
| % sh ./configure |
| |
| If you're planning to install the package into your home directory |
| or to a location other than `/usr/local' then add the flag |
| `--prefix=PATH' to `configure'. For example, if your home directory |
| is `/home/luser' you can configure the package to install itself there |
| by invoking: |
| % sh ./configure --prefix=/home/luser |
| |
| If your stdll headers and libraries are not under any standard |
| path, you will need to pass the paths to your files to the |
| configure script. For instance: |
| |
| $ CPPFLAGS="-L/path/lib" LDFLAGS="-I/path/include" ./configure |
| |
| See ./configure --help for info on various options. The default |
| behavior is to build a default token implicitly. For the s390 |
| platform, the default token is ica_s390. For other platforms, the |
| default token is the software token. Other tokens may be enabled |
| using the corresponding --enable-<tok> configuration option |
| provided the appropriate libraries are available. |
| |
| While running, `configure' prints some messages telling which |
| features is it checking for. |
| |
| 3. Compile the package by typing: |
| % make |
| |
| 4. Type `make install' to install the programs and any data files and |
| documentation. During installation, the following files go to the |
| following directories: |
| /prefix/sbin/pkcs11_startup |
| /prefix/sbin/pkcs_slot |
| /prefix/sbin/pkcsconf |
| /prefix/sbin/pkcsslotd |
| /prefix/libdir/libopencryptoki.so |
| /prefix/libdir/libopencryptoki.so.0 |
| /prefix/libdir/opencryptoki/libopencryptoki.so |
| /prefix/libdir/opencryptoki/libopencryptoki.so.0 |
| /prefix/libdir/opencryptoki/libopencryptoki.so.0.0.0 |
| /prefix/var/lib/opencryptoki |
| |
| Token objects, which may be optionally built, go to the following |
| locations: |
| /prefix/libdir/opencryptoki/stdll/libpkcs11_ica.so |
| /prefix/libdir/opencryptoki/stdll/libpkcs11_ica.so.0 |
| /prefix/libdir/opencryptoki/stdll/libpkcs11_ica.so.0.0.0 |
| /prefix/libdir/opencryptoki/stdll/libpkcs11_sw.so |
| /prefix/libdir/opencryptoki/stdll/libpkcs11_sw.so.0 |
| /prefix/libdir/opencryptoki/stdll/libpkcs11_sw.so.0.0.0 |
| /prefix/libdir/opencryptoki/stdll/libpkcs11_tpm.so |
| /prefix/libdir/opencryptoki/stdll/libpkcs11_tpm.so.0 |
| /prefix/libdir/opencryptoki/stdll/libpkcs11_tpm.so.0.0.0 |
| |
| where `prefix' is either `/usr/local' or the PATH that you specified |
| in the `--prefix' flag. `libdir' is the name of the library |
| directory; for 32-bit libraries it is usually `lib' and for |
| 64-bit libraries it is usually `lib64'. |
| |
| To maintain backwards compatibility, some additional symlinks |
| are generated (note that these are deprecated, and applications |
| should migrate to use the LSB-compliant names and locations for |
| libraries and executables): |
| /prefix/lib/opencryptoki/PKCS11_API.so |
| - Symlink to /prefix/lib/opencryptoki/libopencryptoki.so |
| /prefix/lib/opencryptoki/stdll/PKCS11_ICA.so |
| - Symlink to /prefix/lib/opencryptoki/stdll/libpkcs11_ica.so |
| /prefix/lib/opencryptoki/stdll/PKCS11_SW.so |
| - Symlink to /prefix/lib/opencryptoki/stdll/libpkcs11_sw.so |
| /prefix/lib/pkcs11/PKCS11_API.so |
| - Symlink to /prefix/lib/opencryptoki/libopencryptoki.so |
| /prefix/lib/pkcs11 |
| - Directory created if non-existent |
| /prefix/lib/pkcs11/methods |
| - Symlink to /prefix/sbin |
| /prefix/lib/pkcs11/stdll |
| - Symlink to /prefix/lib/opencryptoki/stdll |
| /prefix/etc/pkcs11 |
| - Symlink to /prefix/var/lib/opencryptoki |
| |
| If any of these directories do not presently exist, they will be |
| created on demand. Note that if ``prefix'' is ``/usr'', then |
| /prefix/var and /prefix/etc resolve to /var and /etc. On the |
| ``make install'' stage, if content exists in the old |
| /prefix/etc/pkcs11 directory, it will be migrated to the new |
| /prefix/var/lib/opencryptoki location. |
| |
| If you are installing in your home directory make sure that |
| `/home/luser/bin' is in your path. If you're using the bash shell |
| add this line at the end of your .cshrc file: |
| PATH="/home/luser/bin:${PATH}" |
| export PATH |
| If you are using csh or tcsh, then use this line instead: |
| setenv PATH /home/luser/bin:${PATH} |
| By prepending your home directory to the rest of the PATH you can |
| override systemwide installed software with your own custom installation. |
| |
| RUNNING |
| |
| See: |
| http://www-128.ibm.com/developerworks/security/library/s-pkcs/index.html |
| |
| openCryptoki defaults to be usable by anyone who is in the group |
| ``pkcs11''. |
| |
| In this version of openCrypoki, the default SO PIN is 87654321, |
| and the default user PIN is 12345678. These should both be |
| changed to different PIN values before use. You can change the |
| SO PIN by running pkcsconf: |
| % pkcsconf -I |
| |
| You can change the user PIN by typing: |
| % pkcsconf -u |
| |
| You can select the token with the -c command line option; refer |
| to the documentation linked to above for further instructions. |