openCryptoki README Package version 2.2.2 Authors: Mike Halcrow <mhalcrow@us.ibm.com> Kent Yoder <yoder1@us.ibm.com> OVERVIEW openCryptoki version 2.2 implements the PKCS#11 specification version 2.11. This package includes several cryptographic tokens, including the IBM ICA token (requires libICA, which supports zSeries CPACF and LeedsLite hardware) and an OpenSSL-based software token. REQUIREMENTS - SW token: OpenSSL version 0.9.7 or higher - ICA token: libICA version 1.3.6 or higher BUILD PROCESS The simplest way to compile this package is to enter the source code main directory and do the following: 1. Run the bootstrap.sh script by typing: % sh bootstrap.sh 2. Configure the source code by typing: % sh ./configure If you're planning to install the package into your home directory or to a location other than `/usr/local' then add the flag `--prefix=PATH' to `configure'. For example, if your home directory is `/home/luser' you can configure the package to install itself there by invoking: % sh ./configure --prefix=/home/luser If your stdll headers and libraries are not under any standard path, you will need to pass the paths to your files to the configure script. For instance: $ CPPFLAGS="-L/path/lib" LDFLAGS="-I/path/include" ./configure See ./configure --help for info on various options. The default behavior is to build any token whose libraries are found. You may disable building any token with its corresponding --disable-<tok> configure option. While running, `configure' prints some messages telling which features is it checking for. 3. Compile the package by typing: % make 4. Type `make install' to install the programs and any data files and documentation. During installation, the following files go to the following directories: /prefix/sbin/pkcs11_startup /prefix/sbin/pkcs_slot /prefix/sbin/pkcsconf /prefix/sbin/pkcsslotd /prefix/libdir/libopencryptoki.so /prefix/libdir/libopencryptoki.so.0 /prefix/libdir/opencryptoki/libopencryptoki.so /prefix/libdir/opencryptoki/libopencryptoki.so.0 /prefix/libdir/opencryptoki/libopencryptoki.so.0.0.0 /prefix/var/lib/opencryptoki Token objects, which may be optionally built, go to the following locations: /prefix/libdir/opencryptoki/stdll/libpkcs11_ica.so /prefix/libdir/opencryptoki/stdll/libpkcs11_ica.so.0 /prefix/libdir/opencryptoki/stdll/libpkcs11_ica.so.0.0.0 /prefix/libdir/opencryptoki/stdll/libpkcs11_sw.so /prefix/libdir/opencryptoki/stdll/libpkcs11_sw.so.0 /prefix/libdir/opencryptoki/stdll/libpkcs11_sw.so.0.0.0 /prefix/libdir/opencryptoki/stdll/libpkcs11_tpm.so /prefix/libdir/opencryptoki/stdll/libpkcs11_tpm.so.0 /prefix/libdir/opencryptoki/stdll/libpkcs11_tpm.so.0.0.0 where `prefix' is either `/usr/local' or the PATH that you specified in the `--prefix' flag. `libdir' is the name of the library directory; for 32-bit libraries it is usually `lib' and for 64-bit libraries it is usually `lib64'. To maintain backwards compatibility, some additional symlinks are generated (note that these are deprecated, and applications should migrate to use the LSB-compliant names and locations for libraries and executables): /prefix/lib/opencryptoki/PKCS11_API.so - Symlink to /prefix/lib/opencryptoki/libopencryptoki.so /prefix/lib/opencryptoki/stdll/PKCS11_ICA.so - Symlink to /prefix/lib/opencryptoki/stdll/libpkcs11_ica.so /prefix/lib/opencryptoki/stdll/PKCS11_SW.so - Symlink to /prefix/lib/opencryptoki/stdll/libpkcs11_sw.so /prefix/lib/pkcs11/PKCS11_API.so - Symlink to /prefix/lib/opencryptoki/libopencryptoki.so /prefix/lib/pkcs11 - Directory created if non-existent /prefix/lib/pkcs11/methods - Symlink to /prefix/sbin /prefix/lib/pkcs11/stdll - Symlink to /prefix/lib/opencryptoki/stdll /prefix/etc/pkcs11 - Symlink to /prefix/var/lib/opencryptoki If any of these directories do not presently exist, they will be created on demand. Note that if ``prefix'' is ``/usr'', then /prefix/var and /prefix/etc resolve to /var and /etc. On the ``make install'' stage, if content exists in the old /prefix/etc/pkcs11 directory, it will be migrated to the new /prefix/var/lib/opencryptoki location. If you are installing in your home directory make sure that `/home/luser/bin' is in your path. If you're using the bash shell add this line at the end of your .cshrc file: PATH="/home/luser/bin:${PATH}" export PATH If you are using csh or tcsh, then use this line instead: setenv PATH /home/luser/bin:${PATH} By prepending your home directory to the rest of the PATH you can override systemwide installed software with your own custom installation. RUNNING See: http://www-128.ibm.com/developerworks/security/library/s-pkcs/index.html openCryptoki defaults to be usable by anyone who is in the group ``pkcs11''. In this version of openCrypoki, the default SO PIN is 87654321, and the default user PIN is 12345678. These should both be changed to different PIN values before use. You can change the SO PIN by running pkcsconf: % pkcsconf -I You can change the user PIN by typing: % pkcsconf -u You can select the token with the -c command line option; refer to the documentation linked to above for further instructions.