Mar 10 2020

The Sun Metaslot also supports failover. The auto-key migration can also be disabled on a per application basis by setting the following environment variable. Users created by the security officer authenticate to a board through the PKCS 11 interface. These slots are useful for diagnosis because they are directly associated with a board. SmartKey PKCS 11 library implements this by mapping the application credential to the user PIN, and by having a single slot numbered 0 , with a token numbered 1 already initialized. Will be used the first slot, that has the inserted token with this label. Thus, the secure key value is never revealed clear on the host memory.

Uploader: Netaxe
Date Added: 15 May 2007
File Size: 23.50 Mb
Operating Systems: Windows NT/2000/XP/2003/2003/7/8/10 MacOS 10/X
Downloads: 9602
Price: Free* [*Free Regsitration Required]

Detailed information on FIPS can be found at: Examples are certprivkey and pubkey. However, even if this login is for the same user, the token objects might not get the same handles as they had before.


If the job fails over to a software slot, such as Sun Softtoken, the key could be revealed on the host memory. This option is most useful when used with either –login or –pin.

This command forces a global change throughout the system, which causes all applications on the system to use the board keystore by default. There should be three hardware pkcs111 per board. The same warning as –pin also applies here. Additional instructions for Linux platforms are included in the last section.

PKCS#11 Library – SmartKey™ Developer’s Guide

By default, Sun Metaslot uses the Oracle Solaris Softtoken keystore; however it can be configured to use the board keystore. The number of session objects is limited by virtual memory only.


The auto-key migration can also be disabled on a per application basis by setting the following environment variable. If provided, the client certificate and key are used to authenticate to the the server. By doing so, the keys securely stored on the board might be revealed on the host memory. User PIN authentication is performed for those operations that require it.

Token objects must all fit in the RAM on the board, and the driver limits the size of the keystore to 16 Mbytes. When the Keystore slot is used, a crypto job may be sent to either board based on the board state.

With this configuration, if an operation with a sensitive token key fails on the board, the request does not failover to other slots, and the operation fails. When the board is first initialized, scamgr prompts you to set up a security officer account.

By default, the trusted certificates used to verify the connection with the SmartKey server are provided by the system. Linix the example in this section, ks is the name of the llnux keystore.

Lijux slot is dedicated to a single board and thus does not allow hardware redundancy or load balancing. With Keystore slot, both sensitive session keys and sensitive token keys are kept secure on the board.

Note – The 64 directory is a softlink that resolves to sparcv9 or amd64 depending on your architecture. When the auto key migration is disabled, sensitive token keys are not automatically migrated to other slots.


If the softtoken slot of the openCryptoki software is installed, you see the Sun Crypto Accelerator SCA slot first followed by the softtoken slot as follows:. Once set, the user PIN can be changed using –change-pin.

The Sun Metaslot also supports failover. Through Sun Metaslot, only one keystore can be accessed. For example, when there are two boards with the pkcs111 keystore with the name of ksa slot with the slot description and token label of ks is used as the Keystore slot.

In PKCS 11, public token objects are token objects that are visible and deletable without authentication.

PKCS#11 Library

To verify the current system-wide configuration, enter the following command:. The Sun Crypto Accelerator software defines the default values for some attributes as listed in the following table.

Users created by the security officer authenticate to pkc1s1 board through the PKCS 11 interface. ;kcs11 keys, such as nonsensitive keys and sensitive session keys are still automatically migrated for failover.

This option is not needed if a PIN is provided on the command line. After the board is initialized, the security officer can create one or more users using the scamgr utility.