How to verify that changes made to cknfastrc file have taken affect for supporting SSL keys based on nCipher/Thales PKCS#11 library?

2 years ago

Originally Published: 2013-04-18

Article Number

000042664

Applies To

RSA Certificate Manager 6.9
RSA Certificate Manager 6.8 build 520 (and higher)
nCipher / Thales PKCS#11 Library (cknfast.dll or libcknfast.so)

Issue

How to verify that changes made to cknfastrc file have taken effect for supporting SSL keys based on nCipher/Thales PKCS#11 library?
How to verify that changes made to cknfastrc file have taken effect for supporting SSL keys based on nCipher/Thales PKCS#11 library
When upgrading or installing RSA Certificate Manager, the installation and administration guides instruct to set the following variables in the nCipher/Thales configuration file C:\nfast\cknfastrc (on Windows) or /opt/nfast/bin/cknfastrc (on Solaris or Linux):

CKNFAST_NO_ACCELERATOR_SLOTS=1
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=import

Resolution

The following example shows what to look for when verifying whether changes made to cknfastrc file have taken effect:

A) PRIOR to updating the configuration file cknfastrc, run the nCipher tools ckcheckinst and ckinfo as described in the RSA Certificate Manager guides. The output for these commands may look like the following:

SAMPLE OUTPUT for ckcheckinst (BEFORE updating cknfastrc):

C:\nfast\bin>ckcheckinst.exe
PKCS#11 library interface version 2.01
                            flags 0
                   manufacturerID "nCipher Corp. Ltd               "
               libraryDescription "nCipher PKCS#11 1.48.25         "
           implementation version 1.48

Slot Status            Label
==== ======            =====
   0 Fixed token       "accelerator                     "
   1 Operator card     "MyTestOCS                       "

Select slot number to run library test or 'R'etry or to 'E'xit:

SAMPLE OUTPUT for ckinfo (BEFORE updating cknfastrc):

C:\nfast\bin>ckinfo.exe
PKCS#11 library CK_INFO
       interface version 2.01
                   flags 0
          manufacturerID "nCipher Corp. Ltd               "
      libraryDescription "nCipher PKCS#11 1.48.25         "
implementation version 1.48

slots[0] CK_SLOT_INFO
         slotDescription "7E11-D9B6-48CA Rt1              "
          manufacturerID "nCipher Corp. Ltd               "
                   flags 5
                   flags & CKF_TOKEN_PRESENT
                   flags & CKF_HW_SLOT
        hardware version 0.07
        firmware version 2.22

slots[0] CK_TOKEN_INFO
                   label "accelerator                     "
          manufacturerID "nCipher Corp. Ltd               "
                   model "                "
            serialNumber "7E11-D9B6-48CA "
                   flags 201
                   flags & CKF_RNG
                   flags & CKF_DUAL_CRYPTO_OPERATIONS
       ulMaxSessionCount 1024
     ulMaxRwSessionCount 1024
             ulMaxPinLen 256
             ulMinPinLen 0
     ulTotalPublicMemory CK_UNAVAILABLE_INFORMATION
      ulFreePublicMemory CK_UNAVAILABLE_INFORMATION
    ulTotalPrivateMemory CK_UNAVAILABLE_INFORMATION
      ulFreePrivateMemory CK_UNAVAILABLE_INFORMATION
        hardware version 0.07
        firmware version 2.22
                 utcTime "                "

slots[1] CK_SLOT_INFO
         slotDescription "7E11-D9B6-48CA Rt1 slot 0       "
          manufacturerID "nCipher Corp. Ltd               "
                   flags 7
                   flags & CKF_TOKEN_PRESENT
                   flags & CKF_REMOVABLE_DEVICE
                   flags & CKF_HW_SLOT
        hardware version 0.07
        firmware version 2.22

slots[1] CK_TOKEN_INFO
                   label "MyTestOCS                       "
          manufacturerID "nCipher Corp. Ltd               "
                   model "                "
            serialNumber "abdc4341cf8e0b14"
                   flags 20D
                   flags & CKF_RNG
                   flags & CKF_LOGIN_REQUIRED
                   flags & CKF_USER_PIN_INITIALIZED
                   flags & CKF_DUAL_CRYPTO_OPERATIONS
       ulMaxSessionCount 1024
     ulMaxRwSessionCount 1024
             ulMaxPinLen 256
             ulMinPinLen 0
     ulTotalPublicMemory CK_UNAVAILABLE_INFORMATION
      ulFreePublicMemory CK_UNAVAILABLE_INFORMATION
    ulTotalPrivateMemory CK_UNAVAILABLE_INFORMATION
      ulFreePrivateMemory CK_UNAVAILABLE_INFORMATION
        hardware version 0.07
        firmware version 2.22
                 utcTime "                "

B) AFTER updating the configuration file cknfastrc, run the nCipher tools ckcheckinst and ckinfo as described in the RSA Certificate Manager guides (and restarting nCipher hardserver). The output for these commands may look like the following:

SAMPLE OUTPUT for ckcheckinst (AFTER updating cknfastrc):

C:\nfast\bin>ckcheckinst.exe
PKCS#11 library interface version 2.01
                            flags 0
                   manufacturerID "nCipher Corp. Ltd               "
               libraryDescription "nCipher PKCS#11 1.48.25         "
           implementation version 1.48

Slot Status            Label
==== ======            =====
   0 Fixed token       "accelerator                     "
   1 Operator card     "MyTestOCS                       "

Select slot number to run library test or 'R'etry or to 'E'xit:

NOTICE that the output for ckcheckinst has not changed and the accelerator slot still shows. As per nCipher documentation, if the variable CKNFAST_NO_ACCELERATOR_SLOTS is set, the nCipher PKCS#11 does not create the accelerator slot and the library only presents the smart card slots. However, setting this environment variable has no effect on ckcheckinst because ckcheckinst needs to list accelerator slots.

SAMPLE OUTPUT for ckinfo (AFTER updating cknfastrc):

C:\nfast\bin>ckinfo.exe
PKCS#11 library CK_INFO
       interface version 2.01
                   flags 0
          manufacturerID "nCipher Corp. Ltd               "
      libraryDescription "nCipher PKCS#11 1.48.25         "
implementation version 1.48

slots[0] CK_SLOT_INFO
         slotDescription "7E11-D9B6-48CA Rt1 slot 0
          manufacturerID "nCipher Corp. Ltd               "
                   flags 7
                   flags & CKF_TOKEN_PRESENT
                   flags & CKF_REMOVABLE_DEVICE
                   flags & CKF_HW_SLOT
        hardware version 0.07
        firmware version 2.22

slots[0] CK_TOKEN_INFO
                   label "MyTestOCS                       "
          manufacturerID "nCipher Corp. Ltd               "
                   model "                "
            serialNumber "abdc4341cf8e0b14"
                   flags 20D
                   flags & CKF_RNG
                   flags & CKF_LOGIN_REQUIRED
                   flags & CKF_USER_PIN_INITIALIZED
                   flags & CKF_DUAL_CRYPTO_OPERATIONS
       ulMaxSessionCount 1024
     ulMaxRwSessionCount 1024
             ulMaxPinLen 256
             ulMinPinLen 0
     ulTotalPublicMemory CK_UNAVAILABLE_INFORMATION
      ulFreePublicMemory CK_UNAVAILABLE_INFORMATION
    ulTotalPrivateMemory CK_UNAVAILABLE_INFORMATION
      ulFreePrivateMemory CK_UNAVAILABLE_INFORMATION
        hardware version 0.07
        firmware version 2.22
                 utcTime "                "

NOTICE that only slot 0 is listed which maps to smart card slot, the accelerator slot does not show. When prompted for slot number on RSA Certificate Manager, slot number should be entered as "1" and this will map to the smart card slot being shown above as "0".

Notes

If the configuration file cknfastrc does not already exist, create the file with required content. For Linux or Solaris platforms, you may need to create cknfastrc in the folder /opt/nfast (instead of creating it in folder /opt/nfast/bin) for nCipher hardserver to pick up the configuration.

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles