- Install bos.pkcs11 fileset off of the AIX 4.3.3 Additional Device Software CD
- installp bos.pkcs11
> lslpp -l bos.pkcs11
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  bos.pkcs11                 4.3.3.0  COMMITTED  Base Operating System PKCS11
                                                 Support
Path: /etc/objrepos
  bos.pkcs11                 4.3.3.0  COMMITTED  Base Operating System PKCS11
                                                 Support
Installing this fileset starts the pkcsslotd daemon and adds an entry to /etc/inittab
that runs /etc/rc.pkcs11 at system startup.
- Install the IBM PCI 4758 Cryptographic Coprocessor Card device drivers off of the
AIX 4.3.3 Additional Device Software CD
- installp devices.pci.14109f00
> lslpp -l "devices.pci.14109f00*"
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  devices.pci.14109f00.diag  4.3.3.0  COMMITTED  IBM PCI 4758 Cryptographic
                                                 Coprocessor Card Diagnostics
  devices.pci.14109f00.rte   2.2.0.0  COMMITTED  IBM 4758 PCI Cryptographic
                                                 Coprocessor
You will probably need to run cfgmgr afterwards and verify that the system
sees the 4758 adapter (lsdev -C | grep crypt).
- Install the Cryptographic Coprocessor Support Software
- installp csuf.cca csuf.com csuf.pkcs11
> lslpp -l "csuf*"
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  csuf.cca                   2.3.1.0  COMMITTED  Cryptographic Coprocessor
                                                 Support Software
  csuf.com                   2.3.1.0  COMMITTED  Cryptographic Coprocessor
                                                 Common Code
  csuf.pkcs11                2.3.1.0  COMMITTED  Cryptographic Coprocessor
                                                 PKCS11 Support Code
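A post-install check for the three install steps above, added here as an example and not part of the original procedure. It parses lslpp -l output and insists that every required fileset is listed under /usr/lib/objrepos in COMMITTED state; on a real AIX host it runs lslpp, then the lsdev check from the step above and a look for the pkcsslotd daemon, and anywhere else it falls back to an embedded sample. The sample output is constructed (csuf.pkcs11 is deliberately left APPLIED and csuf.cca/csuf.com are omitted so the check has something to flag); only the fileset names and the output layout come from the listings above.

```shell
#!/bin/sh
# Post-install verification for the PKCS#11 / 4758 filesets. Added example, not
# part of the original procedure. Only the fileset names and the lslpp output
# shape come from the listings above; the sample text is constructed, with
# csuf.pkcs11 left in APPLIED state and csuf.cca/csuf.com omitted on purpose.
SAMPLE_LSLPP='  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  bos.pkcs11                 4.3.3.0  COMMITTED  Base Operating System PKCS11
                                                 Support
  devices.pci.14109f00.rte   2.2.0.0  COMMITTED  IBM 4758 PCI Cryptographic
                                                 Coprocessor
  csuf.pkcs11                2.3.1.0  APPLIED    Cryptographic Coprocessor
                                                 PKCS11 Support Code
Path: /etc/objrepos
  bos.pkcs11                 4.3.3.0  COMMITTED  Base Operating System PKCS11
                                                 Support'

REQUIRED_FILESETS="bos.pkcs11 devices.pci.14109f00.rte csuf.cca csuf.com csuf.pkcs11"

# check_filesets LSLPP_TEXT FILESET...: every named fileset must be listed under
# Path: /usr/lib/objrepos with State COMMITTED. Prints one line per fileset and
# returns 0 only when all of them pass. APPLIED and absent both count as failure:
# an APPLIED fileset can still be rejected, and a missing one was never installed.
check_filesets() {
    lslpp_text=$1; shift
    rc=0
    for fs in "$@"; do
        state=$(printf '%s\n' "$lslpp_text" | awk -v fs="$fs" '
            /^Path:/           { in_usr = ($2 == "/usr/lib/objrepos"); next }
            in_usr && $1 == fs { print $3; exit }')
        case "$state" in
            COMMITTED) echo "OK             $fs" ;;
            "")        echo "MISSING        $fs"; rc=1 ;;
            *)         echo "NOT COMMITTED  $fs ($state)"; rc=1 ;;
        esac
    done
    return $rc
}

if command -v lslpp >/dev/null 2>&1; then
    # Real AIX host: query the ODM, then confirm cfgmgr found the adapter and the
    # slot daemon that bos.pkcs11 starts from /etc/rc.pkcs11 is running.
    check_filesets "$(lslpp -l bos.pkcs11 'devices.pci.14109f00*' 'csuf*')" $REQUIRED_FILESETS \
        || echo "one or more filesets missing or not committed"
    lsdev -C | grep -i crypt || echo "no crypto adapter configured; run cfgmgr and re-check"
    ps -e | grep -q '[p]kcsslotd' && echo "pkcsslotd running" || echo "pkcsslotd not running"
else
    echo "lslpp not available; checking the constructed sample instead:"
    check_filesets "$SAMPLE_LSLPP" $REQUIRED_FILESETS \
        || echo "sample check flagged problems (expected for this sample)"
fi
```

Run it as root right after the three installp steps; a non-zero exit from check_filesets means the install is incomplete and the later csufclu and smitty steps should not be attempted yet.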
- Gathering the initial information about the card
- csufclu /path/logfile.log ST
======================================================================
CSUFCLU V2.30 /path/logfile.log ST begun Fri Mar 23 17:04:02 2001
*********** Command ST started. ---- Fri Mar 23 17:04:02 2001
*** VPD data; PartNum = 40H9858
*** VPD data; EC Num = C75653M
*** VPD data; Ser Num = 12345678
*** VPD data; Description = IBM4758-023 3.3V FIPS 140 LVL 3
*** VPD data; Mfg. Loc. = IBM041
*** VPD data; Flags = 2300300020000000
*** ROM Status; PIC ver: 2100, ROM ver: 202
*** ROM Status; INIT: INITIALIZED
*** ROM Status; SEG2: UNOWNED , OWNER2: 0
*** ROM Status; SEG3: UNOWNED , OWNER3: 0
*** Page 1 Certified: YES
*** Segment 1 Image: 40H9858 G75653G 10J0593 3.3V FL3 Factory Seg1 22000000110000000000000000000000
*** Segment 1 Revision: 0
*** Segment 1 Hash: 1BDF 675F F8C5 B38D 574D EAB7 4542 4523 F9A9 BF27
*** Query Adapter Status successful ***
Obtain Status ended successfully!
*********** Command ST ended. ---- Fri Mar 23 17:06:54 2001
*********** Command ST exited. ---- Fri Mar 23 17:07:54 2001
======================================================================
- Loading the initial PKCS #11 code
- csufclu /path/logfile.log PL /usr/lpp/csuf/clu/cr123100.clu
======================================================================
CSUFCLU V2.30 /path/logfile.log PL /usr/lpp/csuf/clu/cr123100.clu begun Fri Mar 23 17:27:46 2001
*********** Command PL started. ---- Fri Mar 23 17:27:46 2001
*** Reload Segment 1 command Successful ***
Microcode download ended successfully!
*********** Command PL ended. ---- Fri Mar 23 17:30:50 2001
*********** Command PL exited. ---- Fri Mar 23 17:31:50 2001
======================================================================
- Load the operating system into segment 2 on the coprocessor and load
the PKCS #11 application into segment 3
- csufclu /path/logfile.log PL /usr/lpp/csuf/clu/pnw23100.clu
======================================================================
CSUFCLU V2.30 /path/logfile.log PL /usr/lpp/csuf/clu/pnw23100.clu begun Mon Mar 26 09:32:53 2001
*********** Command PL started. ---- Mon Mar 26 09:32:53 2001
*** Establish Segment 2 Owner command Successful ***
*** Load Segment 2 command Successful ***
*** Establish Segment 3 Owner command Successful ***
*** Load Segment 3 command Successful *** ...(60-second delay)...
Microcode download ended successfully!
*********** Command PL ended. ---- Mon Mar 26 09:37:42 2001
...finishing up...
*********** Command PL exited. ---- Mon Mar 26 09:38:42 2001
======================================================================
After this command is run, the csufclu /path/logfile.log ST command should show
"PKCS #11 Application" installed in Segment 3.
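The ST listing earlier in this procedure is the card's own statement of what firmware it is running, so it is worth checking mechanically rather than by eye, both before loading and again after the PL steps above. The script below is an added example, not part of the original procedure: it pulls the "Query Adapter Status" result, the "Page 1 Certified" flag, the segment 1 hash and the SEG2/SEG3 ownership states out of a csufclu ST log and compares the hash against a pinned value. The embedded sample is the ST listing from this document (with its placeholder serial number); the pinned hash is an assumed known-good value that an administrator records when the card is first put into service, and the optional log-file argument is likewise an assumption of this example.

```shell
#!/bin/sh
# Checks over a `csufclu ... ST` status log. Added example, not part of the
# original procedure. SAMPLE_ST_LOG is the ST listing from this document; the
# pinned hash is an assumed known-good value recorded at commissioning time.
SAMPLE_ST_LOG='CSUFCLU V2.30 /path/logfile.log ST begun Fri Mar 23 17:04:02 2001
*********** Command ST started. ---- Fri Mar 23 17:04:02 2001
*** VPD data; PartNum = 40H9858
*** VPD data; EC Num = C75653M
*** VPD data; Ser Num = 12345678
*** VPD data; Description = IBM4758-023 3.3V FIPS 140 LVL 3
*** VPD data; Mfg. Loc. = IBM041
*** VPD data; Flags = 2300300020000000
*** ROM Status; PIC ver: 2100, ROM ver: 202
*** ROM Status; INIT: INITIALIZED
*** ROM Status; SEG2: UNOWNED , OWNER2: 0
*** ROM Status; SEG3: UNOWNED , OWNER3: 0
*** Page 1 Certified: YES
*** Segment 1 Image: 40H9858 G75653G 10J0593 3.3V FL3 Factory Seg1 22000000110000000000000000000000
*** Segment 1 Revision: 0
*** Segment 1 Hash: 1BDF 675F F8C5 B38D 574D EAB7 4542 4523 F9A9 BF27
*** Query Adapter Status successful ***
Obtain Status ended successfully!
*********** Command ST ended. ---- Fri Mar 23 17:06:54 2001'

# clu_field LOG LABEL: the value after "*** LABEL:" (first match), empty if absent.
clu_field() {
    printf '%s\n' "$1" | sed -n "s/^\*\*\* $2: *//p" | head -n 1
}

# seg_hash LOG N: the "Segment N Hash" with the spaces squeezed out, so it can be
# compared as one token.
seg_hash() {
    clu_field "$1" "Segment $2 Hash" | tr -d ' '
}

# seg_state LOG N: ownership state of segment N from the "ROM Status; SEGn:" line
# (UNOWNED on a fresh card; changes once the PL step establishes an owner).
seg_state() {
    printf '%s\n' "$1" | sed -n "s/^\*\*\* ROM Status; SEG$2: *\([A-Z]*\).*/\1/p" | head -n 1
}

# check_clu_status LOG EXPECTED_SEG1_HASH: returns 0 only when the status query
# succeeded, page 1 is certified and segment 1 hashes to the pinned value. Also
# reports the serial number and the segment 2/3 states for the operator's record.
check_clu_status() {
    log=$1; expected=$2; rc=0
    printf '%s\n' "$log" | grep -q 'Query Adapter Status successful' \
        || { echo "FAIL: adapter status query did not succeed"; return 1; }
    [ "$(clu_field "$log" 'Page 1 Certified')" = YES ] \
        || { echo "FAIL: page 1 is not certified"; rc=1; }
    got=$(seg_hash "$log" 1)
    if [ "$got" = "$expected" ]; then
        echo "OK: segment 1 hash matches pinned value"
    else
        echo "FAIL: segment 1 hash $got, expected $expected"; rc=1
    fi
    echo "serial: $(printf '%s\n' "$log" | sed -n 's/^\*\*\* VPD data; Ser Num = *//p')"
    for n in 2 3; do
        echo "segment $n state: $(seg_state "$log" $n)"
    done
    return $rc
}

# Assumed known-good value for this card (here simply the hash from the listing).
PINNED_SEG1_HASH=1BDF675FF8C5B38D574DEAB745424523F9A9BF27

if [ -n "$1" ] && [ -f "$1" ]; then
    check_clu_status "$(cat "$1")" "$PINNED_SEG1_HASH"   # real csufclu log file
else
    check_clu_status "$SAMPLE_ST_LOG" "$PINNED_SEG1_HASH"
fi
```

Run it once against the ST log taken before any PL command, when both segments should report UNOWNED, and again against the ST log taken after the two PL loads, when the owners established by the pnw23100.clu load mean neither segment should still be UNOWNED; a segment 1 hash that differs from the pinned value at any point is a reason to stop and investigate before initializing the token.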
- Initialize the PKCS#11 token
- smitty pkcs11
a. Select "Initialize a Token"
b. Choose the 4758 adapter
c. Enter the SO PIN (there is already a default SO PIN set)
d. Choose a unique label for the token
- Change the Security Officer (SO) PIN, if necessary
- smitty pkcs11
a. Select "Set the Security Officer PIN"
b. Choose the 4758 adapter
c. Like the passwd command, enter the current SO PIN and the desired new SO PIN
- Initialize the User PIN
- smitty pkcs11
a. Select "Initialize the User PIN"
b. Choose the 4758 adapter
c. Enter the SO PIN and the desired new User PIN
- Create a Trust Database through the iPlanet Administration Server
a. Choose the Security tab.
b. Choose the "Create Database" button.
c. Enter the database password.
- Add the 4758 PKCS #11 library as a valid cryptographic module for iPlanet
- /pathto-netscape/bin/https/admin/bin/modutil -dbdir /pathto-netscape/alias/ -add ibm4758 -libfile /usr/lib/pkcs11/PKCS11_API.so -mechanisms RSA:DSA:DES:SHA1:MD5:MD2
- Request/install a certificate via the iPlanet administration interface
- Update magnus.conf for the web server
- Add "CERTDefaultNickname [module-name]:[cert-name]" to magnus.conf
Now when you start the web server, it will prompt for both the Trust Database
password and the User PIN for the 4758 adapter.