Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
back

Tasks for PKCS #11

Initializing CADP PKCS11 Library

search

Please Note:

printsuggest an edit

Initializing CADP PKCS11 Library

The initPKCS11Library function is included in the vpkcs11_sample_helper.c file. This file contains the shared functions that are used within the CADP for PKCS11 samples.

The initPKCS11Library function loads the DLL and then obtains the function list from the DLL. This function uses the C_Initialize API to initialize the CADP for C PKCS11 library. For more information about this API, refer to the CADP for C PKCS11 API Guide.

To initialize the CADP PKCS11 library, call the initPKCS11Library function: 

rc = initPKCS11Library(Path to PKCS11 library); //from vpkcs11_sample_helper.c

copy link to clipboardOpening a Session

After initializing the CADP PKCS11 library, perform the following steps to open a session within the CipherTrust Manager:

  1. Initialize the slot list. 

    rc = initSlotList();    //from vpkcs11_sample_helper.c

    The initSlotList function obtains a list of the available slots within the CipherTrust Manager. This function uses C_GetSlotList and C_GetMechanismList APIs.

  2. Open a session within the CipherTrust Manager and login as a user.

    rc = openSessionAndLogin(pin, slotId);  // from vpkcs11_sample_helper.c

    The openSessionAndLogin function opens a session within the CipherTrust Manager and then logs in the session as a user. This function uses the C_OpenSession and C_Login APIs. Refer to the Important Points regarding the C_Login API pin requirement

copy link to clipboardImportant Points

Here are few important points.

pin: Pin required for the C_Login API which consists of the following parameters:

  • PIN: pin entered during the CADP PKCS11 installation

  • domain_name: Name of the domain to access

  • domain_admin: Admin of the domain_name domain

  • domain_admin_password: Password of the domain admin

For LegacyVAE mode:

  • if the SSL/TLS setting on Server Port is set to TLS, verify client cert, user must supply password

    pin = PIN:domain_name||domain_admin:domain_admin_password

  • if the SSL/TLS setting on Server Port is set to TLS, verify client cert, password is needed, user name in cert must match user name in authetiation request

    pin = PIN:domain_name||domain_admin:domain_admin_password

    note

    Note

    The Client certificate CN should be set to domain_name||domain_admin and the application can only access the keys from the domain_name only.

  • if the SSL/TLS setting on Server Port is set to TLS, verify client cert, user name taken from client cert, auth request is optional

    pin = PIN

    note

    Note

    The Client certificate CN should be set to domain_name||domain_admin and the application can only access the keys from the domain_name only.

  • if the SSL/TLS setting on Server Port is set to TLS, verify client cert, user name in cert must match user name in authentication request

For CipherTrust Mode:

pin = domain_name||domain_admin:domain_admin_password

On this page