Configuring CADP for C PKCS11 Properties File
This section lists and defines each of the parameters within the CADP_PKCS11.properties file. The properties file defines the IP address/hostname, port, protocol, and other connection settings of the CipherTrust Manager to which your client connects.
This section covers the following topics:
Editing the Properties File
The values in the properties file are case-sensitive. yes is not YES. tcp is not TCP. Follow the example of the default properties file.
You can comment out values using #. You may want to use comments to save settings when troubleshooting. For example, you could store commonly used NAE_IP addresses/hostnames like this:
NAE_IP=10.0.0.2
#NAE_IP=10.0.0.3
#NAE_IP=10.0.0.4
When editing parameters that use time values, you can use the following abbreviations:
ms - milliseconds. e.g. 4500ms for 4.5 seconds.
s - seconds. e.g. 30s for 30 seconds.
m - minutes. e.g. 5m for 5 minutes.
h - hours. e.g. 10h for 10 hours.
d - days. e.g. 2d for 2 days.
If you do not include an abbreviation, the default time unit is used. For most time-related values, the default is milliseconds. For Symmetric_Key_Cache_Expiry, the default is seconds.
Renaming the Properties File
The default properties file name is CADP_PKCS11.properties. However, you can rename the properties file on the following platforms:
Linux
You can rename the properties file to any valid name by exporting the NAE_Properties_Conf_Filename variable.
For example, export NAE_Properties_Conf_Filename=<absolute path>/RenamePropertyFile
where <absolute path> is an absolute path on the system.
Windows
You can rename the properties file through Registry Editor. Open Registry Editor, navigate to the path SOFTWARE\\CipherTrust\\CADP_for_C\\NAE_Properties_Config, and set the value of the variable Pkcs11ConfigFileName to the new value.
Note
If you are using the Java or .NET Core wrapper for CADP for C, renaming the property file is not allowed.
Modifying Parameters
After you install the client software, you can customize it to meet the needs of your environment by modifying the properties file (CADP_PKCS11.properties).
The Connection_Retry_Interval and Connection_Timeout parameters continue to function in the same way as earlier. You can modify the Connection_Timeout parameter to specify how long a client waits to connect to a CipherTrust Manager before timing out. Specifying a large value for the Connection_Timeout parameter delays switching from one CipherTrust Manager to another.
To achieve the desired Unreachable_Server_Retry_Period, set the Connection_Timeout value using the following formula:
Connection_Timeout = Unreachable_Server_Retry_Period/number of servers in a tier
Because trying to connect to an unreachable server again delays the transition to the next tier, the Connection_Timeout value should be large enough to make sure that the server is unreachable.
Likewise, to achieve the desired Maximum_Server_Retry_Period, set the Connection_Timeout value using the following formula:
Connection_Timeout = Maximum_Server_Retry_Period/number of servers in all tiers
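The time-unit rules and the Connection_Timeout formulas above can be checked before a file is deployed. The following Python sketch is an added example, not part of CADP for C: the function names, the sample file content, the choice of which parameters count as time values, and the case-sensitive treatment of unit abbreviations are assumptions.

```python
import re

# Milliseconds per unit, for the abbreviations listed earlier in this section.
UNIT_MS = {"ms": 1, "s": 1_000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}
# Parameter whose default unit is seconds; all others default to milliseconds.
DEFAULT_SECONDS = {"Symmetric_Key_Cache_Expiry"}
# Assumption: the parameters treated as time values here, chosen by name.
TIME_PARAMS = ("Connection_Timeout", "Connection_Read_Timeout",
               "Connection_Idle_Timeout", "Connection_Retry_Interval",
               "Symmetric_Key_Cache_Expiry")

def parse_properties(text):
    """Return {name: value} for active lines; lines starting with # are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            props[name.strip()] = value.strip()
    return props

def to_ms(name, value):
    """Convert a time value to milliseconds using the parameter's default unit."""
    # Assumption: unit abbreviations are case-sensitive, like other values.
    match = re.fullmatch(r"(\d+)(ms|s|m|h|d)?", value)
    if match is None:
        raise ValueError(f"{name}: not a valid time value: {value!r}")
    number, unit = match.groups()
    if unit is None:
        unit = "s" if name in DEFAULT_SECONDS else "ms"
    return int(number) * UNIT_MS[unit]

def effective_times(props):
    """Map each time parameter that has a value to its length in milliseconds."""
    return {n: to_ms(n, props[n]) for n in TIME_PARAMS if props.get(n)}

def connection_timeout_ms(retry_period, server_count):
    """Connection_Timeout = retry period / number of servers.

    Pass the servers in one tier for Unreachable_Server_Retry_Period, or the
    servers in all tiers for Maximum_Server_Retry_Period.
    """
    if server_count < 1:
        raise ValueError("server_count must be at least 1")
    return to_ms("retry period", retry_period) // server_count

# Constructed sample content, not a shipped properties file.
SAMPLE = "#NAE_IP=10.0.0.3\nNAE_IP=10.0.0.2\nConnection_Timeout=30s\n" \
         "Connection_Idle_Timeout=600000\nSymmetric_Key_Cache_Expiry=43200\n"
```

With the sample above, Symmetric_Key_Cache_Expiry=43200 resolves to 12 hours because its default unit is seconds, while Connection_Idle_Timeout=600000 resolves to 10 minutes.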
The parameters listed in the file, including the delivered default settings but excluding comments, are shown below:
Version=3.1
NAE_IP=
NAE_Port=9000
Protocol=tcp
Use_Persistent_Connections=yes
Size_of_Connection_Pool=300
Connection_Timeout=30000
Connection_Read_Timeout=30000
Connection_Idle_Timeout=600000
Connection_Retry_Interval=600000
Cluster_Synchronization_Delay=100
CA_File=
Cert_File=
Key_File=
Passphrase=
Symmetric_Key_Cache_Enabled=Yes
Symmetric_Key_Cache_Expiry=43200
Asymmetric_Key_Cache_Enabled=No
Log_Level=WARN
Log_File=
Log_Rotation=Daily
Log_Size_Limit=100k
Client_Compatibility_Mode=CipherTrust
Gen_Key_Id=NO
Refer to Configuration for details on properties.