Initializing CADP PKCS#11 Library

The initPKCS11Library function is included in the vpkcs11_sample_helper.c file. This file contains the shared functions that are used within the CADP for PKCS#11 samples.

The initPKCS11Library function loads the DLL and then obtains the function list from the DLL. This function uses the C_Initialize API to initialize the CADP for C PKCS#11 library. For more information about this API, refer to the CADP for C PKCS#11 API Guide.

To initialize the CADP PKCS#11 library, call the initPKCS11Library function, passing the path to the PKCS#11 library:

rc = initPKCS11Library(path_to_PKCS11_library); // from vpkcs11_sample_helper.c
Opening a Session

After initializing the CADP PKCS#11 library, perform the following steps to open a session within the CipherTrust Manager:

1. Initialize the slot list.

   rc = initSlotList(); // from vpkcs11_sample_helper.c

   The initSlotList function obtains a list of the available slots within the CipherTrust Manager. This function uses the C_GetSlotList and C_GetMechanismList APIs.

2. Open a session within the CipherTrust Manager and log in as a user.

   rc = openSessionAndLogin(pin, slotId); // from vpkcs11_sample_helper.c

   The openSessionAndLogin function opens a session within the CipherTrust Manager and then logs in to the session as a user. This function uses the C_OpenSession and C_Login APIs. Refer to Important Points for the pin requirement of the C_Login API.
Important Points

Here are a few important points.

pin: Pin required for the C_Login API. It is built from the following parameters:

PIN: pin entered during the CADP PKCS#11 installation
domain_name: Name of the domain to access
domain_admin: Admin of the domain_name domain
domain_admin_password: Password of the domain admin

For LegacyVAE mode:

If the SSL/TLS setting on Server Port is set to "TLS, verify client cert, user must supply password":
pin = PIN:domain_name||domain_admin:domain_admin_password

If the SSL/TLS setting on Server Port is set to "TLS, verify client cert, password is needed, user name in cert must match user name in authentication request":
pin = PIN:domain_name||domain_admin:domain_admin_password

!!! note The Client certificate CN should be set to domain_name||domain_admin, and the application can only access the keys from the domain_name domain.

If the SSL/TLS setting on Server Port is set to "TLS, verify client cert, user name taken from client cert, auth request is optional":
pin = PIN

!!! note The Client certificate CN should be set to domain_name||domain_admin, and the application can only access the keys from the domain_name domain.

If the SSL/TLS setting on Server Port is set to "TLS, verify client cert, user name in cert must match user name in authentication request":

For CipherTrust Mode:
pin = domain_name||domain_admin:domain_admin_password
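The pin formats above are easy to get subtly wrong (a missing "||" separator, a colon in the wrong place, a CN that does not match the domain_name||domain_admin user name), and C_Login only reports a generic failure. The following is an added example, not code from vpkcs11_sample_helper.c or the CADP samples: it assembles the pin string for each mode described on this page and checks a client certificate CN against the expected domain_name||domain_admin value before the string is ever handed to C_Login. The function names build_login_pin, expected_cert_cn and cert_cn_matches, the pin_mode_t enum and all sample values are assumptions constructed for the example; the separators and field order are the page's own.

```c
#include <stdio.h>
#include <string.h>

/* Modes from this page. The names are assumptions of this example. */
typedef enum {
    PIN_MODE_LEGACYVAE_PASSWORD,   /* LegacyVAE, server requires a password */
    PIN_MODE_LEGACYVAE_CERT_ONLY,  /* LegacyVAE, user name taken from client cert */
    PIN_MODE_CIPHERTRUST           /* CipherTrust mode */
} pin_mode_t;

/* Builds the C_Login pin into buf. Returns 0 on success, -1 when a required
 * part is missing or buf is too small (the result is then not usable).
 * "||" is the literal two-character separator between domain_name and
 * domain_admin; ":" separates PIN, the user name and the password. */
int build_login_pin(pin_mode_t mode, const char *PIN, const char *domain_name,
                    const char *domain_admin, const char *domain_admin_password,
                    char *buf, size_t buflen)
{
    int n;
    switch (mode) {
    case PIN_MODE_LEGACYVAE_PASSWORD:
        /* pin = PIN:domain_name||domain_admin:domain_admin_password */
        if (!PIN || !domain_name || !domain_admin || !domain_admin_password)
            return -1;
        n = snprintf(buf, buflen, "%s:%s||%s:%s", PIN, domain_name,
                     domain_admin, domain_admin_password);
        break;
    case PIN_MODE_LEGACYVAE_CERT_ONLY:
        /* pin = PIN; the user name comes from the client certificate CN */
        if (!PIN)
            return -1;
        n = snprintf(buf, buflen, "%s", PIN);
        break;
    case PIN_MODE_CIPHERTRUST:
        /* pin = domain_name||domain_admin:domain_admin_password */
        if (!domain_name || !domain_admin || !domain_admin_password)
            return -1;
        n = snprintf(buf, buflen, "%s||%s:%s", domain_name, domain_admin,
                     domain_admin_password);
        break;
    default:
        return -1;
    }
    /* snprintf reports the length it wanted; treat truncation as an error */
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}

/* Expected client certificate CN for the modes where the server checks the
 * certificate user name: domain_name||domain_admin. */
int expected_cert_cn(const char *domain_name, const char *domain_admin,
                     char *buf, size_t buflen)
{
    int n;
    if (!domain_name || !domain_admin)
        return -1;
    n = snprintf(buf, buflen, "%s||%s", domain_name, domain_admin);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}

/* Returns 1 when cert_cn is exactly the CN this page requires, else 0.
 * Run this before C_Login to turn a generic login failure into a clear
 * configuration error. */
int cert_cn_matches(const char *cert_cn, const char *domain_name,
                    const char *domain_admin)
{
    char expected[256];
    if (!cert_cn)
        return 0;
    if (expected_cert_cn(domain_name, domain_admin, expected, sizeof expected) != 0)
        return 0;
    return strcmp(cert_cn, expected) == 0;
}

int main(void)
{
    /* Constructed sample values, not real credentials. */
    char pin[256];
    if (build_login_pin(PIN_MODE_LEGACYVAE_PASSWORD, "1234", "finance",
                        "admin1", "s3cret", pin, sizeof pin) == 0)
        printf("LegacyVAE (password) pin: %s\n", pin);
    if (build_login_pin(PIN_MODE_CIPHERTRUST, NULL, "finance",
                        "admin1", "s3cret", pin, sizeof pin) == 0)
        printf("CipherTrust pin: %s\n", pin);
    printf("cert CN finance||admin1 matches: %d\n",
           cert_cn_matches("finance||admin1", "finance", "admin1"));
    return 0;
}
```

The buffer returned by build_login_pin holds a password, so in real code it should be cleared once it has been passed to openSessionAndLogin, and the CN check belongs before the login attempt, where a mismatch can be reported against the certificate rather than as an opaque C_Login error.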