Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Tasks for PKCS#11

Initializing CADP PKCS#11 Library

search

Please Note:

printsuggest an edit

Initializing CADP PKCS#11 Library

The initPKCS11Library function is included in the vpkcs11_sample_helper.c file. This file contains the shared functions that are used within the CADP for PKCS#11 samples.

The initPKCS11Library function loads the DLL and then obtains the function list from the DLL. This function uses the C_Initialize API to initialize the CADP for C PKCS#11 library. For more information about this API, refer to the CADP for C PKCS#11 API Guide.

To initialize the CADP PKCS#11 library, call the initPKCS11Library function: 

rc = initPKCS11Library(Path to PKCS#11 library); //from vpkcs11_sample_helper.c

copy link to clipboardOpening a Session

After initializing the CADP PKCS#11 library, perform the following steps to open a session within the CipherTrust Manager:

  1. Initialize the slot list. 

    rc = initSlotList();    //from vpkcs11_sample_helper.c

    The initSlotList function obtains a list of the available slots within the CipherTrust Manager. This function uses C_GetSlotList and C_GetMechanismList APIs.

  2. Open a session within the CipherTrust Manager and login as a user.

    rc = openSessionAndLogin(pin, slotId);  // from vpkcs11_sample_helper.c

    The openSessionAndLogin function opens a session within the CipherTrust Manager and then logs in the session as a user. This function uses the C_OpenSession and C_Login APIs. Refer to the Important Points regarding the C_Login API pin requirement

copy link to clipboardImportant Points

Here are few important points.

pin: Pin required for the C_Login API which consists of the following parameters:

  • PIN: pin entered during the CADP PKCS#11 installation

  • domain_name: Name of the domain to access

  • domain_admin: Admin of the domain_name domain

  • domain_admin_password: Password of the domain admin

For LegacyVAE mode:

  • if the SSL/TLS setting on Server Port is set to TLS, verify client cert, user must supply password

    pin = PIN:domain_name||domain_admin:domain_admin_password

  • if the SSL/TLS setting on Server Port is set to TLS, verify client cert, password is needed, user name in cert must match user name in authetiation request

    pin = PIN:domain_name||domain_admin:domain_admin_password

    !!! note The Client certificate CN should be set to domain_name||domain_admin and the application can only access the keys from the domain_name only.

  • if the SSL/TLS setting on Server Port is set to TLS, verify client cert, user name taken from client cert, auth request is optional

    pin = PIN

    !!! note The Client certificate CN should be set to domain_name||domain_admin and the application can only access the keys from the domain_name only.

  • if the SSL/TLS setting on Server Port is set to TLS, verify client cert, user name in cert must match user name in authentication request

For CipherTrust Mode:

pin = domain_name||domain_admin:domain_admin_password

On this page