KSP (for CNG) Configuration

SafeNet ProtectToolkit-M provides two tools for configuring ProtectServer tokens with KSP:

>kspcmd.exe: Configuring KSP via the Command Line

>KspConfig.exe: Configuring KSP via the GUI

Configuring KSP via the Command Line

Use the following method to configure and register KSP via the command line.

In the SAFENET directory, the kspcmd utility is used to manually register the following users along with their domains:

>Administrator user with the appropriate domain. In this example, the domain is WIN-81RT79OFJB3.

>SYSTEM user with the NT-AUTHORITY domain.

To configure KSP via the command line

1. Open a command prompt and navigate to the C:\Program Files\SafeNet\Protect Toolkit 5\KSP\ directory.

2. Use the kspcmd utility to register the PKCS library.

>kspcmd library "C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit M\sw\cryptoki.dll"

C:\Program Files\SafeNet\Protect Toolkit 5\KSP>kspcmd library "C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit M\sw\cryptoki.dll"

This Servers Host Name is: WIN-81RT79OFJB3 and the logged on user is: Administrator@WIN-81RT79OFJB3

Success registering the security library!

3. Register the Administrator user with the domain. Enter the token user PIN when prompted.

>kspcmd password /slotlabel <label> /userName Administrator /domainName <domain>

C:\Program Files\SafeNet\Protect Toolkit 5\KSP>kspcmd password /s Token0 /u Administrator /d WIN-81RT79OFJB3

This Servers Host Name is: WIN-81RT79OFJB3 and the logged on user is: Administrator@WIN-81RT79OFJB3

Enter challenge for slot '0' <Just hit Enter when using PED>:********

The slot Token0 was successfully and securely registered for user Administrator at domain WIN-81RT79OFJB3!

4. Register the SYSTEM user with the domain NT-AUTHORITY. Enter the token user PIN when prompted.

>kspcmd password /slotlabel <label> /userName SYSTEM /domainName NT-AUTHORITY

C:\Program Files\SafeNet\Protect Toolkit 5\KSP>kspcmd password /s Token0 /u SYSTEM /d NT-AUTHORITY

This Servers Host Name is: WIN-81RT79OFJB3 and the logged on user is: Administrator@WIN-81RT79OFJB3

Enter challenge for slot '0' <Just hit Enter when using PED>:********

The slot Token0 was successfully and securely registered for user SYSTEM at domain NT-AUTHORITY!

5. To verify that the library and domain have been registered:

a. Open the registry.

b. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Safenet\SafeNetKSP\CurrentConfig.

Confirm the entry CryptokiLibrary = "C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit M\sw\cryptoki.dll".

c. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\SafeNetKSP\Slots.

Confirm the entries Administrator@WIN-81RT79OFJB3 and SYSTEM@NT-AUTHORITY.
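
The registry checks in step 5 can also be scripted. The following PowerShell is an added example, not part of the SafeNet documentation or tooling: the helper names Test-KspLibrary and Get-KspSlotEntries are hypothetical, the expected values are the ones from this page's example, and it assumes a slot entry may appear as either a value or a subkey under Slots.

```powershell
# Added example (not SafeNet code): scripted version of the step 5 registry checks.
# Run from a 64-bit PowerShell session; a 32-bit session is redirected to WOW6432Node.
# Expected values below are the ones used in this page's example; adjust for your host.
$expectedLibrary = 'C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit M\sw\cryptoki.dll'
$expectedSlots   = @('Administrator@WIN-81RT79OFJB3', 'SYSTEM@NT-AUTHORITY')

# Registry key names are case-insensitive, so "Safenet" and "SafeNet" resolve to the same key.
$configKey = 'HKLM:\SOFTWARE\SafeNet\SafeNetKSP\CurrentConfig'
$slotsKey  = 'HKLM:\SOFTWARE\SafeNet\SafeNetKSP\Slots'

function Test-KspLibrary {          # hypothetical helper name
    param([string]$KeyPath, [string]$Expected)
    $item = Get-ItemProperty -Path $KeyPath -Name 'CryptokiLibrary' -ErrorAction SilentlyContinue
    if (-not $item) { return "FAIL: CryptokiLibrary not found under $KeyPath" }
    $actual = $item.CryptokiLibrary
    # A different path means the registration does not match the library registered in step 2.
    if ($actual -ne $Expected) { return "FAIL: CryptokiLibrary is '$actual'" }
    if (-not (Test-Path -LiteralPath $actual -PathType Leaf)) {
        return "FAIL: registered library '$actual' does not exist"
    }
    return "OK: CryptokiLibrary = $actual"
}

function Get-KspSlotEntries {       # hypothetical helper name
    param([string]$KeyPath)
    if (-not (Test-Path -Path $KeyPath)) { return @() }
    $key = Get-Item -Path $KeyPath
    # Assumption: the page does not say whether slot entries are values or subkeys,
    # so both kinds of name are collected.
    return @($key.GetValueNames()) + @($key.GetSubKeyNames())
}

$results = @(Test-KspLibrary -KeyPath $configKey -Expected $expectedLibrary)
$present = Get-KspSlotEntries -KeyPath $slotsKey
foreach ($slot in $expectedSlots) {
    if ($present -contains $slot) { $results += "OK: slot entry $slot" }
    else                          { $results += "FAIL: slot entry $slot missing" }
}

$results
# Non-zero exit code lets a deployment script or scheduled check detect a bad registration.
if ($results -match '^FAIL') { exit 1 }
```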

Configuring KSP via the GUI

The registration tool KspConfig.exe, installed by the 64-bit Client software installer into the C:\Program Files\SafeNet\Protect Toolkit 5\KSP directory, registers HSM tokens for use with CNG. It secures the password for each token so that only the user for whom the password was secured can unsecure it.

1. Go to C:\Program Files\SafeNet\Protect Toolkit 5\KSP and launch KspConfig.exe (the KSP configuration wizard).

2. In the left-hand pane (tree view), double-click "Register Or View Security Library".

3. In the right-hand pane, browse to the library C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin\hsm\cryptoki.dll and click Register.

4. Return to the left-hand pane, double-click "Register HSM Slots", and click Next.

5. In the Slot Password field, type in the password for the indicated slot.

To the right of the window, click the "Register Slot" button.

6. Return to the Domain pull-down list and select "NT AUTHORITY", supply the password for the slot being registered, and again click "Register Slot" to complete the KSP configuration.

Once the slots are registered, you can begin connecting with your client application to perform cryptographic operations in your HSM.