Installing ProtectToolkit on Unix/Linux

Installation and uninstallation commands are different for each of the supported Unix platforms. To account for these differences, the package should be installed using the Unix Installation Utility. Manual commands specific to your operating system can be used, but this is not the recommended method. The Installation Utility is more likely to result in a problem-free installation or uninstallation. The latest versions of the client software and HSM firmware can be found on the Thales Technical Support Customer Portal. See Support Contacts for more information.

The utility provides a simple menu-driven interface. In addition to installing and uninstalling the access provider on Unix systems, it can also:

>List already-installed packages

>List directory contents, for the current platform or all platforms

>Install a package from the directory (which also installs the utility in /usr/bin)

>Change the default operating mode (hardware or software-only).

Whenever the utility installs a package, it also installs itself on the host system's hard disk (in /usr/bin/safeNet-install.sh). This copy can be used to uninstall or configure the software.

You must become the superuser of the host system before adding or removing any packages.

NOTE   If you are installing ProtectToolkit 5.9.1 on an AIX system, you must first download ProtectToolkit 5.9 from the Thales Support Portal and install it by following the procedures described in this section.

The following procedures are described below:

>Utility Startup

>Available Packages

>Installing a package

>Setting up your environment

>Changing the Cryptoki provider

>Configuring ProtectToolkit

>Uninstalling a package

>Boot Service Operation on Unix/Linux Platforms

Utility Startup

Options can be specified when executing the safeNet-install.sh command. These options are not normally required and are mainly useful for troubleshooting. To troubleshoot an issue you are experiencing while using the installation utility, refer to ProtectToolkit Installation Issues.

Syntax

safeNet-install.sh [-h] [-p] [-s <size>] [-v]

Option      Description
-h          Show help.
-p          Plain mode. In this mode, 'tput' is not used for video enhancements.
-s<size>    Override the screen size (default = 'tput lines/cols' or 24x80).
-v          Print the version of this script.

If you wish to enter platform-specific commands manually, use the commands given in Installing ProtectToolkit on Linux Manually.

To start up the utility

1. The Thales Unix Installation Utility is located in the installation image's root directory. Unzip the image by following the standard procedure for your platform and installation.

2. Change to the unzipped directory and start the utility. The utility scans the system and the directory and displays the Main Menu.

Gemalto Unix Installation Utility:
Hostname: 66 (Linux 2.6.32-504.16.2.el6.i686)
Main menu

1 list Gemalto packages already installed
2 list packages on CD
3 install a package from this CD
4 uninstall a Gemalto package
5 Set the default cryptoki and/or hsm link

q quit the utility



Choice (1 2 3 4 q) [Redraw]:

NOTE   Enter 'b' to go back to the previous menu and 'q' to quit the utility. You can also quit with the system INTR key (normally ^C).

Available Packages

This section describes each available ProtectToolkit package and its prerequisites. The packages are listed below in the recommended installation order.

NOTE   Install only the packages required for your deployment.

>SafeNet Network HSM Access Provider: installs the components required to access a ProtectServer HSM over the network, whether a ProtectServer External 2, ProtectServer External 2 Plus, or ProtectServer PCIe 2 configured for network access.

>SafeNet PCIe HSM Access Provider (Device Driver): installs the device driver components for a ProtectServer PCIe 2 HSM installed in the host system.

>SafeNet HSM Net Server: installs the components required to make an installed ProtectServer PCIe 2 HSM available on the network to other ProtectToolkit clients. Requires an installed ProtectServer PCIe 2 and the SafeNet PCIe HSM Access Provider package as prerequisites.

>SafeNet ProtectToolkit C Runtime: installs all the necessary tools and interfaces for a ProtectToolkit-C based Cryptoki service provider. Requires the correct Access Provider package for your deployment as a prerequisite.

>SafeNet ProtectToolkit C SDK: installs the PTK-C software development platform. Header files are included, in addition to the PTK-C Runtime. Requires the correct Access Provider package for your deployment as a prerequisite.

NOTE   The PTK-C Runtime and PTK-C SDK packages cannot be installed at the same time. To switch between them, first uninstall the package you no longer wish to use.

>SafeNet ProtectToolkit J Runtime: installs all the necessary tools and interfaces for a PTK-J Cryptoki service provider, using the Java Cryptographic Architecture (JCA) / Java Cryptographic Extension (JCE) interface. NOTE: PTK-J requires the PTK-C Runtime component as a prerequisite.

>SafeNet ProtectToolkit J SDK: installs the PTK-J software development platform, for developing Java applications for use with your ProtectServer HSM.

>SafeNet ProtectToolkit FM SDK: installs the ProtectToolkit Functionality Module Software Development Kit for building FMs or host applications. Requires the PTK-C SDK as a prerequisite. You must also install the FM Toolchain.

NOTE   You cannot install the ProtectToolkit runtime and FM SDK on the same machine. It is recommended that you do your FM development on a separate machine.

>SafeNet 1.i686.rpm FM Toolchain: installs the components required to compile and run your Functionality Modules. Requires the PTK-C SDK and FM SDK as prerequisites.

Installing a package

Should you encounter any problems, please see Installing ProtectToolkit on Unix/Linux.

To install a package

1. Select install a package from this CD from the utility's Main Menu.

A list of installable SafeNet packages is displayed.

2. Select the package required by typing the appropriate menu number followed by Enter.

The utility verifies the action and executes the appropriate command for your platform.

3. On some platforms, you may be prompted for additional installation options. On Linux, for example, you can add a -nodeps option to suppress the checking of dependencies. These options should be selected with appropriate care.

4. You may now need to respond to any platform-specific messages (for example, to confirm that you wish to proceed with the installation).

5. After installation, the utility will return Success or Failure, scan the system again, and display the current installation status. Press the Enter key to continue.

Setting up your environment

After installing the software on Linux platforms, you must run the ProtectToolkit setvars.sh script to configure your environment for the ProtectToolkit software. You cannot run the script directly; instead, you must source it or add it to a startup file (for example, .bashrc). If you source the script, your environment is set for the current session only. If you add it to your startup file, your environment is set each time you log in.

To set up your environment

1. Go to the ProtectToolkit software installation directory:

cd /opt/safenet/protecttoolkit5/ptk

2. Source the setvars.sh script:

. ./setvars.sh

Once installed and configured, the software is ready to use under /opt/safenet.
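
The two steps above can be wrapped in a function that checks the script's ownership and permissions before sourcing it, because a sourced file runs with the privileges of the calling shell. This is an added example, not part of the Thales documentation; the function names and the policy (root-owned, not writable by group or others) are assumptions.

```shell
#!/bin/sh
# Added example: vet setvars.sh before sourcing it (function names are hypothetical).
# PTK_DIR is the installation directory from step 1 of the procedure.
PTK_DIR=${PTK_DIR:-/opt/safenet/protecttoolkit5/ptk}

# ptk_script_trusted FILE [OWNER_UID]
# Succeeds only if FILE is a regular file (not a symlink), is owned by
# OWNER_UID (default 0, root) and is not writable by group or others.
ptk_script_trusted() {
    ptk_file=$1
    ptk_want_uid=${2:-0}
    [ -f "$ptk_file" ] && [ ! -L "$ptk_file" ] || return 1
    # Third field of "ls -ldn" is the numeric owner id.
    ptk_owner=$(ls -ldn "$ptk_file" | awk '{print $3}')
    [ "$ptk_owner" = "$ptk_want_uid" ] || return 1
    # find prints the path only if the group- or other-write bit is set.
    ptk_loose=$(find "$ptk_file" -prune \( -perm -020 -o -perm -002 \) -print)
    [ -z "$ptk_loose" ]
}

# ptk_source_env [DIR] [OWNER_UID]
# Performs steps 1 and 2 (cd to DIR, then ". ./setvars.sh") in the current
# shell, but only after the script passes the checks above. The previous
# working directory is restored afterwards.
ptk_source_env() {
    ptk_dir=${1:-$PTK_DIR}
    if ! ptk_script_trusted "$ptk_dir/setvars.sh" "${2:-0}"; then
        echo "refusing to source $ptk_dir/setvars.sh: ownership/permission check failed" >&2
        return 1
    fi
    ptk_prev=$PWD
    cd "$ptk_dir" || return 1
    . ./setvars.sh
    ptk_rc=$?
    cd "$ptk_prev" || return 1
    return "$ptk_rc"
}
```

To use it from a startup file, define both functions there and call ptk_source_env with no arguments.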

When you have completed the installation, refer to Configuration Items for additional PTK client configuration options, then to the guides for your installed components:

>About the ProtectToolkit-C Administration Guide

>About the ProtectToolkit-J Reference Guide

>About the FM SDK Programming Guide

Changing the Cryptoki provider

On Unix/Linux systems, the software-only Cryptoki provider is made active by default. If you plan to use this instance of ProtectToolkit-C with a ProtectServer HSM, you will need to change the Cryptoki provider. Software-only mode is not secure, as cryptographic material is stored on the host system. You can use the Unix Installation Utility to change modes.

To change the Cryptoki provider

1. From the Main menu, select Set the default cryptoki and/or HSM link.

The Cryptoki Selection screen is displayed.

Gemalto Unix Installation Utility:
Hostname: 66 (Linux 2.6.32-504.16.2.el6.i686)
Main Menu >> Check/Set Default Cryptoki & HSM Menu

-------------------- Cryptoki Selection --------------------
1   SafeNet ProtectToolkit C SDK Software (emulator)
2 * SafeNet ProtectToolkit C SDK Runtime (hardware)
3 * SafeNet Network HSM Access Provider

b back
q quit the utility



Choice (1 2 3 b q) [Redraw]:

2. Select SafeNet ProtectToolkit C SDK Runtime (hardware) and confirm your selection.

Configuring ProtectToolkit

When you have completed the installation, refer to Configuration Items for additional PTK client configuration options, then to the guides for your installed components:

>About the ProtectToolkit-C Administration Guide

>About the ProtectToolkit-J Reference Guide

>About the ProtectToolkit-M User Guide

>About the FM SDK Programming Guide

If you have installed ProtectToolkit-C and intend to use PCI or network operating modes:

>Configure the secure messaging system (SMS). Refer to Secure Messaging.

>Establish network communication (network operating mode only) by configuring the client to use one or more servers that are available on the same network. Refer to Specifying the Network Server(s).

If you have installed ProtectToolkit-C and intend to use software-only mode:

>Customize the installation to optimize performance. Refer to Software-Only Mode Configuration.

Uninstalling a package

Should you encounter any problems, please see Installing ProtectToolkit on Unix/Linux.

To uninstall a package

1. Select Uninstall a SafeNet package from the utility's Main Menu.

A list of installed SafeNet packages is displayed.

2. Select the required package by typing the appropriate menu number and pressing Enter.

The utility verifies the action and executes the appropriate command for your platform.

3. On some platforms, you may be prompted for additional uninstallation options. On Linux, for example, you can add a -nodeps option to suppress the checking of dependencies. These options should be selected with appropriate care.

4. After completing uninstallation, the utility will return Success or Failure, scan the system again, and display the current installation status.

5. You may now need to respond to any platform-specific messages to confirm that you wish to proceed with the uninstallation. Press the Enter key to continue.

Boot Service Operation on Unix/Linux Platforms

To run the server as an rc.d (init.d) service, run the following script:

/opt/safenet/protecttoolkit5/netsrv/bin/etnetsrv_install_rc