Setup / Configuration

An application may initialize the token and key sets, or it may presume that they have already been set up. The latter is normally the case and SafeNet ProtectToolkit-C includes initialization applications to perform this function.

The ProtectServer configuration and management strategy is based on the Administrator token created automatically on all adapters. Please refer to the SafeNet ProtectToolkit-C Administration Guide for more details.

SafeNet ProtectToolkit-C Setup / Configuration

>Decide early how many tokens should be created for the HSM configuration. Changing the number of tokens / slots is a significant change. Generally, one token should be used per application, but there may be necessary exceptions.

>Decide the security settings. FIPS mode enables a collection of different security settings (see the SafeNet ProtectToolkit-C Administration Guide for details), some of which will impact performance. Take this into consideration when writing applications.

>Decide how to manage the user and security officer (SO) PINs for each token. The PINs protect different services and it is important to note that, when not in FIPS mode, both keys and cryptographic services can be used when no PIN has been provided.

>Plan for operations to back up / restore working key sets to disk or smart card. This will influence what key attributes to set for various keys and may require backup / restore master keys. Refer to the SafeNet ProtectToolkit-C Administration Guide for more information on the available backup options.

>Use the KMU to manually set up key sets, or the CTKMU console application to set them up from a batch file. A simple custom application may also be used to set up a key set; both KMU and CTKMU use PKCS#11 functions that any application can call.

SafeNet ProtectToolkit-C Setup / Configuration Caveats

>The administrator token in SafeNet ProtectToolkit-C V3.x may cause confusion, since it appears as a standard PKCS#11 token. This token contains special objects that should not be accessed by any applications other than the SafeNet ProtectToolkit-C supplied tools. 

>Server applications may require the ability to run from a reboot without any assistance or input (including PINs) from a human operator. This may affect how login PINs are presented to the token.
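
The administrator-token caveat above, turned into a start-up check an application can run over the tokens it enumerates. This is an added example, not SafeNet code: the helper names and error codes are hypothetical, `token_t` is a cut-down stand-in for `CK_TOKEN_INFO`, and it assumes the administrator token's label begins with `AdminToken`.

```c
#include <string.h>

/* CK_TOKEN_INFO.flags bits (PKCS#11 standard values). */
#define CKF_USER_PIN_INITIALIZED 0x00000008UL
#define CKF_TOKEN_INITIALIZED    0x00000400UL
#define ADMIN_LABEL_PREFIX "AdminToken"  /* assumption: how the admin token's label begins */

/* Cut-down stand-in for CK_TOKEN_INFO: the label is 32 bytes, space padded, no NUL. */
typedef struct { unsigned long slot; unsigned char label[32]; unsigned long flags; } token_t;
enum { TOKEN_OK = 0, ERR_ADMIN = -1, ERR_NOT_FOUND = -2, ERR_AMBIGUOUS = -3, ERR_NOT_READY = -4 };

/* Build a constructed sample entry with the label padded the way a token reports it. */
token_t make_token(unsigned long slot, const char *label, unsigned long flags)
{
    token_t t = { slot, {0}, flags };
    size_t n = strlen(label);
    memset(t.label, ' ', sizeof t.label);
    memcpy(t.label, label, n > sizeof t.label ? sizeof t.label : n);
    return t;
}

/* Compare a padded label with a C string; prefix_only ignores what follows the match. */
static int label_matches(const unsigned char *label, const char *want, int prefix_only)
{
    size_t n = strlen(want), i;
    if (n == 0 || n > 32 || memcmp(label, want, n) != 0) return 0;
    for (i = n; !prefix_only && i < 32; i++)
        if (label[i] != ' ') return 0;
    return 1;
}

/* Pick the application's token by exact label; *slot_out is set only on TOKEN_OK. */
int select_app_token(const token_t *t, size_t count, const char *want, unsigned long *slot_out)
{
    const unsigned long ready = CKF_TOKEN_INITIALIZED | CKF_USER_PIN_INITIALIZED;
    const token_t *hit = NULL;
    if (strncmp(want, ADMIN_LABEL_PREFIX, strlen(ADMIN_LABEL_PREFIX)) == 0) return ERR_ADMIN;
    for (size_t i = 0; i < count; i++) {
        if (label_matches(t[i].label, ADMIN_LABEL_PREFIX, 1)) continue; /* skip admin token */
        if (!label_matches(t[i].label, want, 0)) continue;
        if (hit) return ERR_AMBIGUOUS;   /* two tokens share the label: refuse to guess */
        hit = &t[i];
    }
    if (!hit) return ERR_NOT_FOUND;
    if ((hit->flags & ready) != ready) return ERR_NOT_READY;
    *slot_out = hit->slot;
    return TOKEN_OK;
}
```

In a real application the entries would be filled from `C_GetSlotList` and `C_GetTokenInfo`, and any result other than `TOKEN_OK` should stop start-up before a session is opened.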