ProtectServer 3 HSM and ProtectToolkit 7
Customer release notes
- ProtectToolkit 7 releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- ProtectServer 3 HSM firmware releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- ProtectServer 3 Network HSM Appliance Software releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- Supported ProtectToolkit 7 platforms
- Supported ProtectServer 3 HSM firmware and boot loader versions
- Known and resolved issues
ProtectServer 3 HSM and ProtectToolkit 7 installation and configuration
- ProtectServer 3 PCIe hardware installation
- ProtectServer 3 External installation and configuration
  - ProtectServer 3 External overview
  - ProtectServer 3 External required items
  - Installing the ProtectServer 3 External hardware
  - Deployment guidelines
  - First log on and system test
  - Network configuration
  - Powering off the ProtectServer 3 External
  - Updating the ProtectServer 3 External appliance software image
- ProtectServer 3+ External installation and configuration
  - ProtectServer 3+ External overview
  - ProtectServer 3+ External required items
  - Installing the ProtectServer 3+ External in a server rack
  - Physical features
  - Deployment guidelines
  - First log on and system test
  - Network configuration
  - Powering off the ProtectServer 3+ External
  - Updating the ProtectServer 3+ External appliance software image
- ProtectToolkit 7 software installation
  - Installing ProtectToolkit 7 on Windows
  - Installing ProtectToolkit 7 on Unix/Linux
  - Installing ProtectToolkit 7 on Unix/Linux manually
  - Deploying ProtectToolkit 7 in a Docker container on Linux
  - Available ProtectToolkit 7 components
- Configuration items
- Utilities command reference
PSESH command reference
- Using PSESH
- PSESH commands
  - audit
    - audit audit
    - audit log
    - audit service
  - exit
  - files
    - files clear
    - files delete
    - files show
  - help
  - hsm
    - hsm cert
    - hsm factoryreset
    - hsm reset
    - hsm show
    - hsm state
  - network
    - network dns
    - network domain
    - network hostname
    - network interface
    - network iptables
    - network ping
    - network route
    - network show
  - package
    - package list
    - package install
    - package listfile
  - service
    - service list
    - service restart
    - service start
    - service status
    - service stop
  - status
    - status cpu
    - status date
    - status disk
    - status interface
    - status mac
    - status mem
    - status netstat
    - status ps
    - status time
    - status zone
  - sysconf
    - sysconf appliance
    - sysconf etnetcfg
    - sysconf snmp
    - sysconf time
    - sysconf timezone
  - syslog
    - syslog cleanup
    - syslog export
    - syslog period
    - syslog remotehost
    - syslog rotate
    - syslog rotations
    - syslog show
    - syslog tail
    - syslog tarlogs
  - user password
ProtectServer HSM migration
- Migrating keys from ProtectServer 2 HSMs to ProtectServer 3 HSMs
- Migrating functionality modules from ProtectServer 2 HSMs to ProtectServer 3 HSMs
ProtectToolkit-C administration
- Introduction
- Cryptoki configuration
  - ProtectToolkit-C model
  - Initial configuration
    - Trust management
    - ProtectServer owner and identity certificates
    - Secure messaging
    - Token replication
  - Changing the Cryptoki provider
  - Work Load Distribution and High Availability
    - WLD system setup
    - Operation in WLD Mode
    - Operation in High Availability Mode
  - Real-time clock
  - ProtectToolkit-C configuration items
- Security policies and user roles
  - Typical security policies
  - Security flags
  - Security policy options
  - User roles
- Audit logging
  - Audit logging overview
  - Configuring and using audit logging
  - Audit log entries and structure
- SNMP monitoring
- Self-tests
- Operational tasks
  - Changing a user or Security Officer PIN
  - Secure key backup and restoration
  - Adding and removing slots
  - Re-initializing a token
  - Multifactor authentication (one-time password)
  - Connecting and removing smart card readers
  - Using Transport Mode to avoid a board removal tamper
  - Adjusting the HSM clock
  - Changing secure messaging mode
  - Using the system event log
  - Updating the HSM firmware or boot loader
  - Installing a functionality module
  - Key entry via PIN pad
  - Resetting the HSM to factory settings
  - Resetting the ProtectServer 3 Network HSM appliance to factory settings
  - Tampering or decommissioning the HSM
  - RMA and shipping back to Thales
- Command-line utilities reference
  - ctcert
  - ctcheck
  - ctconf
  - ctfm
  - ctident
  - ctlimits
  - ctmultitoken
  - ctotp
  - ctkmu
  - ctperf
  - ctstat
  - auditverify
  - ptk7tokmigration
- PKCS#11 attributes
- Sample EC domain parameter files
ProtectToolkit-C programming
- Introduction to PKCS#11
- Environments
- Object classes
  - Creating, modifying, copying, and deleting objects
  - Additional attribute types
  - Common attributes
  - Hardware feature objects
  - Clock objects
  - Monotonic counter objects
  - Storage objects
  - Data objects
  - Certificate objects
  - Key objects
    - Public key objects
    - Private key objects
    - Secret key objects
    - Key parameter objects
- ProtectToolkit-C mechanisms
  - CKM_AES_CBC
  - CKM_AES_CBC_ENCRYPT_DATA
  - CKM_AES_CBC_PAD
  - CKM_AES_CCM
  - CKM_AES_CMAC
  - CKM_AES_CMAC_GENERAL
  - CKM_AES_CTR
  - CKM_AES_ECB
  - CKM_AES_ECB_ENCRYPT_DATA
  - CKM_AES_GCM
  - CKM_AES_GCM_OLD
  - CKM_AES_GMAC
  - CKM_AES_KEY_GEN
  - CKM_AES_KEY_WRAP
  - CKM_AES_KEY_WRAP_PAD
  - CKM_AES_KW
  - CKM_AES_KWP
  - CKM_AES_MAC
  - CKM_AES_MAC_GENERAL
  - CKM_AES_OFB
  - CKM_ARDFP
  - CKM_ARIA_CBC
  - CKM_ARIA_CBC_PAD
  - CKM_ARIA_ECB
  - CKM_ARIA_KEY_GEN
  - CKM_ARIA_MAC
  - CKM_ARIA_MAC_GENERAL
  - CKM_BIP32_CHILD_DERIVE
  - CKM_BIP32_MASTER_DERIVE
  - CKM_CAST128_CBC
  - CKM_CAST128_CBC_PAD
  - CKM_CAST128_ECB
  - CKM_CAST128_ECB_PAD
  - CKM_CAST128_KEY_GEN
  - CKM_CAST128_MAC
  - CKM_CAST128_MAC_GENERAL
  - CKM_CONCATENATE_BASE_AND_DATA
  - CKM_CONCATENATE_BASE_AND_KEY
  - CKM_CONCATENATE_DATA_AND_BASE
  - CKM_DECODE_PKCS_7
  - CKM_DECODE_X_509
  - CKM_DES2_KEY_GEN
  - CKM_DES3_BCF
  - CKM_DES3_CBC
  - CKM_DES3_CBC_ENCRYPT_DATA
  - CKM_DES3_CBC_PAD
  - CKM_DES3_CMAC
  - CKM_DES3_CMAC_GENERAL
  - CKM_DES3_DDD_CBC
  - CKM_DES3_DERIVE_CBC_DEPRECATED
  - CKM_DES3_DERIVE_ECB_DEPRECATED
  - CKM_DES3_ECB
  - CKM_DES3_ECB_ENCRYPT_DATA
  - CKM_DES3_ECB_PAD
  - CKM_DES3_KEY_GEN
  - CKM_DES3_MAC
  - CKM_DES3_MAC_GENERAL
  - CKM_DES3_OFB64
  - CKM_DES3_RETAIL_CFB_MAC
  - CKM_DES3_X919_MAC
  - CKM_DES3_X919_MAC_GENERAL
  - CKM_DES_BCF
  - CKM_DES_CBC
  - CKM_DES_CBC_ENCRYPT_DATA
  - CKM_DES_CBC_PAD
  - CKM_DES_DERIVE_CBC_DEPRECATED
  - CKM_DES_DERIVE_ECB_DEPRECATED
  - CKM_DES_ECB
  - CKM_DES_ECB_ENCRYPT_DATA
  - CKM_DES_ECB_PAD
  - CKM_DES_KEY_GEN
  - CKM_DES_MAC
  - CKM_DES_MAC_GENERAL
  - CKM_DES_MDC_2_PAD1
  - CKM_DES_OFB64
  - CKM_DH_PKCS_DERIVE
  - CKM_DH_PKCS_KEY_PAIR_GEN
  - CKM_DH_PKCS_PARAMETER_GEN
  - CKM_DSA
  - CKM_DSA_KEY_PAIR_GEN
  - CKM_DSA_PARAMETER_GEN
  - CKM_DSA_SHA1
  - CKM_DSA_SHA1_PKCS
  - CKM_DSA_SHA224
  - CKM_DSA_SHA224_PKCS
  - CKM_DSA_SHA256
  - CKM_DSA_SHA256_PKCS
  - CKM_DSA_SHA384
  - CKM_DSA_SHA384_PKCS
  - CKM_DSA_SHA512
  - CKM_DSA_SHA512_PKCS
  - CKM_EC_EDWARDS_KEY_PAIR_GEN
  - CKM_EC_KEY_PAIR_GEN
  - CKM_EC_MONTGOMERY_KEY_PAIR_GEN
  - CKM_ECDH1_DERIVE
  - CKM_ECDSA
  - CKM_ECDSA_GBCS_SHA256
  - CKM_ECDSA_SHA1
  - CKM_ECDSA_SHA224
  - CKM_ECDSA_SHA256
  - CKM_ECDSA_SHA384
  - CKM_ECDSA_SHA3_224
  - CKM_ECDSA_SHA3_256
  - CKM_ECDSA_SHA3_384
  - CKM_ECDSA_SHA3_512
  - CKM_ECDSA_SHA512
  - CKM_ECIES
  - CKM_EDDSA
  - CKM_ENCODE_ATTRIBUTES
  - CKM_ENCODE_PKCS_10
  - CKM_ENCODE_PUBLIC_KEY
  - CKM_ENCODE_X_509
  - CKM_ENCODE_X_509_LOCAL_CERT
  - CKM_EXTRACT_KEY_FROM_KEY
  - CKM_GENERIC_SECRET_KEY_GEN
  - CKM_IDEA_CBC
  - CKM_IDEA_CBC_PAD
  - CKM_IDEA_ECB
  - CKM_IDEA_ECB_PAD
  - CKM_IDEA_KEY_GEN
  - CKM_IDEA_MAC
  - CKM_IDEA_MAC_GENERAL
  - CKM_KECCAK_1600
  - CKM_KEY_TRANSLATION
  - CKM_KEY_WRAP_SET_OAEP
  - CKM_MD2
  - CKM_MD2_HMAC
  - CKM_MD2_HMAC_GENERAL
  - CKM_MD2_KEY_DERIVATION
  - CKM_MD2_RSA_PKCS
  - CKM_MD5
  - CKM_MD5_HMAC
  - CKM_MD5_HMAC_GENERAL
  - CKM_MD5_KEY_DERIVATION
  - CKM_MD5_RSA_PKCS
  - CKM_MILENAGE_DERIVE
  - CKM_MILENAGE_SIGN
  - CKM_NVB
  - CKM_PBA_SHA1_WITH_SHA1_HMAC
  - CKM_PBE_MD2_DES_CBC
  - CKM_PBE_MD5_CAST128_CBC
  - CKM_PBE_MD5_DES_CBC
  - CKM_PBE_SHA1_CAST128_CBC
  - CKM_PBE_SHA1_DES2_EDE_CBC
  - CKM_PBE_SHA1_DES3_EDE_CBC
  - CKM_PBE_SHA1_RC2_128_CBC
  - CKM_PBE_SHA1_RC2_40_CBC
  - CKM_PBE_SHA1_RC4_128
  - CKM_PBE_SHA1_RC4_40
  - CKM_PKCS12_PBE_EXPORT
  - CKM_PKCS12_PBE_IMPORT
  - CKM_PP_LOAD_SECRET
  - CKM_PP_LOAD_SECRET_2
  - CKM_RC2_CBC
  - CKM_RC2_CBC_PAD
  - CKM_RC2_ECB
  - CKM_RC2_ECB_PAD
  - CKM_RC2_KEY_GEN
  - CKM_RC2_MAC
  - CKM_RC2_MAC_GENERAL
  - CKM_RC4
  - CKM_RC4_KEY_GEN
  - CKM_REPLICATE_TOKEN_RSA_AES
  - CKM_RIPEMD128
  - CKM_RIPEMD128_HMAC
  - CKM_RIPEMD128_HMAC_GENERAL
  - CKM_RIPEMD128_RSA_PKCS
  - CKM_RIPEMD160
  - CKM_RIPEMD160_HMAC
  - CKM_RIPEMD160_HMAC_GENERAL
  - CKM_RIPEMD160_RSA_PKCS
  - CKM_RSA_9796
  - CKM_RSA_FIPS_186_4_PRIME_KEY_PAIR_ GEN
  - CKM_RSA_PKCS
  - CKM_RSA_PKCS_KEY_PAIR_GEN
  - CKM_RSA_PKCS_OAEP
  - CKM_RSA_PKCS_PSS
  - CKM_RSA_X9_31_KEY_PAIR_GEN
  - CKM_RSA_X_509
  - CKM_SECRET_RECOVER_WITH_ATTRIBUTES
  - CKM_SECRET_SHARE_WITH_ATTRIBUTES
  - CKM_SEED_CBC
  - CKM_SEED_CBC_PAD
  - CKM_SEED_ECB
  - CKM_SEED_ECB_PAD
  - CKM_SEED_KEY_GEN
  - CKM_SEED_MAC
  - CKM_SEED_MAC_GENERAL
  - CKM_SET_ATTRIBUTES
  - CKM_SHA1
  - CKM_SHA1_EDDSA
  - CKM_SHA1_HMAC
  - CKM_SHA1_HMAC_GENERAL
  - CKM_SHA1_KEY_DERIVATION
  - CKM_SHA1_RSA_PKCS
  - CKM_SHA1_RSA_PKCS_PSS
  - CKM_SHA1_RSA_PKCS_TIMESTAMP
  - CKM_SHA224
  - CKM_SHA224_EDDSA
  - CKM_SHA224_HMAC
  - CKM_SHA224_HMAC_GENERAL
  - CKM_SHA224_KEY_DERIVATION
  - CKM_SHA224_RSA_PKCS
  - CKM_SHA224_RSA_PKCS_PSS
  - CKM_SHA256
  - CKM_SHA256_EDDSA
  - CKM_SHA256_HMAC
  - CKM_SHA256_HMAC_GENERAL
  - CKM_SHA256_KEY_DERIVATION
  - CKM_SHA256_RSA_PKCS
  - CKM_SHA256_RSA_PKCS_PSS
  - CKM_SHA384
  - CKM_SHA384_EDDSA
  - CKM_SHA384_HMAC
  - CKM_SHA384_HMAC_GENERAL
  - CKM_SHA384_KEY_DERIVATION
  - CKM_SHA384_RSA_PKCS
  - CKM_SHA384_RSA_PKCS_PSS
  - CKM_SHA3_224
  - CKM_SHA3_224_EDDSA
  - CKM_SHA3_224_HMAC
  - CKM_SHA3_224_HMAC_GENERAL
  - CKM_SHA3_224_KEY_DERIVE
  - CKM_SHA3_224_RSA_PKCS
  - CKM_SHA3_224_RSA_PKCS_PSS
  - CKM_SHA3_256
  - CKM_SHA3_256_EDDSA
  - CKM_SHA3_256_HMAC
  - CKM_SHA3_256_HMAC_GENERAL
  - CKM_SHA3_256_KEY_DERIVE
  - CKM_SHA3_256_RSA_PKCS
  - CKM_SHA3_256_RSA_PKCS_PSS
  - CKM_SHA3_384
  - CKM_SHA3_384_EDDSA
  - CKM_SHA3_384_HMAC
  - CKM_SHA3_384_HMAC_GENERAL
  - CKM_SHA3_384_KEY_DERIVE
  - CKM_SHA3_384_RSA_PKCS
  - CKM_SHA3_384_RSA_PKCS_PSS
  - CKM_SHA3_512
  - CKM_SHA3_512_EDDSA
  - CKM_SHA3_512_HMAC
  - CKM_SHA3_512_HMAC_GENERAL
  - CKM_SHA3_512_KEY_DERIVE
  - CKM_SHA3_512_RSA_PKCS
  - CKM_SHA3_512_RSA_PKCS_PSS
  - CKM_SHA512
  - CKM_SHA512_EDDSA
  - CKM_SHA512_HMAC
  - CKM_SHA512_HMAC_GENERAL
  - CKM_SHA512_KEY_DERIVATION
  - CKM_SHA512_RSA_PKCS
  - CKM_SHA512_RSA_PKCS_PSS
  - CKM_SSL3_KEY_AND_MAC_DERIVE
  - CKM_SSL3_MASTER_KEY_DERIVE
  - CKM_SSL3_MD5_MAC
  - CKM_SSL3_PRE_MASTER_KEY_GEN
  - CKM_SSL3_SHA1_MAC
  - CKM_TDEA_TKW
  - CKM_TUAK_DERIVE
  - CKM_TUAK_SIGN
  - CKM_UNWRAP_TR31
  - CKM_VISA_CVV
  - CKM_WRAP_TR31_DERIVE
  - CKM_WRAP_TR31_VARIANT
  - CKM_WRAPKEY_AES_CBC
  - CKM_WRAPKEY_AES_KWP
  - CKM_WRAPKEY_DES3_CBC
  - CKM_WRAPKEY_DES3_ECB
  - CKM_WRAPKEYBLOB_AES_CBC
  - CKM_WRAPKEYBLOB_DES3_CBC
  - CKM_X9_42_DH_DERIVE
  - CKM_X9_42_DH_KEY_PAIR_GEN
  - CKM_X9_42_DH_PARAMETER_GEN
  - CKM_XOR_BASE_AND_DATA
  - CKM_XOR_BASE_AND_KEY
  - CKM_ZKA_MDC_2_KEY_DERIVATION
  - PTK-C vendor-defined error codes
- Supported ECC curves
- C sample programs
- Best practice guidelines
  - Application security
  - Application usability
  - Performance
  - Capacity
  - Setup and configuration
  - Maintainability
  - Debugging
  - Interoperability
  - Programming in FIPS Mode
  - Key management
  - Hierarchical deterministic wallets in ProtectToolkit
- ctbrowse - token browser
- API tutorial: development of a sample application
- PKCS#11 logger library
- PKCS#11 command reference
  - General purpose functions
  - Slot and token management functions
  - Session management functions
  - Object management functions
  - Encryption functions
  - Decryption functions
  - Message digesting functions
  - Signing and MACing functions
  - Functions for verifying signatures and MACs
  - Dual-function cryptographic functions
  - Key management functions
  - Random number generation functions
  - Parallel function management functions
  - Extra functions
- ctutil.h functionality reference
- ctextra.h library reference
- hex2bin.h library reference
- hsmadmin.h library reference
- Attribute certificate
ProtectToolkit-C management libraries programming
- KMLIB sample applications
- KMLIB callback prototypes reference
- KMLIB function reference
ProtectToolkit-J reference
- ProtectToolkit-J overview
- JCA/JCE API overview
  - Encryption and decryption
  - Message digests
  - Message authentication code (MAC)
  - Authentication
  - Key management
  - Error handling and exceptions
- Supported ciphers
  - DES
  - DESede
  - AES
  - IDEA
  - CAST128
  - RC2
  - RC4
  - PBE ciphers
  - RSA
- Supported signature algorithms
- Supported MAC algorithms
- Supported message digest algorithms
- Key Management Utility (KMU) reference
  - Compatibility issues
  - Main KMU interface
  - Logging into and out from tokens
  - Creating keys
  - Editing key attributes
  - Deleting a key
  - Display key check value
  - Importing and exporting keys
  - Key backup feature tutorial
- Administration Utility (gCTAdmin) reference
  - Logging in and out
  - Main gCTAdmin Interface
  - Slot and token management
  - HSM management
- KMU key check value (KCV) calculation
- Key generation
- Key management
- Best practice guidelines
- Java sample programs
- JCA/JCE API tutorial
  - Public key cryptography
  - FileCrypt application
  - File encryption
  - File decryption
  - Accessing public keys
  - Main()
- Random number generation
- References
ProtectToolkit-M reference
- Overview
- Setup and configuration
  - User roles
  - Initial configuration: mandatory steps
  - Security mode descriptions
  - Security mode flag descriptions
  - Allocating keyset space
  - Configuration options
  - SafeNet KSP for CNG registration utilities
  - Configuring IIS7 (Win2008) with CNG
- Administrative tasks
  - Changing the device administrator password
  - Allocating keyset space
  - De-allocating keyset space
  - Creating user keysets
  - Deleting a keyset
  - Setting the adapter Transport Mode
  - Correcting clock drift
  - Viewing and purging the HSM event log
  - Checking and upgrading HSM firmware
  - Tampering the HSM
  - Backing up a keyset
  - Restoring a keyset
  - Enabling private key clear export
- User tasks
- Administration and user utilities
  - Administration Utility
  - Keyset Management Utility
  - createcert
- Integration with Microsoft CA
  - Setting up a CA with ProtectToolkit-M
  - Certificate template support for SafeNet CSPs
  - CA replication (key backup and recovery)
  - Private key archiving and recovery
- Integration with IIS
  - Creating a certificate
  - Installing a certificate for use with IIS
- Work Load Distribution
- Registry configuration
FM SDK programming
- Overview
- FM architecture
- FM development
- FM samples
- Building sample FMs in Emulation Mode on Windows
- Configuring WSL 2 for FM development and deployment
- FM deployment
- Utilities reference
- Cipher object
  - FmCreateCipherObject
  - Cipher object functions
  - Algorithm-specific cipher information
- Hash object
  - FmCreateHashObject
  - Hash object functions
- Setting privilege level
- SMFS reference
- FMDEBUG reference
- Message Dispatch API reference
- HSM functions reference
  - HIFACE reply management functions
  - Functionality module dispatch switcher function
  - Serial communication functions
  - High resolution timer functions
  - Cprov function patching helper function
  - Current application ID functions
  - PKCS#11 state management functions
  - Functionality module header definition macro
- USB API reference
ProtectServer 3 HSM and ProtectToolkit 7 troubleshooting
- Installation troubleshooting
- ProtectToolkit-J troubleshooting
- ProtectToolkit-M troubleshooting
Third-Party Software Licenses

Changing the Cryptoki provider

This section applies to the ProtectToolkit(PTK)-C SDK package only and describes how to change the Cryptoki provider.

Different ProtectToolkit-C Cryptoki provider files are required, depending on whether you are using ProtectToolkit-C SDK with a ProtectServer 3 HSM (PCI or Network operating mode) or without a ProtectServer 3 HSM (Software Emulator operating mode). For more information about operating modes, refer to Operating modes.

Both Cryptoki provider files are installed with the ProtectToolkit-C SDK package. On Windows systems, you are prompted during installation to choose which Cryptoki provider file is made active. On Linux systems, the Software Emulator Cryptoki provider file is made active by default. In both cases, you can change the Cryptoki provider after installing the ProtectToolkit-C SDK and configuring Cryptoki.

Caution

Software Emulator mode is not secure because cryptographic material is stored on the host system.

Windows

On Windows systems, you can change the Cryptoki provider by doing one of the following:

Modifying the ProtectToolkit Windows installation
Using the SetHsmMode.ps1 PowerShell script (ProtectToolkit 7.2.0 and newer only)

Modifying the ProtectToolkit Windows installation

You can use the Windows client installer to change the Cryptoki provider. For more information, refer to Modifying the ProtectToolkit Windows installation.

Using the SetHsmMode.ps1 Windows PowerShell script

Thales provides a PowerShell script (SetHsmMode.ps1) with ProtectToolkit 7.2.0 and newer that you can use to change the Cryptoki provider.

To change the Cryptoki provider using SetHsmMode.ps1

Open PowerShell as administrator.
Change directory to C:\Program Files\Safenet\ProtectToolkit 7\C SDK\bin.

Run the SetHsmMode.ps1 script by running the following command:

.\SetHsmMode.ps1

You are then prompted to select an operating mode.

CRYPTOKI Mode Selector
----------------------
[SW] Software Emulator Library
[HW] Runtime (HW) Library

Select from above options (SW/HW):

Enter SW or HW.

A prompt appears confirming the newly selected operating mode. For example, the following prompt appears if HW is selected:
```
SFNT_CRYPT path set to HW
Cryptoki path set to HW
```

After receiving the prompt shown above, you have successfully changed the Cryptoki provider.

Linux

On Linux systems, you can change the Cryptoki provider by doing one of the following:

Changing the Cryptoki provider with the Unix Installation Utility
Changing the Cryptoki provider manually

Changing the Cryptoki provider with the Unix Installation Utility

You can use the Unix Installation Utility to change the Cryptoki provider.

To change the Cryptoki provider with the Unix Installation Utility

From the main menu, select Set the default cryptoki and/or HSM link.

The Cryptoki Selection screen is displayed.

Gemalto Unix Installation Utility:
Hostname: 66 (Linux 2.6.32-504.16.2.el6.i686)
Main Menu >> Check/Set Default Cryptoki & HSM Menu

-------------------- Cryptoki Selection --------------------
1   SafeNet ProtectToolkit C SDK Software (emulator)
2 * SafeNet ProtectToolkit C SDK Runtime (hardware)
3 * SafeNet Network HSM Access Provider

b back
q quit the utility

Choice (1 2 3 b q) [Redraw]:

Select SafeNet ProtectToolkit C SDK Runtime (hardware) and confirm your selection.

Changing the Cryptoki provider manually

You can change the Cryptoki provider manually.

To change the Cryptoki provider manually

Remove the soft-link.

/opt/safenet/protecttoolkit7/ptk/lib/libcryptoki.so

Recreate the soft-link to point to the SafeNet HSM Cryptoki provider. For example:

The following shell commands are used to enable the HSM (executed as the super-user):
```
# cd /opt/safenet/protecttoolkit7/ptk/lib
# rm libcryptoki.so
# ln -s libcthsm.so libcryptoki.so
```
The following shell commands are used to enable the software emulation (executed as the super-user):
```
# cd /opt/safenet/protecttoolkit7/ptk/lib
# rm libcryptoki.so
# ln -s libctsw.so libcryptoki.so
```

Suggest A Change

Changing the Cryptoki provider

Modifying the ProtectToolkit Windows installation

Using the SetHsmMode.ps1 Windows PowerShell script

To change the Cryptoki provider using SetHsmMode.ps1

Changing the Cryptoki provider with the Unix Installation Utility

To change the Cryptoki provider with the Unix Installation Utility

Changing the Cryptoki provider manually

To change the Cryptoki provider manually

On this page