ProtectToolkit-C configuration items

This chapter lists the available ProtectToolkit-C configuration items and, where applicable, their default values and valid range of values.

For more information about using configuration items see Configuration items.

General ProtectToolkit-C configuration items

The following configuration items are used to configure PTK-C more generally.

ET_PTKC_GENERAL_CERT_STORE

The location of the PTK client certificate store.

This path can be edited before creating ProtectServer Owner and Identity Certificates (see ProtectServer owner and identity certificates).

• Windows default=%USERPROFILE%.ptk

• Linux default=$HOME/.ptk

ET_PTKC_GENERAL_LEGACY_EDDSA

Whether the HSM uses the vendor-defined values for CKM_EC_EDWARDS_KEY_PAIR_GEN and CKK_EC_EDWARDS instead of the standard PKCS#11 3.0 values. Use this configuration item to ensure that clients compiled with different PTK SDK levels (for example, an application compiled with the ProtectToolkit 7.2.0 SDK and ProtectToolkit 7.1.0 SDK) can send the same requests and receive the same replies.

Valid values:

• Yes - Use the vendor-defined values for CKM_EC_EDWARDS_KEY_PAIR_GEN and CKK_EC_EDWARDS.

• No - Use the standard PKCS#11 3.0 values for CKM_EC_EDWARDS_KEY_PAIR_GEN and CKK_EC_EDWARDS.

Default=No

ET_PTKC_GENERAL_LIBRARY_MODE

The Cryptoki library operating mode and controls which PKCS#11 model is applied to slot and token usage (see Work Load Distribution model (WLD) and High Availability (HA)).

If this item is not defined, or contains an invalid value, then ProtectToolkit-C will operate in NORMAL PKCS#11 mode.

Valid values:

• NORMAL - Standard PKCS#11 mode.

• WLD - Work Load Distribution mode.

• HA - High Availability mode.

Default=NORMAL

Work Load Distribution and High Availability configuration items

The following configuration items are used to configure PTK-C for Work Load Distribution (WLD) and High Availability (HA). For more information about these modes, refer to Work Load Distribution model (WLD) and High Availability (HA).

ET_PTKC_HA_LOG_FILE

The name of the PTK-C file where the Cryptoki library generates log messages while operating in HA mode.

• Windows default= c:\ptk_halog.log

• Linux default=/ptk_halog.log

ET_PTKC_HA_LOG_NAME

The name of the application.

Default=ptk_cryptoki

ET_PTKC_HA_RECOVER_DELAY

The number of minutes the system will wait after an HSM failure before attempting reconnection to the failed HSM. If the value is zero, reconnection is not attempted.

Default=0

ET_PTKC_HA_RECOVER_WAIT

Whether the system will poll and attempt recovery if an HSM has failed. This configuration item is valid only if HA mode is enabled.

Valid values:

• YES

• NO

ET_PTKC_WLD_SLOT_n

The configuration parameters of a WLD slot in a WLD system. In the name of this configuration item, n is an integer (in the range 0 to 99) that defines the slot number. Slot numbers allocated within an application must be unique.

The value of this configuration item is specified in the following format:

<WLDTokenLabel>[,[<WLDTokenSerial#>][,<WLDSlotDescription>]]

• <WLDTokenLabel>

  This variable is mandatory. The PKCS#11 token label for this WLD token identifies the HSM tokens to be used for WLD. The <WLDTokenLabel> should be unique in the complete list of WLD slot configurations.

• <WLDTokenSerial#>

  This variable is optional. You can assign any PKCS#11 token serial number you wish to this WLD token. The default value is the same as the value of n in the configuration variable name.

• <WLDSlotDescription>

  This variable is optional. You can assign any PKCS#11 slot description you wish for this WLD slot. The default value is “WLD Slot:n”, where n is the same as the value of n in the configuration variable name.

Logger configuration items

The following configuration items are used to configure the logger library. For more information about the logger library, refer to PKCS#11 Logger Library.

ET_PTKC_LOGGER_FILE

The name of the PTK-C file where the logger library writes log information.

• Windows default=\ctlog.log

• Linux default=~/ctlog.log

ET_PTKC_LOGGER_LOGMEM

Whether all numeric data, buffer addresses, and the contents of buffer addresses at the input and output of functions (excluding PIN values) are included in log messages.

Valid values:

• TRUE

• FALSE - the contents of buffer addresses at the input and output of functions are omitted, while numeric data and buffer addresses are retained.

Default=TRUE

ET_PTKC_LOGGER_LOGPID

Whether the calling process ID (PID) is included in log messages.

Valid values:

• TRUE

• FALSE

Default=TRUE

ET_PTKC_LOGGER_LOGPIN

Whether the PIN values passed to C_Login, that are used to log into tokens, are included in log messages.

Valid values:

• TRUE

• FALSE

Default=FALSE

ET_PTKC_LOGGER_LOGTID

Whether the thread ID (TID) is included in log messages.

Valid values:

• TRUE

• FALSE

Default=TRUE

ET_PTKC_LOGGER_LOGTIME

Whether the date and time of each message is included in the log.

Valid values:

• TRUE

• FALSE

Default=TRUE

ET_PTKC_LOGGER_PKCS11LIB

Whether the logger is configured for HSM or Software Emulator operating mode on Windows.

• Valid values:

  • C:\Program Files\Safenet\ProtectToolkit 7\Runtime\lib\cryptoki.dll (for HSM mode)

  • C:\Program Files\Safenet\ProtectToolkit 7\C SDK\bin\sw\cryptoki.dll (for Software Emulator mode)

Secure messaging configuration items

The following configuration items are used to configure the Secure Messaging System (SMS). For more information about the SMS, refer to Secure messaging.

ET_PTKC_<serial>_SMPR

The Secure Messaging Policy Register (SMPR) security mode flag(s) to enable.

In the name of this configuration item, <serial> is the serial number of the HSM.

Valid values:

• E - Only messages sent to the HSM that contain sensitive data are encrypted (No clear PINs).

• S - Only messages sent to the HSM are signed (Auth Protection).

• R - Only messages received from the HSM are signed (Auth Replies).

Software Emulator Mode configuration items

The following configuration items are used to configure PTK-C for Software Emulator mode. For more information about configuring Software Emulator mode, refer to Software emulator mode configuration.

ET_PTKC_SW_DATAPATH

The directory within the local file system where keys and configuration information are stored in Software Emulation mode.

• Windows default=C:\cryptoki

• Linux default=$HOME/.cryptoki/cryptoki

ProtectToolkit-C mechanism configuration items

The following configuration items are used to configure PTK-C mechanisms. For more information about PTK-C mechanisms, refer to ProtectToolkit-C Mechanisms.

ET_PTKC_GENERAL_LEGACY_AESKW

Whether the HSM uses the values of CKM_AES_KEY_WRAP and CKM_AES_KEY_WRAP_PAD defined in PKCS#11 2.30.

Valid values:

• YES

• NO

Default=NO

ET_PTKC_GENERAL_LEGACY_CMAC

Whether the HSM uses the values of CKM_AES_CMAC_GENERAL and CKM_AES_CTS defined in PKCS#11 2.30.

Valid values:

• YES

• NO

Default=NO

ET_PTKC_GENERAL_LEGACY_GCM

Whether the HSM uses CKM_AES_GCM_OLD instead of CKM_AES_GCM.

Valid values:

• YES

• NO

Default=NO