ProtectServer 3 HSM and ProtectToolkit 7
Customer release notes
- ProtectToolkit 7 releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- ProtectServer 3 HSM firmware releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- ProtectServer 3 Network HSM Appliance Software releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- Supported ProtectToolkit 7 platforms
- Supported ProtectServer 3 HSM firmware and boot loader versions
- Known and resolved issues
ProtectServer 3 HSM and ProtectToolkit 7 installation and configuration
- ProtectServer 3 PCIe hardware installation
- ProtectServer 3 External installation and configuration
  - ProtectServer 3 External overview
  - ProtectServer 3 External required items
  - Installing the ProtectServer 3 External hardware
  - Deployment guidelines
  - First log on and system test
  - Network configuration
  - Powering off the ProtectServer 3 External
  - Updating the ProtectServer 3 External appliance software image
- ProtectServer 3+ External installation and configuration
  - ProtectServer 3+ External overview
  - ProtectServer 3+ External required items
  - Installing the ProtectServer 3+ External in a server rack
  - Physical features
  - Deployment guidelines
  - First log on and system test
  - Network configuration
  - Powering off the ProtectServer 3+ External
  - Updating the ProtectServer 3+ External appliance software image
- ProtectToolkit 7 software installation
  - Installing ProtectToolkit 7 on Windows
  - Installing ProtectToolkit 7 on Unix/Linux
  - Installing ProtectToolkit 7 on Unix/Linux manually
  - Deploying ProtectToolkit 7 in a Docker container on Linux
  - Available ProtectToolkit 7 components
- Configuration items
- Utilities command reference
PSESH command reference
- Using PSESH
- PSESH commands
  - audit
    - audit audit
      - audit audit changepwd
      - audit audit init
      - audit audit secret
    - audit log
      - audit log clear
      - audit log rotation
      - audit log show
      - audit log tarlogs
    - audit service
      - audit service enable
      - audit service disable
  - exit
  - files
    - files clear
    - files delete
    - files show
  - help
  - hsm
    - hsm cert
    - hsm factoryreset
    - hsm reset
    - hsm show
    - hsm state
  - network
    - network dns
      - network dns add
        
        network dns add nameserver
        
        network dns add searchdomain
      - network dns delete
        
        network dns delete nameserver
        
        network dns delete searchdomain
    - network domain
    - network hostname
    - network interface
      - network interface bonding
        
        network interface bonding config
        
        network interface bonding disable
        
        network interface bonding enable
        
        network interface bonding show
      - network interface delete
      - network interface dhcp
      - network interface ipv6
      - network interface static
    - network iptables
      - network iptables addrule
        
        network iptables addrule accept
        
        network iptables addrule drop
      - network iptables clear
      - network iptables delrule
      - network iptables save
      - network iptables show
    - network ping
    - network route
      - network route add
      - network route clear
      - network route delete
      - network route show
      - network route default
    - network show
  - package
    - package list
      - package list all
      - package list ptk
    - package install
    - package listfile
  - service
    - service list
    - service restart
    - service start
    - service status
    - service stop
  - status
    - status cpu
    - status date
    - status disk
    - status interface
    - status mac
    - status mem
    - status netstat
    - status ps
    - status time
    - status zone
  - sysconf
    - sysconf appliance
      - sysconf appliance factory
      - sysconf appliance poweroff
      - sysconf appliance reboot
      - sysconf appliance backup create
      - sysconf appliance backup restore
    - sysconf etnetcfg
      - sysconf etnetcfg set
      - sysconf etnetcfg show
    - sysconf snmp
      - sysconf snmp config
      - sysconf snmp disable
      - sysconf snmp enable
      - sysconf snmp show
    - sysconf time
    - sysconf timezone
      - sysconf timezone set
      - sysconf timezone show
  - syslog
    - syslog cleanup
    - syslog export
    - syslog period
    - syslog remotehost
      - syslog remotehost add
      - syslog remotehost clear
      - syslog remotehost delete
      - syslog remotehost list
    - syslog rotate
    - syslog rotations
    - syslog show
    - syslog tail
    - syslog tarlogs
  - user password
ProtectServer HSM migration
- Migrating keys from ProtectServer 2 HSMs to ProtectServer 3 HSMs
- Migrating functionality modules from ProtectServer 2 HSMs to ProtectServer 3 HSMs
ProtectToolkit-C administration
- Introduction
- Cryptoki configuration
  - ProtectToolkit-C model
  - Initial configuration
    - Trust management
    - ProtectServer owner and identity certificates
    - Secure messaging
    - Token replication
  - Changing the Cryptoki provider
  - Work Load Distribution and High Availability
    - WLD system setup
    - Operation in WLD Mode
    - Operation in High Availability Mode
  - Real-time clock
  - ProtectToolkit-C configuration items
- Security policies and user roles
  - Typical security policies
  - Security flags
  - Security policy options
  - User roles
- Audit logging
  - Audit logging overview
  - Configuring and using audit logging
  - Audit log entries and structure
- SNMP monitoring
- Self-tests
- Operational tasks
  - Changing a user or Security Officer PIN
  - Secure key backup and restoration
  - Adding and removing slots
  - Re-initializing a token
  - Multifactor authentication (one-time password)
  - Connecting and removing smart card readers
  - Using Transport Mode to avoid a board removal tamper
  - Adjusting the HSM clock
  - Changing secure messaging mode
  - Using the system event log
  - Updating the HSM firmware or boot loader
  - Installing a functionality module
  - Key entry via PIN pad
  - Resetting the HSM to factory settings
  - Resetting the ProtectServer 3 Network HSM appliance to factory settings
  - Tampering or decommissioning the HSM
  - RMA and shipping back to Thales
- Command-line utilities reference
  - ctcert
  - ctcheck
  - ctconf
  - ctfm
  - ctident
  - ctlimits
  - ctmultitoken
  - ctotp
  - ctkmu
  - ctperf
  - ctstat
  - auditverify
  - ptk7tokmigration
- PKCS#11 attributes
- Sample EC domain parameter files
ProtectToolkit-C programming
- Introduction to PKCS#11
- Environments
- Object classes
  - Creating, modifying, copying, and deleting objects
  - Additional attribute types
  - Common attributes
  - Hardware feature objects
  - Clock objects
  - Monotonic counter objects
  - Storage objects
  - Data objects
  - Certificate objects
  - Key objects
    - Public key objects
    - Private key objects
    - Secret key objects
    - Key parameter objects
- ProtectToolkit-C mechanisms
  - CKM_AES_CBC
  - CKM_AES_CBC_ENCRYPT_DATA
  - CKM_AES_CBC_PAD
  - CKM_AES_CCM
  - CKM_AES_CMAC
  - CKM_AES_CMAC_GENERAL
  - CKM_AES_CTR
  - CKM_AES_ECB
  - CKM_AES_ECB_ENCRYPT_DATA
  - CKM_AES_GCM
  - CKM_AES_GCM_OLD
  - CKM_AES_GMAC
  - CKM_AES_KEY_GEN
  - CKM_AES_KEY_WRAP
  - CKM_AES_KEY_WRAP_PAD
  - CKM_AES_KW
  - CKM_AES_KWP
  - CKM_AES_MAC
  - CKM_AES_MAC_GENERAL
  - CKM_AES_OFB
  - CKM_ARDFP
  - CKM_ARIA_CBC
  - CKM_ARIA_CBC_PAD
  - CKM_ARIA_ECB
  - CKM_ARIA_KEY_GEN
  - CKM_ARIA_MAC
  - CKM_ARIA_MAC_GENERAL
  - CKM_BIP32_CHILD_DERIVE
  - CKM_BIP32_MASTER_DERIVE
  - CKM_CAST128_CBC
  - CKM_CAST128_CBC_PAD
  - CKM_CAST128_ECB
  - CKM_CAST128_ECB_PAD
  - CKM_CAST128_KEY_GEN
  - CKM_CAST128_MAC
  - CKM_CAST128_MAC_GENERAL
  - CKM_CONCATENATE_BASE_AND_DATA
  - CKM_CONCATENATE_BASE_AND_KEY
  - CKM_CONCATENATE_DATA_AND_BASE
  - CKM_DECODE_PKCS_7
  - CKM_DECODE_X_509
  - CKM_DES2_KEY_GEN
  - CKM_DES3_BCF
  - CKM_DES3_CBC
  - CKM_DES3_CBC_ENCRYPT_DATA
  - CKM_DES3_CBC_PAD
  - CKM_DES3_CMAC
  - CKM_DES3_CMAC_GENERAL
  - CKM_DES3_DDD_CBC
  - CKM_DES3_DERIVE_CBC_DEPRECATED
  - CKM_DES3_DERIVE_ECB_DEPRECATED
  - CKM_DES3_ECB
  - CKM_DES3_ECB_ENCRYPT_DATA
  - CKM_DES3_ECB_PAD
  - CKM_DES3_KEY_GEN
  - CKM_DES3_MAC
  - CKM_DES3_MAC_GENERAL
  - CKM_DES3_OFB64
  - CKM_DES3_RETAIL_CFB_MAC
  - CKM_DES3_X919_MAC
  - CKM_DES3_X919_MAC_GENERAL
  - CKM_DES_BCF
  - CKM_DES_CBC
  - CKM_DES_CBC_ENCRYPT_DATA
  - CKM_DES_CBC_PAD
  - CKM_DES_DERIVE_CBC_DEPRECATED
  - CKM_DES_DERIVE_ECB_DEPRECATED
  - CKM_DES_ECB
  - CKM_DES_ECB_ENCRYPT_DATA
  - CKM_DES_ECB_PAD
  - CKM_DES_KEY_GEN
  - CKM_DES_MAC
  - CKM_DES_MAC_GENERAL
  - CKM_DES_MDC_2_PAD1
  - CKM_DES_OFB64
  - CKM_DH_PKCS_DERIVE
  - CKM_DH_PKCS_KEY_PAIR_GEN
  - CKM_DH_PKCS_PARAMETER_GEN
  - CKM_DSA
  - CKM_DSA_KEY_PAIR_GEN
  - CKM_DSA_PARAMETER_GEN
  - CKM_DSA_SHA1
  - CKM_DSA_SHA1_PKCS
  - CKM_DSA_SHA224
  - CKM_DSA_SHA224_PKCS
  - CKM_DSA_SHA256
  - CKM_DSA_SHA256_PKCS
  - CKM_DSA_SHA384
  - CKM_DSA_SHA384_PKCS
  - CKM_DSA_SHA512
  - CKM_DSA_SHA512_PKCS
  - CKM_EC_EDWARDS_KEY_PAIR_GEN
  - CKM_EC_KEY_PAIR_GEN
  - CKM_EC_MONTGOMERY_KEY_PAIR_GEN
  - CKM_ECDH1_DERIVE
  - CKM_ECDSA
  - CKM_ECDSA_GBCS_SHA256
  - CKM_ECDSA_SHA1
  - CKM_ECDSA_SHA224
  - CKM_ECDSA_SHA256
  - CKM_ECDSA_SHA384
  - CKM_ECDSA_SHA3_224
  - CKM_ECDSA_SHA3_256
  - CKM_ECDSA_SHA3_384
  - CKM_ECDSA_SHA3_512
  - CKM_ECDSA_SHA512
  - CKM_ECIES
  - CKM_EDDSA
  - CKM_ENCODE_ATTRIBUTES
  - CKM_ENCODE_PKCS_10
  - CKM_ENCODE_PUBLIC_KEY
  - CKM_ENCODE_X_509
  - CKM_ENCODE_X_509_LOCAL_CERT
  - CKM_EXTRACT_KEY_FROM_KEY
  - CKM_GENERIC_SECRET_KEY_GEN
  - CKM_IDEA_CBC
  - CKM_IDEA_CBC_PAD
  - CKM_IDEA_ECB
  - CKM_IDEA_ECB_PAD
  - CKM_IDEA_KEY_GEN
  - CKM_IDEA_MAC
  - CKM_IDEA_MAC_GENERAL
  - CKM_KECCAK_1600
  - CKM_KEY_TRANSLATION
  - CKM_KEY_WRAP_SET_OAEP
  - CKM_MD2
  - CKM_MD2_HMAC
  - CKM_MD2_HMAC_GENERAL
  - CKM_MD2_KEY_DERIVATION
  - CKM_MD2_RSA_PKCS
  - CKM_MD5
  - CKM_MD5_HMAC
  - CKM_MD5_HMAC_GENERAL
  - CKM_MD5_KEY_DERIVATION
  - CKM_MD5_RSA_PKCS
  - CKM_MILENAGE_DERIVE
  - CKM_MILENAGE_SIGN
  - CKM_NVB
  - CKM_PBA_SHA1_WITH_SHA1_HMAC
  - CKM_PBE_MD2_DES_CBC
  - CKM_PBE_MD5_CAST128_CBC
  - CKM_PBE_MD5_DES_CBC
  - CKM_PBE_SHA1_CAST128_CBC
  - CKM_PBE_SHA1_DES2_EDE_CBC
  - CKM_PBE_SHA1_DES3_EDE_CBC
  - CKM_PBE_SHA1_RC2_128_CBC
  - CKM_PBE_SHA1_RC2_40_CBC
  - CKM_PBE_SHA1_RC4_128
  - CKM_PBE_SHA1_RC4_40
  - CKM_PKCS12_PBE_EXPORT
  - CKM_PKCS12_PBE_IMPORT
  - CKM_PP_LOAD_SECRET
  - CKM_PP_LOAD_SECRET_2
  - CKM_RC2_CBC
  - CKM_RC2_CBC_PAD
  - CKM_RC2_ECB
  - CKM_RC2_ECB_PAD
  - CKM_RC2_KEY_GEN
  - CKM_RC2_MAC
  - CKM_RC2_MAC_GENERAL
  - CKM_RC4
  - CKM_RC4_KEY_GEN
  - CKM_REPLICATE_TOKEN_RSA_AES
  - CKM_RIPEMD128
  - CKM_RIPEMD128_HMAC
  - CKM_RIPEMD128_HMAC_GENERAL
  - CKM_RIPEMD128_RSA_PKCS
  - CKM_RIPEMD160
  - CKM_RIPEMD160_HMAC
  - CKM_RIPEMD160_HMAC_GENERAL
  - CKM_RIPEMD160_RSA_PKCS
  - CKM_RSA_9796
  - CKM_RSA_FIPS_186_4_PRIME_KEY_PAIR_ GEN
  - CKM_RSA_PKCS
  - CKM_RSA_PKCS_KEY_PAIR_GEN
  - CKM_RSA_PKCS_OAEP
  - CKM_RSA_PKCS_PSS
  - CKM_RSA_X9_31_KEY_PAIR_GEN
  - CKM_RSA_X_509
  - CKM_SECRET_RECOVER_WITH_ATTRIBUTES
  - CKM_SECRET_SHARE_WITH_ATTRIBUTES
  - CKM_SEED_CBC
  - CKM_SEED_CBC_PAD
  - CKM_SEED_ECB
  - CKM_SEED_ECB_PAD
  - CKM_SEED_KEY_GEN
  - CKM_SEED_MAC
  - CKM_SEED_MAC_GENERAL
  - CKM_SET_ATTRIBUTES
  - CKM_SHA1
  - CKM_SHA1_EDDSA
  - CKM_SHA1_HMAC
  - CKM_SHA1_HMAC_GENERAL
  - CKM_SHA1_KEY_DERIVATION
  - CKM_SHA1_RSA_PKCS
  - CKM_SHA1_RSA_PKCS_PSS
  - CKM_SHA1_RSA_PKCS_TIMESTAMP
  - CKM_SHA224
  - CKM_SHA224_EDDSA
  - CKM_SHA224_HMAC
  - CKM_SHA224_HMAC_GENERAL
  - CKM_SHA224_KEY_DERIVATION
  - CKM_SHA224_RSA_PKCS
  - CKM_SHA224_RSA_PKCS_PSS
  - CKM_SHA256
  - CKM_SHA256_EDDSA
  - CKM_SHA256_HMAC
  - CKM_SHA256_HMAC_GENERAL
  - CKM_SHA256_KEY_DERIVATION
  - CKM_SHA256_RSA_PKCS
  - CKM_SHA256_RSA_PKCS_PSS
  - CKM_SHA384
  - CKM_SHA384_EDDSA
  - CKM_SHA384_HMAC
  - CKM_SHA384_HMAC_GENERAL
  - CKM_SHA384_KEY_DERIVATION
  - CKM_SHA384_RSA_PKCS
  - CKM_SHA384_RSA_PKCS_PSS
  - CKM_SHA3_224
  - CKM_SHA3_224_EDDSA
  - CKM_SHA3_224_HMAC
  - CKM_SHA3_224_HMAC_GENERAL
  - CKM_SHA3_224_KEY_DERIVE
  - CKM_SHA3_224_RSA_PKCS
  - CKM_SHA3_224_RSA_PKCS_PSS
  - CKM_SHA3_256
  - CKM_SHA3_256_EDDSA
  - CKM_SHA3_256_HMAC
  - CKM_SHA3_256_HMAC_GENERAL
  - CKM_SHA3_256_KEY_DERIVE
  - CKM_SHA3_256_RSA_PKCS
  - CKM_SHA3_256_RSA_PKCS_PSS
  - CKM_SHA3_384
  - CKM_SHA3_384_EDDSA
  - CKM_SHA3_384_HMAC
  - CKM_SHA3_384_HMAC_GENERAL
  - CKM_SHA3_384_KEY_DERIVE
  - CKM_SHA3_384_RSA_PKCS
  - CKM_SHA3_384_RSA_PKCS_PSS
  - CKM_SHA3_512
  - CKM_SHA3_512_EDDSA
  - CKM_SHA3_512_HMAC
  - CKM_SHA3_512_HMAC_GENERAL
  - CKM_SHA3_512_KEY_DERIVE
  - CKM_SHA3_512_RSA_PKCS
  - CKM_SHA3_512_RSA_PKCS_PSS
  - CKM_SHA512
  - CKM_SHA512_EDDSA
  - CKM_SHA512_HMAC
  - CKM_SHA512_HMAC_GENERAL
  - CKM_SHA512_KEY_DERIVATION
  - CKM_SHA512_RSA_PKCS
  - CKM_SHA512_RSA_PKCS_PSS
  - CKM_SSL3_KEY_AND_MAC_DERIVE
  - CKM_SSL3_MASTER_KEY_DERIVE
  - CKM_SSL3_MD5_MAC
  - CKM_SSL3_PRE_MASTER_KEY_GEN
  - CKM_SSL3_SHA1_MAC
  - CKM_TDEA_TKW
  - CKM_TUAK_DERIVE
  - CKM_TUAK_SIGN
  - CKM_UNWRAP_TR31
  - CKM_VISA_CVV
  - CKM_WRAP_TR31_DERIVE
  - CKM_WRAP_TR31_VARIANT
  - CKM_WRAPKEY_AES_CBC
  - CKM_WRAPKEY_AES_KWP
  - CKM_WRAPKEY_DES3_CBC
  - CKM_WRAPKEY_DES3_ECB
  - CKM_WRAPKEYBLOB_AES_CBC
  - CKM_WRAPKEYBLOB_DES3_CBC
  - CKM_X9_42_DH_DERIVE
  - CKM_X9_42_DH_KEY_PAIR_GEN
  - CKM_X9_42_DH_PARAMETER_GEN
  - CKM_XOR_BASE_AND_DATA
  - CKM_XOR_BASE_AND_KEY
  - CKM_ZKA_MDC_2_KEY_DERIVATION
  - PTK-C vendor-defined error codes
- Supported ECC curves
- C sample programs
- Best practice guidelines
  - Application security
  - Application usability
  - Performance
  - Capacity
  - Setup and configuration
  - Maintainability
  - Debugging
  - Interoperability
  - Programming in FIPS Mode
  - Key management
  - Hierarchical deterministic wallets in ProtectToolkit
- ctbrowse - token browser
- API tutorial: development of a sample application
- PKCS#11 logger library
- PKCS#11 command reference
  - General purpose functions
  - Slot and token management functions
  - Session management functions
  - Object management functions
  - Encryption functions
  - Decryption functions
  - Message digesting functions
  - Signing and MACing functions
  - Functions for verifying signatures and MACs
  - Dual-function cryptographic functions
  - Key management functions
  - Random number generation functions
  - Parallel function management functions
  - Extra functions
- ctutil.h functionality reference
- ctextra.h library reference
- hex2bin.h library reference
- hsmadmin.h library reference
- Attribute certificate
ProtectToolkit-C management libraries programming
- KMLIB sample applications
- KMLIB callback prototypes reference
- KMLIB function reference
ProtectToolkit-J reference
- ProtectToolkit-J overview
- JCA/JCE API overview
  - Encryption and decryption
  - Message digests
  - Message authentication code (MAC)
  - Authentication
  - Key management
  - Error handling and exceptions
- Supported ciphers
  - DES
  - DESede
  - AES
  - IDEA
  - CAST128
  - RC2
  - RC4
  - PBE ciphers
  - RSA
- Supported signature algorithms
- Supported MAC algorithms
- Supported message digest algorithms
- Key Management Utility (KMU) reference
  - Compatibility issues
  - Main KMU interface
  - Logging into and out from tokens
  - Creating keys
  - Editing key attributes
  - Deleting a key
  - Display key check value
  - Importing and exporting keys
  - Key backup feature tutorial
- Administration Utility (gCTAdmin) reference
  - Logging in and out
  - Main gCTAdmin Interface
  - Slot and token management
  - HSM management
- KMU key check value (KCV) calculation
- Key generation
- Key management
- Best practice guidelines
- Java sample programs
- JCA/JCE API tutorial
  - Public key cryptography
  - FileCrypt application
  - File encryption
  - File decryption
  - Accessing public keys
  - Main()
- Random number generation
- References
ProtectToolkit-M reference
- Overview
- Setup and configuration
  - User roles
  - Initial configuration: mandatory steps
  - Security mode descriptions
  - Security mode flag descriptions
  - Allocating keyset space
  - Configuration options
  - SafeNet KSP for CNG registration utilities
  - Configuring IIS7 (Win2008) with CNG
- Administrative tasks
  - Changing the device administrator password
  - Allocating keyset space
  - De-allocating keyset space
  - Creating user keysets
  - Deleting a keyset
  - Setting the adapter Transport Mode
  - Correcting clock drift
  - Viewing and purging the HSM event log
  - Checking and upgrading HSM firmware
  - Tampering the HSM
  - Backing up a keyset
  - Restoring a keyset
  - Enabling private key clear export
- User tasks
- Administration and user utilities
  - Administration Utility
  - Keyset Management Utility
  - createcert
- Integration with Microsoft CA
  - Setting up a CA with ProtectToolkit-M
  - Certificate template support for SafeNet CSPs
  - CA replication (key backup and recovery)
  - Private key archiving and recovery
- Integration with IIS
  - Creating a certificate
  - Installing a certificate for use with IIS
- Work Load Distribution
- Registry configuration
FM SDK programming
- Overview
- FM architecture
- FM development
- FM samples
- Building sample FMs in Emulation Mode on Windows
- Configuring WSL 2 for FM development and deployment
- FM deployment
- Utilities reference
- Cipher object
  - FmCreateCipherObject
  - Cipher object functions
  - Algorithm-specific cipher information
- Hash object
  - FmCreateHashObject
  - Hash object functions
- Setting privilege level
- SMFS reference
- FMDEBUG reference
- Message Dispatch API reference
- HSM functions reference
  - HIFACE reply management functions
  - Functionality module dispatch switcher function
  - Serial communication functions
  - High resolution timer functions
  - Cprov function patching helper function
  - Current application ID functions
  - PKCS#11 state management functions
  - Functionality module header definition macro
- USB API reference
ProtectServer 3 HSM and ProtectToolkit 7 troubleshooting
- Installation troubleshooting
- ProtectToolkit-J troubleshooting
- ProtectToolkit-M troubleshooting
Third-Party Software Licenses

Environments

This section describes how ProtectToolkit-C is supplied in different environments, provides development environment guidelines, and lists links to setup and configuration instructions.

Application environment

ProtectToolkit-C can be used in Win64™, Linux, and Java™ environments.

Win64™ environment

ProtectToolkit-C is supplied as a Win64 Dynamic Link Library (cryptoki.dll) built with Microsoft development tools (MSVC). cryptoki2.lib is an import library that should be linked against applications to resolve function calls into cryptoki.dll.

Unix environments

This is supplied as shared libraries. The hardware based ProtectToolkit-C library is stored as the shared library libcthsm.so (libcthsm.a for AIX) and the software-only version as libctsw.so (libctsw.a for AIX). The symbolic link libcryptoki.so (libcryptoki.a for AIX) is setup in the /opt/safenet/protecttoolkit7/ptk/lib folder and should point to the appropriate library. Additionally these libraries must be included in the LD_LIBRARY_PATH (LIBPATH for AIX).

The libcthsm shared object requires the library libethsm.

Java™ environments

A lightweight proprietary Java wrapper for PKCS#11 API, JCPROV, is provided to allow access to the ProtectToolkit-C functionality from Java, without the overhead of the JCA/JCE API. The aim of this API is to be as similar to the PKCS#11 as the Java language allows. This provides a high level of familiarity with the PKCS#11 environment and allows for faster implementation of Java programs.

The Java API is compatible with OpenJDK 7, 8, 9, 10, 11, and 17. The library is implemented in jcprov.jar, under the namespace safenet_tech.jcprov. An accompanying shared library “jcprov” (jcprov.dll in Win32/64 environments, and libjcprov.so in Unix environments (libjcprov.a for AIX) provides the native methods used to access the appropriate PKCS#11 library.

JCPROV Java JNI support (AIX only)

The Java VM on AIX does not support mixed mode JNI libraries, which are shared libraries that provide both 32-bit and 64-bit interfaces. Select the correct JNI library for the Java VM.

32-bit Java VM

The /opt/safenet/protecttoolkit7/ptk/lib/libjcprov.a symbolic link must point to a 32-bit version of the library (libjcprov_32.a).

For example: /opt/safenet/protecttoolkit7/ptk/lib/libjcprov_32.a
The /opt/safenet/protecttoolkit7/ptk/lib/libjcryptoki.a symbolic link must point a 32-bit version of the library (libjcryptoki_32.a).

For example: /opt/safenet/protecttoolkit7/ptk/lib/libjcryptoki_32.a

64-bit Java VM

The /opt/safenet/protecttoolkit7/ptk/lib/libjcprov.a symbolic link must point to a 64-bit version of the library (libjcprov_64.a).

For example: /opt/safenet/protecttoolkit7/ptk/lib/libjcprov_64.a
The /opt/safenet/protecttoolkit7/ptk/lib/libjcryptoki.a symbolic link must point a 64-bit version of the library (libjcryptoki_64.a).

For example: /opt/safenet/protecttoolkit7/ptk/lib/libjcryptoki_64.a

Note

When installing the ProtectToolkit-C Runtime package, the above links are automatically created to use the 32-bit versions of the JNI libraries.

Development Environment guidelines

This guide gives a number of application development guidelines that can be of benefit for both novice and advanced developers using ProtectToolkit-C.

An API tutorial is provided in API tutorial: development of a sample application.

Further sample programs, for which source code has been provided, can be compiled and linked against the supplied libraries. Further details about the sample programs are covered in Chapter 5.

The additional libraries ctextra, ctutil, hex2bin and LMlib are static libraries that contain additional PKCS#11 support and helper functions that are not a part of the PKCS#11 standard.

For details on the content of these libraries refer to the following sections:

The library HSMAdmin calls services on the HSM that are not part of the PKCS#11 standard - refer to hsmadmin.h library reference for details.

This development kit can be used to build applications for any variant of the ProtectToolkit-C runtimes.

Note

It is assumed that the Native C/C++ compiler is being used.

Compiling and linking applications on AIX

It is important that new applications link against libraries in the /opt/safenet/protecttoolkit7/ptk/lib directory instead of the libraries in the /opt/safenet/protecttoolkit7/ptk/lib/legacy directory. This can be achieved by using the -L/opt/safenet/protecttoolkit7/ProtectToolkit/lib argument to the compiler or linker. Do not specify the /opt/safenet/protecttoolkit7/ptk/lib/legacy library path, since the legacy shared libraries are deprecated, and support is to be removed in a future release.

You may also want to explicitly specify an embedded library path when linking your own applications and libraries, so that your applications automatically find the required libraries without requiring the LIBPATH environment variable to be set. Do this by using the -blibpath:/usr/lib:/lib:/opt/safenet/protecttoolkit7/ptk/lib option to the linker (ld), or alternatively (if using the compiler to link):

-Wl,-blibpath:/usr/lib:/lib:/opt/safenet/protecttoolkit7/ptk/lib

Compiling and linking 64-bit applications on AIX

To compile 64-bit applications for AIX specify the following compiler and linker flags:

-q64###

MSVC project settings

In order to remove link errors when linking to the additional libraries ctextra and ctutil etc, you need to set the MSVC project settings to Multithreaded under the C/C++ tab of the Code generation category, since this is what the libraries were compiled with.

Also add “_WINDOWS” to the Preprocessor definitions under the C/C++ tab of the General category.

Modes of operation

To switch the ProtectToolkit-C operational mode, you will need to ensure that you are linking to the correct cryptoki.dll. For more information, refer to Changing the Cryptoki provider.

Setup and configuration

For details regarding setup and configuration of ProtectToolkit-C and ProtectServer 3 HSMs, refer to:

Suggest A Change

Environments

Application environment

Win64™ environment

Unix environments

Java™ environments

JCPROV Java JNI support (AIX only)

Development Environment guidelines

Compiling and linking applications on AIX

Compiling and linking 64-bit applications on AIX

MSVC project settings

Modes of operation

Setup and configuration

On this page