Package version 3.10.0
Please see ChangeLog for release specific information.
openCryptoki version 3.10.0 implements the PKCS#11 specification version 2.20.
This package includes several cryptographic tokens: CCA, ICA, TPM, SWToken, ICSF and EP11.
For a more in-depth overview of openCryptoki, please refer to the HOWTO.
- IBM ICA - requires libica library version 2.3.0 or higher for accessing ICA hardware crypto on IBM zSeries.
- IBM CCA - requires IBM XCrypto CEX3C card (or higher) and the CEX3C host libraries and tools version 4.1 (or higher).
- TPM - requires a TPM, TPM tools, and TCG software stack.
- SWToken - The software token uses OpenSSL version 0.9.7 or higher.
- ICSF - The Integrated Cryptographic Service Facility (ICSF) token requires openldap and openldap client software version 2.4.23 or higher. Lex and Yacc are also required to build this token.
- EP11 - The EP11 token is a token that uses the IBM Crypto Express adapters (starting with Crypto Express 4S adapters) configured with Enterprise PKCS#11 (EP11) firmware.
The simplest way to compile this package is to enter the source code main directory and do the following:
- Run the bootstrap.sh script by typing:
$ ./bootstrap.sh
- Configure the source code by typing:
$ ./configure
If you're planning to install the package into your home directory or to a location other than /usr/local, then add the flag --prefix=PATH to configure. For example, if your home directory is /home/luser, you can configure the package to install itself there by invoking:
$ ./configure --prefix=/home/luser
If your stdll headers and libraries are not under any standard path, you will need to pass the paths to your files to the configure script: include directories go in CPPFLAGS (-I) and library directories in LDFLAGS (-L). For instance:
$ CPPFLAGS="-I/path/include" LDFLAGS="-L/path/lib" ./configure
See ./configure --help for info on various options. The default behavior is to build a default token implicitly. For the s390 platform, the default token is ICA. For other platforms, the default token is the software token. Other tokens may be enabled using the corresponding --enable-<tok> configuration option, provided the appropriate libraries are available.
While running, configure prints some messages telling which features it is checking for.
- Compile the package by typing:
$ make
- openCryptoki defaults to be usable by anyone who is in the group pkcs11. Add the pkcs11 group before installing it, by typing as root the command:
# groupadd pkcs11
In addition, add the necessary user to the pkcs11 group (root doesn't need to be in the pkcs11 group). The -a flag appends the group, so the user's existing supplementary groups are kept:
# usermod -a -G pkcs11 <user>
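Because membership in pkcs11 is what grants access to the tokens, it is worth auditing who actually holds it. The script below is an added example, not part of the openCryptoki package; the function names pkcs11_members and pkcs11_unexpected and the allow-list file are hypothetical, and it assumes accounts live in local /etc/group and /etc/passwd rather than LDAP, NIS or SSSD.

```shell
#!/bin/sh
# Added example (not openCryptoki code): list every account that can use
# openCryptoki through the pkcs11 group, either as a supplementary member
# or because pkcs11 is its primary group.
# Usage: pkcs11_members [group_file] [passwd_file] [group_name]
pkcs11_members() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    group_name=${3:-pkcs11}

    # Look up the GID; fail if the group was never created.
    gid=$(awk -F: -v g="$group_name" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || { echo "group $group_name not found" >&2; return 1; }

    {
        # Supplementary members: 4th field of the group entry, comma-separated.
        awk -F: -v g="$group_name" '
            $1 == g {
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }' "$group_file"
        # Accounts whose primary GID is the pkcs11 GID (easy to overlook).
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Print members that are NOT on an allow-list (one user name per line).
# Usage: pkcs11_unexpected allow_file [group_file] [passwd_file] [group_name]
pkcs11_unexpected() {
    allow_file=$1
    shift
    pkcs11_members "$@" | grep -Fxv -f "$allow_file" || true
}
```

Run pkcs11_members as any user after the usermod step; an empty result from pkcs11_unexpected means every member is on the allow-list.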
- Type make install (as root) to install the programs and any data files and documentation. During installation, the following files go to the following directories:
/prefix/sbin/pkcsconf
/prefix/sbin/pkcsslotd
/prefix/sbin/pkcsicsf
/prefix/libdir/libopencryptoki.so
/prefix/libdir/libopencryptoki.so.0
/prefix/libdir/opencryptoki/libopencryptoki.so
/prefix/libdir/opencry