Before configuring EzSign with an HSM, it is worth performing a quick check that everything is working as expected and that all libraries and passwords are correct.
The steps below can be used to verify that everything is ready to go.
HSM Status
The nCipher HSMs provide several commands for verifying that the setup is correct.
These utilities are normally located at (on UNIX):
/opt/nfast/bin
Or on Windows:
C:\Program Files (x86)\nCipher\nfast\bin
First run the enquiry command. On Unix, from a shell, run:
./enquiry
On Windows, from a Command Prompt, run:
enquiry.exe
The output will be split into several sections:
Server:
...
Module #1:
...
And if there is more than one module configured you will also see headings for these, e.g.:
Module #2:
...
etc.
The key thing to note is that each of the module entries shows:
mode operational
If there are no entries beneath the Server heading, first try starting the hardserver. On Unix:
/opt/nfast/sbin/init.d-ncipher start
On Windows, start the nFast Server service.
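The status check described above can be scripted so it runs before EzSign is configured. The following is an added example, not part of the original page or of the nCipher tooling; the function name check_enquiry and the whitespace-separated "name value" field layout are assumptions.

```shell
#!/bin/sh
# Added example (not Krestfield or nCipher code); check_enquiry is a hypothetical name.
# Reads `enquiry` output on stdin. Succeeds only if the Server section has entries,
# at least one "Module #N:" section exists and every module reports "mode operational".
# Assumes each field line is "name value" separated by whitespace.
check_enquiry() {
    awk '
        # Finish the section just read; report a module whose mode is not operational.
        function close_section() {
            if (section ~ /^Module #/) {
                modules++
                if (mode != "operational") {
                    printf "%s mode=%s\n", section, (mode == "" ? "missing" : mode)
                    bad++
                }
            }
        }
        { sub(/\r$/, "") }                      # tolerate CRLF output saved on Windows
        /^(Server|Module #[0-9]+):[ \t]*$/ {
            close_section()
            section = $0; sub(/:[ \t]*$/, "", section)
            mode = ""
            next
        }
        $1 == "mode" { mode = $2 }
        section == "Server" && NF > 0 { server_entries++ }
        END {
            close_section()
            if (server_entries == 0) { print "Server: no entries, is the hardserver running?"; bad++ }
            if (modules == 0) { print "no Module sections found"; bad++ }
            exit (bad > 0)
        }
    '
}

# Constructed sample in the layout described above, not captured from a real HSM.
# Real use on Unix: /opt/nfast/bin/enquiry | check_enquiry
check_enquiry <<'EOF' && echo "HSM ready: all modules operational"
Server:
 mode                 operational
Module #1:
 mode                 operational
Module #2:
 mode                 operational
EOF
```

A non-zero exit status lists each module that is not operational, so the function can gate a deployment script before any EzSign properties are written.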
HSM Test Tool
If all looks OK, download the Krestfield HSM Test tool from here
Run the tool as follows:
From a UNIX shell:
> ./hsmtest.sh
From a Windows Command Prompt:
hsmtest.bat
> Krestfield HSM Test Tool
Enter PKCS#11 library path > /opt/nfast/toolkits/pkcs11/libcknfast-64.so <-- Enter the full path to the PKCS#11 library
PKCS#11 Token: Loading the PKCS#11 library: /opt/nfast/toolkits/pkcs11/libcknfast-64.so...
PKCS#11 Token: Loaded PKCS#11 Driver /opt/nfast/toolkits/pkcs11/libcknfast-64.so OK
HSM Driver loaded OK
There are 2 slots:
Slot: 0
slotDescription:
manufacturerID: nCipher Corp. Ltd
flags: CKF_TOKEN_PRESENT | CKF_HW_SLOT
hardwareVersion: 0.00
firmwareVersion: 0.00
Slot: 1
slotDescription: SFHSMTTOCS
manufacturerID: nCipher Corp. Ltd
flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
hardwareVersion: 0.00
firmwareVersion: 0.00
Select Slot > 1 <-- Enter the slot number - normally 1 if an operator card set is in use
PKCS#11 Token: Opening session...
PKCS#11 Token: Opened session for slot 1 OK
HSM Session Opened OK. Session ID: 2251
Enter HSM OCS Passphrase > <-- Enter the operator cardset password and press enter
PKCS#11 Token: Password provided, attempting logon...
PKCS#11 Token: Logged on to Token
Logged in OK. Configuration is good
This tool performs the same operations to connect to the HSM as EzSign. Therefore, if you see this success message, the values entered above can be carried over into the following properties:
channel.1.tokenType=This must be set to PKCS11
channel.1.token.password=Set this as the operator password (as entered above) via the Management Utility
channel.1.token.pkcs11.library=Set this to be the same path as entered above
channel.1.token.pkcs11.slot=Set this to be the same number slot as entered above
e.g.
channel.1.tokenType=PKCS11
channel.1.token.password=Mt3WQvXz6fUy2yhpNC5ZBxCdPJWsy2Ol1QdLH3c1pogbHViP7oDeQA==
channel.1.token.pkcs11.library=/opt/nfast/toolkits/pkcs11/libcknfast-64.so
channel.1.token.pkcs11.slot=1
This should result in a successful HSM setup.