PKCS#11 Security Officer

The PKCS #11 Security Officer is a role that is created and managed by the cksotool utility. The utility creates a softcard and a key, which are used to perform operations within the nShield PKCS #11 library as the Security Officer. The idents of the generated softcard and key are ncipher-pkcs11-so-softcard and ncipher-pkcs11-so-key, respectively. They provide the cryptographic security for Security Officer operations.

ncipher-pkcs11-so-softcard does not appear in the result of C_GetSlotList. It therefore cannot be used to create PKCS #11 keys, and its PIN cannot be changed using C_SetPIN.

To act as the Security Officer within the nShield PKCS #11 library, the Security Officer token and key must be preloaded using the preload utility:

preload -s ncipher-pkcs11-so-softcard pause

The PKCS #11 session must also be logged in as the user CKU_SO. The preload utility is used so that virtual slots in load-sharing can be logged in to using the usual PKCS #11 API. This allows Security Officer operations to be performed on keys protected by any token.

It is strongly advised that operations that require loading the PKCS #11 Security Officer token are performed by a dedicated tool, and not integrated into a main application.
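
A sketch of such a dedicated tool, added here as an example (not nShield code): it opens one read/write session, logs in as CKU_SO, runs a single operation, and always logs out and closes the session. It assumes the Security Officer softcard has already been preloaded as shown above and that the PyKCS11 binding is installed; the PKCS11_MODULE variable, the token-label argument, the function names and the object-count operation are hypothetical.

```python
"""Short-lived Security Officer helper (added example, not nShield code)."""
import getpass
import os
import sys

# Standard constants from the PKCS #11 (Cryptoki) specification.
CKU_SO = 0
CKF_RW_SESSION = 0x2
CKF_SERIAL_SESSION = 0x4


def find_slot(lib, token_label):
    """Return the slot whose token label matches, or raise LookupError."""
    for slot in lib.getSlotList(tokenPresent=True):
        # Token labels are space-padded to 32 characters by the specification.
        if lib.getTokenInfo(slot).label.strip() == token_label:
            return slot
    raise LookupError(f"no slot with token label {token_label!r}")


def run_as_so(lib, token_label, pin, operation):
    """Log in as CKU_SO on one slot, run operation(session), always clean up."""
    slot = find_slot(lib, token_label)
    # Cryptoki only permits a Security Officer login on a read/write session.
    session = lib.openSession(slot, CKF_SERIAL_SESSION | CKF_RW_SESSION)
    try:
        session.login(pin, user_type=CKU_SO)
        try:
            return operation(session)
        finally:
            session.logout()  # drop SO rights even if the operation failed
    finally:
        session.closeSession()


if __name__ == "__main__":
    import PyKCS11  # third-party binding, imported only for real use

    lib = PyKCS11.PyKCS11Lib()
    lib.load(os.environ["PKCS11_MODULE"])  # assumption: operator supplies the path
    pin = getpass.getpass("SO PIN: ")      # never taken from argv or a config file
    # Placeholder operation: count the objects visible in the session.
    print(run_as_so(lib, sys.argv[1], pin, lambda s: len(s.findObjects())))
```

Because the login, the operation and the logout live in one process that exits afterwards, the main application never holds a CKU_SO session.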