PKCS#11 Security Officer
The PKCS #11 Security Officer is a role that is created and managed by the cksotool utility.
The utility creates a softcard and key, which are used to perform operations within the nShield PKCS #11 library as the Security Officer.
The idents of the generated softcard and key are ncipher-pkcs11-so-softcard and ncipher-pkcs11-so-key, respectively.
They are used during Security Officer operations to provide the cryptographic security.
ncipher-pkcs11-so-softcard does not appear in the result of C_GetSlotList and therefore cannot be used to create PKCS #11 keys, or have its PIN changed using C_SetPIN.
To act as the Security Officer within the nShield PKCS #11 library, the Security Officer token and key must be preloaded using the preload utility:
preload -s ncipher-pkcs11-so-softcard pause
The PKCS #11 session must also be logged in as the user CKU_SO.
preload is used so that virtual-slots in load-sharing can be logged into using the usual PKCS #11 API.
This allows Security Officer operations to be performed on keys protected by any token.
It is strongly advised that operations that require loading the PKCS #11 Security Officer token are performed by a dedicated tool, and not integrated into a main application.