PKCS#11 without load-sharing or HSM Pool modes

The nShield PKCS #11 library makes each nShield module appear to your PKCS #11 application as two or more PKCS #11 slots, unless you have set CKNFAST_NO_ACCELERATOR_SLOTS.

The entry called accelerator cannot be used to create private objects. It can be used to create module-protected keys.

The first slot represents the module itself. This token:

  • Appears as a non-removable hardware token and has the flag CKF_REMOVABLE not set

  • Has the flag CKF_LOGIN_REQUIRED not set (C_Login always fails on this flag).

Applications can ignore this slot, but you can use the slot to store public session objects or for functions that do not use objects (such as C_GenerateRandom) even when the smart-card is not present.

The second slot represents the smart-card reader. This token:

  • appears as a PKCS #11 slot, potentially containing a removable hardware token that has the flag CKF_REMOVABLE set

  • is marked as removed if the smart card is removed from the physical slot

  • has the flag CKF_LOGIN_REQUIRED

  • allows the creation of token objects.

To use softcards with PKCS #11, load-sharing mode must be enabled.

A PKCS #11 token can support multiple concurrent sessions on multiple applications. However, by default, only one token may be logged in to a given slot at a given time (see K/N support for PKCS #11). By default, when you insert a new card into a slot, the nShield PKCS #11 library automatically logs out any token that had been logged in to the slot previously.

The C_InitToken function is not supported for use in non-load-sharing FIPS 140 Level 3 Security Worlds.

K/N support for PKCS #11

If you use the nShield PKCS #11 library without load-sharing mode or HSM Pool mode, you can implement K/N card set support in two ways:

  • By using the nShield-specific API calls, C_LoginBegin, C_LoginNext, and C_LoginEnd

  • By using the preload command-line utility to load the logical token first.