PKCS#11 library with the preload utility
You can use the preload command-line utility to preload K/N OCSs before actually using PKCS #11 applications.
The preload utility loads the logical token and then passes it to the PKCS #11 utilities.
You must provide any required passphrase for the tokens when using preload to load the card set.
However, because the application is not aware that the card set has been preloaded, the application operates normally when handling the login activity (including prompting for a passphrase), but the PKCS #11 library will not actually check the supplied passphrase.
preload must also be used with the cksotool utility to perform operations that require the PKCS #11 Security Officer role.
Normally, preload uses environment variables to pass information to the program using the preloaded objects, including the PKCS #11 library.
Therefore, if the application you are using is one that clears its environment before the PKCS #11 library is loaded, you must set the appropriate values in the cknfastrc file (see nShield PKCS #11 library environment variables).
The current environment variables remain usable.
The default setting for the CKNFAST_LOADSHARING environment variable changes from specifying load-sharing as disabled to specifying load-sharing as enabled.
Moreover, in load-sharing mode, the loaded card set is used to set the environment variable CKNFAST_CARDSET_HASH so that only the loaded card set is visible as a slot.
The NFAST_NFKM_TOKENSFILE environment variable must also be set in the cknfastrc file to the location of the preload file (see nShield PKCS #11 library environment variables).
A logical token preloaded by preload for use with the nShield PKCS #11 library is the only such token available to the application for the complete invocation of the library.
You can use more than one HSM with the same card set.
If the loaded card set is non-persistent, then a card must be left in each HSM on which the set has been loaded during the start-up sequence. After a non-persistent card has been removed, the token is not present even if the card is reinserted.
If load-sharing has been specifically switched off, you see multiple slots with the same label.
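As an added example (not part of the nShield documentation or tooling), the following shell function checks a cknfastrc file for the settings described above: that NFAST_NFKM_TOKENSFILE is set and points to a readable preload file, and whether load-sharing has been switched off. It assumes one NAME=value assignment per line and that a CKNFAST_LOADSHARING value beginning with 0, N or n disables load-sharing; the function names and the temporary paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a cknfastrc file for the settings a preloaded
# card set needs when the application clears its environment.
# Assumption: the file holds one NAME=value assignment per line.

# get_setting FILE NAME -> prints the value of the last NAME= line, if any
get_setting() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# check_cknfastrc FILE -> returns 0 if usable with preload, 1 otherwise
check_cknfastrc() {
    rc_file=$1
    result=0
    if [ ! -r "$rc_file" ]; then
        echo "FAIL: cannot read $rc_file"
        return 1
    fi

    tokens_file=$(get_setting "$rc_file" NFAST_NFKM_TOKENSFILE)
    if [ -z "$tokens_file" ]; then
        echo "FAIL: NFAST_NFKM_TOKENSFILE is not set"
        result=1
    elif [ ! -r "$tokens_file" ]; then
        echo "FAIL: preload file $tokens_file is missing or unreadable"
        result=1
    else
        echo "OK: preload file is $tokens_file"
    fi

    # Load-sharing is enabled by default under preload. Switching it off
    # exposes one slot per HSM, all carrying the same label.
    # Assumption: values starting with 0, N or n mean "disabled".
    case $(get_setting "$rc_file" CKNFAST_LOADSHARING) in
        0*|N*|n*) echo "WARN: load-sharing switched off, expect duplicate slot labels" ;;
    esac
    return "$result"
}

# Constructed sample: a temporary directory stands in for the real paths.
demo_dir=$(mktemp -d)
: > "$demo_dir/preload-tokens"          # stand-in for the preload file
printf 'NFAST_NFKM_TOKENSFILE=%s\nCKNFAST_LOADSHARING=0\n' \
    "$demo_dir/preload-tokens" > "$demo_dir/cknfastrc"
check_cknfastrc "$demo_dir/cknfastrc"
rm -rf "$demo_dir"
```

Run it against the cknfastrc file the application will actually read, as the same user the application runs as, so that the readability check on the preload file reflects that user's permissions.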