ckcheckinst


PKCS #11 information utility.

Do not use PKCS #11 to perform any task that requires an Administrator Card. Use the equivalent nShield utilities instead.

For instructions on how to verify the installation of the nShield PKCS #11 libraries, see Checking the installation of the nCipher PKCS #11 library.

Option Description

-s, --slot=SLOT

Uses slot SLOT for tests rather than prompting.

-p, --pin=PIN

Uses PIN for the slot rather than prompting.

[WARNING] This will expose the PIN to other users of your system.

Help options

-h, --help

Displays help for ckcheckinst.

-u, --usage

Displays a brief usage summary for ckcheckinst.

-V, --version

Displays the version number of the Security World Software that deploys ckcheckinst.

ckcheckinst output examples: Security World validity

If you have an invalid Security World (for example, if all your HSMs are in the initialization state), ckcheckinst quits with the following error message:

ckcheckinst: C_Initialize failed rv = 00000006
Is the security world initialized? (Use nfkminfo to check)

If your Security World is valid, ckcheckinst displays information similar to the following:

PKCS#11 library interface version 2.40
 flags 0
 manufacturerID "nCipher Corp. Ltd "
 libraryDescription "nCipher PKCS#11 1.#.# "
 implementation version 1.##
 Load sharing and Failover enabled

slot Status Label
===== ====== =====
0 Fixed token "accelerator "
1 Operator card "card2 "
2 Operator card "card3 "
Select slot Number to run library test or 'R'etry or to 'E'xit:

In this example output:

  • PKCS #11 library interface version 2.40 refers to the version of the PKCS #11 specification supported

  • implementation version 1.## refers to the version of the nCipher PKCS #11 library

  • Load sharing and Failover enabled is shown if load-sharing has been enabled. Alternatively, Pool mode enabled is shown if Pool mode has been enabled.

Slots that contain a valid Operator Card are indicated by the status Operator card and the card’s label. A fixed token is always available and is listed as slot 0.

ckcheckinst output examples: invalid cards

If you insert a blank card or an unrecognized card (for example, an Operator Card from a different Security World or an Administrator Card), this is indicated in the Status column. The corresponding slot number is not available.

If you are using the preload command-line utility in conjunction with the nShield PKCS #11 library, you can only see the token that you loaded with the preload utility. In load-sharing mode, the loaded card set is used to set the environment variable CKNFAST_CARDSET_HASH, so only this card set is visible as a slot.

If there is no card in a slot, ckcheckinst displays No token present beside the relevant slot numbers. ckcheckinst gives you the following choices:

No removable tokens present.
Please insert an operator card into at least one available slot and
enter 'R' retry.
If you have not created an operator card or there are no physical slots, enter a fixed token slot number,
or 'E' to exit this program and create a card set before continuing.

If there are no available slots with cards in them, you can choose one of the following actions:

  • Insert a valid Operator Card, and press R

  • Choose a fixed token slot

  • Press E to quit, then create an OCS, and run ckcheckinst again.

When there is at least one slot with a valid token, input a slot number, and press Enter. In a FIPS 140 Level 3 compliant Security World, ckcheckinst prompts you to enter the passphrase for the selected Operator Card. Type the passphrase, and press Enter.

ckcheckinst displays the results of the tests:

Test Pass/Failed
---- -----------
1 Generate RSA key pair Pass
2 Generate DSA key pair Pass
3 Encryption/Decryption Pass
4 Signing/Verify Pass
Deleted test keys ok
PKCS11 Library test successful.

If any tests fail, ckcheckinst displays a message indicating the failure and quits. It does not run any subsequent tests.

If ckcheckinst fails:

  • Check that the hardserver is running

  • Use the enquiry and nfkminfo world.
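
As an added example (not part of the nShield documentation or software), the following Python code parses captured ckcheckinst output in the formats shown on this page and reports success only when all four tests pass, the test keys are deleted, and the final success line appears. The sample texts are constructed from the page's examples; the function name parse_ckcheckinst and the report keys are assumptions of this example.

```python
import re

# Constructed sample outputs, modelled on the examples shown on this page.
SAMPLE_UNINITIALISED = (
    "ckcheckinst: C_Initialize failed rv = 00000006\n"
    "Is the security world initialized? (Use nfkminfo to check)\n"
)
SAMPLE_PASS = '''slot Status Label
===== ====== =====
0 Fixed token "accelerator "
1 Operator card "card2 "
Test Pass/Failed
---- -----------
1 Generate RSA key pair Pass
2 Generate DSA key pair Pass
3 Encryption/Decryption Pass
4 Signing/Verify Pass
Deleted test keys ok
PKCS11 Library test successful.
'''

EXPECTED_TESTS = {"Generate RSA key pair", "Generate DSA key pair",
                  "Encryption/Decryption", "Signing/Verify"}
INIT_FAIL = re.compile(r"C_Initialize failed rv = ([0-9A-Fa-f]{8})")
SLOT_ROW = re.compile(r'^\s*(\d+)\s+(.+?)\s+"([^"]*)"\s*$')
PASS_ROW = re.compile(r"^\s*\d+\s+(.+?)\s+Pass\s*$")


def parse_ckcheckinst(text):
    """Summarise captured ckcheckinst output; 'ok' needs positive evidence."""
    lines = [ln.strip() for ln in text.splitlines()]
    report = {"init_rv": None, "slots": {}, "passed": set(), "ok": False}
    failed_init = INIT_FAIL.search(text)
    if failed_init:  # library never initialised, so nothing else to parse
        report["init_rv"] = int(failed_init.group(1), 16)
        return report
    for line in lines:
        slot, test = SLOT_ROW.match(line), PASS_ROW.match(line)
        if slot:  # labels are printed space-padded, so trim the label
            report["slots"][int(slot.group(1))] = (slot.group(2),
                                                   slot.group(3).rstrip())
        elif test:
            report["passed"].add(test.group(1))
    # Fail closed: every documented test must pass, the test keys must be
    # deleted, and the final success line must be present.
    report["ok"] = (EXPECTED_TESTS <= report["passed"]
                    and "Deleted test keys ok" in lines
                    and "PKCS11 Library test successful." in lines)
    return report
```

Because ckcheckinst quits at the first failed test, a truncated test table leaves `ok` false without the parser needing to recognise any particular failure message.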