Chapter 11. Managing Tokens
• For an nCipher HSM, do the following:
modutil -dbdir . -nocertdb -add nethsm -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so
11.3. Managing Tokens Used by the Subsystems
There are two main tasks involved in managing the tokens used by Certificate System:
• Viewing tokens
• Changing the token passwords
11.3.1. Viewing Tokens
To view a list of the tokens currently installed for a Certificate System instance, use the modutil
utility.
1. Open the instance alias directory. For example:
cd /var/lib/rhpki-ca/alias
2. Show information about the installed PKCS #11 modules, as well as information on
the corresponding tokens, using the modutil tool.
modutil -dbdir . -nocertdb -list
11.3.2. Changing a Token's Password
The token, internal or external, that stores the key pairs and certificates for the subsystems is
protected (encrypted) by a password. To decrypt the key pairs or to gain access to them, enter the
token password. This password is set when the token is first accessed, usually during Certificate
System installation.
It is good security practice to change the password that protects the server's keys and certificates
periodically. Changing the password minimizes the risk of someone finding out the password. To
change a token's password, use the certutil command-line utility.
For information about certutil, see http://www.mozilla.org/projects/security/pki/nss/tools/.
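The password change described in this section, followed by the password.conf update that it requires, as an added shell example that is not part of the original manual. The function names and file arguments are hypothetical, and the password.conf layout (one tag=password or tag:password line per token) is an assumption to verify against your instance.

```bash
#!/bin/sh
# Added example, not from the Certificate System manual.
# Assumption: password.conf has one "<tag>=<password>" or "<tag>:<password>"
# line per token (for example a tag named "internal").

# update_password_conf CONF TAG NEWPW_FILE
# Rewrites the line for TAG in CONF with the first line of NEWPW_FILE.
# Returns 0 on success, 1 if TAG has no entry, 2 if a file is missing.
update_password_conf() {
    conf=$1 tag=$2 newpw_file=$3
    [ -f "$conf" ] && [ -r "$newpw_file" ] || return 2
    # mktemp creates the file with mode 0600, in the same directory as
    # CONF so the final mv is an atomic rename.
    tmp=$(mktemp "${conf}.XXXXXX") || return 2
    # The password reaches awk through the environment, not argv, and
    # ENVIRON values are used literally (no escape or "&" processing).
    TAG=$tag NEWPW=$(head -n 1 "$newpw_file") awk '
        BEGIN { tag = ENVIRON["TAG"]; pw = ENVIRON["NEWPW"]; n = length(tag) }
        substr($0, 1, n) == tag && substr($0, n + 1, 1) ~ /^[=:]$/ {
            print tag substr($0, n + 1, 1) pw   # keep the original separator
            found = 1
            next
        }
        { print }
        END { exit(found ? 0 : 1) }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$conf"
}

# change_token_password ALIAS_DIR CONF TAG OLDPW_FILE NEWPW_FILE
# certutil -W changes the key database password; -f names the file with the
# current password and -@ the file with the new one. password.conf is only
# touched if certutil succeeded, so the cache never gets ahead of the token.
change_token_password() {
    certutil -W -d "$1" -f "$4" -@ "$5" || return 1
    update_password_conf "$2" "$3" "$5"
}
```

Run it as the account that owns password.conf so the rewritten file keeps an owner the subsystem can read, and remove the two password files once the change is confirmed.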
The single sign-on password cache stores token passwords in the password.conf file. This file must
be manually updated every time the token password is changed. For more information on managing
passwords through the password.conf file, see Section 3.3, "System Passwords".
11.4. Detecting Tokens
To see if a token can be detected by Certificate System to be installed or configured, use the
TokenInfo utility.