Red Hat CERTIFICATE SYSTEM 8 Install Manual page 29

service subsystem_name start
2. Open the /etc/Chrystoki.conf configuration file.
3. Add this configuration parameter.
Misc { NetscapeCustomize=1023; }
4. If they are there, remove these two configuration lines for the applet version.
AppIdMajor=2;
AppIdMinor=4;
Then, after going through the subsystem configuration, but before restarting the server when
completing the configuration wizard, edit the subsystem configuration to recognize the token:
1. Stop the server.
service subsystem_name stop
2. Edit the instance's serverCertNick.conf file in the /var/lib/subsystem_name/conf
directory. Add the HSM token name to the serverCert parameter.
The original value only points to the server:
Server-Cert instanceID
The new value includes a reference to the LunaSA HSM:
lunasa3-ca:Server-Cert instanceID"
3. Start the server.
service subsystem_name start
2.5.2.3. Installing External Tokens and Unsupported HSM
To use HSMs which are not officially supported by the Certificate System, add the module to the
subsystem database manually. If the desired HSM does not appear in the Security Modules panel
during the subsystem configuration, check that the HSM is installed and activated correctly. Then run
modutil manually to add the module to the secmod.db database.
1. Install the cryptographic device, using the manufacturer's instructions. Be sure to name the token
something that will help identify it easily later.
2. Install the PKCS #11 module using the modutil command-line utility.
a. Open the alias directory for the subsystem which is being configured with the PKCS #11
module. For example:
Using Hardware Security Modules with Subsystems
19