Red Hat CERTIFICATE SYSTEM 8 Install Manual page 30


Chapter 2. Prerequisites Before Installing Certificate System
cd /var/lib/pki-ca/alias
b. The required security module database file, secmod.db, should be created by default when
the subsystem is created. If it does not exist, use the modutil utility to create secmod.db.
modutil -dbdir . -nocertdb -create
c. Use the modutil utility to set the library information.
modutil -dbdir . -nocertdb -add module_name -libfile library_file
library_file specifies the path to the library file containing the PKCS #11 interface module and
module_name gives the name of the PKCS #11 module which was set when the drivers were
installed.
• For the LunaSA HSM:
modutil -dbdir . -nocertdb -add lunasa -libfile /usr/lunasa/lib/libCryptoki2.so
• For an nCipher HSM:
modutil -dbdir . -nocertdb -add nethsm -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so
2.5.2.4. Setting up SELinux on nCipher netHSM 2000
SELinux policies are created and configured automatically for all Certificate System instances, so
Certificate System can run with SELinux in enforcing or permissive modes.
If SELinux is in enforcing mode, then any hardware tokens to be used with the Certificate System
instances must also be configured to run with SELinux in enforcing mode, or the HSM will not be
available during subsystem installation.
IMPORTANT
SELinux must be configured for the HSM before installing any Certificate System
instances.
1. Install the SELinux packages for Certificate System.
yum install pki-selinux
2. Reset the context of files in /dev/nfast to match the newly-installed policy.
/sbin/restorecon -R /dev/nfast
3. Restart the netHSM software.
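Added example, not part of the Red Hat manual: a check that the module registration step above took effect, by parsing modutil -list output for the expected module name and library path. The function names and the embedded listing are assumptions made for illustration; the listing is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: confirm a PKCS #11 module is registered in secmod.db with the
# expected library path by parsing `modutil -list` text read from stdin.

# module_registered NAME LIBFILE
# Returns 0 if the listing has an entry NAME whose "library name:" is LIBFILE.
module_registered() {
    awk -v name="$1" -v lib="$2" '
        { sub(/[ \t\r]+$/, "") }                  # drop trailing blanks / CR
        /^[ \t]*[0-9]+\.[ \t]/ {                  # "  2. lunasa" opens an entry
            sub(/^[ \t]*[0-9]+\.[ \t]+/, "")
            current = $0
            next
        }
        /library name:/ {
            sub(/^.*library name:[ \t]*/, "")
            if (current == name && $0 == lib) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample, modelled on `modutil -list` output after only the
# LunaSA command from the procedure has been run (assumption, not captured).
sample_modutil_list() {
    cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

  2. lunasa
        library name: /usr/lunasa/lib/libCryptoki2.so
         slots: 1 slot attached
        status: loaded
-----------------------------------------------------------
EOF
}

# report NAME LIBFILE: print the verdict for one expected module.
report() {
    if sample_modutil_list | module_registered "$1" "$2"; then
        echo "registered: $1 -> $2"
    else
        echo "NOT registered: $1 ($2)"
    fi
}
report lunasa /usr/lunasa/lib/libCryptoki2.so
report nethsm /opt/nfast/toolkits/pkcs11/libcknfast.so
```

On the CA host, pipe the output of modutil -dbdir /var/lib/pki-ca/alias -nocertdb -list into module_registered in place of the sample. A wrong or missing library path shows up here before subsystem installation fails to find the HSM.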


This manual is also suitable for:

System 8 - install guide 25-03-2010
