Chrysalis Lunasa Hsm; Installing External Tokens And Unsupported Hsm - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual

hardware-lunasa2-ca=caPassword

12.2.1. Chrysalis LunaSA HSM

To make sure that the LunaSA HSM works with Red Hat Certificate System, add this configuration
parameter to /etc/Chrystoki.conf:
Misc { NetscapeCustomize=1023; }

12.2.2. Installing External Tokens and Unsupported HSM

To use HSMs which are not officially supported by the Certificate System, the modutil tool can be
used to add that module to the subsystem database manually. If the desired HSM does not appear
in the Key Store panel, check that the HSM is installed and activated correctly. Then run modutil
manually to add the module to the secmod.db database.
To use external encryption devices or tokens, do the following:
1. Install the cryptographic device.
To install the drivers provided by the device manufacturer, follow the vendor's instructions. When
installing a hardware token, there is an opportunity to name it. Use a name that will help identify
the token later.
2. Install the PKCS #11 module.
The PKCS #11 module is installed using the modutil command-line utility.
a. Open the alias directory for the subsystem which is being configured with the PKCS #11
module. For example:
cd /var/lib/rhpki-ca/alias/
b. The required security module database file, secmod.db, should be created by default when
the subsystem is created. If it does not exist, use the modutil utility to create secmod.db.
modutil -dbdir . -nocertdb -create
c. Use the modutil utility to set the library information.
modutil -dbdir . -nocertdb -add module_name -libfile library_file
library_file specifies the path to the library file containing the PKCS #11 interface module and
module_name gives the name of the PKCS #11 module which was set when the drivers were
installed.
• For the LunaSA HSM, do the following:
modutil -dbdir . -nocertdb -add lunasa -libfile /usr/lunasa/lib/libCryptoki2.so
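The wrapper below is an added example, not part of the Red Hat manual. It runs steps b and c in order and then lists the registered modules with modutil -list. Before doing so it refuses a library file that is missing or writable by group or other, since the subsystem loads that file into its own process. The function names, return codes and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the manual. Set DRY_RUN=1 to print the modutil
# commands instead of running them.

# Reject a PKCS #11 library that is missing (1) or group/world-writable (2).
check_library() {
    lib=$1
    [ -f "$lib" ] || { echo "library not found: $lib" >&2; return 1; }
    perms=$(ls -ldL "$lib" | cut -c1-10)      # e.g. -rwxr-xr-x
    case $perms in
        ?????w*|????????w*)                   # group-write or other-write bit
            echo "library is group/world-writable: $lib ($perms)" >&2
            return 2 ;;
    esac
    return 0
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# add_pkcs11_module ALIAS_DIR MODULE_NAME LIBRARY_FILE
add_pkcs11_module() {
    dir=$1 name=$2 lib=$3
    [ -d "$dir" ] || { echo "alias directory not found: $dir" >&2; return 1; }
    check_library "$lib" || return $?
    # Step b: create secmod.db only if the subsystem did not create it.
    if [ ! -f "$dir/secmod.db" ]; then
        run modutil -dbdir "$dir" -nocertdb -create || return 3
    fi
    # Step c: register the module with its library file.
    run modutil -dbdir "$dir" -nocertdb -add "$name" -libfile "$lib" || return 4
    # List the registered modules so the new entry can be confirmed.
    run modutil -dbdir "$dir" -nocertdb -list || return 5
}
```

For the LunaSA values given above, the call is add_pkcs11_module /var/lib/rhpki-ca/alias lunasa /usr/lunasa/lib/libCryptoki2.so.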