3.3 PKI Settings

To use PKI, you must specify a PKCS#11 module for your PKI device. To do this, perform the following steps:

  1. Open the configuration file for your platform:

    • Microsoft Windows: C:\ProgramData\NetIQ\Device Service\config.properties.

    • Linux: /opt/NetIQ/Device Service/config.properties.

    • Apple Mac OS X: /Library/LaunchDaemons/NetIQ/Device Service/config.properties.

  2. Remove the hash sign (#) in front of pki.vendorModule to uncomment the parameter.

  3. Specify a path to a PKCS#11 module.

    • Microsoft Windows:

      • for eToken PRO: pki.vendorModule: eToken.dll.

      • for ruToken: pki.vendorModule: rtPKCS11.dll.

      NOTE: You can specify more than one PKCS#11 library by separating the entries with semicolons, in the format: pki.vendorModule: eToken.dll;rtPKCS11.dll

      If a vendor module is located outside the system32 folder, specify its full path and write each backslash as \\ (in the .properties format a single backslash starts an escape sequence and is dropped from the value). Quotation marks are not needed even if the path contains spaces. For example, pki.vendorModule: C:\\Program Files\\ActivIdentity\\ActivClient\\acpkcs211.dll.

    • Linux:

      • for eToken PRO: pki.vendorModule: /usr/lib/libeTPkcs11.so.

    • Mac OS X:

      • for eToken PRO: pki.vendorModule: libeTPkcs11.dylib.

    You can find a list of the known PKI modules from the link.

    NOTE: If you have specified several pki.vendorModule values separated by semicolons, you must specify the same number of values for pki.blockingMode, one per module. For example, pki.blockingMode: true;false.

    The PKI plugin of the Device Service also supports an automatic mode in which known vendor modules are detected automatically. To enable it, specify pki.vendorModule: auto.

    The following are the auto detectable vendor modules for different platforms.

    Microsoft Windows

    • rtPKCS11.dll, the default pki.blockingMode: true

    • eToken.dll, the default pki.blockingMode: true

    • acpkcs211.dll, the default pki.blockingMode: false

    Linux

    • libeToken.so, the default pki.blockingMode: true

    Mac OS

    • libeToken.dylib, the default pki.blockingMode: true

  4. Specify the optional parameters (if required):

    1. Hash method

      pki.hashMethod: SHA256

      The default value is SHA256; it applies when the parameter is not present. The following methods are also supported: SHA224, SHA384, SHA512, RIPEMD160. Before setting another method, ensure that the PKCS#11 module supports it.

    2. Padding

      pki.padding: PKCS#1

      The default value is PKCS#1; it applies when the parameter is not present. The following options are also supported: PSS, OAEP.

    3. Key size

      pki.modulusBits: 2048

      The default value is 2048 bits. Some devices do not support this size; for example, the eToken PRO 32k does not, and you must set 1024 to use it. Note that 1024-bit RSA keys no longer meet current key-length recommendations, so lower this value only for such legacy tokens.

    4. Blocking mode

      pki.blockingMode: true

      The default value is true. OpenSC does not fully support the 'waiting for card' mechanism and requires this option to be set to false. Most vendor modules work correctly with the default mode.

      NOTE: If you specify pki.vendorModule: auto together with pki.blockingMode, the pki.blockingMode value does not override the blocking mode that is pre-defined for an auto-detected vendor module.

  5. Save the changes.

  6. Restart the workstation.
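As an added worked example (editor's own code, not part of the NetIQ documentation or the Device Service), the following Python script encodes the rules of the procedure above as a check you can run against config.properties before restarting the workstation: pki.vendorModule uncommented, backslashes doubled in Windows paths, one pki.blockingMode value per pki.vendorModule value, pki.blockingMode ignored with auto, and only the documented hash, padding and key-size values. The AUTO_MODULES table and the supported-value sets are copied from this section; the .properties escape handling is an assumption about how the service reads the file, and the SAMPLE_OK and SAMPLE_BAD inputs are constructed, not real files.

```python
"""Sanity-check pki.* settings in a Device Service config.properties before the restart."""
import re
import sys

HASH_METHODS = {"SHA256", "SHA224", "SHA384", "SHA512", "RIPEMD160"}
PADDINGS = {"PKCS#1", "PSS", "OAEP"}
AUTO_MODULES = {  # auto-detectable modules and their pre-defined blocking mode, per platform
    "windows": {"rtPKCS11.dll": True, "eToken.dll": True, "acpkcs211.dll": False},
    "linux": {"libeToken.so": True},
    "mac": {"libeToken.dylib": True},
}
ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}

def _unescape(raw):
    # .properties escaping (assumed): a backslash consumes the next character (\\ -> \,
    # \t -> tab, \P -> P), which is why C:\Program Files silently becomes C:Program Files.
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(ESCAPES.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)

def parse_properties(text):
    """Return {key: (raw_value, unescaped_value)}; lines starting with '#' or '!' are comments."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and line[0] not in "#!":
            m = re.match(r"([^\s:=]+)\s*[:=]?\s*(.*)$", line)
            if m:
                props[m.group(1)] = (m.group(2).strip(), _unescape(m.group(2).strip()))
    return props

def _split(value):
    return [v.strip() for v in value.split(";") if v.strip()]

def check_pki_settings(text, platform="windows"):
    """Return 'ERROR: ...'/'WARN: ...' findings; an empty list means the settings look sane."""
    props, findings = parse_properties(text), []
    if "pki.vendorModule" not in props:
        return ["ERROR: pki.vendorModule is missing or still commented out (remove the leading #)"]
    raw_modules, modules = props["pki.vendorModule"][0], _split(props["pki.vendorModule"][1])
    # An odd-length run of backslashes contains one that escape handling will eat.
    if platform == "windows" and any(len(r) % 2 for r in re.findall(r"\\+", raw_modules)):
        findings.append("ERROR: single backslash in pki.vendorModule; write every backslash as \\\\")
    blocking = props.get("pki.blockingMode")
    if modules == ["auto"]:
        if blocking is not None:
            findings.append("WARN: pki.blockingMode is ignored with pki.vendorModule: auto; pre-defined modes apply")
    elif blocking is not None:
        values = _split(blocking[1])
        if len(values) != len(modules):
            findings.append(f"ERROR: {len(modules)} pki.vendorModule value(s) but {len(values)} pki.blockingMode value(s)")
        if any(v not in ("true", "false") for v in values):
            findings.append(f"ERROR: pki.blockingMode values must be true or false, got {values}")
    hash_method = props.get("pki.hashMethod", ("", "SHA256"))[1]
    if hash_method not in HASH_METHODS:
        findings.append(f"ERROR: unsupported pki.hashMethod {hash_method!r}")
    padding = props.get("pki.padding", ("", "PKCS#1"))[1]
    if padding not in PADDINGS:
        findings.append(f"ERROR: unsupported pki.padding {padding!r}")
    bits = props.get("pki.modulusBits", ("", "2048"))[1]
    if not bits.isdigit():
        findings.append(f"ERROR: pki.modulusBits must be an integer, got {bits!r}")
    elif int(bits) < 2048:
        findings.append(f"WARN: pki.modulusBits={bits} is below 2048; use only for legacy tokens such as the eToken PRO 32k")
    return findings

def effective_blocking_modes(text, platform="windows"):
    """Resolve the blocking mode each module will actually run with (True = blocking)."""
    props = parse_properties(text)
    modules = _split(props["pki.vendorModule"][1])
    if modules == ["auto"]:
        return dict(AUTO_MODULES[platform])  # pki.blockingMode is not consulted
    if "pki.blockingMode" not in props:
        return {m: True for m in modules}  # documented default
    values = _split(props["pki.blockingMode"][1])
    if len(values) != len(modules):
        raise ValueError("pki.blockingMode needs one value per pki.vendorModule value")
    return {m: v == "true" for m, v in zip(modules, values)}

# Constructed samples mimicking the Windows config.properties described above (not real files).
SAMPLE_OK = r"""
pki.vendorModule: eToken.dll;C:\\Program Files\\ActivIdentity\\ActivClient\\acpkcs211.dll
pki.blockingMode: true;false
pki.hashMethod: SHA256
pki.padding: PKCS#1
"""
SAMPLE_BAD = r"""
pki.vendorModule: C:\Program Files\ActivIdentity\ActivClient\acpkcs211.dll;eToken.dll
pki.blockingMode: false
pki.hashMethod: MD5
pki.modulusBits: 1024
"""

if __name__ == "__main__":  # usage: python check_pki.py config.properties [windows|linux|mac]
    problems = check_pki_settings(open(sys.argv[1], encoding="latin-1").read(), *sys.argv[2:3])
    print("\n".join(problems) or "OK: no problems found")
    sys.exit(1 if any(p.startswith("ERROR") for p in problems) else 0)
```

Run it as python check_pki.py "C:\ProgramData\NetIQ\Device Service\config.properties" windows on the file you just edited; a non-zero exit code means at least one ERROR finding. On SAMPLE_BAD the script reports the single-backslash path, the mismatch between two modules and one blocking-mode value, the unsupported hash method and the 1024-bit key size, which are the four mistakes the procedure above warns about.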