To use PKI, you must specify a PKCS#11 module for your PKI device. To do this, perform the following steps:

1. Open the configuration file for your platform:
   Microsoft Windows: C:\ProgramData\NetIQ\Device Service\config.properties
   Linux: /opt/NetIQ/Device Service/config.properties
   Apple Mac OS X: /Library/LaunchDaemons/NetIQ/Device Service/config.properties

2. Remove the hash sign (#) in front of pki.vendorModule to uncomment the parameter.

3. Specify the path to the PKCS#11 module.
   Microsoft Windows:
   for eToken PRO: pki.vendorModule: eToken.dll
   for ruToken: pki.vendorModule: rtPKCS11.dll
   NOTE: You can specify more than one PKCS#11 library by separating them with a semicolon, in the format pki.vendorModule: eToken.dll;rtPKCS11.dll
   If the vendor module is not located in the system32 folder, specify the full path and use \\ as the path separator. Quotation marks are not needed even if the path contains spaces. For example: pki.vendorModule: C:\\Program Files\\ActivIdentity\\ActivClient\\acpkcs211.dll
   Linux:
   for eToken PRO: pki.vendorModule: /usr/lib/libeTPkcs11.so
   Mac OS X:
   for eToken PRO: pki.vendorModule: libeTPkcs11.dylib
   You can find a list of the known PKI modules from the link.
   NOTE: If you have specified several pki.vendorModule values separated by semicolons, you must specify the same number of values for pki.blockingMode. For example: pki.blockingMode: true;false

   The PKI plugin of the Device Service also supports an automatic mode in which the known vendor modules are detected automatically. To use it, specify pki.vendorModule: auto
   The following vendor modules are auto-detectable on each platform, with the blocking mode that is pre-defined for each of them:
   Microsoft Windows:
   rtPKCS11.dll (default pki.blockingMode: true)
   eToken.dll (default pki.blockingMode: true)
   acpkcs211.dll (default pki.blockingMode: false)
   Linux:
   libeToken.so (default pki.blockingMode: true)
   Mac OS X:
   libeToken.dylib (default pki.blockingMode: true)

4. Specify the optional parameters, if required:
   Hash method
   pki.hashMethod: SHA256
   The default value is SHA256, which is used when the parameter is not present. The following methods are also supported: SHA224, SHA384, SHA512, RIPEMD160. Before setting another method, ensure that the PKCS#11 module supports it.
   Padding
   pki.padding: PKCS#1
   The default value is PKCS#1, which is used when the parameter is not present. The following options are also supported: PSS, OAEP.
   Key size
   pki.modulusBits: 2048
   The default value is 2048 bits. Some devices do not support this key size; for example, eToken PRO 32k requires pki.modulusBits: 1024.
   Blocking mode
   pki.blockingMode: true
   The default value is true. OpenSC does not fully support the 'waiting for card' mechanism, so it requires this option to be set to false. Most vendors work fine with the default mode.
   NOTE: If you specify both pki.vendorModule: auto and pki.blockingMode, the pki.blockingMode value does not override the blocking mode that is pre-defined for an auto-detectable vendor module.

5. Save the changes.

6. Restart the workstation.
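The steps above leave a few easy-to-miss consistency rules: the parameter must be uncommented, a multi-module pki.vendorModule needs exactly as many pki.blockingMode values, Windows paths outside system32 must use \\ without quotation marks, and in auto mode the pre-defined blocking modes win over pki.blockingMode. The following Python script, added here as an illustration and not part of the NetIQ Device Service or its documentation, parses a config.properties text and checks those rules against the values documented on this page. The sample configurations inside it are constructed for the example; the parser is a minimal one for the key: value lines shown above, not the Device Service's own loader.

```python
"""Sanity-check the pki.* section of a Device Service config.properties (illustrative)."""
import re
from dataclasses import dataclass, field

# Auto-detectable vendor modules listed on the page, with their pre-defined blocking mode.
AUTO_MODULES = {
    "rtPKCS11.dll": True,
    "eToken.dll": True,
    "acpkcs211.dll": False,
    "libeToken.so": True,
    "libeToken.dylib": True,
}
HASH_METHODS = {"SHA256", "SHA224", "SHA384", "SHA512", "RIPEMD160"}
PADDINGS = {"PKCS#1", "PSS", "OAEP"}

# key: value or key=value; the first ':' or '=' ends the key, so "C:\\..." values survive.
_LINE = re.compile(r"^\s*([^\s:=#!][^\s:=]*)\s*[:=]\s*(.*?)\s*$")


def parse_properties(text: str) -> dict:
    """Minimal properties parser: blank lines and lines starting with '#' or '!' are ignored."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue  # a commented-out pki.vendorModule is simply absent
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


@dataclass
class Report:
    errors: list = field(default_factory=list)
    effective_blocking: dict = field(default_factory=dict)  # module -> blocking mode

    @property
    def ok(self) -> bool:
        return not self.errors


def check_pki_config(text: str) -> Report:
    p = parse_properties(text)
    r = Report()
    module = p.get("pki.vendorModule")
    if not module:
        r.errors.append("pki.vendorModule is missing or still commented out")
        return r

    # Optional parameters: accept only the values the page documents.
    if p.get("pki.hashMethod", "SHA256") not in HASH_METHODS:
        r.errors.append(f"unsupported pki.hashMethod {p['pki.hashMethod']!r}")
    if p.get("pki.padding", "PKCS#1") not in PADDINGS:
        r.errors.append(f"unsupported pki.padding {p['pki.padding']!r}")
    if not p.get("pki.modulusBits", "2048").isdigit():
        r.errors.append("pki.modulusBits must be an integer such as 2048 or 1024")

    blocking_raw = p.get("pki.blockingMode")
    if module == "auto":
        # Pre-defined per-module modes apply; pki.blockingMode does not override them.
        r.effective_blocking = dict(AUTO_MODULES)
        return r

    modules = [m for m in module.split(";") if m]
    for m in modules:
        # In a properties file a lone backslash is an escape: full Windows paths need \\.
        if "\\" in m.replace("\\\\", ""):
            r.errors.append(f"{m}: use \\\\ as the path separator")
        if m.startswith('"') or m.endswith('"'):
            r.errors.append(f"{m}: quotation marks are not needed and must be removed")
    if blocking_raw is None:
        modes = [True] * len(modules)  # documented default
    else:
        modes = [v.strip().lower() == "true" for v in blocking_raw.split(";")]
        if len(modes) != len(modules):
            r.errors.append(f"{len(modules)} vendor module(s) but {len(modes)} pki.blockingMode value(s)")
            return r
    r.effective_blocking = dict(zip(modules, modes))
    return r


# Constructed sample configurations (not taken from any real system).
WINDOWS_OK = r"""
# pki.vendorModule: eToken.dll
pki.vendorModule: eToken.dll;C:\\Program Files\\ActivIdentity\\ActivClient\\acpkcs211.dll
pki.blockingMode: true;false
pki.hashMethod: SHA256
pki.padding: PKCS#1
pki.modulusBits: 2048
"""
MISMATCH = "pki.vendorModule: eToken.dll;rtPKCS11.dll\npki.blockingMode: true\n"
SINGLE_BACKSLASH = r"pki.vendorModule: C:\Program Files\ActivIdentity\ActivClient\acpkcs211.dll"
AUTO_WITH_OVERRIDE = "pki.vendorModule: auto\npki.blockingMode: false\n"
STILL_COMMENTED = "#pki.vendorModule: eToken.dll\n"

if __name__ == "__main__":
    for name in ("WINDOWS_OK", "MISMATCH", "SINGLE_BACKSLASH", "AUTO_WITH_OVERRIDE", "STILL_COMMENTED"):
        rep = check_pki_config(globals()[name])
        print(name, "OK" if rep.ok else rep.errors, rep.effective_blocking)
```

Run it once before restarting the workstation; a mismatch between the number of modules and blocking-mode values, or a path that lost its escaping, shows up as an error instead of as a silently unusable PKI plugin.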