Discuss this help topic in SecureBlackbox Forum

Tuning up TElPKCS11CertStorage

The hardware security module ecosystem is quite heterogeneous. The zoo of cryptographic devices ranges from small and dumb smart cards up to huge and powerful 30-kilo devices installed in a server rack. The PKCS#11 functionality supported by those devices and their drivers varies significantly as well. While we do our best to provide a universal and compatible solution, you may sometimes need to tune the storage component to make it work with a particular device. This article provides guidance on some important properties that you need to know about.

SlotEventMonitoringMode (obsoletes MonitorSlotEvents, which should not be used) specifies the slot event monitoring mode. Three options are available: No Monitoring (default), Standard and Synchronous. This property defines how changes in the slot configuration are monitored and updated. If your application behaves strangely when a token is inserted or removed, try setting this property to semNoMonitoring; most likely the token does not support monitoring correctly.

TokenAccessMode specifies the token access mode: compatible or full. In the compatible mode, only a limited set of attributes is requested from the token for every token object. Unless you really need to access specific object attributes, choose this mode.

ImportOrder specifies the order in which cryptographic objects are imported to the token. Three modes are available: Auto, Certificate First, and Key First. Generally, there is no reason to override the default (Auto) option. However, if you have a problem importing your certificate to the token, try the other options too.

NSSParams specifies the parameters of a soft token, such as the Firefox key storage.
