Checking PKCS11 HSM Functionality
ADSS Server contains a test utility called "test_pkcs11" that performs a full interoperability test on a PKCS#11 device. This is useful for confirming that an HSM, smartcard or crypto USB token can be controlled properly on a given platform using the current firmware and device driver software. The test utility executes a number of test cases that cover all the operations that ADSS Server can perform. A detailed report is generated that can be used to analyse any faults. The test utility tests the SHA2, SHA3 and RipeMD hashing algorithms. It also tests the key sizes for the RSA and ECDSA key algorithms, and tests key wrapping (derive dynamic key wrapping), key unwrapping, HSM connections and HMAC algorithms. Some issues may be expected if certain algorithms are not supported.
The algorithms supported by PKCS#11 for ADSS Server are as follows:
Items | Description
HMAC Algorithms | The utility tests the following HMAC Algorithms:
Hashing Algorithms | The utility tests the following Hashing Algorithms which are categorized on the basis of supported Key Algorithms i.e. RSA and ECDSA:
Key Lengths | The utility tests the following Key Lengths which are categorized on the basis of supported Key Algorithms i.e. RSA and ECDSA:
To run the "test_pkcs11" utility follow these steps:
Windows OS
- Launch a Windows command prompt.
- Change Directory (cd) to [ADSS Server Home]\util\bin\
- Type the following command to run the test utility:
test_pkcs11.bat [PKCS#11 Name] [PKCS#11 Module library] [PKCS#11 Slot id] [PKCS#11 Slot PIN] [FIPS Mode true or false] [Local Path for PKCS#11 Log File] [Logging Level INFO or DEBUG] [HSM Vendor UTIMACO or THALES or SAFENET] [Key Template JSON File Path]
For example:
test_pkcs11.bat aladdin etpkcs11.dll 0 password false C:\Testing\pkcs11.log DEBUG UTIMACO [ADSS-Installation-Dir]\conf\hsm\keytemplates\default_utimaco_key_template.json
If the ADSS Server version is older than v5.9, do not use the parameter [HSM Vendor UTIMACO or THALES or SAFENET].
UNIX OS
- Launch the Terminal.
- Change Directory (cd) to [ADSS Server Home]/util/bin/
- Type the following command to run the test utility:
./test_pkcs11.sh [PKCS#11 Friendly Name] [PKCS#11 Module] [PKCS#11 Slot] [PKCS#11 Slot PIN] [FIPS Mode true or false] [Local Path for PKCS#11 Log File] [Logging Level INFO or DEBUG] [HSM Vendor UTIMACO or THALES or SAFENET] [Key Template JSON File Path]
For example:
./test_pkcs11.sh aladdin libeTPkcs11.so 0 password false /home/adss-test/pkcs11.log DEBUG UTIMACO [ADSS-Installation-Dir]/conf/hsm/keytemplates/default_utimaco_key_template.json
Open the log file (pkcs11.log). If unexpected issues are seen, check that the HSM firmware and the HSM or smartcard device driver are at the current version; otherwise contact Ascertia support at support@ascertia.com.
If the ADSS Server version is older than v5.9, do not use the parameter [HSM Vendor UTIMACO or THALES or SAFENET].
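The UNIX invocation above, wrapped in a script that checks the enumerated arguments against the documented values, creates the log file with owner-only permissions and prompts for the slot PIN instead of having it typed on the command line. This is an added example, not part of ADSS Server; the function names are hypothetical and it assumes it is run from [ADSS Server Home]/util/bin/.

```shell
#!/bin/sh
# Added example, not part of ADSS Server. Function names are hypothetical.
# Argument order follows the test_pkcs11.sh syntax shown on this page.

# check_choice VALUE ALLOWED...: succeed only if VALUE equals one ALLOWED word.
check_choice() {
    value=$1; shift
    for allowed in "$@"; do
        [ "$value" = "$allowed" ] && return 0
    done
    return 1
}

# validate_pkcs11_args FIPS LEVEL VENDOR: reject values outside the documented
# sets. An empty VENDOR is accepted for ADSS Server versions older than v5.9.
validate_pkcs11_args() {
    check_choice "$1" true false || { echo "FIPS mode: true or false" >&2; return 2; }
    check_choice "$2" INFO DEBUG || { echo "Logging level: INFO or DEBUG" >&2; return 2; }
    [ -z "$3" ] || check_choice "$3" UTIMACO THALES SAFENET ||
        { echo "HSM vendor: UTIMACO, THALES or SAFENET" >&2; return 2; }
}

# prepare_log PATH: create the log file readable by its owner only
# (precaution; assumes the log may hold device details).
prepare_log() {
    ( umask 077; : >> "$1" ) && chmod 600 "$1"
}

# run_test_pkcs11 NAME MODULE SLOT FIPS LOG LEVEL VENDOR TEMPLATE
# Prompts for the slot PIN so it never lands in shell history or a script.
run_test_pkcs11() {
    validate_pkcs11_args "$4" "$6" "$7" || return
    prepare_log "$5" || return
    trap 'stty echo 2>/dev/null; exit 130' INT TERM   # restore echo on abort
    printf 'PKCS#11 slot PIN: ' >&2
    stty -echo 2>/dev/null
    IFS= read -r pin
    stty echo 2>/dev/null
    trap - INT TERM
    echo >&2
    # ${7:+"$7"} drops the vendor argument entirely when it is empty.
    ./test_pkcs11.sh "$1" "$2" "$3" "$pin" "$4" "$5" "$6" ${7:+"$7"} "$8"
}

# Run only when called with the eight arguments listed above.
if [ "$#" -eq 8 ]; then
    run_test_pkcs11 "$@"
fi
```

The PIN is still handed to test_pkcs11.sh as an argument, so it remains visible in the process list while the test runs; the prompt only keeps it out of shell history and saved scripts.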