1# 2# EP11 token configuration 3# 4# In order to use the EP11 Token you need to specify a list of 5# adapter/domain pairs installed and configured on your system. 6# 7# To force that the default for CKA_SENSITIVE is CK_TRUE for 8# secret keys specify the following option: 9# 10# FORCE_SENSITIVE 11# 12# To enable strict-mode, specify the following option: 13# 14# STRICT_MODE 15# 16# In strict-mode all session-keys will strictly belong to the PKCS#11 17# session that created it. When the PKCS#11 session ends, all session 18# keys created for this session can no longer be used. 19# 20# VHSM_MODE 21# 22# In VHSM-mode (virtual-HSM), all keys generated by the EP-11 token will 23# strictly belong to the EP11 token that created it. Every EP11 token 24# requires a VHSM-pin to be set using the pkcsep11_session tool. 25# 26# The list of mechanisms returned by C_GetMechanismList is filtered 27# using the control point settings of the used crypto adapters. 28# The EP11 CP-filter config file is used to associate certain 29# control points with mechanisms that are dependent on these control 30# points. The default CP-filter config file is 'ep11cpfilter.conf' located 31# in the same directory as this EP11 token configuration file. 32# You can optionally specify the name and/or location of the CP-filter 33# file: 34# 35# CPFILTER /etc/opencryptoki/ep11cpfilter.conf 36# 37# To enable optimization of single part Sign/Verify and Encrypt/Decrypt 38# operations specify the following option: 39# 40# OPTIMIZE_SINGLE_PART_OPERATIONS 41# 42# To optimize digest operations using CPACF the libica library is used. 43# Use the DIGEST_LIBICA option to control which libica library is loaded. 44# Specify the path of the libica library to use a specific libica library, 45# or specify 'DEFAULT' to use the system default libica library. 46# Specify 'OFF' to turn digest optimizations off. 47# 48# DIGEST_LIBICA <libica-path> | DEFAULT | OFF 49# 50# There are 2 ways to specify the crypto adapters: 51# 1) explicitly list of adapter/domain pairs 52# 53# APQN_WHITELIST 54# 8 13 55# 10 13 56# END 57# 58# The adapter and domain may be given in decimal, 59# octal (with leading 0) or hexadecimal (with leading 0x): 60# 61# APQN_WHITELIST 62# 8 0x0d 63# 0x0a 13 64# END 65# 66# Valid adapter and domain values are in the range 0...255 67# 68# 2) any available crypto adapters 69# 70# APQN_ANY 71# 72 73APQN_ANY 74