The PKCS#11 PIN(s) must be protected by additional encryption. The indexerconfigcrypter tool must be used to encrypt the PIN(s).
To encrypt the PIN(s)
- Encrypt the PIN.
The PINs can be encrypted with a custom passphrase; if no custom passphrase is provided, a default one is used. A custom passphrase is more secure, but it requires interaction to start or restart the external-indexer service. Using a custom passphrase is supported on hosts running CentOS 7 or later.
Issue either of the following commands:
  - Using a default password (CentOS 6 or 7): indexerconfigcrypter --input <your-PIN>
  - Using a custom password (CentOS 7 or later): indexerconfigcrypter --input <your-PIN> --password
It is possible to configure multiple slots. In that case, the PINs must be encrypted using the same passphrase.
- Update the "pkcs11" object in the indexerworker.cfg file.
The encrypted PINs must be stored in the "pin" field of the configuration file (in the example, a SoftHSM is used):
    ...
    "pkcs11": {
      "custom_password": true,
      "slots": [
        {
          "library": "/usr/lib/softhsm/libsofthsm.so",
          "slot_id": 0,
          "pin": "<your-encrypted-PIN>"
        }
      ]
    }
    ...
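A pre-restart check for the "pkcs11" object described above, as an added example that is not part of the product or its documentation. It assumes indexerworker.cfg parses as JSON, as the excerpt suggests; check_pkcs11 is a hypothetical name, and treating an all-digit "pin" as unencrypted is a heuristic, not a documented property of the tool's output.

```python
import json

PLACEHOLDER = "<your-encrypted-PIN>"  # placeholder text used in the documentation

def check_pkcs11(cfg_text):
    """Lint the "pkcs11" object of a JSON config; return a list of findings."""
    try:
        cfg = json.loads(cfg_text)
    except json.JSONDecodeError as e:  # e.g. a missing comma between fields
        return [f"invalid JSON at line {e.lineno}, column {e.colno}: {e.msg}"]
    pkcs11 = cfg.get("pkcs11") if isinstance(cfg, dict) else None
    if not isinstance(pkcs11, dict):
        return ['no "pkcs11" object']
    findings = []
    if not isinstance(pkcs11.get("custom_password", False), bool):
        findings.append('"custom_password" is not true/false')
    slots = pkcs11.get("slots")
    if not isinstance(slots, list) or not slots:
        return findings + ['"slots" is not a non-empty list']
    seen = set()
    for i, slot in enumerate(slots):
        if not isinstance(slot, dict):
            findings.append(f"slot {i}: not an object")
            continue
        lib, sid, pin = slot.get("library"), slot.get("slot_id"), slot.get("pin")
        if not isinstance(lib, str) or not lib:
            findings.append(f"slot {i}: missing library path")
        if isinstance(sid, bool) or not isinstance(sid, int):
            findings.append(f"slot {i}: slot_id is not an integer")
        elif (str(lib), sid) in seen:  # same slot listed twice, likely copy/paste
            findings.append(f"slot {i}: duplicate library/slot_id")
        else:
            seen.add((str(lib), sid))
        if not isinstance(pin, str) or not pin:
            findings.append(f"slot {i}: pin missing")
        elif pin == PLACEHOLDER:
            findings.append(f"slot {i}: pin is still the placeholder")
        elif pin.isdigit():  # heuristic (assumption): digits only looks like a raw PIN
            findings.append(f"slot {i}: pin looks unencrypted")
    return findings

# Constructed sample: slot 0 holds a raw PIN, slot 1 repeats slot 0's library/slot_id.
SAMPLE = """{ "pkcs11": { "custom_password": true, "slots": [
  { "library": "/usr/lib/softhsm/libsofthsm.so", "slot_id": 0, "pin": "1234" },
  { "library": "/usr/lib/softhsm/libsofthsm.so", "slot_id": 0,
    "pin": "<your-encrypted-PIN>" } ] } }"""

if __name__ == "__main__":
    for finding in check_pkcs11(SAMPLE):
        print(finding)
```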