RSA Keon Ready Implementation Guide For PKI 3rd Party Application

Keon CA Installation
If nCipher hardware, server software, and PKCS #11 library are installed before Keon CA, Keon
CA determines that nCipher support is available during installation. To install Keon CA using an
nCipher smart card, the smart card must be initialized prior to beginning the Keon CA
installation. See “Initializing nCipher Smart Cards for Use With Keon CA” in the nShield User
Guide for more information.
Note that for Solaris versions, Keon CA must be installed by the “root” user to allow operation
with nCipher hardware.
Adding nForce or nShield Support to an Existing Keon CA Installation
To add smart card support to an existing Keon CA installation that does not use smart cards,
you do not need to reinstall Keon CA.
To add nCipher smart card support to an existing installation:
0. Install the nCipher hardware, server software, and PKCS #11 library as described in the
following sections.
1. Initialize a smart card and insert it into the reader. See “Initializing nCipher Smart Cards
for Use With Keon CA”
2. Stop the Keon CA Administration Server and Secure Directory Server.
3. Add a directive to the top of /Xudad/conf/xudad.conf to specify the
location of the nCipher PKCS #11 dynamic link library. For Windows NT/Windows
2000, the default-installed location is C:\nfast\bin\cknfast.dll . For example:
crypto_providers “pkcs11v2,C:\nfast\bin\cknfast.dll”
For Solaris, the default installed location is /opt/nfast/gcc/lib/libcknfast.so. For
example:
crypto_providers “pkcs11v2,/opt/nfast/gcc/lib/libcknfast.so”
4. Add a directive to the end of /WebServer/conf/Keon.conf to specify the
location of the nCipher PKCS #11 dynamic link library.
For Windows NT/Windows 2000 the directive should read:
crypto_providers = pkcs11v2,C:\nfast\bin\cknfast.dll
For Solaris the directive should read
crypto_providers = pkcs11v2,/opt/nfast/gcc/lib/libcknfast.so
5. Start the Keon CA Administration Server and Secure Directory Server.