CA EEM Getting Started › FIPS 140-2 Support › How to Configure CA EEM Server in FIPS-only Mode › Configure the CA EEM to use Server certificates in a PKCS#11 Device

Configure the CA EEM to use Server certificates in a PKCS#11 Device

To use nCipher PKCS#11 devices with the CA EEM Server or the CA EEM SDK, configure the nCipher device and set the following property is set as follows:

CKNFAST_OVERRIDE_SECURITY_ASSURANCES=all

Note: For more information about how to configure the nCipher device with a hard token, see the nCipher documentation.

To configure the CA EEM Server to use certificates stored in a PKCS#11 devices, do the following:

1. Stop the iGateway service.
2. Open the iGateway.conf file and edit the <Connector name="defaultport"> CA Portal5250</port> tags to set the following values:
   • certType

     Defines the type of certificate to be used. Supported certificate types are p12, pem, and p11.

     Default: pem

     Type: Childnode

   • Using P11 certificate

     <pkcs11Lib/>—Path to PKCS11 library provided by token

     <token/>—Token id

     <userpin/>—Munged user pin

     <id/>—Certificate and private key id

     <sensitive/>—Private key is sensitive. Sensitive keys are not converted as software keys and crypto operation are performed using the cryptopki hardware (nonsensitive key can be treated as sensitive, but sensitive keys cannot be converted or treated as nonsensitive key)

     Default: False

3. Save and close the iGateway.conf file.
4. Start the iGateway services.