DEFAULTKEY

Key alias of the secret/symmetric wrapping key in the token that should be used to wrap and unwrap keys. Required.

WRAPPED_TESTKEY

Key alias of wrapped key stored in the database that can be used to test that unwrapping is working. If specified, the worker will be offline if a test signing cannot be performed with this key. Optional.

PIN

Authentication code for activation. Only required for auto-activation, otherwise manual activation can be performed.

SHAREDLIBRARYNAME

Name of pre-defined PKCS11 library to be used. The available libraries can be configured in signserver_deploy.properties. Required.

SLOTLABELTYPE

Indicates how the slot should be identified. Supported values are SLOT_NUMBER, or SLOT_INDEX. Required.

SLOTLABELVALUE

The slot to use, identified with the type specified in SLOTLABELTYPE:

• SLOT_NUMBER is the number (ID) of the slot

• SLOT_INDEX is the zero-base index of the slot in the list of available slots as returned by the PKCS#11 provider

Required.

SLOT_LABEL is currently not supported.

WRAPPING_CIPHER_ALGORITHM

Cipher algorithm used to wrap the keys by secret/symmetric key. The value can be provided as PKCS#11 mechanism name, long constant value, or hexadecimal constant value. See Wrapping Cipher Algorithm below. (Optional).

Default value is CKM_AES_CBC_PAD.

USE_CACHE

Specify if key and certificate search results from the HSM should be cached. This can prevent problems due to too many find object requests under high load with some PKCS#11 implementations. Optional: default true.