About this document

This is the official documentation to configure and install the eTokenServer servlet (v2.0.4).

This document provides an in-depth overview of the light-weight crypto library, a standard-based solution developed by INFN Catania for central management of robot credentials and provisioning of digital proxies to get seamless and secure access to computing e-Infrastructures supporting the X.509 standard for Authorisation.

In this solution robot certificates are available 24h per day on board of USB eToken PRO [1] 32/64 KBytes smart cards having the following technical specification:


We appreciate attribution. In case you would like to cite the Java light-weight crypto library in your papers, we recomment that you use the following reference:

V. Ardizzone, R. Barbera, A. Calanducci, M. Fargetta, E. Ingra’, I. Porro, G. La Rocca, S. Monforte, R. Ricceri, R. Rotondo, D. Scardaci and A. Schenone *The DECIDE Science Gateway* Journal of Grid Computing (2012) 10:689-70 DOI 10.1007/s10723-012-9242-3

We also would like to be notified about your publications that involve the use of the Java light-weight crypto libraries, as this will help us to document its usefulness. We like to feature links to these articles, with your permission, on our Web site. Additional reference to the Java light-weight crypto library and other relevant activities can be fould at [2].


Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Conventions used in this document

The following typographical conventions are used in this document:

Indicates new terms, URLs, filenames, and file extentions
Constant width italic
Shows text that should be replaced with user-specific values

warning This icon indicates a warning or caution.

download This icon indicates that there are files to be downloaded.

Chapter I - System and Software Requirements

This chapter provide the list of requirements and the basic information that you need to know to install and configure the servlet.

# Server OS and Arch. Host. Cert Disk Space CPU and RAM
1 Physical machine with at least 2 USB ports perfectly working SL release 5.10 (Boron) x86_64 GNU/Linux Yes >= 80 GB >= 4 cores >= 8 GB RAM Swap >=4 GB


  • The server must be registered to the DNS with direct adn reverse resolution;
  • Please set a human readable server hostname for your server (e.g. etoken<your-domain>);
  • The OS installation should include the X-server since it is needed to open etProps app;
  • This installation has been successfully tested with eToken PRO 32/64 KBytes USB smart cards;
  • At least 1 USB eToken PRO 75 KBytes must be available before the installation (contact SafeNet Inc. [3] to find a neighbor reseller and get prices).

OS and repos

Start with a fresh installation of Scientific Linux 5.X (x86_64).

]# cd /etc/redhat-release
Scientific Linux release 5.10 (Boron)
  • Configure the EGI Trust Anchor repository
]# cd /etc/yum.repos.d/
]# cat egi-trustanchors.repo
  • Install the latest EUGridPMA CA rpms
]# yum clean all
]# yum install -y ca-policy-egi-core
  • Configure the EPEL repository:
]# cd /etc/yum.repos.d/
]# cat /etc/yum.repos.d/epel.repo
name=Extra Packages for Enterprise Linux 5 - $basearch

name=Extra Packages for Enterprise Linux 5 - $basearch - Debug

name=Extra Packages for Enterprise Linux 5 - $basearch - Source
  • Install the latest epel release
]# yum clean all
]# yum install -y epel-release --nogpgcheck

SELinux configuration

Be sure that SELinux is disabled (or permissive). Details on how to disable SELinux are here [12]

]# getenforce


Start the sendmail service at boot. Configure access rules to allow connections and open the firewall on port 25.

]# /etc/init.d/sendmail start
]# chkconfig --level 2345 sendmail on

]# cat /etc/hosts.allow
sendmail: localhost

]# cat /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -s -j ACCEPT


Use NTP to synchronize the time of the server

]# ntpdate
]# /etc/init.d/ntpd start
]# chkconfig --level 2345 ntpd on


Install and configure the fetch-crl

]# yum install -y fetch-crl
]# /etc/init.d/fetch-crl-cron start
]# chkconfig --level 2345 fetch-crl-cron on

Host Certificates

Navigate the interactive map and search for your closest Certification Authorities [13] or, alternatively, buy a multi-domain COMODO [14] SSL certificate.

Public and Private keys of the host certificate have to be copied in /etc/grid-security/

]# ll /etc/grid-security/host*
-rw-r--r--  1 root root 1627 Mar 10 14:55 /etc/grid-security/hostcert.pem
-rw-------  1 root root 1680 Mar 10 14:55 /etc/grid-security/hostkey.pem

Configure VOMS Trust Anchors

The VOMS-clients APIs need local configuration to validate the signature on Attribute Certificates issued by trusted VOMS servers.

The VOMS clients and APIs look for trust information in the /etc/grid-security/vomsdir directory.

The vomsdir directory contains a directory for each trusted VO. Inside each VO two types of files can be found:

  • An LSC file contains a description of the certificate chain of the certificate used by a VOMS server to sign VOMS attributes.
  • An X509 certificates used by the VOMS server to sign attributes.

These files are commonly named using the following pattern:


where hostname is the host where the VOMS server is running.

When both .lsc and .pem files are present for a given VO, the .lsc file takes precedence. The .lsc file contains a list of X.509 subject strings, one on each line, encoded in OpenSSL slash-separate syntax, describing the certificate chain (up and including the CA that issued the certificate). For instance, the VOMS server has the following .lsc file:


warning Install in /etc/grid-security/vomsdir/ directory the .lsc for each trusted VO that you want to support.

download An example of /etc/grid-security/vomsdir/ directory can be downloaded from here [15].

Configure VOMS server endpoints

The list of known VOMS server is maintained in vomses files. A vomses file is a simple text file which contains one or more lines formatted as follows:

"vo_name"       "hostname"      "port"  "dn"    "aliases"


  • vo_name is the name of the VO served by the VOMS server,
  • hostname is the hostname where the VOMS server is running,
  • port is the port where the VOMS server is listening for incoming requests,
  • dn is the subject of certificate of the VOMS server, and the
  • aliases is an alias that can be used for this VOMS server (this is typically identical to the vo_name).

System wide VOMSES configuration is maintained in the /etc/vomses file or directory. If the /etc/vomses/ is a directory, all the files contained in such directory are parsed looking fro VOMS contact information.

warning Install in the /etc/vomses the contact information for each trust VO you want to support!

download An example of VOMS contact information can be downloaded from [16]

Chapter II - Installation & Configuration

This chapter introduces the manual installation of the SafeNet eToken PKI client library on a Linux system, the software that enables eToken USB operations and the implementation of eToken PKI-based solutions.

Software Requirements

The software also includes all the necessary files and drivers to support the eToken management. During the installation, the needed libraries and drivers will be installed in /usr/local/bin, /usr/local/lib and /usr/local/etc.

warning Before to start, please check if pcsc- packages are already installed on your server.

]# rpm -e pcsc-lite-1.4.4-4.el5_5 \
          pcsc-lite-libs-1.4.4-4.el5_5 \
          pcsc-lite-doc-1.4.4-4.el5_5 \
          pcsc-lite-devel-1.4.4-4.el5_5 \
          ccid-1.3.8-2.el5.i386 \
          ifd-egate-0.05-17.el5.i386 \
          coolkey-1.1.0-16.1.el5.i386 \

download Download the correct software packages:

  • pcsc-lite-1.3.3-1.el4.rf.i386.rpm [17]
  • pcsc-lite-libs-1.3.3-1.el4.rf.i386.rpm [18]
  • pcsc-lite-ccid-1.2.0-1.el4.rf.i386.rpm [19]
]# rpm -ivh pcsc-lite-1.3.3-1.el4.rf.i386.rpm \
            pcsc-lite-ccid-1.2.0-1.el4.rf.i386.rpm \

     Preparing...            ########################################### [100%]
     1:pcsc-lite-libs        ########################################### [ 33%]
     2:pcsc-lite-ccid        ########################################### [ 67%]
     3:pcsc-lite             ########################################### [100%]

Before installing the eToken PKI Client, please check if the PC/SC-Lite pcscd daemon is running:

]# /etc/init.d/pcscd start

Install PKI_Client library

warning Contact the SafeNet Inc. and install the latest eToken PKI Client (ver. 4.55-34) software on your system.

]$ rpm -ivh pkiclient-full-4.55-34.i386.rpm

Preparing...             ########################################### [100%]
Stopping PC/SC smart card daemon (pcscd): [ OK ]
        1:pkiclient-full ########################################### [100%]
Checking installation of pcsc from source... None.
Starting PC/SC smart card daemon (pcscd): [ OK ]
Adding eToken security provider...Done.
PKIClient installation completed.

Configure additional libraries

download Download the appropriate libraries [20] for your system and save it as Mkproxy-rhel4.tar.gz.

The archive contains all the requires libraries for RHEL4 and RHEL5.

]# tar zxf Mkproxy-rhel4.tar.gz
]# chown -R root.root etoken-pro/
]# tree etoken-pro/
|-- bin
| |-- cardos-info
| |-- mkproxy
| |-- openssl
| `-- pkcs11-tool
|-- etc
| |-- hotplug.d
| | `-- usb
| |  `-- etoken.hotplug
| |-- init.d
| | |-- etokend
| | `-- etsrvd
| |-- openssl.cnf
| |-- reader.conf.d
| | `-- etoken.conf
| `-- udev
|    `-- rules.d
|    `-- 20-etoken.rules
`-- lib

Untar the archive and copy the files to their respective locations.

  • Copy binary files
]# cp -rp etoken-pro/bin/cardos-info /usr/local/bin/
]# cp -rp etoken-pro/bin/mkproxy /usr/local/bin/
]# cp -rp etoken-pro/bin/pkcs11-tool /usr/local/bin/
]# cp -rp etoken-pro/bin/openssl /usr/local/bin/
  • Copy libraries
]# cp -rp etoken-pro/lib/ /usr/local/lib
]# cp -rp etoken-pro/lib/ /usr/local/lib
]# cp -rp etoken-pro/lib/ /usr/local/lib
  • Copy configuration files
]# cp -rp etoken-pro/etc/openssl.cnf /usr/local/etc
  • Set the PKCS11_MOD environment variable

Edit the /usr/local/bin/mkproxy script and change the PKCS11_MOD variable settings:

export PKCS11_MOD="/usr/lib/"
  • Create symbolic links
]# cd /usr/lib/
]# ln -s /usr/lib/
]# ln -s /usr/lib/

]# ll*
   lrwxrwxrwx 1 root root 29 Feb 17 09:47 -> /usr/lib/
   lrwxrwxrwx 1 root root 29 Feb 17 09:52 -> /usr/lib/
   lrwxrwxrwx 1 root root 20 Feb 17 09:04 ->
   -rwxr-xr-x 1 root root 92047 Jan 26 2007

To administer the USB eToken PRO 64KB and add a new robot certificate, please refer to the Appendix I.

  • Testing
]# export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
]# pkcs11-tool -L --module=/usr/lib/

Available slots:
**Slot 0** AKS ifdh 00 00
     token label: **eToken**
     token manuf: Aladdin Ltd.
     token model: eToken
     token flags: rng, login required, PIN initialized, token initialized, other flags=0x200
     serial num : 001c3401
**Slot 1** AKS ifdh 01 00
     token label: **eToken1**
     token manuf: Aladdin Ltd. token model: eToken
     token flags: rng, login required, PIN initialized, token initialized, other flags=0x200
     serial num : 001c0c05

The current version of PKI_Client supports up to 16 different slots! Each slot can host a USB eToken PRO smart card.

  • Generating a standard proxy certificate
]# mkproxy
Starting Aladdin eToken PRO proxy generation
Found X.509 certificate on eToken:
  label: (eTCAPI) MrBayes's GILDA ID
  id: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Your identity: /C=IT/O=GILDA/OU=Robots/L=INFN Catania/CN=MrBayes
Generating a 512 bit RSA private key
writing new private key to 'proxykey.FM6588'
engine "pkcs11" set. Signature ok
subject=/C=IT/O=GILDA/OU=Robots/L=INFN Catania/CN=MrBayes/CN=proxy Getting CA Private Key
PKCS#11 token PIN: *******
Your proxy is valid until: Wed Jan 16 01:22:01 CET 2012

Chapter III - Installing Apache Tomcat

  • The instructions below are for installing version Java 7 Update 1 (7u1).
]# rpm -e java-1.4.2-gcj-compat- \
          antlr-2.7.6-4jpp.2.x86_64 gjdoc-0.7.7-12.el5.x86_64

]# rpm -ivh jdk-7u1-linux-i586.rpm
  • Download and extract the eTokens-2.0.5 directory with all the needed configuration files in the root’s home directory.

download Download an example of configuration files for the eToken from here [21] and save it as eTokens-2.0.5.tar.gz.

]# tar zxf eTokens-2.0.5.tar.gz
]# tree -L 2 eTokens-2.0.5
|-- config
| |-- eToken.cfg
  |-- eToken1.cfg
  |-- ..

The config directory MUST contain a configuration file for each USB eToken PRO 32/64KB smart card plugged into the server.

]# cat eTokens-2.0.5/config/eToken.cfg
name = **eToken** *Insert here an unique name for the new etoken*
library = /usr/lib/
description = **Aladdin eToken PRO 64K 4.2B**
slot = **0** *Insert here an unique slot id for the new token*

attributes(*,CKO_PRIVATE_KEY,*) = { CKA_SIGN = true }
attributes(*,CKO_PRIVATE_KEY,CKK_DH) = { CKA_SIGN = null }
attributes(*,CKO_PRIVATE_KEY,CKK_RSA) = { CKA_DECRYPT = true }

warning If you are using USB eToken PRO 32KB, please change the description as follows:

description = **Aladdin eToken PRO 32K 4.2B**

download Download the latest release of Apache Tomcat. For this wiki we used the following version: apache-tomcat-7.0.34

  • Creating a Java Keystore from scratch containing a self-signed certificate

Make a temporary copy of hostcert.pem and hostkey.pem files

]# cp /etc/grid-security/hostcert.pem /root
]# cp /etc/grid-security/hostkey.pem /root

Convert both, the key and the certificate into DER format using openssl command:

]# openssl pkcs8 -topk8 -nocrypt \
                 -in hostkey.pem -inform PEM \
                 -out key.der -outform DER

]# openssl x509 -in hostcert.pem \
                -inform PEM \
                -out cert.der \
                -outform DER
  • Import private and certificate into the Java Keystore

download Download the following Java source code [22] and save it as

Edit the file containing the following settings for the Java JKS

// Change this if you want another password by default
String keypass = "**changeit**"; <== Change it!

// Change this if you want another alias by default
String defaultalias = "****"; <== Change it!

If (keystorename == null)
        Keystorename = System.getProperty("user.home")
        + System.getProperty("file.separator")
        + "**eTokenServerSSL**"; // <== Change it!

alert Please change “” with the host of the server you want to configure.

  • Compile and execute the Java file:
]# javac
]# java ImportKey key.der cert.der
Using keystore-file : /root/eTokenServerSSL One certificate, no chain.
Key and certificate stored.
Alias: Password: changeit

Now we have a JKS containig:

  • the key and the certificate stored in the eTokenServerSSL file,
  • using as alias and
  • changeit as password.

Move the JKS to the Apache-Tomcat root directory

]# mv /root/eTokenServerSSL apache-tomcat-7.0.34/eTokenServerSSL
  • SSL Configuration

Add the new SSL connector on port 8443 in the server.xml file

]# cat apache-tomcat-7.0.34/conf/server.xml

<Connector port="8082" protocol="HTTP/1.1" connectionTimeout="20000" redirectoPrt="8443">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                       maxThreads="150" scheme="https" secure="true"
                       clientAuth="false" sslProtocol="TLS"
                       keyAlias="" keystorePass="changeit"/>

Edit the /etc/sysconfig/iptables file in order to accept incoming connections on ports 8082 and 8443.

  • How to start, stop and check the Apache Tomcat server
  1. Configure the JAVA_HOME env. variable
]# cat ~/.bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
       . ~/.bashrc

# User specific environment and startup programs


export PATH
export JAVA_HOME
  1. Start and check the application server as follows:
]# cd /root/apache-tomcat-7.0.34/
]# ./bin/
Using CATALINA_BASE: /root/apache-tomcat-7.0.34
Using CATALINA_HOME: /root/apache-tomcat-7.0.34
Using CATALINA_TMPDIR: /root/apache-tomcat-7.0.34/temp
Using JRE_HOME: /usr
Using CLASSPATH: /root/apache-tomcat-7.0.34/bin/bootstrap.jar:\
  1. Stop the application server as follows:
]# ./bin/shutdown
Using CATALINA_BASE: /root/apache-tomcat-7.0.34
Using CATALINA_HOME: /root/apache-tomcat-7.0.34
Using CATALINA_TMPDIR: /root/apache-tomcat-7.0.34/temp
Using JRE_HOME: /usr
Using CLASSPATH: /root/apache-tomcat-7.0.34/bin/bootstrap.jar:\
  • Install external libraries

download Download and save the external libraries [23] as lib.tar.gz

]# tar zxf lib.tar.gz
]# cp ./lib/*.jar /root/apache-tomcat-7.0.34/lib
  • Deploy the WAR files
]# cd /root/apache-tomcat-7.0.34/

Create the following **** configuration file with the following settings:
# **VOMS Settings**
# Standard location of configuration files
# Default VOMS proxy lifetime (default 12h)

# **Token Settings**            # <== Change here
PIN=******                                 # <== Add PIN here

# **Proxy Settings**
# Default proxy lifetime (default 12h) PROXY_LIFETIME=24
# Number of bits in key {512|1024|2048|4096}

# **Administrative Settings**                   # <== Change here  # <== Change here # <== Change here

Create the following **** configuration file with the following settings:
# **MyProxy Settings**           # <== Change here
# Default MyProxy proxy lifetime (default 1 week)
# Default temp long-term proxy path
MYPROXY_PATH=/root/apache-tomcat-7.0.53/temp  # <== Change here

download Download the servlet for the eTokenServer [24] and save it as eTokenServer.war

download Download the servlet for the MyProxyServer [25] and save it as MyProxyServer.war

]# cp eTokenServer.war webapps/
]# cp MyProxyServer.war webapps/
]# ./bin/ stop && sleep 5

]# cp -f webapps/eTokenServer/WEB-INF/classes/infn/eToken/
]# cp -f webapps/MyProxyServer/WEB-INF/classes/infn/MyProxy/

]# ./bin/ start
]# tail -f logs/eToken.out
]# tail -f logs/MyProxy.out
  • Configure tomcat to start-up on boot

Create the following script:

]# cat /etc/init.d/tomcat
# chkconfig: 2345 91 91
# description: Start up the Tomcat servlet engine.

. /etc/init.d/functions

case "$1" in
             if [ -f $CATALINA_HOME/bin/ ];
                     echo $"Starting Tomcat"
                     /bin/su root $CATALINA_HOME/bin/
             if [ -f $CATALINA_HOME/bin/ ];
                     echo $"Stopping Tomcat"
                     /bin/su root $CATALINA_HOME/bin/
             echo $"Usage: $0 {start|stop}"
             exit 1
     exit $RETVAL

 ]# chmod a+x tomcat
  • Update the run level for the tomcat service
]# chkconfig --level 2345 --add tomcat
]# chkconfig --list tomcat
   tomcat 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Chapter IV - Usage

In this chapter is show the administrator (only restricted access) web interface to interact with the RESTful “ligth-weight” crypto library which is configured for:

  1. browsing the digital certificates available on the different smart cards;
  2. generating VOMS-proxy for a given X.509 digital certificate.
  • Accessing the RESTFul crypto library via WEB

The root resource of the library is deployed at the URL https://<etoken_server>:8443/eTokenServer as shown in the figure below:


The creation of a request to access the generic USB smat card and generates a proxy certificate is performed in few steps.

  • First and foremost we have to select a valid digital certificate from the list of available certificates (first accordion).
  • Afterwards, depending by the selected certificate, it will be possible to select a list of FQANs attributes which will be taken into account during the proxy creation process.
  • If necessary FQANs order can be changed in step 3:
  • Before to complete, some additional options can be specified in the 4th. step to customize the proxy requestID:
  • At the end, the complete requestID is available in step 5:

Chapter V - Some RESTful APIs

REST is an architectural style which defines a set of constraints that, when applied to the architecture of a distributed system, induces desiderable properties like lookse coupling and horizontal scalability. RESTful web services are the result of applying these constraints to services that utilize web standards such as URIs, HTTP, XML, and JSON. Such services become part of the fabric of the web and can take advantage of years of web engineering to satisfy their clients’ needs. The Java API for RESTful web services (JAX-RS) is a new API that aims to make development of RESTful web services in Java simple and intuitive.

In this chapter will be presented some examples of RESTful APIs used to request proxies certificates, list available robot certificates in the server-side and register long-term proxies on the MyProxy server.

Create RFC 3820 complaint proxy (simple use case):


Create RFC 3820 complaint proxy (with some additional info to account real users):


Create full-legacy Globus proxy (old fashioned proxy):


Create full-legacy proxy (with more FQANs):


Create plain proxy (without VOMS ACs):


Get the list of avilable robot certificates in the server (in JSON format):


Get the MyProxy settings used by the eToken server (in JSON format):


Register long-term proxy on the MyProxy server (only for expert user):


Appendix I - Administration of the eToken smart cards

This appendix provides a brief explaination of the eToken Properties (etProps) and the various configuration options available to the user.

eToken Properties provides users with a configuration tool to perform basic token management such as password changes, viewing information, and viewing of certificates on the eToken.

This appendix includes the following sections:

  • Initializing the eToken PRO 32/64 KBytes USB smart card;
  • Importing new certificates;
  • Renaming a token.

The eToken Properties application displays all the available tokens connected to the server as show in the below figure:


In the right pane, the user may select any of the following actions which are enabled:

1.) Rename eToken - set a label for the given token;

2.) Change Password - changes the eToken user password;

3.) Unlock eToken - resets the user password via a challenge response mechanism (pnly enabled when an administrator password has been initialized on the eToken);

4.) View eToken Info - provides detailed information about the eToken;

5.) Disconnect eToken Virtual - disconnects the eToken Virtual with an option for deleting it.

The toolbar along the top contains these functions:

1.) Advanced - switches to the Advanced view;

2.) Refresh - refreshes the data for all connected tokens;

3.) About - displayes information about the product version;

4.) Help - launches the online help.

  • Renaming the eToken

The token name may be personalized. To rename a token:

1.) In the left pane of the eToken Properties window, select the token to be renamed.

2.) Click Rename eToken in the right pane, and the Rename eToken dialog box is displayed as shown in the below figure:


3.) Enter the new name in the New eToken name field.

4.) Click OK. The new token name is displayed in the eToken Properties window.

  • Initializing the eToken

The eToken initialization option restores an eToken to irs initial state. It removes all objects stored on the eToken since manufacture, frees up memory, and resets the eToken password, allowing administrators to initialize the eToken according to specific organizational requirements or security modes.

The following data is initialized:

  • eToken name;
  • User password;
  • Administrator password;
  • Maximum number of login failures (for user and administrator passwords);
  • Requirement to change the password on the first login;
  • Initialization key.

To initialize the eToken:

1.) Click on Advanced from the toolbar to switch to the Advanced view.

2.) Select the eToken you want to initialize.

3.) Click Initialize eToken on the toolbar, or right-click the token name in the left pane and select Initialize eToken from the shortcut menu. The eToken Initialization Parameters dialog box opens.


4.) Enter a name for the eToken in the eToken Name field. If no name is entered, the default name, “eToken”, is applied.

5.) Select Create User Password to initialize the token with an eToken user password. Otherwise, the token is initialized without an eToken password, and it will not be usable for eToken applications.

6.) If Create User Password is selected, enter a new eToken user password in the Create User Password and Confirm fields.

7.) I nthe Set maximum number of logon failures fields, enter a vaule between 1 and 15. This counter specifies the number of times the user or administrator can attempt to log on to the eToken with an incorrect password before the eToken is locked. The default setting for the maximum number of incorrect logon attempts is 15.

8.) To configure advanced settings, click Advanced. The eToken Advanced Settings dialog box opens.

9.) Check Load 2048-bit RSA key support

warning All eTokens are configured with the following default password 1234567890.

  • To import a certificate

1.) Click on Advanced from the toolbar to switch to thre Advanced view.

2.) Select the eToken where you want to upload a new certificate.

3.) Click Import Certificate on the toolbar, or right-click the token name in the left pane and select Import Certificate from the shortcut menu. The Import Certificate dialog box opens.


4.) Select whether the certificate to import is on your personal computer store on the computer, or on a file. If you select the personal certificate store, a list of available certificates is displayed. Only certificates that can be imported on to the eToken are listed. These are:

  • Certificates with a private key already on the eToken;
  • Certificates that may be imported from the computer together with its private key.

5.) If you select Import a certificate from a file, the Choose a certificate dialog box opens.

6.) Select the certificate to import and click Open.

7.) If the certificate requires a password, a Password dialog box opens.

8.) Enter the certificate password. A dialog box opens asking if you want to store the CA certificate on the eToken.

9.) Select No. The only certificate is imported and a confirmation message is shown.

Appendix II - Increase “Open Files Limit”

alert If you are getting the error “Too many open files (24)” then your application is hitting max open file limit allowed by Linux.

Check limits of the running process:

  • Find the process-ID (PID):
]# ps aux | grep -i process-name
  • Suppose XXX is the PID, then run the command to check limits:
]# cat /proc/XXX/limits

To increase the limit you have to:

  1. Append the following settings to set the user-limit
]# cat /etc/security/limits.conf

*          hard    nofile  50000
*          soft    nofile  50000
root       hard    nofile  50000
root       soft    nofile  50000

Once you have saved the file, you have to logout and login again.

  1. Set the higher than user-limit set above.
]# cat /etc/sysctl.conf

fs.file-max = 2097152

Run the command

]# sysctl -p
  1. Verify the new limits. Use the following command to see max limit of the file descriptors:
]# cat /proc/sys/fs/file-max

Appendix III - Configure GlassFish settings

To set JVM settings, please add the following GLASSFISH_OPTS settings in

               -XX:NewSize=467215m -XX:MaxNewSize=467215m \
               -XX:PermSize=467215m -XX:MaxPerSize=467215m \


  • Private key in PKCS#8

    Cannot load end entity credentials from certificate file: /etc/grid-security/hostcert.pem and key file: /etc/grid-security/hostkey.pem

]# cd /etc/grid-security/
]# mv hostkey.pem hostkey-pk8.pem
]# openssl rsa -in hostkey-pk8.pem -out hostkey.pem
]# chmod 400 hostkey.pem

]# cd <apache-tomcat>
]# ./bin/ stop
]# ./bin/ start

For further information, please read the document [26]

Log Files

  • The log messages for the eTokenServer are stored in <apache-tomcat>/logs/eToken.out
  • The log messages for the MyProxyServer are stored in <apache-tomcat>/logs/MyProxy.out
  • In case of errors and debug, please check these additional log files:
]# <apache-tomcat>/logs/catalina.out
]# <apache-tomcat>/logs/localhost.<date>.log


Please feel free to contact us any time if you have any questions or comments.


Roberto BARBERA - Italian National Institute of Nuclear Physics (INFN),

Giuseppe LA ROCCA - Italian National Institute of Nuclear Physics (INFN),

Salvatore MONFORTE - Italian National Institute of Nuclear Physics (INFN)