[Pki-users] Utimaco HSM "Not Found" problem

Christina Fu cfu at redhat.com
Thu Apr 22 21:50:36 UTC 2010


Arshad,

I'm curious.  The unsupported modules are supposed to be picked up by 
the configuration module.  That means, you don't need to add those 
configModules in the CS.cfg.
Can you try doing that? 

If that works, I'd be interested in knowing if the token name with space 
contributed to any part of the issue too.

Christina

Arshad Noor wrote:
> Hi Christina,
>
> Good to hear from you again.
>
> I changed the token name and removed the space, but nothing changed,
> unfortunately:
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>          slots: 2 slots attached
>         status: loaded
>
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
>
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
>
>   2. CryptoServer
>         library name: /usr/bin/libcs2_pkcs11.so
>          slots: 1 slot attached
>         status: loaded
>
>          slot: CryptoServer Device '/dev/cs2' - Slot No: 0
>         token: CBUAETEST
> -----------------------------------------------------------
>
> The debug file for the new CA instance shows:
>
> -------------------------------------------
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: display()
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got 
> module NSS Internal PKCS #11 Module
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: supported 
> modules count= 4
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from 
> config module: NSS Internal PKCS #11 Module
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: module 
> found: NSS Internal PKCS #11 Module
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
> nick name=NSS Generic Crypto Services
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
> logged in?false
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token is 
> present?true
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token NSS 
> Generic Crypto Services not to be added
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
> nick name=Internal Key Storage Token
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
> logged in?true
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token is 
> present?true
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
> module NSS Internal PKCS #11 Module
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from 
> config module: nfast
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
> module nfast
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from 
> config module: lunasa
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
> module lunasa
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from 
> config module: CryptoServer
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
> module CryptoServer
> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel subpanelno =9
> -------------------------------------------
>
> The CS.cfg for this instance has the following:
>
> -------------------------------------------
> preop.configModules.count=4
> ...
> preop.configModules.module3.commonName=CryptoServer
> preop.configModules.module3.imagePath=../img/clearpixel.gif
> preop.configModules.module3.userFriendlyName=Utimacos's CryptoServer 
> Hardware Security Module
> preop.module.token=CBUAETEST
> -------------------------------------------
>
> Arshad Noor
> StrongAuth, Inc.
>
> Christina Fu wrote:
>> Hi Arshad,
>>
>> Just a thought.  Did you try removing the space for your token name?
>>
>> Christina
>>
>> Arshad Noor wrote:
>>> Can someone from the DogTag team explain the process by which
>>> the installation servlet "finds" PKCS11 modules/HSMs and logs
>>> into them?  Alternatively, if you can point me to the specific
>>> source module that performs this, I'd be happy to look at it
>>> myself.
>>>
>>> I'm still baffled by our inability to have the installation
>>> servlet find the Utimaco HSM module, despite the fact that
>>> modutil sees it:
>>>
>>> $ pet105:~> modutil -dbdir /var/lib/subca01/alias -nocertdb -list
>>>
>>> Listing of PKCS #11 Modules
>>> -----------------------------------------------------------
>>>   1. NSS Internal PKCS #11 Module
>>>          slots: 2 slots attached
>>>         status: loaded
>>>
>>>          slot: NSS Internal Cryptographic Services
>>>         token: NSS Generic Crypto Services
>>>
>>>          slot: NSS User Private Key and Certificate Services
>>>         token: NSS Certificate DB
>>>
>>>   2. CryptoServer
>>>         library name: /usr/bin/libcs2_pkcs11.so
>>>          slots: 1 slot attached
>>>         status: loaded
>>>
>>>          slot: CryptoServer Device '/dev/cs2' - Slot No: 0
>>>         token: CBUAE TEST
>>> -----------------------------------------------------------
>>>
>>>
>>> There were some SELinux errors, but I fixed all of them; despite
>>> all calls now being successful, the installation servlet will
>>> still not see the HSM.
>>>
>>> Thanks.
>>>
>>> Arshad Noor
>>> StrongAuth, Inc.
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>
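An added diagnostic sketch, not part of the thread and not Dogtag's own code: it parses a `modutil -list` listing like the ones quoted above and cross-checks it against the `preop.configModules.*` and `preop.module.token` entries of CS.cfg. The sample inputs are constructed from values quoted in the thread, the function names are hypothetical, and the checks do not reproduce how the installation servlet itself matches modules.

```python
import re

# Constructed sample inputs, abridged from the values quoted in the thread.
MODUTIL_LIST = """\
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
        status: loaded
         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
  2. CryptoServer
        library name: /usr/bin/libcs2_pkcs11.so
        status: loaded
         slot: CryptoServer Device '/dev/cs2' - Slot No: 0
        token: CBUAETEST
"""
CS_CFG = """\
preop.configModules.count=4
preop.configModules.module3.commonName=CryptoServer
preop.module.token=CBUAETEST
"""

def parse_modutil(text):
    """Map module name -> library/status/tokens from `modutil -list` output."""
    modules, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*\d+\.\s+(.*\S)", line)
        field = re.match(r"\s*(library name|status|token):\s*(.*\S)", line)
        if head:
            cur = modules.setdefault(head.group(1), {"library": None, "status": None, "tokens": []})
        elif field and cur is not None:
            key, value = field.groups()
            if key == "token":
                cur["tokens"].append(value)
            else:
                cur[key.split()[0]] = value  # "library name" -> "library"
    return modules

def cross_check(modutil_text, cfg_text):
    """Hypothetical helper (not Dogtag's logic): list (finding, value) mismatches."""
    mods = parse_modutil(modutil_text)
    cfg = dict(l.split("=", 1) for l in cfg_text.splitlines() if "=" in l)
    findings = [("module-not-loaded", name) for key, name in cfg.items()
                if re.fullmatch(r"preop\.configModules\.module\d+\.commonName", key)
                and mods.get(name, {}).get("status") != "loaded"]
    wanted = cfg.get("preop.module.token")
    if wanted and not any(wanted in m["tokens"] for m in mods.values()):
        findings.append(("token-not-found", wanted))
    for m in mods.values():  # external modules only: the internal one lists no library
        findings += [("token-has-space", t) for t in m["tokens"] if m["library"] and " " in t]
    return findings
```

An empty result means the NSS database and CS.cfg agree on module and token names, which matches the state described in the later message of the thread.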
