[Pki-users] Utimaco HSM "Not Found" problem

Arshad Noor arshad.noor at strongauth.com
Thu Apr 22 21:57:14 UTC 2010


So, if I understand you correctly, you want me to:

1) Make sure that the module is configured correctly in the
    new CA instance's alias/secmod.db file; and

2) Remove all references to the new HSM from CS.cfg, use a
    default CS.cfg, so that your configuration module code
    adds it to CS.cfg based on what's configured in secmod.db?

Will get back to you in about 15 minutes.

Arshad Noor
StrongAuth, Inc.

Christina Fu wrote:
> Arshad,
> 
> I'm curious.  The unsupported modules are supposed to be picked up by 
> the configuration module.  That means, you don't need to add those 
> configModules in the CS.cfg.
> Can you try doing that?
> If that works, I'd be interested in knowing if the token name with space 
> contributed to any part of the issue too.
> 
> Christina
> 
> Arshad Noor wrote:
>> Hi Christina,
>>
>> Good to hear from you again.
>>
>> I changed the token name and removed the space, but nothing changed,
>> unfortunately:
>>
>> Listing of PKCS #11 Modules
>> -----------------------------------------------------------
>>   1. NSS Internal PKCS #11 Module
>>          slots: 2 slots attached
>>         status: loaded
>>
>>          slot: NSS Internal Cryptographic Services
>>         token: NSS Generic Crypto Services
>>
>>          slot: NSS User Private Key and Certificate Services
>>         token: NSS Certificate DB
>>
>>   2. CryptoServer
>>         library name: /usr/bin/libcs2_pkcs11.so
>>          slots: 1 slot attached
>>         status: loaded
>>
>>          slot: CryptoServer Device '/dev/cs2' - Slot No: 0
>>         token: CBUAETEST
>> -----------------------------------------------------------
>>
>> The debug file for the new CA instance shows:
>>
>> -------------------------------------------
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: display()
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got 
>> module NSS Internal PKCS #11 Module
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: supported 
>> modules count= 4
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from 
>> config module: NSS Internal PKCS #11 Module
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: module 
>> found: NSS Internal PKCS #11 Module
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
>> nick name=NSS Generic Crypto Services
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
>> logged in?false
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token is 
>> present?true
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token NSS 
>> Generic Crypto Services not to be added
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
>> nick name=Internal Key Storage Token
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
>> logged in?true
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token is 
>> present?true
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
>> module NSS Internal PKCS #11 Module
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from 
>> config module: nfast
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
>> module nfast
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from 
>> config module: lunasa
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
>> module lunasa
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from 
>> config module: CryptoServer
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
>> module CryptoServer
>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel subpanelno =9
>> -------------------------------------------
>>
>> The CS.cfg for this instance has the following:
>>
>> -------------------------------------------
>> preop.configModules.count=4
>> ...
>> preop.configModules.module3.commonName=CryptoServer
>> preop.configModules.module3.imagePath=../img/clearpixel.gif
>> preop.configModules.module3.userFriendlyName=Utimacos's CryptoServer 
>> Hardware Security Module
>> preop.module.token=CBUAETEST
>> -------------------------------------------
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> Christina Fu wrote:
>>> Hi Arshad,
>>>
>>> Just a thought.  Did you try removing the space for your token name?
>>>
>>> Christina
>>>
>>> Arshad Noor wrote:
>>>> Can someone from the DogTag team explain the process by which
>>>> the installation servlet "finds" PKCS11 modules/HSMs and logs
>>>> into them?  Alternatively, if you can point me to the specific
>>>> source module that performs this, I'd be happy to look at it
>>>> myself.
>>>>
>>>> I'm still baffled by our inability to have the installation
>>>> servlet find the Utimaco HSM module, despite the fact that
>>>> modutil sees it:
>>>>
>>>> $ pet105:~> modutil -dbdir /var/lib/subca01/alias -nocertdb -list
>>>>
>>>> Listing of PKCS #11 Modules
>>>> -----------------------------------------------------------
>>>>   1. NSS Internal PKCS #11 Module
>>>>          slots: 2 slots attached
>>>>         status: loaded
>>>>
>>>>          slot: NSS Internal Cryptographic Services
>>>>         token: NSS Generic Crypto Services
>>>>
>>>>          slot: NSS User Private Key and Certificate Services
>>>>         token: NSS Certificate DB
>>>>
>>>>   2. CryptoServer
>>>>         library name: /usr/bin/libcs2_pkcs11.so
>>>>          slots: 1 slot attached
>>>>         status: loaded
>>>>
>>>>          slot: CryptoServer Device '/dev/cs2' - Slot No: 0
>>>>         token: CBUAE TEST
>>>> -----------------------------------------------------------
>>>>
>>>>
>>>> There were some SELinux errors, but I fixed all of them; despite
>>>> all calls now being successful, the installation servlet will
>>>> still not see the HSM.
>>>>
>>>> Thanks.
>>>>
>>>> Arshad Noor
>>>> StrongAuth, Inc.
>>>>
>>>
> 
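
An added example, not part of the original thread or of the Dogtag code: a small offline cross-check between what `modutil -list` reports for an instance's alias directory and what that instance's CS.cfg names under `preop.configModules.*` and `preop.module.token`. The sample inputs are constructed from the excerpts quoted above, and treating `preop.module.token` as the token the installer is expected to select is an assumption.

```python
import re

# Constructed inputs, modelled on the modutil listing and CS.cfg excerpt in the thread.
MODUTIL_LIST = """\
  1. NSS Internal PKCS #11 Module
        status: loaded
        token: NSS Certificate DB
  2. CryptoServer
        library name: /usr/bin/libcs2_pkcs11.so
        status: loaded
         slot: CryptoServer Device '/dev/cs2' - Slot No: 0
        token: CBUAE TEST
"""
CS_CFG = """\
preop.configModules.count=4
preop.configModules.module3.commonName=CryptoServer
preop.module.token=CBUAETEST
"""

def parse_modutil(text):
    """Return {module name: {"status": str, "tokens": [str]}} from a modutil listing."""
    modules, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*\d+\.\s+(.+?)\s*$", line)          # "  2. CryptoServer"
        field = re.match(r"\s*(status|token):\s*(.*?)\s*$", line)
        if head:
            current = modules.setdefault(head.group(1), {"status": None, "tokens": []})
        elif field and current is not None:
            if field.group(1) == "status":
                current["status"] = field.group(2)
            else:
                current["tokens"].append(field.group(2))
    return modules

def cross_check(modutil_text, cfg_text):
    """List mismatches between CS.cfg preop.* entries and the secmod.db listing."""
    modules = parse_modutil(modutil_text)
    cfg = dict(l.strip().split("=", 1) for l in cfg_text.splitlines() if "=" in l)
    findings = []
    for key, name in cfg.items():
        if re.fullmatch(r"preop\.configModules\.module\d+\.commonName", key):
            if modules.get(name, {}).get("status") != "loaded":
                findings.append(f"module {name!r} in CS.cfg is not loaded in secmod.db")
    tokens = [t for m in modules.values() for t in m["tokens"]]
    wanted = cfg.get("preop.module.token")   # assumption: the token the installer should use
    if wanted and wanted not in tokens:
        findings.append(f"preop.module.token {wanted!r} not among tokens {tokens}")
    return findings

if __name__ == "__main__":
    print("\n".join(cross_check(MODUTIL_LIST, CS_CFG)) or "no mismatches")
```

With the constructed sample, the only finding is the token name mismatch (CS.cfg says CBUAETEST while the listing still shows "CBUAE TEST"). Entries such as nfast and lunasa, which appear in the debug log but not in the modutil listing, would be reported as not loaded.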



