[Pki-users] Utimaco HSM "Not Found" problem

Arshad Noor arshad.noor at strongauth.com
Thu Apr 22 22:43:03 UTC 2010


I'm afraid it didn't pick up the new module, Christina.  modutil
shows it correctly, but as you can see from the attached PNG, the
servlet did not find the HSM.

Based on Michael StJohn's postings and some feedback I have from
the vendor, it appears that the 32-bit version of DogTag may be
working; but we're testing on a 64-bit version of Fedora 11 and
DogTag.  Could that be causing the problem?  The PKCS11 library
from the HSM vendor is 64-bit.

Arshad Noor
StrongAuth, Inc.

Arshad Noor wrote:
> So, if I understand you correctly, you want me to:
> 
> 1) Make sure that the module is configured correctly in the
>    new CA instance's alias/secmod.db file; and
> 
> 2) Remove all references to the new HSM from CS.cfg, use a
>    default CS.cfg, so that your configuration module code
>    adds it to CS.cfg based on what's configured in secmod.db?
> 
> Will get back to you in about 15 minutes.
> 
> Arshad Noor
> StrongAuth, Inc.
> 
> Christina Fu wrote:
>> Arshad,
>>
>> I'm curious.  The unsupported modules are supposed to be picked up by 
>> the configuration module.  That means, you don't need to add those 
>> configModules in the CS.cfg.
>> Can you try doing that?
>> If that works, I'd be interested in knowing if the token name with 
>> space contributed to any part of the issue too.
>>
>> Christina
>>
>> Arshad Noor wrote:
>>> Hi Christina,
>>>
>>> Good to hear from you again.
>>>
>>> I changed the token name and removed the space, but nothing changed,
>>> unfortunately:
>>>
>>> Listing of PKCS #11 Modules
>>> -----------------------------------------------------------
>>>   1. NSS Internal PKCS #11 Module
>>>          slots: 2 slots attached
>>>         status: loaded
>>>
>>>          slot: NSS Internal Cryptographic Services
>>>         token: NSS Generic Crypto Services
>>>
>>>          slot: NSS User Private Key and Certificate Services
>>>         token: NSS Certificate DB
>>>
>>>   2. CryptoServer
>>>         library name: /usr/bin/libcs2_pkcs11.so
>>>          slots: 1 slot attached
>>>         status: loaded
>>>
>>>          slot: CryptoServer Device '/dev/cs2' - Slot No: 0
>>>         token: CBUAETEST
>>> -----------------------------------------------------------
>>>
>>> The debug file for the new CA instance shows:
>>>
>>> -------------------------------------------
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: display()
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got 
>>> module NSS Internal PKCS #11 Module
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: 
>>> supported modules count= 4
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from 
>>> config module: NSS Internal PKCS #11 Module
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: module 
>>> found: NSS Internal PKCS #11 Module
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
>>> nick name=NSS Generic Crypto Services
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
>>> logged in?false
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token is 
>>> present?true
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
>>> NSS Generic Crypto Services not to be added
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
>>> nick name=Internal Key Storage Token
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
>>> logged in?true
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token is 
>>> present?true
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
>>> module NSS Internal PKCS #11 Module
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from 
>>> config module: nfast
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
>>> module nfast
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from 
>>> config module: lunasa
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
>>> module lunasa
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from 
>>> config module: CryptoServer
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
>>> module CryptoServer
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel 
>>> subpanelno =9
>>> -------------------------------------------
>>>
>>> The CS.cfg for this instance has the following:
>>>
>>> -------------------------------------------
>>> preop.configModules.count=4
>>> ...
>>> preop.configModules.module3.commonName=CryptoServer
>>> preop.configModules.module3.imagePath=../img/clearpixel.gif
>>> preop.configModules.module3.userFriendlyName=Utimacos's CryptoServer 
>>> Hardware Security Module
>>> preop.module.token=CBUAETEST
>>> -------------------------------------------
>>>
>>> Arshad Noor
>>> StrongAuth, Inc.
>>>
>>> Christina Fu wrote:
>>>> Hi Arshad,
>>>>
>>>> Just a thought.  Did you try removing the space for your token name?
>>>>
>>>> Christina
>>>>
>>>> Arshad Noor wrote:
>>>>> Can someone from the DogTag team explain the process by which
>>>>> the installation servlet "finds" PKCS11 modules/HSMs and logs
>>>>> into them?  Alternatively, if you can point me to the specific
>>>>> source module that performs this, I'd be happy to look at it
>>>>> myself.
>>>>>
>>>>> I'm still baffled by our inability to have the installation
>>>>> servlet find the Utimaco HSM module, despite the fact that
>>>>> modutil sees it:
>>>>>
>>>>> $ pet105:~> modutil -dbdir /var/lib/subca01/alias -nocertdb -list
>>>>>
>>>>> Listing of PKCS #11 Modules
>>>>> -----------------------------------------------------------
>>>>>   1. NSS Internal PKCS #11 Module
>>>>>          slots: 2 slots attached
>>>>>         status: loaded
>>>>>
>>>>>          slot: NSS Internal Cryptographic Services
>>>>>         token: NSS Generic Crypto Services
>>>>>
>>>>>          slot: NSS User Private Key and Certificate Services
>>>>>         token: NSS Certificate DB
>>>>>
>>>>>   2. CryptoServer
>>>>>         library name: /usr/bin/libcs2_pkcs11.so
>>>>>          slots: 1 slot attached
>>>>>         status: loaded
>>>>>
>>>>>          slot: CryptoServer Device '/dev/cs2' - Slot No: 0
>>>>>         token: CBUAE TEST
>>>>> -----------------------------------------------------------
>>>>>
>>>>>
>>>>> There were some SELinux errors, but I fixed all of them; despite
>>>>> all calls now being successful, the installation servlet will
>>>>> still not see the HSM.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Arshad Noor
>>>>> StrongAuth, Inc.
>>>>>
>>>>> _______________________________________________
>>>>> Pki-users mailing list
>>>>> Pki-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/pki-users

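An added example, not part of the original thread and not Dogtag code: a small parser for the quoted ModulePanel debug log that rejoins the mail-wrapped entries and reports, per module name, which of the messages "got module", "got from config module:" and "module found:" the log contains. The tag names (`enumerated`, `configured`, `found`) are labels chosen here; what each message means inside ModulePanel is not stated in the thread, so the script only reports which entries are present.

```python
import re

# Excerpt of the ModulePanel debug log quoted in the thread, kept with its mail
# quote markers and line wrapping; pass the full log text in practice.
SAMPLE = """\
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got
>>> module NSS Internal PKCS #11 Module
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from
>>> config module: NSS Internal PKCS #11 Module
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: module
>>> found: NSS Internal PKCS #11 Module
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from
>>> config module: nfast
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from
>>> config module: lunasa
>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from
>>> config module: CryptoServer
"""

ENTRY = re.compile(r"^\[[^\]]+\]\[[^\]]+\]: ModulePanel:?\s*(.*)$")
EVENTS = {"got module": "enumerated", "got from config module:": "configured",
          "module found:": "found"}

def unwrap(text):
    """Strip mail quote markers and rejoin entries the mailer wrapped."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if line.startswith("[") or not entries:
            entries.append(line)
        elif line:
            entries[-1] += " " + line
    return entries

def module_report(text):
    """Map each module name to the set of events the log records for it."""
    report = {}
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        for prefix, tag in EVENTS.items():
            if m and m.group(1).startswith(prefix):
                report.setdefault(m.group(1)[len(prefix):].strip(), set()).add(tag)
    return report

def configured_but_not_found(text):
    """Modules read from the config list that have no 'module found' entry."""
    return [name for name, tags in module_report(text).items()
            if "configured" in tags and "found" not in tags]

print(configured_but_not_found(SAMPLE))
```

On this excerpt CryptoServer appears only as a configured module, the same as nfast and lunasa, while the NSS internal module has all three entries.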


