[Pki-users] Utimaco HSM "Not Found" problem

Chandrasekar Kannan ckannan at redhat.com
Thu Apr 22 23:38:12 UTC 2010


On 04/22/2010 03:43 PM, Arshad Noor wrote:
> I'm afraid it didn't pick up the new module, Christina.  modutil
> shows it correctly, but as you can see from the attached PNG, the
> servlet did not find the HSM.

Looks like the NSS layer has no problems identifying the token.
Can you use this tool and see if the JSS layer can see it as well?

http://www.redhat.com/docs/manuals/cert-system/8.0/cli/html/TokenInfo.html


>
> Based on Michael StJohn's postings and some feedback I have from
> the vendor, it appears that the 32-bit version of DogTag may be
> working; but we're testing on a 64-bit version of Fedora 11 and
> DogTag.  Could that be causing the problem?  The PKCS11 library
> from the HSM vendor is 64-bit.
>
> Arshad Noor
> StrongAuth, Inc.
>
> Arshad Noor wrote:
>> So, if I understand you correctly, you want me to:
>>
>> 1) Make sure that the module is configured correctly in the
>>    new CA instance's alias/secmod.db file; and
>>
>> 2) Remove all references to the new HSM from CS.cfg, use a
>>    default CS.cfg, so that your configuration module code
>>    adds it to CS.cfg based on what's configured in secmod.db?
>>
>> Will get back to you in about 15 minutes.
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> Christina Fu wrote:
>>> Arshad,
>>>
>>> I'm curious.  The unsupported modules are supposed to be picked up 
>>> by the configuration module.  That means, you don't need to add 
>>> those configModules in the CS.cfg.
>>> Can you try doing that?
>>> If that works, I'd be interested in knowing if the token name with 
>>> space contributed to any part of the issue too.
>>>
>>> Christina
>>>
>>> Arshad Noor wrote:
>>>> Hi Christina,
>>>>
>>>> Good to hear from you again.
>>>>
>>>> I changed the token name and removed the space, but nothing changed,
>>>> unfortunately:
>>>>
>>>> Listing of PKCS #11 Modules
>>>> -----------------------------------------------------------
>>>>   1. NSS Internal PKCS #11 Module
>>>>          slots: 2 slots attached
>>>>         status: loaded
>>>>
>>>>          slot: NSS Internal Cryptographic Services
>>>>         token: NSS Generic Crypto Services
>>>>
>>>>          slot: NSS User Private Key and Certificate Services
>>>>         token: NSS Certificate DB
>>>>
>>>>   2. CryptoServer
>>>>         library name: /usr/bin/libcs2_pkcs11.so
>>>>          slots: 1 slot attached
>>>>         status: loaded
>>>>
>>>>          slot: CryptoServer Device '/dev/cs2' - Slot No: 0
>>>>         token: CBUAETEST
>>>> -----------------------------------------------------------
>>>>
>>>> The debug file for the new CA instance shows:
>>>>
>>>> -------------------------------------------
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: display()
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got 
>>>> module NSS Internal PKCS #11 Module
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: 
>>>> supported modules count= 4
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got 
>>>> from config module: NSS Internal PKCS #11 Module
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: module 
>>>> found: NSS Internal PKCS #11 Module
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
>>>> nick name=NSS Generic Crypto Services
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
>>>> logged in?false
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
>>>> is present?true
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
>>>> NSS Generic Crypto Services not to be added
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
>>>> nick name=Internal Key Storage Token
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
>>>> logged in?true
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
>>>> is present?true
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
>>>> module NSS Internal PKCS #11 Module
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got 
>>>> from config module: nfast
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
>>>> module nfast
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got 
>>>> from config module: lunasa
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
>>>> module lunasa
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got 
>>>> from config module: CryptoServer
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
>>>> module CryptoServer
>>>> [22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel 
>>>> subpanelno =9
>>>> -------------------------------------------
>>>>
>>>> The CS.cfg for this instance has the following:
>>>>
>>>> -------------------------------------------
>>>> preop.configModules.count=4
>>>> ...
>>>> preop.configModules.module3.commonName=CryptoServer
>>>> preop.configModules.module3.imagePath=../img/clearpixel.gif
>>>> preop.configModules.module3.userFriendlyName=Utimacos's 
>>>> CryptoServer Hardware Security Module
>>>> preop.module.token=CBUAETEST
>>>> -------------------------------------------
>>>>
>>>> Arshad Noor
>>>> StrongAuth, Inc.
>>>>
>>>> Christina Fu wrote:
>>>>> Hi Arshad,
>>>>>
>>>>> Just a thought.  Did you try removing the space for your token name?
>>>>>
>>>>> Christina
>>>>>
>>>>> Arshad Noor wrote:
>>>>>> Can someone from the DogTag team explain the process by which
>>>>>> the installation servlet "finds" PKCS11 modules/HSMs and logs
>>>>>> into them?  Alternatively, if you can point me to the specific
>>>>>> source module that performs this, I'd be happy to look at it
>>>>>> myself.
>>>>>>
>>>>>> I'm still baffled by our inability to have the installation
>>>>>> servlet find the Utimaco HSM module, despite the fact that
>>>>>> modutil sees it:
>>>>>>
>>>>>> $ pet105:~> modutil -dbdir /var/lib/subca01/alias -nocertdb -list
>>>>>>
>>>>>> Listing of PKCS #11 Modules
>>>>>> -----------------------------------------------------------
>>>>>>   1. NSS Internal PKCS #11 Module
>>>>>>          slots: 2 slots attached
>>>>>>         status: loaded
>>>>>>
>>>>>>          slot: NSS Internal Cryptographic Services
>>>>>>         token: NSS Generic Crypto Services
>>>>>>
>>>>>>          slot: NSS User Private Key and Certificate Services
>>>>>>         token: NSS Certificate DB
>>>>>>
>>>>>>   2. CryptoServer
>>>>>>         library name: /usr/bin/libcs2_pkcs11.so
>>>>>>          slots: 1 slot attached
>>>>>>         status: loaded
>>>>>>
>>>>>>          slot: CryptoServer Device '/dev/cs2' - Slot No: 0
>>>>>>         token: CBUAE TEST
>>>>>> -----------------------------------------------------------
>>>>>>
>>>>>>
>>>>>> There were some SELinux errors, but I fixed all of them; despite
>>>>>> all calls now being successful, the installation servlet will
>>>>>> still not see the HSM.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> Arshad Noor
>>>>>> StrongAuth, Inc.
>>>>>>
>>>>>> _______________________________________________
>>>>>> Pki-users mailing list
>>>>>> Pki-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/pki-users

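The thread compares two views of the same HSM: what `modutil -list` reports from secmod.db and what CS.cfg names under `preop.*`. The following is an added example, not code from the thread or from Dogtag, that parses both and reports where they disagree; `parse_modutil` and `cross_check` are hypothetical helper names, and the sample input is constructed from the listings quoted above.

```python
import re

# Constructed sample, abridged from the thread: the earlier modutil listing
# (token name with a space) paired with the later CS.cfg (space removed).
MODUTIL_LISTING = """\
  1. NSS Internal PKCS #11 Module
        status: loaded
        token: NSS Certificate DB
  2. CryptoServer
        library name: /usr/bin/libcs2_pkcs11.so
        status: loaded
         slot: CryptoServer Device '/dev/cs2' - Slot No: 0
        token: CBUAE TEST
"""
CS_CFG = """\
preop.configModules.module3.commonName=CryptoServer
preop.module.token=CBUAETEST
"""

def parse_modutil(text):
    """Map module name -> {'library', 'status', 'tokens'} from `modutil -list` output."""
    modules, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*\d+\.\s+(.+?)\s*$", line)
        kv = re.match(r"\s*(library name|status|token):\s*(.*?)\s*$", line)
        if head:  # numbered line starts a new module entry
            cur = modules.setdefault(head.group(1), {"library": None, "status": None, "tokens": []})
        elif cur is not None and kv:
            key, val = kv.groups()
            if key == "token":
                cur["tokens"].append(val)
            else:
                cur["library" if key == "library name" else "status"] = val
    return modules

def cross_check(modules, cs_cfg):
    """Return human-readable mismatches between secmod.db (modutil) and CS.cfg."""
    cfg = dict(l.split("=", 1) for l in cs_cfg.splitlines() if "=" in l)
    tokens = [t for m in modules.values() for t in m["tokens"]]
    out = [f"CS.cfg module {v!r} not in secmod.db" for k, v in cfg.items()
           if k.endswith(".commonName") and v not in modules]
    out += [f"module {n!r} not loaded" for n, m in modules.items() if m["status"] != "loaded"]
    want = cfg.get("preop.module.token")
    if want and want not in tokens:
        near = [t for t in tokens if "".join(t.split()) == "".join(want.split())]
        hint = f"; {near[0]!r} differs only by whitespace" if near else ""
        out.append(f"preop.module.token {want!r} not reported by any module{hint}")
    return out
```

An empty result only means secmod.db and CS.cfg agree; as the thread shows, the installation servlet can still fail to present the token when they do.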