[Pki-users] Utimaco HSM "Not Found" problem

Christina Fu cfu at redhat.com
Tue Apr 27 02:46:25 UTC 2010


Chandrasekar Kannan wrote:
> On 04/26/2010 09:51 AM, Arshad Noor wrote:
>> Do you have any update on the JSS issue, Chandrasekar?  Thanks.
>
> I don't. We may need to debug the JSS code to figure out
> what the problem is....
>
>
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> Arshad Noor wrote:
>>> No luck.
>>>
>>> -------------
>>> # pet105:~> setenforce 0
>>> # pet105:~> TokenInfo /var/lib/subca01/alias
>>> Database Path: /var/lib/subca01/alias
>>> Found external module 'NSS Internal PKCS #11 Module'
>>> # pet105:~>
>>> -------------
>>>
>>> Output from audit.log:
>>>
>>> -------------
>>> type=MAC_STATUS msg=audit(1271980444.565:345): enforcing=0 
>>> old_enforcing=1 auid=500 ses=5
>>> type=SYSCALL msg=audit(1271980444.565:345): arch=c000003e syscall=1 
>>> success=yes exit=1 a0=3 a1=7fff300dfb20 a2=1 a3=fffffff8 items=0 
>>> ppid=32217 pid=32292 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 
>>> egid=0 sgid=0 fsgid=0 tty=pts4 ses=5 comm="setenforce" 
>>> exe="/usr/sbin/setenforce" 
>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>>> -------------
>>>
>>> Arshad Noor
>>> StrongAuth, Inc.
>>>
>>> Chandrasekar Kannan wrote:
>>>> On 04/22/2010 04:44 PM, Arshad Noor wrote:
>>>>> Interesting; it did not:
>>>>>
>>>>> # pet105:~> modutil -dbdir /var/lib/subca01/alias/ -nocertdb -list
>>>>>
>>>>> Listing of PKCS #11 Modules
>>>>> -----------------------------------------------------------
>>>>>   1. NSS Internal PKCS #11 Module
>>>>>          slots: 2 slots attached
>>>>>         status: loaded
>>>>>
>>>>>          slot: NSS Internal Cryptographic Services
>>>>>         token: NSS Generic Crypto Services
>>>>>
>>>>>          slot: NSS User Private Key and Certificate Services
>>>>>         token: NSS Certificate DB
>>>>>
>>>>>   2. CryptoServer
>>>>>         library name: /usr/bin/libcs2_pkcs11.so
>>>>>          slots: 1 slot attached
>>>>>         status: loaded
>>>>>
>>>>>          slot: CryptoServer Device '/dev/cs2' - Slot No: 0
>>>>>         token: CBUAETEST
>>>>> -----------------------------------------------------------
>>>>> # pet105:~> TokenInfo /var/lib/subca01/alias
>>>>> Database Path: /var/lib/subca01/alias
>>>>> Found external module 'NSS Internal PKCS #11 Module'
>>>>> # pet105:~>
>>>>>
>>>>> And there were no SELinux errors in the audit log.
>>>>
>>>> Can you 'setenforce 0' (putting SELinux into permissive mode)
>>>> and try one more time?
>>>>
>>>>
>>>>>
>>>>> Arshad Noor
>>>>> StrongAuth, Inc.
>>>>>
>>>>>
>>>>> Chandrasekar Kannan wrote:
>>>>>>
>>>>>> Looks like the NSS layer has no problems identifying the token.
>>>>>> Can you use this tool and see if the JSS layer can see it as well?
>>>>>>
>>>>>> http://www.redhat.com/docs/manuals/cert-system/8.0/cli/html/TokenInfo.html 
>>>>>>
>>>>>>
>>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>
Actually, I did spend some time looking into JSS code.  The result was 
inconclusive.  The code appeared to be reasonable.  I do suspect, 
however, without looking closely at the code, that somehow the module is 
unloaded somewhere along the way.
I'm curious whether this is an issue on this particular HSM, or if it's 
a matter of handling external modules (including software modules) in 
general.
Has anyone had any success installing/using a Certicom module on this
platform, for example?

Again, I did not see any email from another member (StJohns?) that you
mentioned claiming success with Utimaco HSM on a 32-bit machine... could
you please forward the email?
Another thing is, I'm not familiar with Utimaco HSM, but you might want
to find out how to turn on the debugger.

Otherwise, try turning on NSS debugging, which might give you some clue.

Christina
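
The comparison this thread performs by hand (modutil output versus TokenInfo output), followed by the NSS debugging step suggested above, as an added example that is not part of the original message. It assumes the installed NSS build honours the PKCS #11 module logger variables (NSS_DEBUG_PKCS11_MODULE, NSPR_LOG_MODULES, NSPR_LOG_FILE); the function names and the log path are hypothetical, and the sample inputs are abridged from the outputs quoted in the thread.

```shell
# Added example: compare NSS's and JSS's view of the PKCS #11 modules.

# Module names from `modutil -list` output (lines such as "  2. CryptoServer").
nss_modules() {
    sed -n 's/^ *[0-9][0-9]*\. \(.*[^ ]\) *$/\1/p'
}

# Module names from TokenInfo output ("Found external module 'NAME'").
jss_modules() {
    sed -n "s/^Found external module '\(.*\)' *\$/\1/p"
}

# Print each module present in $1 (modutil output) but absent from
# $2 (TokenInfo output), one name per line.
missing_in_jss() {
    printf '%s\n' "$1" | nss_modules | while IFS= read -r name; do
        printf '%s\n' "$2" | jss_modules | grep -Fxq -- "$name" ||
            printf '%s\n' "$name"
    done
}

# Rerun TokenInfo with NSS's PKCS #11 module logger tracing one module.
# Usage: trace_tokeninfo <dbdir> <module-name> <logfile>
# Assumption: the installed NSS build has the module logger enabled.
trace_tokeninfo() {
    NSS_DEBUG_PKCS11_MODULE="$2" NSPR_LOG_MODULES="nss_mod_log:4" \
        NSPR_LOG_FILE="$3" TokenInfo "$1"
}

# Sample inputs, abridged from the outputs quoted in this thread.
SAMPLE_MODUTIL="Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
  2. CryptoServer
        library name: /usr/bin/libcs2_pkcs11.so
         slot: CryptoServer Device '/dev/cs2' - Slot No: 0"
SAMPLE_TOKENINFO="Database Path: /var/lib/subca01/alias
Found external module 'NSS Internal PKCS #11 Module'"

# /tmp/pkcs11-trace.log is a hypothetical log path.
missing_in_jss "$SAMPLE_MODUTIL" "$SAMPLE_TOKENINFO" | while IFS= read -r m; do
    echo "NSS lists '$m' but JSS does not; trace it with:"
    echo "  trace_tokeninfo /var/lib/subca01/alias '$m' /tmp/pkcs11-trace.log"
done
```

In the resulting trace, a C_Finalize call on the traced module before TokenInfo enumerates modules would support the suspicion that the module is being unloaded along the way.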



