[Pki-users] Problems with Luna PCI HSM and dogtag 1.3

Christina Fu cfu at redhat.com
Thu May 24 21:49:43 UTC 2012


I have not worked on a Luna PCI HSM, but did you try the following to 
see if it provides you with any clue on the status of the token?
modutil -dbdir /var/lib/igi-ca/alias -list lunapci

And another suggestion is to add the token/password in the password.conf 
file before you start the configuration.

Christina

On 05/24/2012 05:34 AM, Riccardo Brunetti wrote:
>
> Dear pki-users.
> We are setting up a CA subsystem using dogtag 1.3 on CentOS-5.8 and an 
> HSM Luna PCI3000 (SafeNet).
> The HSM card seems to be correctly installed in the system and, using 
> the command line utilities, we could create a partition on the HSM to 
> store the crypto data.
>
> Unfortunately, when I run pkicreate and then the configuration wizard 
> in order to configure the CA subsystem, the HSM module seems not to 
> be detected and the system still uses the software "NSS Internal PKCS 
> #11 Module".
>
> I also tried to manually load the pkcs#11 module using the command:
>
> # modutil -dbdir /var/lib/igi-ca/alias -nocertdb -add lunapci -libfile 
> /usr/lunapci/lib/libCryptoki2_64.so
>
> and the output of the list command is the following:
>
> # modutil -dbdir /var/lib/igi-ca/alias -list
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>      slots: 2 slots attached
>     status: loaded
>
>      slot: NSS Internal Cryptographic Services
>     token: NSS Generic Crypto Services
>
>      slot: NSS User Private Key and Certificate Services
>     token: NSS Certificate DB
>
>   2. lunapci
>     library name: /usr/lunapci/lib/libCryptoki2_64.so
>      slots: 1 slot attached
>     status: loaded
>
>      slot: Viper PCI Card
>     token: turintest
> -----------------------------------------------------------
>
> Moreover this is the output of TokenInfo command:
>
> # TokenInfo /var/lib/igi-ca/alias/
>
> Database Path: /var/lib/igi-ca/alias/
> Found external module 'NSS Internal PKCS #11 Module'
> Found external module 'lunapci'
> Found external token 'turintest'
>
> Despite all of that, when the configuration wizard comes to the "Key 
> Store" page the module is not listed.
> I then tried to include it manually in the CS.cfg file:
>
> preop.configModules.module0.commonName=lunapci
> preop.configModules.module0.imagePath=../img/clearpixel.gif
> preop.configModules.module0.userFriendlyName=lunapci
>
> and in this case it is listed but in Status "Not Found"
>
> How can I solve this issue? Do you have some suggestions?
>
> Thank you very much
> R. Brunetti

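Added example, not part of either message above: a small shell check that reads `modutil -list` output and reports whether a named PKCS #11 module is registered, loaded, and exposes a token, which is the status Christina suggests inspecting before running the wizard. The function names `check_pkcs11_module` and `sample_listing` are hypothetical, and the sample input is the listing quoted in the original post.

```shell
# Added example: parse `modutil -list` output from stdin for one module.
# Exit codes: 0 ok, 2 not registered, 3 not loaded, 4 loaded but no token.
check_pkcs11_module() {   # hypothetical helper; $1 = module name
    awk -v want="$1" '
        /^[ \t]*[0-9]+\.[ \t]/ {              # module header: "  N. <name>"
            name = $0
            sub(/^[ \t]*[0-9]+\.[ \t]+/, "", name); sub(/[ \t]+$/, "", name)
            in_mod = (name == want); if (in_mod) found = 1
            next
        }
        in_mod && /^[ \t]*status:/ { sub(/^[ \t]*status:[ \t]*/, ""); status = $0; next }
        in_mod && /^[ \t]*token:/ {
            sub(/^[ \t]*token:[ \t]*/, "")
            if ($0 != "") tokens = tokens (tokens == "" ? "" : ",") $0
            next
        }
        END {
            if (!found)             { print "module=" want " not registered"; exit 2 }
            if (status != "loaded") { print "module=" want " status=" status; exit 3 }
            if (tokens == "")       { print "module=" want " loaded, no token"; exit 4 }
            print "module=" want " status=loaded tokens=" tokens
        }'
}
# Sample input: the listing quoted in the post, with the "> " prefix removed.
sample_listing() {
    cat <<'EOF'
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB

  2. lunapci
    library name: /usr/lunapci/lib/libCryptoki2_64.so
     slots: 1 slot attached
    status: loaded

     slot: Viper PCI Card
    token: turintest
EOF
}
sample_listing | check_pkcs11_module lunapci
```

On a live system the input would come from `modutil -dbdir /var/lib/igi-ca/alias -list` piped into the function. A passing check only confirms what NSS reports for that database; it does not show whether the configuration wizard will list the module.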


