[Pki-users] Configuring external PKCS#11 Module (softhsm) with DogTag

John Magne jmagne at redhat.com
Tue Aug 6 16:53:34 UTC 2013


Jayak:


Thanks for the info. Will have to take a closer look at this when I can have a moment. Will try to as soon as possible, lots of stuff going on right this second.


----- Original Message -----
From: "Jayakishore Thunga" <jayakishore.thunga at hotmail.com>
To: "John Magne" <jmagne at redhat.com>
Cc: pki-users at redhat.com
Sent: Tuesday, August 6, 2013 2:29:15 AM
Subject: RE: [Pki-users] Configuring external PKCS#11 Module (softhsm) with DogTag

Hi Jack,
test installation with the internal module is fine.
Please find attached wizard image, doesn't give an option to select token under "SOFTHSM PKCS#11 MODULE".
Here is debug log
--------------------------------------
[06/Aug/2013:14:33:54][http-9445-1]: BaseServlet:service() uri = /ca/admin/console/config/login
[06/Aug/2013:14:33:54][http-9445-1]: BaseServlet::service() param name='pin' value='(sensitive)'
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Welcome
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Key Store
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=ConfigHSMLogin
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Security Domain
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Display Certificate Chain
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Subsystem Type
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Display Certificate Chain
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Import Keys and Certificates
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=PKI Hierarchy
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Internal Database
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Key Pairs
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Subject Names
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Requests and Certificates
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Export Keys and Certificates
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Save Keys and Certificates
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Import CA's Certificate Chain
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Administrator
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Import Administrator's Certificate
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel name=Done
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: done
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: process
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet:service() uri = /ca/admin/console/config/wizard
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: op=display
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: size=19
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: in display
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: firstpanel
[06/Aug/2013:14:33:54][http-9445-1]: WizardServlet: panel=com.netscape.cms.servlet.csadmin.WelcomePanel at 1f2af1c
[06/Aug/2013:14:33:54][http-9445-1]: WelcomePanel: display()
[06/Aug/2013:14:33:55][http-9445-1]: WizardServlet: process
[06/Aug/2013:14:33:55][http-9445-1]: WizardServlet:service() uri = /ca/admin/console/config/wizard
[06/Aug/2013:14:33:55][http-9445-1]: WizardServlet::service() param name='p' value='0'
[06/Aug/2013:14:33:55][http-9445-1]: WizardServlet::service() param name='op' value='next'
[06/Aug/2013:14:33:55][http-9445-1]: WizardServlet: op=next
[06/Aug/2013:14:33:55][http-9445-1]: WizardServlet: size=19
[06/Aug/2013:14:33:55][http-9445-1]: WizardServlet: in next 0
[06/Aug/2013:14:33:56][http-9445-1]: getNextPanel input p=0
[06/Aug/2013:14:33:56][http-9445-1]: getNextPanel output p=1
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: display()
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: got module NSS Internal PKCS #11 Module
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: got module SOFTHSM PKCS#11 MODULE
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: supported modules count= 2
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: got from config module: NSS Internal PKCS #11 Module
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: module found: NSS Internal PKCS #11 Module
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: token nick name=NSS Generic Crypto Services
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: token logged in?false
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: token is present?true
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: token NSS Generic Crypto Services not to be added
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: token nick name=Internal Key Storage Token
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: token logged in?true
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: token is present?true
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: adding module NSS Internal PKCS #11 Module
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: got from config module: SOFTHSM PKCS#11 MODULE
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: module found: SOFTHSM PKCS#11 MODULE
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: adding module SOFTHSM PKCS#11 MODULE
[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel subpanelno =2
[06/Aug/2013:14:33:56][http-9445-1]: panel no=1
[06/Aug/2013:14:33:56][http-9445-1]: panel name=module
[06/Aug/2013:14:33:56][http-9445-1]: total number of panels=19

CS.cfg changes
--------------------------
preop.configModules.count=2
preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
preop.configModules.module0.imagePath=../img/clearpixel.gif
preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
preop.configModules.module1.commonName=SOFTHSM PKCS#11 MODULE
preop.configModules.module1.imagePath=../img/clearpixel.gif
preop.configModules.module1.userFriendlyName=SOFTHSM PKCS#11 MODULE
preop.module.token=softhsm

modutil -dbdir . -list (in /var/lib/pki-ca/alias)
--------------------------
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. SOFTHSM PKCS#11 MODULE
        library name: /usr/lib/softhsm/libsofthsm.so
         slots: 1 slot attached
        status: loaded

         slot: SoftHSM
        token: softhsm

Br,
Kishore
8105176926

> Date: Mon, 5 Aug 2013 13:18:43 -0400
> From: jmagne at redhat.com
> To: jayakishore.thunga at hotmail.com
> CC: pki-users at redhat.com
> Subject: Re: [Pki-users] Configuring external PKCS#11 Module (softhsm) with	DogTag
> 
> You should get to a screen on the wizard that asks you to choose a module?
> 
> You are not seeing this?
> 
> Take a look at the end of the log file /var/lib/pki-ca/logs/debug and see if anything sticks out with respect to your token.
> 
> 
> Also, you might want to run through a test installation with the internal module just to see if you can get a regular CA running ok.
> 
> thanks,
> jack
> 
> 
> ----- Original Message -----
> From: "Jayakishore Thunga" <jayakishore.thunga at hotmail.com>
> To: pki-users at redhat.com
> Sent: Monday, August 5, 2013 2:01:06 AM
> Subject: [Pki-users] Configuring external PKCS#11 Module (softhsm) with	DogTag
> 
> Hi , 
> 
> I am configuring external HSM called SoftHSM to certificate system. Here is my configuration 
> DogTag 9.0 
> Fedora 15 
> 
> After pkicreate, I created softhsm entry into the db. Here are the details 
> 
> [root at fed15vmnew alias]# modutil -dbdir . -nocertdb -list 
> Listing of PKCS #11 Modules 
> ----------------------------------------------------------- 
> 1. NSS Internal PKCS #11 Module 
> slots: 2 slots attached 
> status: loaded 
> 
> slot: NSS Internal Cryptographic Services 
> token: NSS Generic Crypto Services 
> 
> slot: NSS User Private Key and Certificate Services 
> token: NSS Certificate DB 
> 
> 2. SOFTHSM PKCS #11 Module 
> library name: /usr/lib/softhsm/libsofthsm.so 
> slots: 1 slot attached 
> status: loaded 
> 
> slot: SoftHSM 
> token: softhsm 
> ----------------------------------------------------------- 
> 
> 
> [root at fed15vmnew alias]# modutil -dbdir . -nocertdb -list "SOFTHSM PKCS #11 Module" 
> ----------------------------------------------------------- 
> Name: SOFTHSM PKCS #11 Module 
> Library file: /usr/lib/softhsm/libsofthsm.so 
> Manufacturer: SoftHSM 
> Description: Implementation of PKCS11 
> PKCS #11 Version 2.20 
> Library Version: 1.3 
> Cipher Enable Flags: None 
> Default Mechanism Flags: RSA 
> 
> Slot: SoftHSM 
> Slot Mechanism Flags: RSA 
> Manufacturer: SoftHSM 
> Type: Software 
> Version Number: 1.3 
> Firmware Version: 1.3 
> Status: Enabled 
> Token Name: softhsm 
> Token Manufacturer: SoftHSM 
> Token Model: SoftHSM 
> Token Serial Number: 1 
> Token Version: 1.3 
> Token Firmware Version: 1.3 
> Access: NOT Write Protected 
> Login Type: Login required 
> User Pin: Initialized 
> 
> /var/lib/pki-ca/conf/password.conf 
> added this line 
> hardware-softhsm=12345 
> & 
> Modified /var/lib/pki-ca/conf/ serverCertNick.conf 
> softhsm:Server-Cert cert-pki-ca 
> 
> After this, configuration link doesn't open https://fed15vmnew.newnet.local:9445/ca/admin/console/config/login?pin=mgjpN14xJzgNR97RW7dt 
> If password.conf & serverCertNick.conf are unmodified then, configuration link opens and SoftHSM module is listed as Found, but doesn't allow to set it as default for the CA system. 
> 
> Please help in setting up external HSM to be configured with certificate system. 
> 
> Thanks, 
> 
> Br, 
> Kishore 
> 8105176926 
> 
> 
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
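
The ModulePanel entries in the debug log quoted in this thread can be summarised per module. The following Python script is an added example, not part of the original messages or of Dogtag; it parses those entries (the sample is an excerpt of the entries quoted above) and lists configured modules for which no token entry was logged. The function names are assumptions of this example.

```python
import re

# Entry prefix used by the debug log quoted in the thread: [date:time][thread]: 
ENTRY = re.compile(r"\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}\]\[[^\]]+\]: ")

# Excerpt of the ModulePanel entries from the message, run together as archived.
SAMPLE = "".join("[06/Aug/2013:14:33:56][http-9445-1]: ModulePanel: " + m for m in (
    "got from config module: NSS Internal PKCS #11 Module",
    "module found: NSS Internal PKCS #11 Module",
    "token nick name=NSS Generic Crypto Services",
    "token logged in?false",
    "token is present?true",
    "token NSS Generic Crypto Services not to be added",
    "token nick name=Internal Key Storage Token",
    "token logged in?true",
    "token is present?true",
    "adding module NSS Internal PKCS #11 Module",
    "got from config module: SOFTHSM PKCS#11 MODULE",
    "module found: SOFTHSM PKCS#11 MODULE",
    "adding module SOFTHSM PKCS#11 MODULE",
))

def parse_module_panel(log_text):
    """Return {module: [token dicts]}; works on per-line or run-together logs."""
    modules, current = {}, None
    for entry in ENTRY.split(log_text):
        entry = entry.strip()
        if not entry.startswith("ModulePanel: "):
            continue
        msg = entry[len("ModulePanel: "):]
        if msg.startswith("got from config module: "):
            current = msg.split(": ", 1)[1]
            modules[current] = []
        elif current is None:
            continue  # entries logged before the first configured module
        elif msg.startswith("token nick name="):
            modules[current].append({"name": msg.split("=", 1)[1]})
        elif msg.startswith(("token logged in?", "token is present?")) and modules[current]:
            key, value = msg.split("?", 1)
            modules[current][-1][key[len("token "):]] = (value == "true")
    return modules

def modules_without_tokens(log_text):
    """Configured modules for which ModulePanel logged no token entry."""
    return [m for m, toks in parse_module_panel(log_text).items() if not toks]

if __name__ == "__main__":
    for module, tokens in parse_module_panel(SAMPLE).items():
        print(module, "->", tokens or "no token entries logged")
```

On the excerpt, the internal module shows two token entries, while SOFTHSM PKCS#11 MODULE goes from "module found" to "adding module" with none in between.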