From: Leonardo L. P. da M. <ba...@gm...> - 2008-10-20 11:25:26
I've read the HSM manual and checked that my Security world is a FIPS level 2. The NFAST_HOME is ok. I think this is a security issue. I'm gonna try with the system administrator. Thanks.

On Sun, Oct 19, 2008 at 8:12 AM, Tomas Gustavsson <to...@pr...> wrote:
>
> I think you should be able to see if your security world is in fips
> level 2 using nfkminfo commands.
>
> Otherwise "nCipher.sworld not found" sounds like it can not find the
> security world. Did you set NFAST_HOME env variable?
>
> Cheers,
> Tomas
>
> Leonardo L. P. da Mata wrote:
>> Ok, I'm able to create CAs using nCipher HSM, as I've mentioned
>> (thanks to http://www.linagora.org/ people). Now I need to import
>> external keys and CAs in this HSM.
>>
>> I've tried to use the steps "Importing an existing CA or sub-CA to
>> EJBCA." on the user's manual, but I'm getting some errors.
>>
>> First of all, I didn't create the small world, some old administrators
>> done this job and I can't do it again.
>> I don't know if my security world is a fips 140-2 level 2 as mentioned
>> in: ("The security world has to be initialized in the default FIPS
>> 140-2 Level 2 for this to work. ").
>>
>> After using:
>> c:\nfast\bin\generatekey.exe --import -c cardset jcecsp
>> pemreadfile=teste.pem type=RSA keystore=temp.keystore
>>
>> And type parameter of the x509 certificate, I'm getting:
>>
>> Card reading complete.
>>
>> Subprocess failed
>> Arguments: java.exe com.ncipher.provider.tools.ImportKey --keystore temp.keystore --alias imported --ident e48cade40f1528f531b372817ddc969bae071de3 --type com.ncipher.provider.km.KMRSAPrivateKey --certificate C:/nfast/kmdata/tmp/3128_basilisco.cert << {
>> }
>> Errors:
>> FATAL: java.security.KeyStoreException nCipher.sworld not found
>>
>>
>> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
>> nfgk_operate: SoftwareFailed
>>
>>
>> Is this an issue because I have a different fips level?
>>
>>
>> Just to make sure, what's the difference between a recovery key and a
>> normal key (as the tool asks "recovery: Key recovery? (yes/no) [yes] > ")?
>>
>> Thanks again
>>
>> On Wed, Oct 15, 2008 at 6:51 PM, Leonardo L. P. da Mata
>> <ba...@gm...> wrote:
>>> I've started a new installation from scratch...
>>> It worked.
>>>
>>> Every time you start jboss you need to use nCipherJboss.cmd/.sh, even
>>> in the first time (generating the AdminCA1). This is something that
>>> should be better explained in the documentation. This when you need to
>>> use nCipher HSM :-).
>>>
>>> In my last installation, I was using the
>>> security.provider.1=com.ncipher.provider.km.nCipherKM
>>> as default security provider in
>>> JAVA_HOME/jre/lib/security/java.security
>>>
>>> But since I couldn't reproduce the error, and changing back to the
>>> original, the error persists. I guess that this isn't a security
>>> problem.
>>>
>>> I will keep testing the software and updating this thread.
>>>
>>> Thanks again.
>>>
>>> On Wed, Oct 15, 2008 at 5:02 PM, Johan Eklund <ejb...@pr...> wrote:
>>>> I vaguely recall this as caused by not listing the nCipher provider in some
>>>> JRE configfile.. might have been in JREHOME/lib/security/ or something like
>>>> that.. my theory is that it is using the regular JCE provider on a nCipher
>>>> keystore or maybe vice versa.. but this is pretty vague memories.. =/
>>>>
>>>> /Johan
>>>>
>>>> Leonardo L. P. da Mata skrev:
>>>>> Hello, I've configured ejbca with JCE keys.
>>>>> After the installation I'm getting a strange error.
>>>>> "java.io.IOException: Bad KeyStore file, expecting a 40 character line."
>>>>>
>>>>> It seems that the keystore cannot be loaded.
>>>>> Is the keystore used when starting ejbca the keystore that stores the
>>>>> keys for SSL? (:-o)
>>>>>
>>>>> ejbca.properties contains:
>>>>> ca.tokentype=org.ejbca.core.model.ca.catoken.NFastCAToken
>>>>> ca.tokenpassword=password
>>>>>
>>>>> and catoken.properties contains:
>>>>> keyStore baac258f773b0eb0ac1277e807207f0c63065ced
>>>>> defaultKey defaultRoot1
>>>>> certSignKey signRoot1
>>>>> crlSignKey signRoot1
>>>>> testKey testRoot1
>>>>>
>>>>> This configuration was done before the installation.
>>>>>
>>>>> Should I use a different keyStore??
>>>>> Is there any problem configuring the default CA with soft and then
>>>>> using ncipher HSM to generate other CAs?
>>>>>
>>>>> Thanks.
>>>>>
>>>>>
>>>>> INFO: WSSERVLET14: JAX-WS servlet initializing
>>>>> 16:20:18,890 INFO [EARDeployer] Started J2EE application:
>>>>> file:/C:/jboss-4.2.3.GA/server/default/deploy/ejbca.ear
>>>>> 16:20:19,015 INFO [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
>>>>> 16:20:19,031 ERROR [Http11Protocol] Error starting endpoint
>>>>> java.io.IOException: Bad KeyStore file, expecting a 40 character line.
>>>>> at com.ncipher.provider.km.KMKeyStore.engineLoad(KMKeyStore.java:674)
>>>>> at java.security.KeyStore.load(KeyStore.java:1185)
>>>>> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:319)
>>>>> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:259)
>>>>> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:410)
>>>>> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:378)
>>>>> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)
>>>>> at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
>>>>> at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
>>>>> at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
>>>>> at org.apache.catalina.connector.Connector.start(Connector.java:1146)
>>>>> at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:601)
>>>>> at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:638)
>>>>> at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>> at java.lang.reflect.Method.invoke(Method.java:597)
>>>>> at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
>>>>> at $Proxy46.handleNotification(Unknown Source)
>>>>> at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
>>>>> at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
>>>>> at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
>>>>> at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
>>>>> at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
>>>>> at org.jboss.Main.boot(Main.java:200)
>>>>> at org.jboss.Main$1.run(Main.java:508)
>>>>> at java.lang.Thread.run(Thread.java:619)
>>>>> 16:20:19,046 WARN [JBossWeb] Failed to startConnectors
>>>>> LifecycleException: service.getName(): "jboss.web"; Protocol handler start failed: java.io.IOException: Bad KeyStore file, expecting a 40 character line.
>>>>> at org.apache.catalina.connector.Connector.start(Connector.java:1153)
>>>>> at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:601)
>>>>> at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:638)
>>>>> at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>> at java.lang.reflect.Method.invoke(Method.java:597)
>>>>> at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
>>>>> at $Proxy46.handleNotification(Unknown Source)
>>>>> at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
>>>>> at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
>>>>> at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
>>>>> at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
>>>>> at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
>>>>> at org.jboss.Main.boot(Main.java:200)
>>>>> at org.jboss.Main$1.run(Main.java:508)
>>>>> at java.lang.Thread.run(Thread.java:619)
>>>>> 16:20:19,062 INFO [Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)] Started in 4m:25s:750ms
>>>>>
>>>>>
>>>>> On Tue, Oct 14, 2008 at 4:24 PM, Leonardo L. P. da Mata
>>>>> <ba...@gm...> wrote:
>>>>>
>>>>>> To illustrate how I import the keys, I've imported again, and here
>>>>>> is the result:
>>>>>>
>>>>>> c:\nfast\bin\generatekey --import -c mscapi pkcs11
>>>>>> pemreadfile=teste.pem type=RSA
>>>>>> recovery: Key recovery? (yes/no) [yes] >
>>>>>> plainname: Key name? [] > imported3
>>>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no)
>>>>>> [no]
>>>>>> key generation parameters:
>>>>>>  operation     Operation to perform                                      import
>>>>>>  application   Application                                               pkcs11
>>>>>>  protect       Protected by                                              token
>>>>>>  slot          Slot to read cards from                                   0
>>>>>>  recovery      Key recovery                                              yes
>>>>>>  verify        Verify security of key                                    yes
>>>>>>  type          Key type                                                  RSA
>>>>>>  pemreadfile   PEM file containing RSA key                               teste.pem
>>>>>>  plainname     Key name                                                  imported3
>>>>>>  nvram         Store blob in NVRAM (will require administrator cardset)  no
>>>>>>
>>>>>> Loading `mscapi':
>>>>>>  Module 1: 0 cards of 1 read
>>>>>>  Module 1 slot 0: `mscapi' #1 (`oper')
>>>>>>  Module 1 slot 0:- passphrase supplied - reading card
>>>>>> Card reading complete.
>>>>>>
>>>>>> Key successfully imported.
>>>>>> Path to key:
>>>>>> C:\nfast\kmdata\local\key_pkcs11_uc3d9fa9461f5ada90d40e0b1a2420099ea70834bb-9108857e16ec3ee22b9a23373e9c6f24eac8d70b
>>>>>>
>>>>>>
>>>>>> It seems that the key is correctly imported. "This is surely possible,
>>>>>> but we have not done it so we can't provide you with finished commands
>>>>>> for importing keys for PKCS#11." Do you think that the message
>>>>>> saying "Key successfully imported." is not true?
>>>>>>
>>>>>> 1) I will try the JCE way.
>>>>>> 2) Since there's no difference between creating a new one, and
>>>>>> importing, the options are a little bit confusing. Maybe the
>>>>>> documentation must be more "step by step" like.. :-)
>>>>>> 3) I notice that also.
>>>>>>
>>>>>>
>>>>>> I will check for other ways to use the HSM and keep giving feedback here.
>>>>>>
>>>>>> Thanks for all the help provided..
>>>>>>
>>>>>>
>>>>>> On Tue, Oct 14, 2008 at 3:57 PM, Ejbca support
>>>>>> <ejb...@pr...> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> 1) The Howto article is created for the NFastToken way of using nCipher,
>>>>>>> not PKCS#11. You can use nCipher using:
>>>>>>> - PKCS#11
>>>>>>> - NFast JCE Provider
>>>>>>>
>>>>>>> Both ways work, but the howto for importing keys is done for the JCE
>>>>>>> provider.
>>>>>>> When trying to start JBoss using the JCE provider did you use
>>>>>>> EJBCA/bin/nCipherJboss.sh and did you have the nCipher JCE/JCA provider
>>>>>>> installed (it is separate packages in the nCipher install)?
>>>>>>>
>>>>>>> When nfkminfo says:
>>>>>>> -----
>>>>>>>
>>>>>>> jboss@host$ $NFAST_HOME/bin/nfkminfo -k
>>>>>>> AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
>>>>>>> AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
>>>>>>> -----
>>>>>>> jcecsp means the keys can only be used by the JCE-provider. nCipher does
>>>>>>> it so you have different targets depending on which API you are using. If
>>>>>>> you want to use PKCS#11 you need to import the keys in another way.
>>>>>>> This is surely possible, but we have not done it so we can't provide you
>>>>>>> with finished commands for importing keys for PKCS#11.
>>>>>>>
>>>>>>>
>>>>>>> 2) There is no option for creating an "imported CA", you simply create a
>>>>>>> CA as usual and provide the correct parameters as CAToken parameters.
>>>>>>> From EJBCA's view there is no difference between a CA with keys
>>>>>>> generated in the HSM or created in the HSM. From EJBCA's view the keys
>>>>>>> ARE simply in the HSM and are used in the HSM.
>>>>>>>
>>>>>>> Simply create a new CA using keys on the HSM. Enter a name for the new
>>>>>>> CA and click 'Create CA'.
>>>>>>>
>>>>>>> Which options do not exist? Perhaps the wording "When importing a
>>>>>>> sub-CA" is confusing? Since you don't import a CA, you simply create a
>>>>>>> CA as usual.
>>>>>>>
>>>>>>> 3) "Import CA certificate" is for something completely different, don't
>>>>>>> use that. This function simply imports a CA certificate (as you
>>>>>>> noticed), so you can have external CA certificates imported for various
>>>>>>> verification reasons.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Tomas
>>>>>>> -----
>>>>>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>>>>>> training for EJBCA. Please see www.primekey.se or contact
>>>>>>> in...@pr... for more information.
>>>>>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>>>>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>>>>>
>>>>>>>
>>>>>>> Leonardo L. P. da Mata wrote:
>>>>>>>
>>>>>>>> Hey, so, I've read the documentation, but I think there are some
>>>>>>>> lacks...
>>>>>>>> Just to make sure, to use the nCipher nShield, I should use the pkcs11
>>>>>>>> interface, right? I've tried to start jboss using the ncipher
>>>>>>>> interface, but it didn't work. So I suppose that this kind of hsm must
>>>>>>>> use the pkcs11 interface.
>>>>>>>>
>>>>>>>> On the screen:
>>>>>>>> https://localhost:8443/ejbca/adminweb/ca/editcas/editcas.jsp
>>>>>>>>
>>>>>>>> I can't find the option mentioned in the documentation, there's no
>>>>>>>> "create new CA 'ImportedCA'" option, and when I click in the create
>>>>>>>> button, there's no option that can be selected as importedCA.
>>>>>>>>
>>>>>>>> There are "Import CA keystore" and "import CA certificate". But when I
>>>>>>>> use the option "import CA certificate" I can import my CA certificate,
>>>>>>>> but the key is not stored in the HSM. The CA Token Type is set to Null
>>>>>>>> after the import.
>>>>>>>>
>>>>>>>> We must provide more than 1 type of security solution, that's why I'm
>>>>>>>> testing both generating keys inside HSM and generating outside and
>>>>>>>> importing them.
>>>>>>>>
>>>>>>>> The next step I will try is to generate User certificates into smart
>>>>>>>> cards, but I'm already testing http://www.hardtokenmgmt.org/.
>>>>>>>>
>>>>>>>> Thanks, I appreciate the help. Hope to help the company that I'm
>>>>>>>> working for to be another reference installation.
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Oct 14, 2008 at 5:28 AM, Tomas Gustavsson <to...@pr...>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hi Leonardo,
>>>>>>>>>
>>>>>>>>> Did you read the chapter in the User Guide at ejbca.org called
>>>>>>>>> "Importing an existing CA or sub-CA to EJBCA"? It's under the
>>>>>>>>> HSM->nCipher section. This text explains exactly how you can import
>>>>>>>>> existing keys (stored on disc) to create a CA in EJBCA.
>>>>>>>>> It also explains how you create the CA in EJBCA.
>>>>>>>>>
>>>>>>>>> We have done this and it works, no options in JBoss. Since the keys are
>>>>>>>>> imported into nCipher, it is simply just like any other CA with keys on
>>>>>>>>> the nCipher HSM. There is no difference between this CA and a CA where
>>>>>>>>> keys are generated inside the HSM (which is the recommended way for
>>>>>>>>> security reasons of course).
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Tomas
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Leonardo L. P. da Mata wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I'm developing the PKI infrastructure for the Official Press of Minas
>>>>>>>>>> Gerais State, in Brazil, and I'm having some problems on generating
>>>>>>>>>> keys outside a HSM and importing them inside the HSM.
>>>>>>>>>>
>>>>>>>>>> The server is a Windows XP, and I'm using nCipher nShield HSM. I was
>>>>>>>>>> able to import the keys using generatekey --import, the keys are
>>>>>>>>>> listed using nfkminfo tool, but I don't know how to use these keys to
>>>>>>>>>> create a new CA. Is it possible to use external keys to create new
>>>>>>>>>> CAs?
>>>>>>>>>>
>>>>>>>>>> Is there any special change to use imported keys in the administration
>>>>>>>>>> GUI? Do I need to set parameters when I start JBOSS to use external
>>>>>>>>>> keys?
>>>>>>>>>>
>>>>>>>>>> Is there any other source of information different from ejbca.org?
>>>>>>>>>>
>>>>>>>>>> I'm using ejbca-3.7.1 and jboss-4.2.3-GA
>>>>>>>>>>
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>>> BTW, we are planning to develop the tools as free-software.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> -------------------------------------------------------------------------
>>>>>>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>>>>>>>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>>>>>>>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>>>>>>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>>>>>>>> _______________________________________________
>>>>>>>>> Ejbca-develop mailing list
>>>>>>>>> Ejb...@li...
>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>> --
>>>>>> Leonardo Luiz Padovani da Mata
>>>>>> ba...@gm...
>>>>>>
>>>>>> "May the force be with you, always"
>>>>>> "Nerd Pride... I have it. Do you?"
>>>>>>
>>>>>
>>>>
>>>
>>
>
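A pre-flight check for the two failures this thread walks through (an added example, not code from the thread, from EJBCA or from nCipher): it parses `nfkminfo -k` output in the shape Tomas quoted and the `keyStore` line of catoken.properties, then reports whether the ident is the 40-character line KMKeyStore expects and whether it lives under jcecsp rather than pkcs11, which is the per-API target distinction Tomas explains. Assumed: the `AppName <app> Ident <ident>` line shape, and the sample pkcs11 line, which is constructed from the key file path shown in the thread.

```python
import re
from collections import defaultdict

# Shape of `nfkminfo -k` lines as quoted in the thread: "AppName <app> Ident <ident>";
# a key inside a JCE key store shows up as <storeident>-key-<keyident>.
NFKMINFO_LINE = re.compile(r"^\s*AppName\s+(\S+)\s+Ident\s+(\S+)\s*$")
STORE_IDENT = re.compile(r"^[0-9a-f]{40}$")  # KMKeyStore wants one 40-character line

def parse_nfkminfo(output):
    """Map each application name (jcecsp, pkcs11, ...) to the set of idents it owns."""
    keys = defaultdict(set)
    for line in output.splitlines():
        m = NFKMINFO_LINE.match(line)
        if m:
            keys[m.group(1)].add(m.group(2))
    return dict(keys)

def parse_catoken(text):
    """catoken.properties in the thread is whitespace-separated 'name value' lines."""
    props = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            props[parts[0]] = parts[1].strip()
    return props

def check_catoken(props, keys, app="jcecsp"):
    """Return a list of problems; an empty list means the token config looks usable."""
    ident = props.get("keyStore", "")
    if not STORE_IDENT.match(ident):
        return ["keyStore is not a 40-character hex ident: %r" % ident]
    if ident not in keys.get(app, set()):
        # Imported under another application (pkcs11)? Then the JCE provider cannot
        # see it: nCipher keys are per-API targets, as the thread explains.
        owners = sorted(a for a, s in keys.items() if any(ident in i for i in s))
        if owners:
            return ["ident %s exists only under %s, not %s" % (ident, ", ".join(owners), app)]
        return ["ident %s is not in the security world at all" % ident]
    if not any(i.startswith(ident + "-key-") for i in keys[app]):
        return ["key store %s contains no keys" % ident]
    return []

# Constructed sample: the two jcecsp lines are the ones quoted in the thread; the
# pkcs11 line is made up from the key file path the thread shows.
SAMPLE_NFKMINFO = """\
AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
AppName pkcs11 Ident uc3d9fa9461f5ada90d40e0b1a2420099ea70834bb-9108857e16ec3ee22b9a23373e9c6f24eac8d70b
"""
SAMPLE_CATOKEN = """\
keyStore f7e825134fe23f58b1575d8efb487babe7ebd1ed
defaultKey defaultRoot1
certSignKey signRoot1
crlSignKey signRoot1
testKey testRoot1
"""

def run_check(catoken_text=SAMPLE_CATOKEN, nfkminfo_output=SAMPLE_NFKMINFO):
    """Convenience wrapper: parse both inputs and return the problem list."""
    return check_catoken(parse_catoken(catoken_text), parse_nfkminfo(nfkminfo_output))
```

Feed it the real `nfkminfo -k` output and the catoken.properties of the CA token before starting JBoss; an empty list means the JCE provider should find the store, while "exists only under pkcs11" reproduces the situation in the thread where the key was imported for the wrong API.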