Menu
▾
▴
Re: [Ejbca-develop] Using external key with ncipher HSM
|
From: Leonardo L. P. da M. <ba...@gm...> - 2008-10-30 17:24:19
|
it was hanging on oppening the library (wrong pkcs11 interface). i've
changed to opensc-pkcs11.dll, but now it can't reconize my cards...
On Thu, Oct 30, 2008 at 8:05 AM, EJBCA Support
<ejb...@pr...> wrote:
> Hi Leonardo
>
> I'm assuming you are using the java web start deployment of Tolima. The
> htmf log files are stored in <USER_HOME>/.hardtokenmgmt<n>_<n>.log can
> you send it to me.
>
> Which tokens are you using and which pkcs11 driver?
>
> // Regards Philip
>
> Leonardo L. P. da Mata skrev:
>> Hey, i've advanced a lot in the ejbca installation and it's
>> integration with htmf, but i still can't use htmf correct. I'm sending
>> this message here because the htmf list has no discussion at all.
>>
>> so, i'm using java 6 and intert explorer to access tolima. I've
>> generated an administrator card, and it seems to work (i can use this
>> card with other applications to sign).
>>
>> after the administrator authenthicate in the htmf, the ejbca send a message:
>> 19:09:11,390 INFO [Log4jLogDevice] 29 de Outubro de 2008 19h9min11s
>> BRST, CAId : -1688117755, AUTHORIZATION,
>> EVENT_INFO_AUTHORIZEDTORESOURCE, Administrator : C LIENTCERT,
>> Certificate SNR : 3964574de5f7dca8, CN=AdminCA1,O=EJBCA Sample,C=SE,
>> User : No user involved, Certificate : No certificate involved,
>> Comment : Resour ce :
>>
>> and the htmf hangs with no answer and no debug information.
>>
>> Anyone have any idea why this isn't working?
>>
>> BTW, the ant deploy of htmf doesn't substitute all variables correct,
>> the $*.hostname variables are beeing deployed without beeing
>> substituded. Maybe this is a bug of htmf (TOLIMA)
>>
>>
>> Thanks.
>>
>> On Tue, Oct 21, 2008 at 5:34 AM, Tomas Gustavsson <to...@pr...> wrote:
>>
>>> Thanks added it to docs for next release.
>>>
>>> Cheers,
>>> Tomas
>>>
>>>
>>> Leonardo L. P. da Mata wrote:
>>>
>>>> So, after some time trying to find the problem, i think i could get it solved.
>>>> The eviroment variable JDK_HOME must be set correct for this to work.
>>>> This is a problem with ncipher software that is not well documented,
>>>> but i think it is important to put a note in the User's Guide.
>>>>
>>>> Command used:
>>>> C:\Documents and
>>>> Settings\barroca\Desktop\server_keys>c:\nfast\bin\generatekey.exe
>>>> --import -c mscapi jcecsp pemreadfile=unprotected.pem
>>>> keystore=temp.keystore type=RSA alias=imported1
>>>> Result:
>>>> recovery: Key recovery? (yes/no) [yes] >
>>>> keystorepass: JCE key store password? (hidden)
>>>> x509country: Country code? [] >
>>>> x509province: State or province? [] >
>>>> x509locality: City or locality? [] >
>>>> x509org: Organisation? [] >
>>>> x509orgunit: Organisation unit? [] >
>>>> x509dnscommon: Domain name? [] >
>>>> x509email: Email address? [] >
>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>>>> key generation parameters:
>>>> operation Operation to perform import
>>>>
>>>> application Application jcecsp
>>>>
>>>> protect Protected by token
>>>> slot Slot to read cards from 0
>>>> recovery Key recovery yes
>>>> verify Verify security of key yes
>>>> type Key type RSA
>>>> pemreadfile PEM file containing RSA key unprot
>>>> ected.pem
>>>> keystore Filename of JCE key store temp.k
>>>> eystore
>>>> keystorepass JCE key store password <hidde
>>>> n>
>>>> alias JCE key alias import
>>>> ed1
>>>> x509country Country code
>>>> x509province State or province
>>>> x509locality City or locality
>>>> x509org Organisation
>>>> x509orgunit Organisation unit
>>>> x509dnscommon Domain name
>>>> x509email Email address
>>>> nvram Store blob in NVRAM (will require administrator cardset) no
>>>>
>>>> Loading `mscapi':
>>>> Module 1: 0 cards of 1 read
>>>> Module 1 slot 0: `mscapi' #1 (`oper')
>>>> Module 1 slot 0:- passphrase supplied - reading card
>>>> Card reading complete.
>>>>
>>>> Subprocess failed
>>>> Arguments: {C:/Arquivos de programas/Java/jdk1.6.0_07/bin/java.exe} com.ncipher.
>>>> provider.tools.ImportKey --keystore temp.keystore --alias imported1 --ident d34d
>>>> 2ec33c1b108ceb2d890094736947514ab4ca --type com.ncipher.provider.km.KMRSAPrivate
>>>> Key --certificate C:/nfast/kmdata/tmp/436_basilisco.cert << {123456
>>>> }
>>>> Errors:
>>>> FATAL: error creating temp.keystore
>>>>
>>>>
>>>> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
>>>> 17:11:36 ERROR: cannot remove kmdata file (C:\nfast\kmdata\local\key_jceshim_d34
>>>> d2ec33c1b108ceb2d890094736947514ab4ca): No such file or directory
>>>> nfgk_operate: SoftwareFailed
>>>>
>>>>
>>>>
>>>> I still need to test if the key is working correct, but when i list
>>>> keys with nfkminfo, i can see the new imported keys.
>>>>
>>>> Thanks.
>>>>
>>>>
>>>> On Mon, Oct 20, 2008 at 12:27 PM, Leonardo L. P. da Mata
>>>> <ba...@gm...> wrote:
>>>>
>>>>> Hey Brune, the Security World is ok. I've checked the file
>>>>> permissions, and apparently this is not an issue, because i'm getting
>>>>> the same problem using the system administrator.
>>>>>
>>>>> I'm following the steps of ejbca user's guide. When importing a file,
>>>>> i can't access the keystore of the HSM:
>>>>>
>>>>> keystore: Filename of JCE key store? []
>>>>>
>>>>>> temp.keystore
>>>>>>
>>>>> ERROR: keystore: key store key is missing
>>>>> keystore: Filename of JCE key store? []
>>>>>
>>>>>> 59b8a83024f6d271ac8ec03838d8e3de7c204785
>>>>>>
>>>>> ERROR: keystore: cannot open file
>>>>> keystore: Filename of JCE key store? []
>>>>>
>>>>>> c:\nfast\kmdata\local\key_jcecsp_59b8a83024f6d271ac8ec03838d8e3de7c204785
>>>>>>
>>>>> ERROR: keystore: invalid keystore
>>>>> ERROR: keystore: key store key is missing
>>>>> keystore: Filename of JCE key store? []
>>>>> ERROR: keystore: invalid filename
>>>>> keystore: Filename of JCE key store? []
>>>>>
>>>>>> c:\nfast\kmdata\local\
>>>>>>
>>>>> ERROR: keystore: cannot open file
>>>>> keystore: Filename of JCE key store? []
>>>>>
>>>>>
>>>>>
>>>>> temp.keystore contains "59b8a83024f6d271ac8ec03838d8e3de7c204785" as
>>>>> mentioned in the user guide:
>>>>> "Windows: 'copy con: temp.keystore' and copypaste the string, press
>>>>> Ctrl-Z and Enter"
>>>>>
>>>>> Thanks again.
>>>>>
>>>>> On Mon, Oct 20, 2008 at 10:22 AM, Bruno Bonfils <as...@as...> wrote:
>>>>>
>>>>>> On Mon 20 October, Leonardo L. P. da Mata wrote:
>>>>>>
>>>>>>> I've read the HSM manual and checked that my Security world is a fips level 2.
>>>>>>> The NFAST_HOME is ok. I think this a security issue. I'm gonna try
>>>>>>> with the system administrator.
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> in order to create some key protected by the HSM, you need to create a
>>>>>> Security World, and OCS (Operator Card Set). This procedure is well
>>>>>> documented in the HSM documentations. However I may help if you trouble
>>>>>> (ps: I work at Linagora and I used to work with EJBCA and nCipher).
>>>>>>
>>>>>> If you really already have a security world, check the file permissions,
>>>>>> I don't know how is going on windows, but on unix environnement,
>>>>>> nCipher's default permissions only allow root to read/write the security
>>>>>> world's files.
>>>>>>
>>>>>> BEst regards
>>>>>>
>>>>>> --
>>>>>> http://asyd.net/home/ - Home Page
>>>>>> http://guses.org/home/ - French Speaking (Open)Solaris User Group
>>>>>>
>>>>>> -------------------------------------------------------------------------
>>>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>>>>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>>>>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>>>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>>>>> _______________________________________________
>>>>>> Ejbca-develop mailing list
>>>>>> Ejb...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>>>>
>>>>>>
>>>>> --
>>>>> Leonardo Luiz Padovani da Mata
>>>>> ba...@gm...
>>>>>
>>>>> "May the force be with you, always"
>>>>> "Nerd Pride... eu tenho. Voce tem?"
>>>>>
>>>>>
>>>>
>>>>
>>> -------------------------------------------------------------------------
>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>> _______________________________________________
>>> Ejbca-develop mailing list
>>> Ejb...@li...
>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>
>>>
>>
>>
>>
>>
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>
--
Leonardo Luiz Padovani da Mata
ba...@gm...
"May the force be with you, always"
"Nerd Pride... eu tenho. Voce tem?"
|