From: Leonardo L. P. da M. <ba...@gm...> - 2008-10-30 17:24:19
It was hanging on opening the library (wrong pkcs11 interface). I've changed to opensc-pkcs11.dll, but now it can't recognize my cards...

On Thu, Oct 30, 2008 at 8:05 AM, EJBCA Support <ejb...@pr...> wrote:
> Hi Leonardo
>
> I'm assuming you are using the java web start deployment of Tolima. The
> htmf log files are stored in <USER_HOME>/.hardtokenmgmt<n>_<n>.log; can
> you send it to me?
>
> Which tokens are you using and which pkcs11 driver?
>
> // Regards Philip
>
> Leonardo L. P. da Mata wrote:
>> Hey, I've advanced a lot in the ejbca installation and its
>> integration with htmf, but I still can't use htmf correctly. I'm sending
>> this message here because the htmf list has no discussion at all.
>>
>> So, I'm using java 6 and Internet Explorer to access tolima. I've
>> generated an administrator card, and it seems to work (I can use this
>> card with other applications to sign).
>>
>> After the administrator authenticates in the htmf, the ejbca sends a message:
>> 19:09:11,390 INFO [Log4jLogDevice] 29 de Outubro de 2008 19h9min11s
>> BRST, CAId : -1688117755, AUTHORIZATION,
>> EVENT_INFO_AUTHORIZEDTORESOURCE, Administrator : CLIENTCERT,
>> Certificate SNR : 3964574de5f7dca8, CN=AdminCA1,O=EJBCA Sample,C=SE,
>> User : No user involved, Certificate : No certificate involved,
>> Comment : Resource :
>>
>> and the htmf hangs with no answer and no debug information.
>>
>> Does anyone have any idea why this isn't working?
>>
>> BTW, the ant deploy of htmf doesn't substitute all variables correctly;
>> the $*.hostname variables are being deployed without being
>> substituted. Maybe this is a bug of htmf (TOLIMA).
>>
>> Thanks.
>>
>> On Tue, Oct 21, 2008 at 5:34 AM, Tomas Gustavsson <to...@pr...> wrote:
>>
>>> Thanks, added it to docs for next release.
>>>
>>> Cheers,
>>> Tomas
>>>
>>> Leonardo L. P. da Mata wrote:
>>>
>>>> So, after some time trying to find the problem, I think I could get it solved.
>>>> The environment variable JDK_HOME must be set correctly for this to work.
>>>> This is a problem with ncipher software that is not well documented,
>>>> but I think it is important to put a note in the User's Guide.
>>>>
>>>> Command used:
>>>> C:\Documents and Settings\barroca\Desktop\server_keys>c:\nfast\bin\generatekey.exe --import -c mscapi jcecsp pemreadfile=unprotected.pem keystore=temp.keystore type=RSA alias=imported1
>>>> Result:
>>>> recovery: Key recovery? (yes/no) [yes] >
>>>> keystorepass: JCE key store password? (hidden)
>>>> x509country: Country code? [] >
>>>> x509province: State or province? [] >
>>>> x509locality: City or locality? [] >
>>>> x509org: Organisation? [] >
>>>> x509orgunit: Organisation unit? [] >
>>>> x509dnscommon: Domain name? [] >
>>>> x509email: Email address? [] >
>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>>>> key generation parameters:
>>>>  operation      Operation to perform           import
>>>>  application    Application                    jcecsp
>>>>  protect        Protected by                   token
>>>>  slot           Slot to read cards from        0
>>>>  recovery       Key recovery                   yes
>>>>  verify         Verify security of key         yes
>>>>  type           Key type                       RSA
>>>>  pemreadfile    PEM file containing RSA key    unprotected.pem
>>>>  keystore       Filename of JCE key store      temp.keystore
>>>>  keystorepass   JCE key store password         <hidden>
>>>>  alias          JCE key alias                  imported1
>>>>  x509country    Country code
>>>>  x509province   State or province
>>>>  x509locality   City or locality
>>>>  x509org        Organisation
>>>>  x509orgunit    Organisation unit
>>>>  x509dnscommon  Domain name
>>>>  x509email      Email address
>>>>  nvram          Store blob in NVRAM (will require administrator cardset)  no
>>>>
>>>> Loading `mscapi':
>>>>  Module 1: 0 cards of 1 read
>>>>  Module 1 slot 0: `mscapi' #1 (`oper')
>>>>  Module 1 slot 0:- passphrase supplied - reading card
>>>> Card reading complete.
>>>>
>>>> Subprocess failed
>>>> Arguments: {C:/Arquivos de programas/Java/jdk1.6.0_07/bin/java.exe}
>>>> com.ncipher.provider.tools.ImportKey --keystore temp.keystore
>>>> --alias imported1 --ident d34d2ec33c1b108ceb2d890094736947514ab4ca
>>>> --type com.ncipher.provider.km.KMRSAPrivateKey
>>>> --certificate C:/nfast/kmdata/tmp/436_basilisco.cert << {123456
>>>> }
>>>> Errors:
>>>> FATAL: error creating temp.keystore
>>>>
>>>> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
>>>> 17:11:36 ERROR: cannot remove kmdata file (C:\nfast\kmdata\local\key_jceshim_d34d2ec33c1b108ceb2d890094736947514ab4ca): No such file or directory
>>>> nfgk_operate: SoftwareFailed
>>>>
>>>> I still need to test if the key is working correctly, but when I list
>>>> keys with nfkminfo, I can see the new imported keys.
>>>>
>>>> Thanks.
>>>>
>>>> On Mon, Oct 20, 2008 at 12:27 PM, Leonardo L. P. da Mata <ba...@gm...> wrote:
>>>>
>>>>> Hey Bruno, the Security World is ok. I've checked the file
>>>>> permissions, and apparently this is not an issue, because I'm getting
>>>>> the same problem using the system administrator.
>>>>>
>>>>> I'm following the steps of ejbca user's guide. When importing a file,
>>>>> I can't access the keystore of the HSM:
>>>>>
>>>>> keystore: Filename of JCE key store? []
>>>>> > temp.keystore
>>>>> ERROR: keystore: key store key is missing
>>>>> keystore: Filename of JCE key store? []
>>>>> > 59b8a83024f6d271ac8ec03838d8e3de7c204785
>>>>> ERROR: keystore: cannot open file
>>>>> keystore: Filename of JCE key store? []
>>>>> > c:\nfast\kmdata\local\key_jcecsp_59b8a83024f6d271ac8ec03838d8e3de7c204785
>>>>> ERROR: keystore: invalid keystore
>>>>> ERROR: keystore: key store key is missing
>>>>> keystore: Filename of JCE key store? []
>>>>> ERROR: keystore: invalid filename
>>>>> keystore: Filename of JCE key store? []
>>>>> > c:\nfast\kmdata\local\
>>>>> ERROR: keystore: cannot open file
>>>>> keystore: Filename of JCE key store? []
>>>>>
>>>>> temp.keystore contains "59b8a83024f6d271ac8ec03838d8e3de7c204785" as
>>>>> mentioned in the user guide:
>>>>> "Windows: 'copy con: temp.keystore' and copypaste the string, press
>>>>> Ctrl-Z and Enter"
>>>>>
>>>>> Thanks again.
>>>>>
>>>>> On Mon, Oct 20, 2008 at 10:22 AM, Bruno Bonfils <as...@as...> wrote:
>>>>>
>>>>>> On Mon 20 October, Leonardo L. P. da Mata wrote:
>>>>>>
>>>>>>> I've read the HSM manual and checked that my Security world is a fips level 2.
>>>>>>> The NFAST_HOME is ok. I think this is a security issue. I'm gonna try
>>>>>>> with the system administrator.
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> in order to create some key protected by the HSM, you need to create a
>>>>>> Security World, and OCS (Operator Card Set). This procedure is well
>>>>>> documented in the HSM documentation. However, I may help if you have trouble
>>>>>> (ps: I work at Linagora and I used to work with EJBCA and nCipher).
>>>>>>
>>>>>> If you really already have a security world, check the file permissions.
>>>>>> I don't know how it goes on Windows, but in a unix environment,
>>>>>> nCipher's default permissions only allow root to read/write the security
>>>>>> world's files.
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> --
>>>>>> http://asyd.net/home/ - Home Page
>>>>>> http://guses.org/home/ - French Speaking (Open)Solaris User Group
>>>>>>
>>>>>> -------------------------------------------------------------------------
>>>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>>>>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>>>>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>>>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>>>>> _______________________________________________
>>>>>> Ejbca-develop mailing list
>>>>>> Ejb...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>>>
>>>>> --
>>>>> Leonardo Luiz Padovani da Mata
>>>>> ba...@gm...
>>>>>
>>>>> "May the force be with you, always"
>>>>> "Nerd Pride... I have it. Do you?"

--
Leonardo Luiz Padovani da Mata
ba...@gm...

"May the force be with you, always"
"Nerd Pride... I have it. Do you?"