Menu
▾
▴
Re: [Ejbca-develop] reconnect to PKCS#11 USB token
|
From: Michael S. <mi...@st...> - 2015-02-17 08:27:54
|
Tomas Gustavsson wrote: > To reproduce, what do you mean by changed/removed? You just pulled the > smart card from the reader, or did you do something else? In case the token cannot be recovered in the same manner, e.g. hardware damage, one is stuck. One cannot reach the Crypto Token UI anymore. Or there might be the case where you want to add a new token with the old keys and some new keys but preserve the old Crypto Token configuration for some time without having the old token plugged in. Ciao, Michael. > On February 16, 2015 9:44:23 PM GMT+01:00, "Michael Ströder" <mi...@st...> wrote: >> Branko Majic wrote: >>> It's a more low-level issue with how the PKCS#11 security provider is >>> implemented in Java. >>> >>> Basically, you have no way to tell the PKCS#11 Java security provider >>> to reestablish a new session. There's also a bunch of cashing >> happening >>> there, so if you create keys etc outside of EJBCA's running JVM, you >>> won't see them in EJBCA. >>> >>> Fixing this would require quite a bit more effort, unfortunately >>> (implementing a custom Java security provider, and maintaining it). >> >> Even worse (with SVN revision 20683): >> When a crypto token was changed/removed you won't be able to access the >> "Crypto Tokens" UI in the adminweb anymore (see below) even after >> restarting >> JBOSS... :-( >> >> Ciao, Michael. >> >> 21:43:44,424 ERROR >> [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/ejbca/adminweb].[Faces >> Servlet]] (http--0.0.0.0-8443-1) Servlet.service() for servlet Faces >> Servlet >> threw exception: java.lang.RuntimeException: Attempted to find a slot >> for a >> PKCS#11 crypto token, but it did not exists. Perhaps the token was >> removed? |