Error between EJBCA and HSM

  • Quintiliano

    Quintiliano - 2013-08-07

    Good morning,

    I'm looking for any help or advice about the problem below.
    My setup:

    Ejbca 4.0.10
    Jboss 5.1.0GA
    Mysql
    RedHat Linux

    I had set up EJBCA and it has been up and running since last November.

    From early June till now I've been getting an odd error and have already done a lot of tests and research about it, but I have been unable to solve it by myself.
    The setup hasn't changed since November. No new firewall rules, no new software or servers. Only normal operation.

    The partial solution came from the SignServer forums: https://sourceforge.net/p/signserver/discussion/668766/thread/7b0c841a/

    I'm using EJBCA + SafeNet HSM LunaSA 4 and, after a few operations on it, the following error pops up on JBoss:

    2013-07-23 20:26:05,541 ERROR [org.ejbca.core.ejb.ca.sign.RSASignSessionBean] (EJB-Timer-1374190107950[target=jboss.j2ee:ear=ejbca.ear,jar=ejbca-ejb.jar,name=ServiceSessionBean,service=EJB3]) Error creating certificate:
    java.security.ProviderException: Token has been removed
    at sun.security.pkcs11.Session.id(Session.java:91)
    at sun.security.pkcs11.SessionManager.ensureValid(SessionManager.java:156)
    at sun.security.pkcs11.SessionManager.getOpSession(SessionManager.java:139)
    at sun.security.pkcs11.Token.getOpSession(Token.java:268)
    at sun.security.pkcs11.P11Signature.initialize(P11Signature.java:301)
    at sun.security.pkcs11.P11Signature.engineInitSign(P11Signature.java:393)
    at java.security.Signature$Delegate.engineInitSign(Signature.java:1113)
    at java.security.Signature.initSign(Signature.java:497)
    at org.bouncycastle.x509.X509Util.calculateSignature(Unknown Source)
    at org.bouncycastle.x509.X509V3CertificateGenerator.generate(Unknown Source)
    at org.bouncycastle.x509.X509V3CertificateGenerator.generate(Unknown Source)
    at org.ejbca.core.model.ca.caadmin.X509CA.generateCertificate(X509CA.java:761)
    at org.ejbca.core.model.ca.caadmin.X509CA.generateCertificate(X509CA.java:534)

    On the HSM side I always get the same message:
    NTLA client 172.16.111.211 has disconnected.

    Without the solution presented in the above topic,

    TCPKeepAlive=1
    ClientKeepAlive=20

    I can't generate any CRL or certificate.
    With the above solution, this error pops up once or maybe twice a day and I have to restart JBoss to bring things back in place.

    I had my firewall switched off but it didn't matter at all. I replaced the switch which was between the server and the HSM and, lastly, I connected the HSM straight to the server, but none of it solved the problem.

    I'm wondering whether it is an application error, an HSM error or a network problem.

    I already made a brand new install on another server to test this issue, but the error still happened.

    Has anyone seen something similar? Any solutions?

    I'd be glad of any help.

    Best regards

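Added example, not code from the thread or from EJBCA: a small Python check that pulls the "Token has been removed" failures out of a JBoss log and tests whether each one was preceded by the HSM's "NTLA client ... has disconnected" message, which is the quickest way to split the "application, HSM or network" question above. The log lines are constructed from the layouts quoted in the post, and the timestamp prefix on the HSM-side lines is assumed.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed lines in the log4j layout JBoss uses in the thread; the
# ProviderException line that follows each ERROR has no timestamp of its own.
JBOSS_LOG = """\
2013-07-23 20:26:05,541 ERROR [org.ejbca.core.ejb.ca.sign.RSASignSessionBean] (EJB-Timer-1) Error creating certificate:
java.security.ProviderException: Token has been removed
    at sun.security.pkcs11.Session.id(Session.java:91)
2013-07-24 09:12:44,120 ERROR [org.ejbca.core.ejb.ca.sign.RSASignSessionBean] (EJB-Timer-2) Error creating certificate:
java.security.ProviderException: Token has been removed
2013-07-24 15:40:10,007 ERROR [org.ejbca.core.ejb.ca.sign.RSASignSessionBean] (EJB-Timer-3) Error creating certificate:
java.security.ProviderException: Token has been removed
"""
# Constructed HSM-side lines: timestamp prefix assumed, message as quoted in the thread.
HSM_LOG = """\
2013-07-23 20:25:58 NTLA client 172.16.111.211 has disconnected.
2013-07-24 09:12:40 NTLA client 172.16.111.211 has disconnected.
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
TOKEN_REMOVED = "java.security.ProviderException: Token has been removed"
def _ts(match):
    return datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")

def token_removed_events(log_text):
    """Timestamps of each 'Token has been removed' failure, taken from the
    nearest timestamped line above the untimestamped exception line."""
    events, current = [], None
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            current = _ts(m)
        elif line.strip().startswith(TOKEN_REMOVED) and current:
            events.append(current)  # stack-trace 'at ...' lines never match
    return events

def hsm_disconnects(log_text):
    """Timestamps of the HSM's 'NTLA client ... has disconnected' messages."""
    return [_ts(TS_RE.match(l)) for l in log_text.splitlines()
            if "has disconnected" in l and TS_RE.match(l)]

def per_day_counts(events):
    """Session losses per calendar day (the thread reports one or two a day)."""
    return Counter(ts.date().isoformat() for ts in events)

def preceded_by_disconnect(events, disconnects, window_s=30):
    """Per EJBCA failure: did the HSM log a client disconnect within window_s
    seconds before it? True points at link/HSM, False at the application."""
    return [any(0 <= (ev - d).total_seconds() <= window_s for d in disconnects)
            for ev in events]
```

A failure with no matching HSM-side disconnect in the window is the one worth investigating on the JBoss host rather than on the network path.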
  • Tomas Gustavsson

    Since it is obviously the network connection that breaks when you actually do some PKCS#11 operations, did you check with SafeNet support?
    Perhaps you upgraded something else on the server: network stack, Java JDK, etc.

    This is nothing that I have seen at least, except in one case where the TCPKeepAlive helped, so there was some firewall in the middle.

  • Quintiliano

    Quintiliano - 2013-08-08

    I have run many tests with the network and nothing seems to make a difference.
    At the end of the tests, the firewall was down and the HSM was connected directly to the server.
    There wasn't any change at all within the server. Neither in the network stack, nor with Java.
    With the solution you mentioned I managed to get EJBCA back into operation, with some errors, but it works. Without it I can't do anything with the HSM.
