From: Daniel J. <Dan...@e-...> - 2013-07-10 11:08:42
Hi Manuel,
Yes, I have; all seems to be OK. I have generated three keys: defaultSRV,
cryptSRV and cryptSRV.
When I create an AC, I have no key corresponding with these aliases and I
obtain the log you can see below:
2013-07-09 14:05:51,511 DEBUG [org.ejbca.core.model.ca.catoken.CATokenContainerImpl] (WorkerThread#0[127.0.0.1:51200]) CA Token is CATOKENTYPE_HSM
2013-07-09 14:05:51,511 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) >init: sSlotLabelKey=slot, Signaturealg=SHA1WithRSA
2013-07-09 14:05:51,511 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) Prop: {hardTokenEncrypt=cryptSRV, sharedLibrary=/opt/nfast/toolkits/pkcs11/libcknfast.so, pin=hidden, defaultKey=defaultSRV, slotListIndex=0 , keyEncryptKey=cryptSRV, testKey=testSRV}
2013-07-09 14:05:51,512 DEBUG [org.ejbca.util.CryptoProviderTools] (WorkerThread#0[127.0.0.1:51200]) MaxAllowedKeyLength for DES is: 2147483647
2013-07-09 14:05:51,512 DEBUG [org.ejbca.util.StringTools] (WorkerThread#0[127.0.0.1:51200]) Using cleartext autoactivation pin
2013-07-09 14:05:51,512 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) <init: sSlotLabelKey=slot, Signaturealg=SHA1WithRSA
2013-07-09 14:05:51,514 DEBUG [org.ejbca.core.model.ca.catoken.PKCS11CAToken] (WorkerThread#0[127.0.0.1:51200]) Loading key from slot '0' using pin.
2013-07-09 14:05:51,515 ERROR [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) Can not read private key with alias 'defaultSRV' from keystore, got null. If the key was generated after the latest application server start then restart the application server.
2013-07-09 14:05:51,515 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) Existing alias: defaultSRV
2013-07-09 14:05:51,515 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) Existing alias: cryptSRV
2013-07-09 14:05:51,515 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) Existing alias: testSRV
2013-07-09 14:05:51,515 ERROR [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) Can not read private key with alias 'cryptSRV' from keystore, got null. If the key was generated after the latest application server start then restart the application server.
2013-07-09 14:05:51,516 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) Existing alias: defaultSRV
2013-07-09 14:05:51,516 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) Existing alias: cryptSRV
2013-07-09 14:05:51,516 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) Existing alias: testSRV
2013-07-09 14:05:51,516 ERROR [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) Can not read private key with alias 'testSRV' from keystore, got null. If the key was generated after the latest application server start then restart the application server.
2013-07-09 14:05:51,516 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) Existing alias: defaultSRV
2013-07-09 14:05:51,516 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) Existing alias: cryptSRV
2013-07-09 14:05:51,516 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) Existing alias: testSRV
2013-07-09 14:05:51,516 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) Testing keys with alias defaultSRV
2013-07-09 14:05:51,516 INFO [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) No keys with alias defaultSRV exists.
2013-07-09 14:05:51,517 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) Testing keys with alias cryptSRV
2013-07-09 14:05:51,517 INFO [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) No keys with alias cryptSRV exists.
2013-07-09 14:05:51,517 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) Testing keys with alias testSRV
2013-07-09 14:05:51,517 INFO [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:51200]) No keys with alias testSRV exists.
2013-07-09 14:05:51,518 ERROR [org.ejbca.core.model.ca.catoken.PKCS11CAToken] (WorkerThread#0[127.0.0.1:51200]) Failed to initialize PKCS11 provider slot '0'.
Kind regards
Daniel JAMET
Direction DPM
Tél : +33 1 55 23 31 70
dan...@e-...
____________________________
Société d'Exploitation de Réseaux et de Services Sécurisés
Immeuble "Le Linéa"
1, rue du Général Leclerc
92800 PUTEAUX
From: Manuel Dejonghe <ma...@de...>
To: ejb...@li...
Date: 10/07/2013 12:05
Subject: Re: [Ejbca-develop] Slot management with ejbca and nCipher
Hi Daniel,
I must say that I have no knowledge about nCipher, and my idea might
be very stupid, but have you maybe tried to do the operation on
slotIndex 0 ?
hope that helps,
Manuel
On Wed, Jul 10, 2013 at 11:57 AM, Daniel JAMET <Dan...@e-...>
wrote:
> I don't understand why I can't create a key with clientToolBox, for the
> following reason: slotListIndex is 1 but token only has 1 slots
>
> ckinfo display:
>
> PKCS#11 library CK_INFO
> interface version 2.01
> flags 0
> manufacturerID "nCipher Corp. Ltd "
> libraryDescription "nCipher PKCS#11 1.71.21 "
> implementation version 1.71
>
> slots[0] CK_SLOT_INFO
> slotDescription "Racine
> "
> manufacturerID "nCipher Corp. Ltd "
> flags 6
> flags & CKF_REMOVABLE_DEVICE
> flags & CKF_HW_SLOT
> hardware version 0.00
> firmware version 0.00
>
>
> slots[0] Token not present
> slots[1] CK_SLOT_INFO
> slotDescription "SRV
> "
> manufacturerID "nCipher Corp. Ltd "
> flags 6
> flags & CKF_REMOVABLE_DEVICE
> flags & CKF_HW_SLOT
> hardware version 0.00
> firmware version 0.00
>
>
> slots[1] Token not present
>
>
> I have created the file /opt/nfast/cknfastrc :
>
> CKNFAST_LOADSHARING=1
> CKNFAST_NO_ACCELERATOR_SLOTS=1
> CKNFAST_NO_UNWRAP=1
> CKNFAST_OVERRIDE_SECURITY_ASSURANCES=import
> # CKNFAST_DEBUG=10
> # CKNFAST_DEBUGFILE=/tmp/nfast.debug
>
> the trace log is:
>
> 2013-07-10 09:36:01,053 DEBUG [org.ejbca.util.keystore.KeyTools] name = libcknfast.so-slot1
> library = /opt/nfast/toolkits/pkcs11/libcknfast.so
> slotListIndex = 1
> attributes(*, *, *) = {
> CKA_TOKEN = true
> }
> attributes(*, CKO_PUBLIC_KEY, *) = {
> CKA_ENCRYPT = true
> CKA_VERIFY = true
> CKA_WRAP = true
> }
> attributes(*, CKO_PRIVATE_KEY, *) = {
> CKA_PRIVATE = true
> CKA_SENSITIVE = true
> CKA_EXTRACTABLE = false
> CKA_DECRYPT = true
> CKA_SIGN = true
> CKA_UNWRAP = true
> }
>
> 2013-07-10 09:36:01,054 DEBUG [org.ejbca.util.keystore.KeyTools] {SLOT_ID=[1], PKCS11_NATIVE_MODULE=/opt/nfast/toolkits/pkcs11/libcknfast.so}
> 2013-07-10 09:36:01,058 INFO [org.ejbca.util.keystore.KeyTools] Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
> 2013-07-10 09:36:01,156 ERROR [org.ejbca.util.keystore.KeyTools] Error constructing pkcs11 provider: null
> 2013-07-10 09:36:01,158 ERROR [org.ejbca.ui.cli.HSMKeyTool] Command 'PKCS11HSMKeyTool generate /opt/nfast/toolkits/pkcs11/libcknfast.so null pkcs11 4096 defaultSRV i1' could not be executed.
> java.io.IOException: Error constructing pkcs11 provider: null
>     at org.ejbca.util.keystore.KeyTools.getP11Provider(KeyTools.java:908)
>     at org.ejbca.util.keystore.KeyTools.getP11Provider(KeyTools.java:864)
>     at org.ejbca.util.keystore.KeyStoreContainerP11.getInstance(KeyStoreContainerP11.java:51)
>     at org.ejbca.util.keystore.KeyStoreContainerFactory.getInstance(KeyStoreContainerFactory.java:55)
>     at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:137)
>     at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:290)
>     at org.ejbca.ui.cli.PKCS11HSMKeyTool.execute(PKCS11HSMKeyTool.java:47)
>     at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
>     at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:70)
> Caused by: java.lang.reflect.InvocationTargetException
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
>     at org.ejbca.util.keystore.KeyTools.getP11Provider(KeyTools.java:905)
>     ... 8 more
> Caused by: java.security.ProviderException: Initialization failed
>     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:358)
>     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:107)
>     ... 13 more
> Caused by: java.security.ProviderException: slotListIndex is 1 but token only has 1 slots
>     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:340)
>     ... 14 more
>
>
> ckinfo gives the index 1 for SRV. How do you explain this?
>
> Kind regards
>
> Daniel JAMET
> Direction DPM
> Tél : +33 1 55 23 31 70
> dan...@e-...
> ____________________________
> Société d'Exploitation de Réseaux et de Services Sécurisés
> Immeuble "Le Linéa"
> 1, rue du Général Leclerc
> 92800 PUTEAUX
>
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>