From: Daniel J. <Dan...@e-...> - 2013-07-10 11:41:24

No. The keys are generated but not usable with EJBCA to create a CA.

thanks,

Daniel JAMET
Direction DPM
Tel: +33 1 55 23 31 70
dan...@e-...
____________________________
Société d'Exploitation de Réseaux et de Services Sécurisés
Immeuble "Le Linéa"
1, rue du Général Leclerc
92800 PUTEAUX


From: Manuel Dejonghe <ma...@de...>
To: ejbca-develop <ejb...@li...>
Date: 10/07/2013 13:29
Subject: Re: [Ejbca-develop] Slot management with ejbca and nCipher

So the initial problem is solved now ?
I am even much less likely to be able to help with your next problem.

sorry,
Manuel

On Wed, Jul 10, 2013 at 1:08 PM, Daniel JAMET <Dan...@e-...> wrote:
> Hi Manuel,
>
> Yes I have all seems to be OK. I have generated three keys: defaultSRV,
> cryptSRV and cryptSRV.
>
> When I create an AC, I have no key corresponding with these aliases and I
> obtain the log you can see below:
>
> 2013-07-09 14:05:51,511 DEBUG
> [org.ejbca.core.model.ca.catoken.CATokenContainerImpl]
> (WorkerThread#0[127.0.0.1:51200]) CA Token is CATOKENTYPE_HSM
> 2013-07-09 14:05:51,511 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) >init: sSlotLabelKey=slot,
> Signaturealg=SHA1WithRSA
> 2013-07-09 14:05:51,511 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Prop: {hardTokenEncrypt=cryptSRV,
> sharedLibrary=/opt/nfast/toolkits/pkcs11/libcknfast.so, pin=hidden,
> defaultKey=defaultSRV, slotListIndex=0 , keyEncryptKey=cryptSRV,
> testKey=testSRV}
> 2013-07-09 14:05:51,512 DEBUG [org.ejbca.util.CryptoProviderTools]
> (WorkerThread#0[127.0.0.1:51200]) MaxAllowedKeyLength for DES is: 2147483647
> 2013-07-09 14:05:51,512 DEBUG [org.ejbca.util.StringTools]
> (WorkerThread#0[127.0.0.1:51200]) Using cleartext autoactivation pin
> 2013-07-09 14:05:51,512 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) <init: sSlotLabelKey=slot,
> Signaturealg=SHA1WithRSA
> 2013-07-09 14:05:51,514 DEBUG
> [org.ejbca.core.model.ca.catoken.PKCS11CAToken]
> (WorkerThread#0[127.0.0.1:51200]) Loading key from slot '0' using pin.
> 2013-07-09 14:05:51,515 ERROR [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Can not read private key with alias
> 'defaultSRV' from keystore, got null. If the key was generated after the
> latest application server start then restart the application server.
> 2013-07-09 14:05:51,515 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: defaultSRV
> 2013-07-09 14:05:51,515 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: cryptSRV
> 2013-07-09 14:05:51,515 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: testSRV
> 2013-07-09 14:05:51,515 ERROR [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Can not read private key with alias
> 'cryptSRV' from keystore, got null. If the key was generated after the
> latest application server start then restart the application server.
> 2013-07-09 14:05:51,516 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: defaultSRV
> 2013-07-09 14:05:51,516 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: cryptSRV
> 2013-07-09 14:05:51,516 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: testSRV
> 2013-07-09 14:05:51,516 ERROR [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Can not read private key with alias
> 'testSRV' from keystore, got null. If the key was generated after the latest
> application server start then restart the application server.
> 2013-07-09 14:05:51,516 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: defaultSRV
> 2013-07-09 14:05:51,516 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: cryptSRV
> 2013-07-09 14:05:51,516 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: testSRV
> 2013-07-09 14:05:51,516 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Testing keys with alias defaultSRV
> 2013-07-09 14:05:51,516 INFO [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) No keys with alias defaultSRV exists.
> 2013-07-09 14:05:51,517 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Testing keys with alias cryptSRV
> 2013-07-09 14:05:51,517 INFO [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) No keys with alias cryptSRV exists.
> 2013-07-09 14:05:51,517 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Testing keys with alias testSRV
> 2013-07-09 14:05:51,517 INFO [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) No keys with alias testSRV exists.
> 2013-07-09 14:05:51,518 ERROR
> [org.ejbca.core.model.ca.catoken.PKCS11CAToken]
> (WorkerThread#0[127.0.0.1:51200]) Failed to initialize PKCS11 provider slot
> '0'.
>
>
> Kind regards
>
> Daniel JAMET
> Direction DPM
> Tel: +33 1 55 23 31 70
> dan...@e-...
> ____________________________
> Société d'Exploitation de Réseaux et de Services Sécurisés
> Immeuble "Le Linéa"
> 1, rue du Général Leclerc
> 92800 PUTEAUX
>
>
> From: Manuel Dejonghe <ma...@de...>
> To: ejb...@li...
> Date: 10/07/2013 12:05
> Subject: Re: [Ejbca-develop] Slot management with ejbca and nCipher
> ________________________________
>
> Hi Daniel,
> I must say that I have no knowledge about nCipher, and my idea might
> be very stupid, but have you maybe tried to do the operation on
> slotIndex 0 ?
>
> hope that helps,
> Manuel
>
> On Wed, Jul 10, 2013 at 11:57 AM, Daniel JAMET <Dan...@e-...>
> wrote:
>> I don't understand why I can't create key with clientToolBox for the
>> following reason: slotListIndex is 1 but token only has 1 slots
>>
>> ckinfo display:
>>
>> PKCS#11 library CK_INFO
>>   interface version 2.01
>>   flags 0
>>   manufacturerID "nCipher Corp. Ltd "
>>   libraryDescription "nCipher PKCS#11 1.71.21 "
>>   implementation version 1.71
>>
>> slots[0] CK_SLOT_INFO
>>   slotDescription "Racine
>> "
>>   manufacturerID "nCipher Corp. Ltd "
>>   flags 6
>>   flags & CKF_REMOVABLE_DEVICE
>>   flags & CKF_HW_SLOT
>>   hardware version 0.00
>>   firmware version 0.00
>>
>>
>> slots[0] Token not present
>> slots[1] CK_SLOT_INFO
>>   slotDescription "SRV
>> "
>>   manufacturerID "nCipher Corp. Ltd "
>>   flags 6
>>   flags & CKF_REMOVABLE_DEVICE
>>   flags & CKF_HW_SLOT
>>   hardware version 0.00
>>   firmware version 0.00
>>
>>
>> slots[1] Token not present
>>
>>
>> I have created the file /opt/nfast/cknfastrc :
>>
>> CKNFAST_LOADSHARING=1
>> CKNFAST_NO_ACCELERATOR_SLOTS=1
>> CKNFAST_NO_UNWRAP=1
>> CKNFAST_OVERRIDE_SECURITY_ASSURANCES=import
>> # CKNFAST_DEBUG=10
>> # CKNFAST_DEBUGFILE=/tmp/nfast.debug
>>
>> the trace log is:
>>
>> 2013-07-10 09:36:01,053 DEBUG [org.ejbca.util.keystore.KeyTools] name =
>> libcknfast.so-slot1
>> library = /opt/nfast/toolkits/pkcs11/libcknfast.so
>> slotListIndex = 1
>> attributes(*, *, *) = {
>>   CKA_TOKEN = true
>> }
>> attributes(*, CKO_PUBLIC_KEY, *) = {
>>   CKA_ENCRYPT = true
>>   CKA_VERIFY = true
>>   CKA_WRAP = true
>> }
>> attributes(*, CKO_PRIVATE_KEY, *) = {
>>   CKA_PRIVATE = true
>>   CKA_SENSITIVE = true
>>   CKA_EXTRACTABLE = false
>>   CKA_DECRYPT = true
>>   CKA_SIGN = true
>>   CKA_UNWRAP = true
>> }
>>
>> 2013-07-10 09:36:01,054 DEBUG [org.ejbca.util.keystore.KeyTools]
>> {SLOT_ID=[1],
>> PKCS11_NATIVE_MODULE=/opt/nfast/toolkits/pkcs11/libcknfast.so}
>> 2013-07-10 09:36:01,058 INFO [org.ejbca.util.keystore.KeyTools] Using SUN
>> PKCS11 provider: sun.security.pkcs11.SunPKCS11
>> 2013-07-10 09:36:01,156 ERROR [org.ejbca.util.keystore.KeyTools] Error
>> constructing pkcs11 provider: null
>> 2013-07-10 09:36:01,158 ERROR [org.ejbca.ui.cli.HSMKeyTool] Command
>> 'PKCS11HSMKeyTool generate /opt/nfast/toolkits/pkcs11/libcknfast.so null
>> pkcs11 4096 defaultSRV i1' could not be executed.
>> java.io.IOException: Error constructing pkcs11 provider: null
>>     at org.ejbca.util.keystore.KeyTools.getP11Provider(KeyTools.java:908)
>>     at org.ejbca.util.keystore.KeyTools.getP11Provider(KeyTools.java:864)
>>     at org.ejbca.util.keystore.KeyStoreContainerP11.getInstance(KeyStoreContainerP11.java:51)
>>     at org.ejbca.util.keystore.KeyStoreContainerFactory.getInstance(KeyStoreContainerFactory.java:55)
>>     at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:137)
>>     at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:290)
>>     at org.ejbca.ui.cli.PKCS11HSMKeyTool.execute(PKCS11HSMKeyTool.java:47)
>>     at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
>>     at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:70)
>> Caused by: java.lang.reflect.InvocationTargetException
>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
>>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>     at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
>>     at org.ejbca.util.keystore.KeyTools.getP11Provider(KeyTools.java:905)
>>     ... 8 more
>> Caused by: java.security.ProviderException: Initialization failed
>>     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:358)
>>     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:107)
>>     ... 13 more
>> Caused by: java.security.ProviderException: slotListIndex is 1 but token
>> only has 1 slots
>>     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:340)
>>     ... 14 more
>>
>>
>> ckinfo gives the index 1 for SRV. How do you explain this ?
>>
>> Kind regards
>>
>> Daniel JAMET
>> Direction DPM
>> Tel: +33 1 55 23 31 70
>> dan...@e-...
>> ____________________________
>> Société d'Exploitation de Réseaux et de Services Sécurisés
>> Immeuble "Le Linéa"
>> 1, rue du Général Leclerc
>> 92800 PUTEAUX

_______________________________________________
Ejbca-develop mailing list
Ejb...@li...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop
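
Added example, not part of the original thread and not EJBCA code: a small triage script for a CA token log like the one quoted in the message above. It unwraps the mail-quoted lines and separates aliases that the token lists but whose private key reads as null (the situation of all three aliases in the quoted log) from aliases that are not listed at all. The sample lines are constructed in the thread's log format, and `signSRV` is a made-up alias.

```python
import re

# Constructed sample in the thread's log format, '>'-quoted and wrapped as in
# the mail. 'signSRV' is a made-up alias added to show the "not listed" case.
SAMPLE = """\
> 2013-07-09 14:05:51,515 ERROR [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Can not read private key with alias
> 'defaultSRV' from keystore, got null. If the key was generated after the
> latest application server start then restart the application server.
> 2013-07-09 14:05:51,515 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: defaultSRV
> 2013-07-09 14:05:51,515 DEBUG [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: cryptSRV
> 2013-07-09 14:05:51,516 ERROR [org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Can not read private key with alias
> 'signSRV' from keystore, got null.
"""

TIMESTAMP = re.compile(r"(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} )")
UNREADABLE = re.compile(r"Can not read private key with alias\s+'([^']+)'")
LISTED = re.compile(r"Existing alias:\s+(\S+)")

def unwrap(text):
    """Drop mail quote markers, rejoin wrapped lines, return one string per log record."""
    parts = [re.sub(r"^(?:>\s?)+", "", line).strip() for line in text.splitlines()]
    flat = " ".join(p for p in parts if p)
    return [rec.strip() for rec in TIMESTAMP.split(flat) if rec.strip()]

def triage(text):
    """Map each alias to 'listed', 'listed-but-unreadable' or 'not-listed'."""
    listed, unreadable = set(), set()
    for rec in unwrap(text):
        if (m := UNREADABLE.search(rec)):
            unreadable.add(m.group(1))
        elif (m := LISTED.search(rec)):
            listed.add(m.group(1))
    report = {}
    for alias in sorted(listed | unreadable):
        if alias not in unreadable:
            report[alias] = "listed"
        elif alias in listed:
            report[alias] = "listed-but-unreadable"  # token shows the alias, key read gave null
        else:
            report[alias] = "not-listed"  # configured alias absent from the token's alias list
    return report

if __name__ == "__main__":
    for alias, status in triage(SAMPLE).items():
        print(f"{alias}: {status}")
```
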