Menu
▾
▴
Re: [Ejbca-develop] Slot management with ejbca and nCipher
|
From: Daniel J. <Dan...@e-...> - 2013-07-10 11:41:24
|
No.
The keys are generated but not usable with EJBCA for crate an CA.
thanks,
Daniel JAMET
Direction DPM
Tél : +33 1 55 23 31 70
dan...@e-...
____________________________
Société d'Exploitation de Réseaux et de Services Sécurisés
Immeuble "Le Linéa"
1, rue du Général Leclerc
92800 PUTEAUX
De : Manuel Dejonghe <ma...@de...>
A : ejbca-develop <ejb...@li...>
Date : 10/07/2013 13:29
Objet : Re: [Ejbca-develop] Slot management with ejbca and nCipher
So the initial problem is solved now ?
I am even much less likely to be able help with your next problem.
sorry,
Manuel
On Wed, Jul 10, 2013 at 1:08 PM, Daniel JAMET <Dan...@e-...>
wrote:
> Hi Manuel,
>
> Yes I have all seems to be OK. I have generated three keys: defaultSRV,
> cryptSRV and cryptSRV.
>
> When I create an AC, I have no key corresponding with these aliases and
i
> obtain the log you can see below:
>
> 2013-07-09 14:05:51,511 DEBUG
> [org.ejbca.core.model.ca.catoken.CATokenContainerImpl]
> (WorkerThread#0[127.0.0.1:51200]) CA Token is CATOKENTYPE_HSM
> 2013-07-09 14:05:51,511 DEBUG
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) >init: sSlotLabelKey=slot,
> Signaturealg=SHA1WithRSA
> 2013-07-09 14:05:51,511 DEBUG
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Prop: {hardTokenEncrypt=cryptSRV,
> sharedLibrary=/opt/nfast/toolkits/pkcs11/libcknfast.so, pin=hidden,
> defaultKey=defaultSRV, slotListIndex=0 , keyEncryptKey=cryptSRV,
> testKey=testSRV}
> 2013-07-09 14:05:51,512 DEBUG [org.ejbca.util.CryptoProviderTools]
> (WorkerThread#0[127.0.0.1:51200]) MaxAllowedKeyLength for DES is:
2147483647
> 2013-07-09 14:05:51,512 DEBUG [org.ejbca.util.StringTools]
> (WorkerThread#0[127.0.0.1:51200]) Using cleartext autoactivation pin
> 2013-07-09 14:05:51,512 DEBUG
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) <init: sSlotLabelKey=slot,
> Signaturealg=SHA1WithRSA
> 2013-07-09 14:05:51,514 DEBUG
> [org.ejbca.core.model.ca.catoken.PKCS11CAToken]
> (WorkerThread#0[127.0.0.1:51200]) Loading key from slot '0' using pin.
> 2013-07-09 14:05:51,515 ERROR
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Can not read private key with alias
> 'defaultSRV' from keystore, got null. If the key was generated after the
> latest application server start then restart the application server.
> 2013-07-09 14:05:51,515 DEBUG
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: defaultSRV
> 2013-07-09 14:05:51,515 DEBUG
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: cryptSRV
> 2013-07-09 14:05:51,515 DEBUG
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: testSRV
> 2013-07-09 14:05:51,515 ERROR
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Can not read private key with alias
> 'cryptSRV' from keystore, got null. If the key was generated after the
> latest application server start then restart the application server.
> 2013-07-09 14:05:51,516 DEBUG
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: defaultSRV
> 2013-07-09 14:05:51,516 DEBUG
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: cryptSRV
> 2013-07-09 14:05:51,516 DEBUG
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: testSRV
> 2013-07-09 14:05:51,516 ERROR
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Can not read private key with alias
> 'testSRV' from keystore, got null. If the key was generated after the
latest
> application server start then restart the application server.
> 2013-07-09 14:05:51,516 DEBUG
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: defaultSRV
> 2013-07-09 14:05:51,516 DEBUG
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: cryptSRV
> 2013-07-09 14:05:51,516 DEBUG
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Existing alias: testSRV
> 2013-07-09 14:05:51,516 DEBUG
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Testing keys with alias defaultSRV
> 2013-07-09 14:05:51,516 INFO
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) No keys with alias defaultSRV exists.
> 2013-07-09 14:05:51,517 DEBUG
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Testing keys with alias cryptSRV
> 2013-07-09 14:05:51,517 INFO
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) No keys with alias cryptSRV exists.
> 2013-07-09 14:05:51,517 DEBUG
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) Testing keys with alias testSRV
> 2013-07-09 14:05:51,517 INFO
[org.ejbca.core.model.ca.catoken.BaseCAToken]
> (WorkerThread#0[127.0.0.1:51200]) No keys with alias testSRV exists.
> 2013-07-09 14:05:51,518 ERROR
> [org.ejbca.core.model.ca.catoken.PKCS11CAToken]
> (WorkerThread#0[127.0.0.1:51200]) Failed to initialize PKCS11 provider
slot
> '0'.
>
>
> Kind regards
>
> Daniel JAMET
> Direction DPM
> Tél : +33 1 55 23 31 70
> dan...@e-...
> ____________________________
> Société d'Exploitation de Réseaux et de Services Sécurisés
> Immeuble "Le Linéa"
> 1, rue du Général Leclerc
> 92800 PUTEAUX
>
>
>
>
> De : Manuel Dejonghe <ma...@de...>
> A : ejb...@li...
> Date : 10/07/2013 12:05
> Objet : Re: [Ejbca-develop] Slot management with ejbca and
nCipher
> ________________________________
>
>
>
> Hi Daniel,
> I must say that I have no knowledge about nCipher, and my idea might
> be very stupid, but have you maybe tried to do the operation on
> slotIndex 0 ?
>
> hope that helps,
> Manuel
>
> On Wed, Jul 10, 2013 at 11:57 AM, Daniel JAMET <Dan...@e-...>
> wrote:
>> I don't understand why i can't create key with clientToolBox for the
>> following reason: slotListIndex is 1 but token only has 1 slots
>>
>> ckinfo display:
>>
>> PKCS#11 library CK_INFO
>> interface version 2.01
>> flags 0
>> manufacturerID "nCipher Corp. Ltd "
>> libraryDescription "nCipher PKCS#11 1.71.21 "
>> implementation version 1.71
>>
>> slots[0] CK_SLOT_INFO
>> slotDescription "Racine
>> "
>> manufacturerID "nCipher Corp. Ltd "
>> flags 6
>> flags & CKF_REMOVABLE_DEVICE
>> flags & CKF_HW_SLOT
>> hardware version 0.00
>> firmware version 0.00
>>
>>
>> slots[0] Token not present
>> slots[1] CK_SLOT_INFO
>> slotDescription "SRV
>> "
>> manufacturerID "nCipher Corp. Ltd "
>> flags 6
>> flags & CKF_REMOVABLE_DEVICE
>> flags & CKF_HW_SLOT
>> hardware version 0.00
>> firmware version 0.00
>>
>>
>> slots[1] Token not present
>>
>>
>> I have created the file /opt/nfast/cknfastrc :
>>
>> CKNFAST_LOADSHARING=1
>> CKNFAST_NO_ACCELERATOR_SLOTS=1
>> CKNFAST_NO_UNWRAP=1
>> CKNFAST_OVERRIDE_SECURITY_ASSURANCES=import
>> # CKNFAST_DEBUG=10
>> # CKNFAST_DEBUGFILE=/tmp/nfast.debug
>>
>> the trace log is:
>>
>> 2013-07-10 09:36:01,053 DEBUG [org.ejbca.util.keystore.KeyTools] name =
>> libcknfast.so-slot1
>> library = /opt/nfast/toolkits/pkcs11/libcknfast.so
>> slotListIndex = 1
>> attributes(*, *, *) = {
>> CKA_TOKEN = true
>> }
>> attributes(*, CKO_PUBLIC_KEY, *) = {
>> CKA_ENCRYPT = true
>> CKA_VERIFY = true
>> CKA_WRAP = true
>> }
>> attributes(*, CKO_PRIVATE_KEY, *) = {
>> CKA_PRIVATE = true
>> CKA_SENSITIVE = true
>> CKA_EXTRACTABLE = false
>> CKA_DECRYPT = true
>> CKA_SIGN = true
>> CKA_UNWRAP = true
>> }
>>
>> 2013-07-10 09:36:01,054 DEBUG [org.ejbca.util.keystore.KeyTools]
>> {SLOT_ID=[1],
>> PKCS11_NATIVE_MODULE=/opt/nfast/toolkits/pkcs11/libcknfast.so}
>> 2013-07-10 09:36:01,058 INFO [org.ejbca.util.keystore.KeyTools] Using
SUN
>> PKCS11 provider: sun.security.pkcs11.SunPKCS11
>> 2013-07-10 09:36:01,156 ERROR [org.ejbca.util.keystore.KeyTools] Error
>> constructing pkcs11 provider: null
>> 2013-07-10 09:36:01,158 ERROR [org.ejbca.ui.cli.HSMKeyTool] Command
>> 'PKCS11HSMKeyTool generate /opt/nfast/toolkits/pkcs11/libcknfast.so
null
>> pkcs11 4096 defaultSRV i1' could not be executed.
>> java.io.IOException: Error constructing pkcs11 provider: null
>> at
>> org.ejbca.util.keystore.KeyTools.getP11Provider(KeyTools.java:908)
>> at
>> org.ejbca.util.keystore.KeyTools.getP11Provider(KeyTools.java:864)
>> at
>>
>>
org.ejbca.util.keystore.KeyStoreContainerP11.getInstance(KeyStoreContainerP11.java:51)
>> at
>>
>>
org.ejbca.util.keystore.KeyStoreContainerFactory.getInstance(KeyStoreContainerFactory.java:55)
>> at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:137)
>> at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:290)
>> at
>> org.ejbca.ui.cli.PKCS11HSMKeyTool.execute(PKCS11HSMKeyTool.java:47)
>> at
>> org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
>> at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:70)
>> Caused by: java.lang.reflect.InvocationTargetException
>> at
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
>> Method)
>> at
>>
>>
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
>> at
>>
>>
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>> at
java.lang.reflect.Constructor.newInstance(Constructor.java:532)
>> at
>> org.ejbca.util.keystore.KeyTools.getP11Provider(KeyTools.java:905)
>> ... 8 more
>> Caused by: java.security.ProviderException: Initialization failed
>> at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:358)
>> at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:107)
>> ... 13 more
>> Caused by: java.security.ProviderException: slotListIndex is 1 but
token
>> only has 1 slots
>> at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:340)
>> ... 14 more
>>
>>
>> ckinfo give the index 1 for SRV. How do yo explain this ?
>>
>> Kind regards
>>
>> Daniel JAMET
>> Direction DPM
>> Tél : +33 1 55 23 31 70
>> dan...@e-...
>> ____________________________
>> Société d'Exploitation de Réseaux et de Services Sécurisés
>> Immeuble "Le Linéa"
>> 1, rue du Général Leclerc
>> 92800 PUTEAUX
>>
>>
>>
------------------------------------------------------------------------------
>> See everything from the browser to the database with AppDynamics
>> Get end-to-end visibility with application monitoring from AppDynamics
>> Isolate bottlenecks and diagnose root cause in seconds.
>> Start your free trial of AppDynamics Pro today!
>>
>>
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Ejbca-develop mailing list
>> Ejb...@li...
>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>
>
>
------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
>
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>
------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Ejbca-develop mailing list
Ejb...@li...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop
|