SignServer 3.2.0 with Safenet ProtectServer E

[knivez]

SignServer 3.2.0 with Safenet ProtectServer External

Hi,

I am trying to work on with SignServer 3.2.0 using a Safenet ProtectServer External.
This is my first time to use signserver and I succesfully installed the default settings.
Now, I tried to modify the qs_pdfsigner_configuration.properties to work with an HSM using the PKCS11CryptoToken.

I changed the properties with these values:

GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH = org.signserver.server.cryptotokens.PKCS11CryptoToken
WORKERGENID1.sharedLibrary=/opt/PTK/lib/libjcryptoki.so
WORKERGENID1.slotListIndex=0
WORKERGENID1.defaultKey=defaultKey
WORKERGENID1.pin=1111111111

commented out:

#WORKERGENID1.KEYDATA=...
#WORKERGENID1.SIGNERCERTCHAIN=...

I did these steps:

 bin/signserver.sh setproperties qs_pdfsigner_configuration.properties
bin/signserver.sh reload 2

After reload I got this:

18:06:03,852 WARN  [StringTools] De-obfuscation not possible due to weak crypto policy.
18:06:03,852 INFO  [KeyTools] Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
18:06:03,934 ERROR [BaseCAToken] Can not read private key with alias 'defaultKey' from keystore, got null. If the key was generated after the latest application server start then restart the application server.
18:06:03,934 INFO  [BaseCAToken] No keys with alias defaultKey exists.
18:06:03,934 ERROR [PKCS11CAToken] Failed to initialize PKCS11 provider slot '0'.
java.lang.Exception: Activation test failed
18:06:03,934 ERROR [PKCS11CryptoToken] Error auto activating PKCS11CryptoToken : Failed to initialize PKCS11 provider slot '0'.
org.signserver.common.CryptoTokenAuthenticationFailureException: Failed to initialize PKCS11 provider slot '0'.

What does
WORKERGENID1.defaultKey, WORKERGENID1.pin signify in this setting.

I hope anyone can enlighten me on this.

Thanks,
Knivez

[Anonymous]

It seems you haven't created they key in the HSM.
This must (at least in EJBCA) be done using an external program like clientToolBox.

Anders

[knivez]

I actually generated a key pair and selfsigned in the HSM using ctcert command. and named it defaultKey. The pin is actually the user pin on slot 0.

Do I need to install EJBCA on the same machine with the Signserver?

Thanks,
Knivez

[Anonymous]

I will check with our guru but It could be a permission issue to the shared library as well.

You don't need to install EJBCA but there is a nice PKCS11Tool which verifies that a HSM works in the Java invironment.

Anders

[Anonymous]

More info (from Markus):

You have probably not installed the strong crypto policy files needed by the SUN/Oracle JDK

You can test your keys using:

  bin/signserver.sh testkey 2 all -v

Regards,
Anders

[knivez]

I have tried to use pkcs11-tool and got this result

[root@minglanilla signserver]# pkcs11-tool --module=/opt/PTK/lib/libcryptoki.so --login -O
Using slot 0 with a present token (0x0)
Logging in to "testCA".
Please enter User PIN:
Public Key Object; RSA 2048 bits
  label:      defaultKey
  ID:         5b119569f216d7c23abfabb30e6fabec49aa7165
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      defaultKey
  ID:         5b119569f216d7c23abfabb30e6fabec49aa7165
  Usage:      decrypt, sign, unwrap, derive
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
Certificate Object, type = X.509 cert
  label:      defaultKey
  ID:         5b119569f216d7c23abfabb30e6fabec49aa7165

I tried to signed a pdf using the http://10.194.50.234:8080/signserver/demo/pdfsign.jsp and I got a

exception
javax.servlet.ServletException: org.signserver.common.CryptoTokenOfflineException: no such key
    org.signserver.web.GenericProcessServlet.processRequest(GenericProcessServlet.java:351)
    org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:245)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
root cause
org.signserver.common.CryptoTokenOfflineException: no such key
    org.signserver.server.cryptotokens.CryptoTokenBase.getPrivateKey(CryptoTokenBase.java:157)
    org.signserver.module.pdfsigner.PDFSigner.addSignatureToPDFDocument(PDFSigner.java:276)
    org.signserver.module.pdfsigner.PDFSigner.processData(PDFSigner.java:236)
    ...

Why is it that it cannot find the defaultkey?
What should be the value in WORKERGENID1.defaultKey=?

For the strong crypto policy, did you mean the jce policy?
Here the content of ../jre/lib/security

[root@minglanilla opt]# ll /usr/java/jdk1.6.0_25/jre/lib/security
total 128
-rw-r--r--. 1 root root    92 Apr 14 16:36 blacklist
-rw-r--r--. 1 root root 81202 Apr 14 16:36 cacerts
-rw-r--r--. 1 root root  2253 Apr 14 16:36 java.policy
-rw-r--r--. 1 root root 11087 Apr 14 16:36 java.security
-rw-r--r--. 1 root root   109 Apr 14 16:57 javaws.policy
-rw-r--r--. 1 root root  2940 Apr 14 16:34 local_policy.jar
-rw-r--r--. 1 root root 14189 Apr 14 16:36 trusted.libraries
-rw-r--r--. 1 root root  2469 Apr 14 16:34 US_export_policy.jar

I tried running the bin/signserver.sh testkey 2 all -v
and just got this output

[root@minglanilla signserver]# ./bin/signserver.sh testkey 2 all -v
Assuming JBoss JNDI provider...
===========================================
Executing Command on host : 10.194.50.234
===========================================
Enter authorization code:
0    [main] INFO  org.signserver.cli.TestKeyCommand  - Will test all keys
[root@minglanilla signserver]#

[Anonymous]

Hi Knivez,

You may try with EJBCA's clientToolBox.  There is a risk/chance that there is an incompatibility between Java's handling of keys and the pkcs11-tool.   Using the clientToolBox you can also test keys.

Anders

[knivez]

Anders,

I think I got the PDF Signer working with a Safenet Protect Toolkit HSM

Here's what I did:

1. I  follow the instructions on setting up a CA for Safenet ProtectServer
    http://pki.cms.caltech.edu/ejbca/doc/adminguide.html#SafeNet%20ProtectServer

2. Modified the qs_pdfsigner_configuration.properties with this info
        WORKERGENID1.sharedLibrary=/opt/PTK/lib/libcryptoki.so
        WORKERGENID1.slotListIndex=5
        WORKERGENID1.defaultKey=defaultSign
        WORKERGENID1.pin=1111111111

3.  Did the following commands
        bin/signserver.sh setproperties qs_pdfsigner_configuration.properties
        bin/signserver.sh reload 2
        bin/signserver.sh activatecryptotoken 2 1111111111
        ctcert x -ldefault -fdefault.pem -s5  //export a self-signed certificate from slot 5 token
        bin/signserver.sh uploadsignercertificate 2 glob default.pem

4. Restarted jboss and then it has found the key and performed signing request.

I think my issue here is that I did not do the activatecryptotoken after I reload the workerid

Thank you for your support. 'Til my next questions…

Knivez

[knivez]

Hi Guys,

I have an issue here using the Safenet HSM. Everytime I create an instance of a client to connect to the signer, the HSM's Open Session increased by 1 for every instance.

In the snippet below, the current open session value is 7 and I ran 7 instances of client.
When I tried to end 1 client at a time the open session did not decrement.
The only way to close the session is to shutdown/restart jboss.

Is there a way to close the opened session in Signserver?
I am thinking this is the cause of the signserver or jboss to stop.

[jboss@cfwtest ~]$ ctconf
ProtectToolkit C Configuration Utility $Revision: 7630 $
Copyright (c) Safenet, Inc. 2008
Current Adapter Configuration for Device 0:
Model             : PSG:PL220
Serial Number     : 92408219
Adapter Clock     : 13/03/2012 09:21:40 (+8:00)
Battery Status    : GOOD
Security Mode     : No Clear PINs Auth Protection No Public Crypto Tamper Before Upgrade Increased Security Level
Transport Mode    : None
FM Support        : Enabled
FM Status         : "CCert Signer V1.08" is active.
Open Session Count: 7
Number of Slots   : 2
RTC Adjustment Access Control: Disabled

Regards,
Knivez

[Tomas Gustavsson]

This should be normal and not cause any problems. PKCS#11 sessions are expensive to establish so Java pools them.

There is no way to close opened sessions (controlled by java and not possible to close).

Regards,
Tomas

---

PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/

[knivez]

Ok, I had observed that the Opened Session goes down to 1 for some time after I stopped the client.

I had also encountered an issue about TCP CLOSE_WAIT which occurs after 24 hours of running the flood test on the server.
Is this a Jboss issue? I am using jboss-4.2.3.GA and signserver-3.2.0. What version of jboss do you recommend?

Regards,
Kevin

[root@cfwtest ~]# netstat -ltnap | grep 8443
tcp        0      0 0.0.0.0:8443                0.0.0.0:*                   LISTEN      11296/java
tcp       38      0 192.168.25.177:8443         192.168.25.108:53840         CLOSE_WAIT  11296/java
tcp        1      0 192.168.25.177:8443         192.168.25.108:36904         CLOSE_WAIT  11296/java
tcp       38      0 192.168.25.177:8443         192.168.25.108:53845         CLOSE_WAIT  11296/java
tcp       38      0 192.168.25.177:8443         192.168.25.91:45835         CLOSE_WAIT  11296/java
tcp        1      0 192.168.25.177:8443         192.168.25.91:45850         CLOSE_WAIT  11296/java
tcp        1      0 192.168.25.177:8443         192.168.25.113:36902         CLOSE_WAIT  11296/java
... and a lot more
[root@cfwtest ~]# netstat -ltnap | grep 8443 | wc -l
95
[root@cfwtest ~]# ps -efa | grep jboss
jboss    11268     1  0 Mar14 ?        00:00:00 /bin/sh /opt/jboss/bin/run.sh -c default
jboss    11296 11268 30 Mar14 ?        13:58:08 /opt/java/bin/java -Dprogram.name=run.sh -server -Xms512m -Xmx512m -Djava.net.preferIPv4Stack=true -Djava.endorsed.dirs=/opt/jboss/lib/endorsed -classpath /opt/jboss/bin/run.jar:/opt/java/lib/tools.jar org.jboss.Main -c default
root     24577  2259  0 09:19 ?        00:00:00 sshd: jboss [priv]
jboss    24580 24577  0 09:19 ?        00:00:00 sshd: jboss@pts/0
jboss    24581 24580  0 09:19 pts/0    00:00:00 -bash
root     24630  2259  0 09:37 ?        00:00:00 sshd: jboss [priv]
jboss    24634 24630  0 09:37 ?        00:00:00 sshd: jboss@notty
jboss    24635 24634  0 09:37 ?        00:00:00 /usr/libexec/openssh/sftp-server
root     24860 24654  0 09:57 pts/0    00:00:00 grep jboss
[root@cfwtest ~]# ctconf
ProtectToolkit C Configuration Utility $Revision: 7630 $
Copyright (c) Safenet, Inc. 2008
Current Adapter Configuration for Device 0:
...
Open Session Count: 15
Number of Slots   : 2
...
[root@cfwtest ~]#

[Tomas Gustavsson]

What is a flood test? JBoss 4.2.3 has genrallly proven to be very reliable in production (if you harden it for security).

/Tomas

[knivez]

Flood test is similar to stress testing. We execute several instances of a client that loops the call to the server.
It is also done in 2-4 machines. This created a CLOSE_WAIT issue on TCP an
d the application server stops responding to the new requests. I am trying to integrate jboss native in Jboss-4.2.3 and will see how it goes.

Regards,
Knivez