SignServer 3.2.0 with Safenet ProtectServer External
Hi,
I am trying to work on with SignServer 3.2.0 using a Safenet ProtectServer External.
This is my first time to use signserver and I succesfully installed the default settings.
Now, I tried to modify the qs_pdfsigner_configuration.properties to work with an HSM using the PKCS11CryptoToken.
exception
javax.servlet.ServletException: org.signserver.common.CryptoTokenOfflineException: no such key
org.signserver.web.GenericProcessServlet.processRequest(GenericProcessServlet.java:351)
org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:245)
javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
root cause
org.signserver.common.CryptoTokenOfflineException: no such key
org.signserver.server.cryptotokens.CryptoTokenBase.getPrivateKey(CryptoTokenBase.java:157)
org.signserver.module.pdfsigner.PDFSigner.addSignatureToPDFDocument(PDFSigner.java:276)
org.signserver.module.pdfsigner.PDFSigner.processData(PDFSigner.java:236)
...
Why is it that it cannot find the defaultkey?
What should be the value in WORKERGENID1.defaultKey=?
For the strong crypto policy, did you mean the jce policy?
Here the content of ../jre/lib/security
I tried running the bin/signserver.sh testkey 2 all -v
and just got this output
[root@minglanilla signserver]# ./bin/signserver.sh testkey 2 all -v
Assuming JBoss JNDI provider...
===========================================
Executing Command on host : 10.194.50.234
===========================================
Enter authorization code:
0 [main] INFO org.signserver.cli.TestKeyCommand - Will test all keys
[root@minglanilla signserver]#
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2011-09-27
Hi Knivez,
You may try with EJBCA's clientToolBox. There is a risk/chance that there is an incompatibility between Java's handling of keys and the pkcs11-tool. Using the clientToolBox you can also test keys.
Anders
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
2. Modified the qs_pdfsigner_configuration.properties with this info
WORKERGENID1.sharedLibrary=/opt/PTK/lib/libcryptoki.so
WORKERGENID1.slotListIndex=5
WORKERGENID1.defaultKey=defaultSign
WORKERGENID1.pin=1111111111
3. Did the following commands
bin/signserver.sh setproperties qs_pdfsigner_configuration.properties
bin/signserver.sh reload 2
bin/signserver.sh activatecryptotoken 2 1111111111
ctcert x -ldefault -fdefault.pem -s5 //export a self-signed certificate from slot 5 token
bin/signserver.sh uploadsignercertificate 2 glob default.pem
4. Restarted jboss and then it has found the key and performed signing request.
I think my issue here is that I did not do the activatecryptotoken after I reload the workerid
Thank you for your support. 'Til my next questions…
Knivez
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I have an issue here using the Safenet HSM. Everytime I create an instance of a client to connect to the signer, the HSM's Open Session increased by 1 for every instance.
In the snippet below, the current open session value is 7 and I ran 7 instances of client.
When I tried to end 1 client at a time the open session did not decrement.
The only way to close the session is to shutdown/restart jboss.
Is there a way to close the opened session in Signserver?
I am thinking this is the cause of the signserver or jboss to stop.
[jboss@cfwtest ~]$ ctconf
ProtectToolkit C Configuration Utility $Revision: 7630 $
Copyright (c) Safenet, Inc. 2008
Current Adapter Configuration for Device 0:
Model : PSG:PL220
Serial Number : 92408219
Adapter Clock : 13/03/2012 09:21:40 (+8:00)
Battery Status : GOOD
Security Mode : No Clear PINs Auth Protection No Public Crypto Tamper Before Upgrade Increased Security Level
Transport Mode : None
FM Support : Enabled
FM Status : "CCert Signer V1.08" is active.
Open Session Count: 7
Number of Slots : 2
RTC Adjustment Access Control: Disabled
Regards,
Knivez
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Ok, I had observed that the Opened Session goes down to 1 for some time after I stopped the client.
I had also encountered an issue about TCP CLOSE_WAIT which occurs after 24 hours of running the flood test on the server.
Is this a Jboss issue? I am using jboss-4.2.3.GA and signserver-3.2.0. What version of jboss do you recommend?
Flood test is similar to stress testing. We execute several instances of a client that loops the call to the server.
It is also done in 2-4 machines. This created a CLOSE_WAIT issue on TCP an
d the application server stops responding to the new requests. I am trying to integrate jboss native in Jboss-4.2.3 and will see how it goes.
Regards,
Knivez
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
SignServer 3.2.0 with Safenet ProtectServer External
Hi,
I am trying to work on with SignServer 3.2.0 using a Safenet ProtectServer External.
This is my first time to use signserver and I succesfully installed the default settings.
Now, I tried to modify the qs_pdfsigner_configuration.properties to work with an HSM using the PKCS11CryptoToken.
I changed the properties with these values:
commented out:
I did these steps:
After reload I got this:
What does
WORKERGENID1.defaultKey, WORKERGENID1.pin signify in this setting.
I hope anyone can enlighten me on this.
Thanks,
Knivez
It seems you haven't created they key in the HSM.
This must (at least in EJBCA) be done using an external program like clientToolBox.
Anders
I actually generated a key pair and selfsigned in the HSM using ctcert command. and named it defaultKey. The pin is actually the user pin on slot 0.
Do I need to install EJBCA on the same machine with the Signserver?
Thanks,
Knivez
I will check with our guru but It could be a permission issue to the shared library as well.
You don't need to install EJBCA but there is a nice PKCS11Tool which verifies that a HSM works in the Java invironment.
Anders
More info (from Markus):
You have probably not installed the strong crypto policy files needed by the SUN/Oracle JDK
You can test your keys using:
bin/signserver.sh testkey 2 all -v
Regards,
Anders
I have tried to use pkcs11-tool and got this result
I tried to signed a pdf using the http://10.194.50.234:8080/signserver/demo/pdfsign.jsp and I got a
Why is it that it cannot find the defaultkey?
What should be the value in WORKERGENID1.defaultKey=?
For the strong crypto policy, did you mean the jce policy?
Here the content of ../jre/lib/security
I tried running the bin/signserver.sh testkey 2 all -v
and just got this output
Hi Knivez,
You may try with EJBCA's clientToolBox. There is a risk/chance that there is an incompatibility between Java's handling of keys and the pkcs11-tool. Using the clientToolBox you can also test keys.
Anders
Anders,
I think I got the PDF Signer working with a Safenet Protect Toolkit HSM
Here's what I did:
1. I follow the instructions on setting up a CA for Safenet ProtectServer
http://pki.cms.caltech.edu/ejbca/doc/adminguide.html#SafeNet%20ProtectServer
2. Modified the qs_pdfsigner_configuration.properties with this info
WORKERGENID1.sharedLibrary=/opt/PTK/lib/libcryptoki.so
WORKERGENID1.slotListIndex=5
WORKERGENID1.defaultKey=defaultSign
WORKERGENID1.pin=1111111111
3. Did the following commands
bin/signserver.sh setproperties qs_pdfsigner_configuration.properties
bin/signserver.sh reload 2
bin/signserver.sh activatecryptotoken 2 1111111111
ctcert x -ldefault -fdefault.pem -s5 //export a self-signed certificate from slot 5 token
bin/signserver.sh uploadsignercertificate 2 glob default.pem
4. Restarted jboss and then it has found the key and performed signing request.
I think my issue here is that I did not do the activatecryptotoken after I reload the workerid
Thank you for your support. 'Til my next questions…
Knivez
Hi Guys,
I have an issue here using the Safenet HSM. Everytime I create an instance of a client to connect to the signer, the HSM's Open Session increased by 1 for every instance.
In the snippet below, the current open session value is 7 and I ran 7 instances of client.
When I tried to end 1 client at a time the open session did not decrement.
The only way to close the session is to shutdown/restart jboss.
Is there a way to close the opened session in Signserver?
I am thinking this is the cause of the signserver or jboss to stop.
Regards,
Knivez
This should be normal and not cause any problems. PKCS#11 sessions are expensive to establish so Java pools them.
There is no way to close opened sessions (controlled by java and not possible to close).
Regards,
Tomas
PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/
Ok, I had observed that the Opened Session goes down to 1 for some time after I stopped the client.
I had also encountered an issue about TCP CLOSE_WAIT which occurs after 24 hours of running the flood test on the server.
Is this a Jboss issue? I am using jboss-4.2.3.GA and signserver-3.2.0. What version of jboss do you recommend?
Regards,
Kevin
What is a flood test? JBoss 4.2.3 has genrallly proven to be very reliable in production (if you harden it for security).
/Tomas
Flood test is similar to stress testing. We execute several instances of a client that loops the call to the server.
It is also done in 2-4 machines. This created a CLOSE_WAIT issue on TCP an
d the application server stops responding to the new requests. I am trying to integrate jboss native in Jboss-4.2.3 and will see how it goes.
Regards,
Knivez