[SignServer-develop] Luna SA configuration problem

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi -- I'm having a problem setting up my SignServer to talk to a Luna SA
HSM.

I've set up SignServer and tested the MRTDSODSigner repeatedly with soft
keys, so the rest of its configuration appears to be correct.

The link between the Luna SA and the server is also set up correctly;
running Luna's VTL tool shows the partition is visible like so:

----
[root@localhost bin]# ./vtl verify

The following Luna SA Slots/Partitions were found:

Slot    Serial #    Label
====    ========    =====
 1    520030014     epassport
----

But when I try to run SignServer's activatecryptotoken command, I get one
of two failure results.  If I specify the slot name with these parameters:

SLOTLABELTYPE=SLOT_NAME
SLOTLABELVALUE=epassport

then when I run bin/signserver.sh activatecryptotoken, it fails in the init
function:

----
Trying to activate crypto token of worker with id : 6

Crypto token is offline: org.signserver.common.SignServerException: Failed
to initialize crypto token: Token label 'epassport' not found.
----

On the other hand, if I specify the slot number or slot index with these
parameters:

SLOTLABELTYPE=SLOT_NUMBER
SLOTLABELVALUE=1

or

SLOTLABELTYPE=SLOT_INDEX
SLOTLABELVALUE=0

then the activatecryptotoken command gets past the init function, but fails
when it actually tries to activate:

----
Trying to activate crypto token of worker with id : 5

Crypto token authentication failed: Activate failed: Failed to initialize
PKCS11 provider slot '0'.: KeyStore instantiation failed: PKCS11 not found:
no such algorithm: PKCS11 for provider SunPKCS11-libCryptoki2_64.so-slot0
----

In both cases the following lines have been uncommented in
signserver_deploy.properties:

cryptotoken.p11.lib.20.name=SafeNet Luna SA
cryptotoken.p11.lib.20.file=/usr/safenet/lunaclient/lib/libCryptoki2_64.so

For what it's worth, the server is running CentOS 7 and JDK 1.8.  And
Luna's crypto provider has been added to jre/lib/security/java.security:

security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.safenetinc.luna.provider.LunaProvider
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC

So...  what could be missing, that it's not finding the PKCS11 algorithms?

Cheers,
Jon Blum