
Re: Using external key with ncipher HSM

by Johan Eklund


I vaguely recall this as caused by not listing the nCipher provider in
some JRE config file.. might have been in JREHOME/lib/security/ or
something like that.. my theory is that it is using the regular JCE
provider on an nCipher keystore or maybe vice versa.. but these are pretty
vague memories.. =/

/Johan

Leonardo L. P. da Mata skrev:

> Hello, I've configured EJBCA with JCE keys.
> After the installation I'm getting a strange error:
> "java.io.IOException: Bad KeyStore file, expecting a 40 character line."
>
> It seems that the keystore cannot be loaded.
> Is the keystore used when starting EJBCA the keystore that stores the
> keys for SSL? (:-o)
>
> ejbca.properties contains:
> ca.tokentype=org.ejbca.core.model.ca.catoken.NFastCAToken
> ca.tokenpassword=password
>
> and catoken.properties contains:
> keyStore baac258f773b0eb0ac1277e807207f0c63065ced
> defaultKey defaultRoot1
> certSignKey signRoot1
> crlSignKey signRoot1
> testKey testRoot1
>
> This configuration was done before the installation.
>
> Should I use a different keyStore?
> Is there any problem configuring the default CA with soft and then
> using the nCipher HSM to generate other CAs?
>
> Thanks.
>
>
> INFO: WSSERVLET14: JAX-WS servlet initializing
> 16:20:18,890 INFO  [EARDeployer] Started J2EE application: file:/C:/jboss-4.2.3.GA/server/default/deploy/ejbca.ear
> 16:20:19,015 INFO  [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
> 16:20:19,031 ERROR [Http11Protocol] Error starting endpoint
> java.io.IOException: Bad KeyStore file, expecting a 40 character line.
>         at com.ncipher.provider.km.KMKeyStore.engineLoad(KMKeyStore.java:674)
>         at java.security.KeyStore.load(KeyStore.java:1185)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:319)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:259)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:410)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:378)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)
>         at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
>         at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
>         at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
>         at org.apache.catalina.connector.Connector.start(Connector.java:1146)
>         at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:601)
>         at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:638)
>         at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
>         at $Proxy46.handleNotification(Unknown Source)
>         at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
>         at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
>         at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
>         at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
>         at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
>         at org.jboss.Main.boot(Main.java:200)
>         at org.jboss.Main$1.run(Main.java:508)
>         at java.lang.Thread.run(Thread.java:619)
> 16:20:19,046 WARN  [JBossWeb] Failed to startConnectors
> LifecycleException:  service.getName(): "jboss.web";  Protocol handler start failed: java.io.IOException: Bad KeyStore file, expecting a 40 character line.
>         at org.apache.catalina.connector.Connector.start(Connector.java:1153)
>         at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:601)
>         at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:638)
>         at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
>         at $Proxy46.handleNotification(Unknown Source)
>         at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
>         at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
>         at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
>         at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
>         at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
>         at org.jboss.Main.boot(Main.java:200)
>         at org.jboss.Main$1.run(Main.java:508)
>         at java.lang.Thread.run(Thread.java:619)
> 16:20:19,062 INFO  [Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)] Started in 4m:25s:750ms
>
>
> On Tue, Oct 14, 2008 at 4:24 PM, Leonardo L. P. da Mata
> <barroca@...> wrote:
>  
>> To illustrate how I import the keys, I've imported again, and here
>> is the result:
>>
>> c:\nfast\bin\generatekey --import -c mscapi pkcs11 pemreadfile=teste.pem type=RSA
>> recovery: Key recovery? (yes/no) [yes] >
>> plainname: Key name? [] > imported3
>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>>    
>> key generation parameters:
>>  operation    Operation to perform                                      import
>>  application  Application                                               pkcs11
>>  protect      Protected by                                              token
>>  slot         Slot to read cards from                                   0
>>  recovery     Key recovery                                              yes
>>  verify       Verify security of key                                    yes
>>  type         Key type                                                  RSA
>>  pemreadfile  PEM file containing RSA key                               teste.pem
>>  plainname    Key name                                                  imported3
>>  nvram        Store blob in NVRAM (will require administrator cardset)  no
>>
>> Loading `mscapi':
>>  Module 1: 0 cards of 1 read
>>  Module 1 slot 0: `mscapi' #1 (`oper')
>>  Module 1 slot 0:- passphrase supplied - reading card
>> Card reading complete.
>>
>> Key successfully imported.
>> Path to key: C:\nfast\kmdata\local\key_pkcs11_uc3d9fa9461f5ada90d40e0b1a2420099ea70834bb-9108857e16ec3ee22b9a23373e9c6f24eac8d70b
>>
>>
>>
>> It seems that the key is correctly imported. "This is surely possible,
>> but we have not done it so we can't provide you with finished commands
>> for importing keys for PKCS#11." . Do you think that the message
>> saying "Key successfully imported." is not true?
>>
>> 1) I will try the JCE way.
>> 2)Since there's no difference between creating a new one, and
>> importing, the options are a little bit confusing. Maybe the
>> documentation must be more "step by step" like.. :-)
>> 3) I notice that also.
>>
>>
>> I will check for other ways to use the HSM and keep giving feedback here.
>>
>> Thanks for all the help provided..
>>
>>
>>
>> On Tue, Oct 14, 2008 at 3:57 PM, Ejbca support
>> <ejbca-support@...> wrote:
>>    
>>> Hi,
>>>
>>> 1) The Howto article is created for the NFastToken way of using nCipher,
>>> not PKCS#11. You can use nCipher using:
>>> - PKCS#11
>>> - NFast JCE Provider
>>>
>>> Both ways work, but the howto for importing keys is done for the JCE
>>> provider.
>>> When trying to start JBoss using the JCE provider, did you use
>>> EJBCA/bin/nCipherJboss.sh, and did you have the nCipher JCE/JCA provider
>>> installed (they are separate packages in the nCipher install)?
>>>
>>> When nfkminfo says:
>>> -----
>>>
>>> jboss@host$ $NFAST_HOME/bin/nfkminfo -k
>>>  AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
>>>  AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
>>> -----
>>> jcecsp means the keys can only be used by the JCE-provider. nCipher does it so you have different targets depending on which API you are using. If you want to use PKCS#11 you need to import the keys in another way.
>>> This is surely possible, but we have not done it so we can't provide you with finished commands for importing keys for PKCS#11.
>>>
>>>
>>> 2) There is no option for creating an "imported CA", you simply create a
>>> CA as usual and provide the correct parameters as CAToken parameters.
>>> From EJBCA's view there is no difference between a CA with keys
>>> generated in the HSM or created in the HSM. From EJBCA's view the keys
>>> ARE simply in the HSM and are used in the HSM.
>>>
>>> Simply create a new CA using keys on the HSM. Enter a name for the new
>>> CA and click 'Create CA'.
>>>
>>> Which options do not exist? Perhaps the wording "When importing a
>>> sub-CA" is confusing? Since you don't import a CA, you simply create a
>>> CA as usual.
>>>
>>> 3) "Import CA certificate" is for something completely different, don't
>>> use that. This function simply imports a CA certificate (as you
>>> noticed), so you can have external CA certificates imported for various
>>> verification reasons.
>>>
>>> Cheers,
>>> Tomas
>>> -----
>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>> training for EJBCA. Please see www.primekey.se or contact
>>> info@... for more information.
>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>
>>>
>>> Leonardo L. P. da Mata wrote:
>>>      
>>>> Hey, so, I've read the documentation, but I think there are some gaps...
>>>> Just to make sure, to use the nCipher nShield, I should use the PKCS#11
>>>> interface, right? I've tried to start JBoss using the nCipher
>>>> interface, but it didn't work. So I suppose that this kind of HSM must
>>>> use the PKCS#11 interface.
>>>>
>>>> On the screen:
>>>> https://localhost:8443/ejbca/adminweb/ca/editcas/editcas.jsp
>>>>
>>>> I can't find the option mentioned in the documentation; there's no
>>>> "create new CA 'ImportedCA'" option, and when I click the create
>>>> button, there's no option that can be selected as ImportedCA.
>>>>
>>>> There are "Import CA keystore" and "Import CA certificate", but when I
>>>> use the option "Import CA certificate" I can import my CA certificate,
>>>> but the key is not stored in the HSM. The CA Token Type is set to Null
>>>> after the import.
>>>>
>>>> We must provide more than one type of security solution; that's why I'm
>>>> testing both generating keys inside the HSM and generating them outside and
>>>> importing them.
>>>>
>>>> The next step i will try is to generate User certificates into smart
>>>> cards, but I'm already testing http://www.hardtokenmgmt.org/.
>>>>
>>>> Thanks, I appreciate the help. Hope to help the company that I'm
>>>> working for to be another reference installation.
>>>>
>>>>
>>>> On Tue, Oct 14, 2008 at 5:28 AM, Tomas Gustavsson <tomas@...> wrote:
>>>>
>>>>        
>>>>> Hi Leonardo,
>>>>>
>>>>> Did you read the chapter in the User Guide at ejbca.org called
>>>>> "Importing an existing CA or sub-CA to EJBCA"? It's under the
>>>>> HSM->nCipher section. This text explains exactly how you can import
>>>>> existing keys (stored on disk) to create a CA in EJBCA.
>>>>> It also explains how you create the CA in EJBCA.
>>>>>
>>>>> We have done this and it works, no options in JBoss. Since the keys are
>>>>> imported into nCipher, it is simply just like any other CA with keys on
>>>>> the nCipher HSM. There is no difference between this CA and a CA where
>>>>> keys are generated inside the HSM (which is the recommended way for
>>>>> security reasons, of course).
>>>>>
>>>>> Regards,
>>>>> Tomas
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Leonardo L. P. da Mata wrote:
>>>>>
>>>>>          
>>>>>> Hello,
>>>>>>
>>>>>> I'm developing the PKI infrastructure for the Official Press of Minas
>>>>>> Gerais State, in Brazil, and I'm having some problems generating
>>>>>> keys outside an HSM and importing them into the HSM.
>>>>>>
>>>>>> The server is a Windows XP, and I'm using an nCipher nShield HSM. I was
>>>>>> able to import the keys using generatekey --import, the keys are
>>>>>> listed using the nfkminfo tool, but I don't know how to use these keys to
>>>>>> create a new CA. Is it possible to use external keys to create new
>>>>>> CAs?
>>>>>>
>>>>>> Is there any special change to use imported keys in the administration
>>>>>> GUI? Do I need to set parameters when I start JBOSS to use external
>>>>>> keys?
>>>>>>
>>>>>> Is there any other source of information than ejbca.org?
>>>>>>
>>>>>> I'm using ejbca-3.7.1 and jboss-4.2.3-GA
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> BTW, we are planning to develop the tools as free-software.
>>>>>>
>>>>>>
>>>>>>            
>>>>> -------------------------------------------------------------------------
>>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>>>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>>>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>>>> _______________________________________________
>>>>> Ejbca-develop mailing list
>>>>> Ejbca-develop@...
>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>>>
>>>>>
>>>>>          
>>>>
>>>>
>>>>        
>>>
>>>      
>>
>> --
>> Leonardo Luiz Padovani da Mata
>> barroca@...
>>
>> "May the force be with you, always"
>> "Nerd Pride... eu tenho. Voce tem?"
>>
>>    
>
>
>
>  
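Two facts in the thread are checkable before JBoss is ever started: the nCipher keystore loader wants a 40-character ident (that is what the "Bad KeyStore file, expecting a 40 character line" error is complaining about), and Tomas's note that keys listed by nfkminfo under AppName jcecsp are the only ones the JCE provider can see. The script below is an added example, not code from the thread or from EJBCA: it parses the catoken.properties format and the `nfkminfo -k` listing quoted above and reports both kinds of mismatch. It assumes that the keyStore value in catoken.properties is compared against the Ident column of nfkminfo and that the application name NFastCAToken needs is jcecsp; the pkcs11 ident in the sample listing is made up, the other values are the ones quoted in the thread.

```python
"""Configuration check for an EJBCA NFastCAToken (added example, not part of
the thread or of EJBCA). It verifies that:
  1. catoken.properties names a keyStore ident of exactly 40 hex characters,
     which is what the nCipher KMKeyStore loader expects;
  2. that ident appears in the 'nfkminfo -k' listing under AppName jcecsp,
     the application the JCE provider reads keys from (assumption based on
     Tomas's explanation in the thread).
Sample inputs are constructed from the formats shown in the thread.
"""
import re
import sys

IDENT_RE = re.compile(r"^[0-9a-f]{40}$")
REQUIRED = ("keyStore", "defaultKey", "certSignKey", "crlSignKey", "testKey")
JCE_APP = "jcecsp"  # assumed: the AppName the nCipher JCE provider uses


def parse_catoken_properties(text):
    """Parse the 'name value' lines of catoken.properties into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed catoken.properties line: %r" % raw)
        props[parts[0]] = parts[1].strip()
    return props


def parse_nfkminfo(text):
    """Map each Ident in 'nfkminfo -k' output to its AppName."""
    keys = {}
    for line in text.splitlines():
        m = re.match(r"\s*AppName\s+(\S+)\s+Ident\s+(\S+)", line)
        if m:
            keys[m.group(2)] = m.group(1)
    return keys


def check_catoken(props, hsm_keys):
    """Return a list of problems; an empty list means the token config is usable."""
    problems = ["missing property %s" % n for n in REQUIRED if n not in props]
    ident = props.get("keyStore", "")
    if not IDENT_RE.match(ident):
        # This is the case KMKeyStore rejects with "expecting a 40 character line".
        problems.append("keyStore %r is not a 40-character hex ident" % ident)
        return problems
    app = hsm_keys.get(ident)
    if app is None:
        problems.append("keyStore ident %s not found in nfkminfo output" % ident)
    elif app != JCE_APP:
        # Key exists but was loaded through another application (e.g. pkcs11),
        # so the JCE provider behind NFastCAToken cannot use it.
        problems.append("keyStore ident %s belongs to application %r, not %r"
                        % (ident, app, JCE_APP))
    return problems


def diagnose(catoken_text, nfkminfo_text):
    return check_catoken(parse_catoken_properties(catoken_text),
                         parse_nfkminfo(nfkminfo_text))


# Constructed sample: the catoken.properties quoted in the thread.
THREAD_CATOKEN = """\
keyStore baac258f773b0eb0ac1277e807207f0c63065ced
defaultKey defaultRoot1
certSignKey signRoot1
crlSignKey signRoot1
testKey testRoot1
"""

# Constructed sample 'nfkminfo -k' listing: the jcecsp idents quoted in the
# thread plus a made-up 40-hex ident under the pkcs11 application.
SAMPLE_NFKMINFO = """\
 AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
 AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
 AppName pkcs11 Ident 0123456789abcdef0123456789abcdef01234567
"""

# Variants of the thread's config pointing at the jcecsp and pkcs11 keys.
JCE_CATOKEN = THREAD_CATOKEN.replace("baac258f773b0eb0ac1277e807207f0c63065ced",
                                     "f7e825134fe23f58b1575d8efb487babe7ebd1ed")
PKCS11_CATOKEN = THREAD_CATOKEN.replace("baac258f773b0eb0ac1277e807207f0c63065ced",
                                        "0123456789abcdef0123456789abcdef01234567")

if __name__ == "__main__":
    # Usage: python check_catoken.py catoken.properties nfkminfo-k.txt
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            result = diagnose(f.read(), g.read())
    else:
        result = diagnose(THREAD_CATOKEN, SAMPLE_NFKMINFO)
    print("\n".join(result) or "catoken.properties looks usable by NFastCAToken")
```

Run without arguments it checks the thread's own configuration against the sample listing and reports that the keyStore ident is not present on the HSM, which is the first thing to confirm with a real `nfkminfo -k` before suspecting the JRE provider list. It does not cover Johan's point about the Tomcat SSL connector picking up the nCipher keystore type; that is a separate setting in the JBoss connector configuration.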






