people). Now I need to import
140-2 Level 2 for this to work. ").
Arguments: java.exe com.ncipher.provider.tools.ImportKey --keystore temp.keystore --alias imported --ident e48cade40f1528f531b372817ddc969bae071de3 --type com.ncipher.provider.km.KMRSAPrivateKey --certificate C:/nfast/kmdata/tmp/3128_basili
On Wed, Oct 15, 2008 at 6:51 PM, Leonardo L. P. da Mata
> I've started a new installation from scratch...
> It worked.
>
> Every time you start JBoss you need to use nCipherJboss.cmd/.sh, even
> the first time (generating the AdminCA1). This is something that
> should be better explained in the documentation. This is when you need to
> use the nCipher HSM :-).
>
> In my last installation, I was using
> security.provider.1=com.ncipher.provider.km.nCipherKM
> as the default security provider in
> JAVA_HOME/jre/lib/security/java.security
>
> But since I couldn't reproduce the error, and after changing back to the
> original the error persists, I guess that this isn't a security
> problem.
>
>
> I will keep testing the software and updating this thread.
>
> Thanks again.
>
>
> On Wed, Oct 15, 2008 at 5:02 PM, Johan Eklund <ejbca-support@...> wrote:
>> I vaguely recall this as caused by not listing the nCipher provider in some
>> JRE config file.. might have been in JREHOME/lib/security/ or something like
>> that.. my theory is that it is using the regular JCE provider on an nCipher
>> keystore or maybe vice versa.. but these are pretty vague memories.. =/
>>
>> /Johan
>>
>> Leonardo L. P. da Mata skrev:
>>>
>>> Hello, I've configured EJBCA with JCE keys.
>>> After the installation I'm getting a strange error:
>>> "java.io.IOException: Bad KeyStore file, expecting a 40 character line."
>>>
>>> It seems that the keystore cannot be loaded.
>>> Is the keystore used when starting EJBCA the keystore that stores the
>>> keys for SSL? (:-o)
>>>
>>> ejbca.properties contains:
>>> ca.tokentype=org.ejbca.core.model.ca.catoken.NFastCAToken
>>> ca.tokenpassword=password
>>>
>>> and catoken.properties contains:
>>> keyStore baac258f773b0eb0ac1277e807207f0c63065ced
>>> defaultKey defaultRoot1
>>> certSignKey signRoot1
>>> crlSignKey signRoot1
>>> testKey testRoot1
>>>
>>> This configuration was done before the installation.
>>>
>>> Should I use a different keyStore?
>>> Is there any problem configuring the default CA with soft and then
>>> using the nCipher HSM to generate other CAs?
>>>
>>> Thanks.
>>>
>>>
>>> INFO: WSSERVLET14: JAX-WS servlet initializing
>>> 16:20:18,890 INFO [EARDeployer] Started J2EE application: file:/C:/jboss-4.2.3.GA/server/default/deploy/ejbca.ear
>>> 16:20:19,015 INFO [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
>>> 16:20:19,031 ERROR [Http11Protocol] Error starting endpoint
>>> java.io.IOException: Bad KeyStore file, expecting a 40 character line.
>>> at com.ncipher.provider.km.KMKeyStore.engineLoad(KMKeyStore.java:674)
>>> at java.security.KeyStore.load(KeyStore.java:1185)
>>> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:319)
>>> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:259)
>>> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:410)
>>> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:378)
>>> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)
>>> at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
>>> at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
>>> at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
>>> at org.apache.catalina.connector.Connector.start(Connector.java:1146)
>>> at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:601)
>>> at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:638)
>>> at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>> at java.lang.reflect.Method.invoke(Method.java:597)
>>> at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
>>> at $Proxy46.handleNotification(Unknown Source)
>>> at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
>>> at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
>>> at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
>>> at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
>>> at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
>>> at org.jboss.Main.boot(Main.java:200)
>>> at org.jboss.Main$1.run(Main.java:508)
>>> at java.lang.Thread.run(Thread.java:619)
>>> 16:20:19,046 WARN [JBossWeb] Failed to startConnectors
>>> LifecycleException: service.getName(): "jboss.web"; Protocol handler start failed: java.io.IOException: Bad KeyStore file, expecting a 40 character line.
>>> at org.apache.catalina.connector.Connector.start(Connector.java:1153)
>>> at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:601)
>>> at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:638)
>>> at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>> at java.lang.reflect.Method.invoke(Method.java:597)
>>> at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
>>> at $Proxy46.handleNotification(Unknown Source)
>>> at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
>>> at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
>>> at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
>>> at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
>>> at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
>>> at org.jboss.Main.boot(Main.java:200)
>>> at org.jboss.Main$1.run(Main.java:508)
>>> at java.lang.Thread.run(Thread.java:619)
>>> 16:20:19,062 INFO [Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)] Started in 4m:25s:750ms
>>>
>>>
>>> On Tue, Oct 14, 2008 at 4:24 PM, Leonardo L. P. da Mata <barroca@...> wrote:
>>>
>>>>
>>>> To illustrate how I import the keys, I've imported again, and here
>>>> is the result:
>>>>
>>>> c:\nfast\bin\generatekey --import -c mscapi pkcs11 pemreadfile=teste.pem type=RSA
>>>> recovery: Key recovery? (yes/no) [yes] >
>>>> plainname: Key name? [] > imported3
>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>>>> key generation parameters:
>>>>  operation    Operation to perform                                       import
>>>>  application  Application                                                pkcs11
>>>>  protect      Protected by                                               token
>>>>  slot         Slot to read cards from                                    0
>>>>  recovery     Key recovery                                               yes
>>>>  verify       Verify security of key                                     yes
>>>>  type         Key type                                                   RSA
>>>>  pemreadfile  PEM file containing RSA key                                teste.pem
>>>>  plainname    Key name                                                   imported3
>>>>  nvram        Store blob in NVRAM (will require administrator cardset)   no
>>>>
>>>> Loading `mscapi':
>>>> Module 1: 0 cards of 1 read
>>>> Module 1 slot 0: `mscapi' #1 (`oper')
>>>> Module 1 slot 0:- passphrase supplied - reading card
>>>> Card reading complete.
>>>>
>>>> Key successfully imported.
>>>> Path to key:
>>>> C:\nfast\kmdata\local\key_pkcs11_uc3d9fa9461f5ada90d40e0b1a2420099ea70834bb-9108857e16ec3ee22b9a23373e9c6f24eac8d70b
>>>>
>>>>
>>>>
>>>> It seems that the key is correctly imported. "This is surely possible,
>>>> but we have not done it so we can't provide you with finished commands
>>>> for importing keys for PKCS#11." . Do you think that the message
>>>> saying "Key successfully imported." is not true?
>>>>
>>>> 1) I will try the JCE way.
>>>> 2) Since there's no difference between creating a new one and
>>>> importing, the options are a little bit confusing. Maybe the
>>>> documentation should be more "step by step" like.. :-)
>>>> 3) I noticed that also.
>>>>
>>>>
>>>> I will check for other ways to use the HSM and keep giving feedback here.
>>>>
>>>> Thanks for all the help provided..
>>>>
>>>>
>>>>
>>>> On Tue, Oct 14, 2008 at 3:57 PM, Ejbca support <ejbca-support@...> wrote:
>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> 1) The Howto article is created for the NFastToken way of using nCipher,
>>>>> not PKCS#11. You can use nCipher using:
>>>>> - PKCS#11
>>>>> - NFast JCE Provider
>>>>>
>>>>> Both ways work, but the howto for importing keys is done for the JCE
>>>>> provider.
>>>>> When trying to start JBoss using the JCE provider, did you use
>>>>> EJBCA/bin/nCipherJboss.sh, and did you have the nCipher JCE/JCA provider
>>>>> installed (it is a separate package in the nCipher install)?
>>>>>
>>>>> When nfkminfo says:
>>>>> -----
>>>>>
>>>>> jboss@host$ $NFAST_HOME/bin/nfkminfo -k
>>>>> AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
>>>>> AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
>>>>> -----
>>>>> jcecsp means the keys can only be used by the JCE-provider. nCipher does
>>>>> it so you have different targets depending on which API you are using. If
>>>>> you want to use PKCS#11 you need to import the keys in another way.
>>>>> This is surely possible, but we have not done it so we can't provide you
>>>>> with finished commands for importing keys for PKCS#11.
>>>>>
>>>>>
>>>>> 2) There is no option for creating an "imported CA", you simply create a
>>>>> CA as usual and provide the correct parameters as CAToken parameters.
>>>>> From EJBCAs view there is no difference between a CA with keys
>>>>> generated in the HSM or created in the HSM. From EJBCAs view the keys
>>>>> ARE simply in the HSM and are used in the HSM.
>>>>>
>>>>> Simply create a new CA using keys on the HSM. Enter a name for the new
>>>>> CA and click 'Create CA'.
>>>>>
>>>>> Which options do not exist? Perhaps the wording "When importing a
>>>>> sub-CA" is confusing? Since you don't import a CA, you simply create a
>>>>> CA as usual.
>>>>>
>>>>> 3) "Import CA certificate" is for something completely different, don't
>>>>> use that. This function simply imports a CA certificate (as you
>>>>> noticed), so you can have external CA certificates imported for various
>>>>> verification reasons.
>>>>>
>>>>> Cheers,
>>>>> Tomas
>>>>> -----
>>>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>>>> training for EJBCA. Please see www.primekey.se or contact
>>>>> info@... for more information.
>>>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>>>
>>>>> Leonardo L. P. da Mata wrote:
>>>>>
>>>>>>
>>>>>> Hey, so, I've read the documentation, but I think there are some
>>>>>> gaps...
>>>>>> Just to make sure, to use the nCipher nShield, I should use the pkcs11
>>>>>> interface, right? I've tried to start JBoss using the nCipher
>>>>>> interface, but it didn't work. So I suppose that this kind of HSM must
>>>>>> use the pkcs11 interface.
>>>>>>
>>>>>> On the screen:
>>>>>> https://localhost:8443/ejbca/adminweb/ca/editcas/editcas.jsp
>>>>>> I can't find the option mentioned in the documentation; there's no
>>>>>> "create new CA 'ImportedCA'" option, and when I click the create
>>>>>> button, there's no option that can be selected as ImportedCA.
>>>>>>
>>>>>> There are "Import CA keystore" and "import CA certificate", but when I
>>>>>> use the option "import CA certificate" I can import my CA certificate,
>>>>>> but the key is not stored in the HSM. The CA Token Type is set to Null
>>>>>> after the import.
>>>>>>
>>>>>> We must provide more than 1 type of security solution, that's why I'm
>>>>>> testing both generating keys inside the HSM and generating outside and
>>>>>> importing them.
>>>>>>
>>>>>> The next step I will try is to generate user certificates onto smart
>>>>>> cards, but I'm already testing http://www.hardtokenmgmt.org/.
>>>>>>
>>>>>> Thanks, I appreciate the help. Hope to help the company that I'm
>>>>>> working for to be another reference installation.
>>>>>>
>>>>>>
>>>>>> On Tue, Oct 14, 2008 at 5:28 AM, Tomas Gustavsson <tomas@...> wrote:
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Hi Leonardo,
>>>>>>>
>>>>>>> Did you read the chapter in the User Guide at ejbca.org called
>>>>>>> "Importing an existing CA or sub-CA to EJBCA"? It's under the
>>>>>>> HSM->nCipher section. This text explains exactly how you can import
>>>>>>> existing keys (stored on disc) to create a CA in EJBCA.
>>>>>>> It also explains how you create the CA in EJBCA.
>>>>>>>
>>>>>>> We have done this and it works, no options in JBoss. Since the keys are
>>>>>>> imported into nCipher, it is simply just like any other CA with keys on
>>>>>>> the nCipher HSM. There is no difference between this CA and a CA where
>>>>>>> keys are generated inside the HSM (which is the recommended way for
>>>>>>> security reasons, of course).
>>>>>>>
>>>>>>> Regards,
>>>>>>> Tomas
>>>>>>> -----
>>>>>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>>>>>> training for EJBCA. Please see www.primekey.se or contact
>>>>>>> info@... for more information.
>>>>>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>>>>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Leonardo L. P. da Mata wrote:
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I'm developing the PKI infrastructure for the Official Press of Minas
>>>>>>>> Gerais State, in Brazil, and I'm having some problems generating
>>>>>>>> keys outside an HSM and importing them into the HSM.
>>>>>>>>
>>>>>>>> The server is Windows XP, and I'm using an nCipher nShield HSM. I was
>>>>>>>> able to import the keys using generatekey --import, and the keys are
>>>>>>>> listed by the nfkminfo tool, but I don't know how to use these keys to
>>>>>>>> create a new CA. Is it possible to use external keys to create new
>>>>>>>> CAs?
>>>>>>>>
>>>>>>>> Is there any special change to use imported keys in the
>>>>>>>> administration
>>>>>>>> GUI? Do I need to set parameters when I start JBOSS to use external
>>>>>>>> keys?
>>>>>>>>
>>>>>>>> Is there any other source of information other than ejbca.org?
>>>>>>>>
>>>>>>>> I'm using ejbca-3.7.1 and jboss-4.2.3-GA
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>> BTW, we are planning to develop the tools as free-software.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -------------------------------------------------------------------------
>>>>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>>>>>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>>>>>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>>>>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>>>>>> _______________________________________________
>>>>>>> Ejbca-develop mailing list
>>>>>>> Ejbca-develop@...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Leonardo Luiz Padovani da Mata
>>>> barroca@...
>>>>
>>>> "May the force be with you, always"
>>>> "Nerd Pride... eu tenho. Voce tem?"
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>> training for EJBCA. Please see www.primekey.se or contact info@...
>> for more information.
>> http://download.primekey.se/documents/ejbca_subscription.pdf
>> http://download.primekey.se/documents/ejbca_training.pdf
>>
>>
>>
>
>
>
> --
> Leonardo Luiz Padovani da Mata
> barroca@...
>
> "May the force be with you, always"
> "Nerd Pride... eu tenho. Voce tem?"
>