security world. Did you set NFAST_HOME env variable?
Leonardo L. P. da Mata wrote:
> Ok, I'm able to create CAs using the nCipher HSM, as I've mentioned
> (thanks to http://www.linagora.org/ people). Now I need to import
> external keys and CAs into this HSM.
>
> I've tried to follow the steps "Importing an existing CA or sub-CA to
> EJBCA" in the user's manual, but I'm getting some errors.
>
> First of all, I didn't create the small world; some old administrators
> did this job and I can't do it again.
> I don't know if my security world is FIPS 140-2 Level 2 as mentioned
> in: ("The security world has to be initialized in the default FIPS
> 140-2 Level 2 for this to work.").
>
> After using:
> c:\nfast\bin\generatekey.exe --import -c cardset jcecsp
> pemreadfile=teste.pem type=RSA keystore=temp.keystore
>
> and typing the parameter for the x509 certificate, I'm getting:
>
> Card reading complete.
>
> Subprocess failed
> Arguments: java.exe com.ncipher.provider.tools.ImportKey --keystore temp.keystore --alias imported --ident e48cade40f1528f531b372817ddc969bae071de3 --type com.ncipher.provider.km.KMRSAPrivateKey --certificate C:/nfast/kmdata/tmp/3128_basilisco.cert << {
> }
> Errors:
> FATAL: java.security.KeyStoreException nCipher.sworld not found
>
>
> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
> nfgk_operate: SoftwareFailed
>
>
> Is this an issue because I have a different FIPS level?
>
>
> Just to make sure, what's the difference between a recovery key and a
> normal key (as the tool asks "recovery: Key recovery? (yes/no) [yes] >")?
>
> Thanks again
>
>
>
>
>
> On Wed, Oct 15, 2008 at 6:51 PM, Leonardo L. P. da Mata <barroca@...> wrote:
>> I've started a new installation from scratch...
>> It worked.
>>
>> Every time you start JBoss you need to use nCipherJboss.cmd/.sh, even
>> the first time (generating the AdminCA1). This is something that
>> should be better explained in the documentation. This is when you need to
>> use the nCipher HSM :-).
>>
>> In my last installation, I was using
>> security.provider.1=com.ncipher.provider.km.nCipherKM
>> as the default security provider in
>> JAVA_HOME/jre/lib/security/java.security
>>
>> But since I couldn't reproduce the error, and after changing back to the
>> original the error persists, I guess that this isn't a security
>> problem.
>>
>>
>> I will keep testing the software and updating this thread.
>>
>> Thanks again.
>>
>>
>> On Wed, Oct 15, 2008 at 5:02 PM, Johan Eklund <ejbca-support@...> wrote:
>>> I vaguely recall this as caused by not listing the nCipher provider in some
>>> JRE config file.. might have been in JREHOME/lib/security/ or something like
>>> that.. my theory is that it is using the regular JCE provider on an nCipher
>>> keystore or maybe vice versa.. but these are pretty vague memories.. =/
>>>
>>> /Johan
>>>
>>> Leonardo L. P. da Mata wrote:
>>>> Hello, I've configured EJBCA with JCE keys.
>>>> After the installation I'm getting a strange error:
>>>> "java.io.IOException: Bad KeyStore file, expecting a 40 character line."
>>>>
>>>> It seems that the keystore cannot be loaded.
>>>> Is the keystore used when starting EJBCA the keystore that stores the
>>>> keys for SSL? (:-o)
>>>>
>>>> ejbca.properties contains:
>>>> ca.tokentype=org.ejbca.core.model.ca.catoken.NFastCAToken
>>>> ca.tokenpassword=password
>>>>
>>>> and catoken.properties contains:
>>>> keyStore baac258f773b0eb0ac1277e807207f0c63065ced
>>>> defaultKey defaultRoot1
>>>> certSignKey signRoot1
>>>> crlSignKey signRoot1
>>>> testKey testRoot1
>>>>
>>>> This configuration was done before the installation.
>>>>
>>>> Should I use a different keyStore?
>>>> Is there any problem configuring the default CA with soft and then
>>>> using the nCipher HSM to generate other CAs?
>>>>
>>>> Thanks.
>>>>
>>>>
>>>> INFO: WSSERVLET14: JAX-WS servlet initializing
>>>> 16:20:18,890 INFO [EARDeployer] Started J2EE application: file:/C:/jboss-4.2.3.GA/server/default/deploy/ejbca.ear
>>>> 16:20:19,015 INFO [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
>>>> 16:20:19,031 ERROR [Http11Protocol] Error starting endpoint
>>>> java.io.IOException: Bad KeyStore file, expecting a 40 character line.
>>>>     at com.ncipher.provider.km.KMKeyStore.engineLoad(KMKeyStore.java:674)
>>>>     at java.security.KeyStore.load(KeyStore.java:1185)
>>>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:319)
>>>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:259)
>>>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:410)
>>>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:378)
>>>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)
>>>>     at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
>>>>     at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
>>>>     at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
>>>>     at org.apache.catalina.connector.Connector.start(Connector.java:1146)
>>>>     at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:601)
>>>>     at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:638)
>>>>     at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>     at java.lang.reflect.Method.invoke(Method.java:597)
>>>>     at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
>>>>     at $Proxy46.handleNotification(Unknown Source)
>>>>     at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
>>>>     at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
>>>>     at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
>>>>     at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
>>>>     at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
>>>>     at org.jboss.Main.boot(Main.java:200)
>>>>     at org.jboss.Main$1.run(Main.java:508)
>>>>     at java.lang.Thread.run(Thread.java:619)
>>>> 16:20:19,046 WARN [JBossWeb] Failed to startConnectors
>>>> LifecycleException: service.getName(): "jboss.web"; Protocol handler start failed: java.io.IOException: Bad KeyStore file, expecting a 40 character line.
>>>>     at org.apache.catalina.connector.Connector.start(Connector.java:1153)
>>>>     at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:601)
>>>>     at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:638)
>>>>     at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>     at java.lang.reflect.Method.invoke(Method.java:597)
>>>>     at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
>>>>     at $Proxy46.handleNotification(Unknown Source)
>>>>     at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
>>>>     at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
>>>>     at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
>>>>     at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
>>>>     at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
>>>>     at org.jboss.Main.boot(Main.java:200)
>>>>     at org.jboss.Main$1.run(Main.java:508)
>>>>     at java.lang.Thread.run(Thread.java:619)
>>>> 16:20:19,062 INFO [Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)] Started in 4m:25s:750ms
>>>>
>>>>
>>>> On Tue, Oct 14, 2008 at 4:24 PM, Leonardo L. P. da Mata <barroca@...> wrote:
>>>>
>>>>> To illustrate how I import the keys, I've imported again, and here
>>>>> is the result:
>>>>>
>>>>> c:\nfast\bin\generatekey --import -c mscapi pkcs11
>>>>> pemreadfile=teste.pem type=RSA
>>>>> recovery: Key recovery? (yes/no) [yes] >
>>>>> plainname: Key name? [] > imported3
>>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>>>>> key generation parameters:
>>>>>  operation    Operation to perform                                      import
>>>>>  application  Application                                               pkcs11
>>>>>  protect      Protected by                                              token
>>>>>  slot         Slot to read cards from                                   0
>>>>>  recovery     Key recovery                                              yes
>>>>>  verify       Verify security of key                                    yes
>>>>>  type         Key type                                                  RSA
>>>>>  pemreadfile  PEM file containing RSA key                               teste.pem
>>>>>  plainname    Key name                                                  imported3
>>>>>  nvram        Store blob in NVRAM (will require administrator cardset)  no
>>>>>
>>>>>
>>>>> Loading `mscapi':
>>>>> Module 1: 0 cards of 1 read
>>>>> Module 1 slot 0: `mscapi' #1 (`oper')
>>>>> Module 1 slot 0:- passphrase supplied - reading card
>>>>> Card reading complete.
>>>>>
>>>>> Key successfully imported.
>>>>> Path to key:
>>>>> C:\nfast\kmdata\local\key_pkcs11_uc3d9fa9461f5ada90d40e0b1a2420099ea70834bb-9108857e16ec3ee22b9a23373e9c6f24eac8d70b
>>>>>
>>>>>
>>>>>
>>>>> It seems that the key is correctly imported. "This is surely possible,
>>>>> but we have not done it so we can't provide you with finished commands
>>>>> for importing keys for PKCS#11." Do you think that the message
>>>>> saying "Key successfully imported." is not true?
>>>>>
>>>>> 1) I will try the JCE way.
>>>>> 2) Since there's no difference between creating a new one and
>>>>> importing, the options are a little bit confusing. Maybe the
>>>>> documentation must be more "step by step" like.. :-)
>>>>> 3) I noticed that also.
>>>>>
>>>>>
>>>>> I will check for other ways to use the HSM and keep giving feedback here.
>>>>>
>>>>> Thanks for all the help provided.
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Oct 14, 2008 at 3:57 PM, Ejbca support <ejbca-support@...> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> 1) The Howto article is created for the NFastToken way of using nCipher,
>>>>>> not PKCS#11. You can use nCipher using:
>>>>>> - PKCS#11
>>>>>> - NFast JCE Provider
>>>>>>
>>>>>> Both ways work, but the howto for importing keys is done for the JCE
>>>>>> provider.
>>>>>> When trying to start JBoss using the JCE provider, did you use
>>>>>> EJBCA/bin/nCipherJboss.sh, and did you have the nCipher JCE/JCA provider
>>>>>> installed (it is a separate package in the nCipher install)?
>>>>>>
>>>>>> When nfkminfo says:
>>>>>> -----
>>>>>> jboss@host$ $NFAST_HOME/bin/nfkminfo -k
>>>>>> AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
>>>>>> AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
>>>>>> -----
>>>>>> jcecsp means the keys can only be used by the JCE provider. nCipher does
>>>>>> it so that you have different targets depending on which API you are using. If
>>>>>> you want to use PKCS#11 you need to import the keys in another way.
>>>>>> This is surely possible, but we have not done it so we can't provide you
>>>>>> with finished commands for importing keys for PKCS#11.
>>>>>>
>>>>>>
>>>>>> 2) There is no option for creating an "imported CA"; you simply create a
>>>>>> CA as usual and provide the correct parameters as CAToken parameters.
>>>>>> From EJBCA's view there is no difference between a CA with keys
>>>>>> generated in the HSM or created in the HSM. From EJBCA's view the keys
>>>>>> ARE simply in the HSM and are used in the HSM.
>>>>>>
>>>>>> Simply create a new CA using keys on the HSM. Enter a name for the new
>>>>>> CA and click 'Create CA'.
>>>>>>
>>>>>> Which options do not exist? Perhaps the wording "When importing a
>>>>>> sub-CA" is confusing? Since you don't import a CA, you simply create a
>>>>>> CA as usual.
>>>>>>
>>>>>> 3) "Import CA certificate" is for something completely different, don't
>>>>>> use that. This function simply imports a CA certificate (as you
>>>>>> noticed), so you can have external CA certificates imported for various
>>>>>> verification reasons.
>>>>>>
>>>>>> Cheers,
>>>>>> Tomas
>>>>>> -----
>>>>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>>>>> training for EJBCA. Please see www.primekey.se or contact
>>>>>> info@... for more information.
>>>>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>>>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>>>>
>>>>>> Leonardo L. P. da Mata wrote:
>>>>>>
>>>>>>> Hey, so, I've read the documentation, but I think there are some
>>>>>>> things lacking...
>>>>>>> Just to make sure, to use the nCipher nShield, I should use the pkcs11
>>>>>>> interface, right? I've tried to start JBoss using the nCipher
>>>>>>> interface, but it didn't work. So I suppose that this kind of HSM must
>>>>>>> use the pkcs11 interface.
>>>>>>>
>>>>>>> On the screen:
>>>>>>> https://localhost:8443/ejbca/adminweb/ca/editcas/editcas.jsp
>>>>>>> I can't find the option mentioned in the documentation; there's no
>>>>>>> "create new CA 'ImportedCA'" option, and when I click the create
>>>>>>> button, there's no option that can be selected as ImportedCA.
>>>>>>>
>>>>>>> There are "Import CA keystore" and "Import CA certificate", but when I
>>>>>>> use the option "Import CA certificate" I can import my CA certificate,
>>>>>>> but the key is not stored in the HSM. The CA Token Type is set to Null
>>>>>>> after the import.
>>>>>>>
>>>>>>> We must provide more than 1 type of security solution; that's why I'm
>>>>>>> testing both generating keys inside the HSM and generating outside and
>>>>>>> importing them.
>>>>>>>
>>>>>>> The next step I will try is to generate user certificates onto smart
>>>>>>> cards, but I'm already testing http://www.hardtokenmgmt.org/.
>>>>>>>
>>>>>>> Thanks, I appreciate the help. Hope to help the company that I'm
>>>>>>> working for to be another reference installation.
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Oct 14, 2008 at 5:28 AM, Tomas Gustavsson <tomas@...> wrote:
>>>>>>>
>>>>>>>
>>>>>>>> Hi Leonardo,
>>>>>>>>
>>>>>>>> Did you read the chapter in the User Guide at ejbca.org called
>>>>>>>> "Importing an existing CA or sub-CA to EJBCA"? It's under the
>>>>>>>> HSM->nCipher section. This text explains exactly how you can import
>>>>>>>> existing keys (stored on disc) to create a CA in EJBCA.
>>>>>>>> It also explains how you create the CA in EJBCA.
>>>>>>>>
>>>>>>>> We have done this and it works, no options in JBoss. Since the keys
>>>>>>>> are imported into nCipher, it is simply just like any other CA with
>>>>>>>> keys on the nCipher HSM. There is no difference between this CA and a
>>>>>>>> CA where keys are generated inside the HSM (which is the recommended
>>>>>>>> way for security reasons, of course).
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Tomas
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Leonardo L. P. da Mata wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I'm developing the PKI infrastructure for the Official Press of Minas
>>>>>>>>> Gerais State, in Brazil, and I'm having some problems generating
>>>>>>>>> keys outside an HSM and importing them into the HSM.
>>>>>>>>>
>>>>>>>>> The server is a Windows XP, and I'm using an nCipher nShield HSM. I was
>>>>>>>>> able to import the keys using generatekey --import; the keys are
>>>>>>>>> listed using the nfkminfo tool, but I don't know how to use these keys to
>>>>>>>>> create a new CA. Is it possible to use external keys to create new
>>>>>>>>> CAs?
>>>>>>>>>
>>>>>>>>> Is there any special change to use imported keys in the administration
>>>>>>>>> GUI? Do I need to set parameters when I start JBoss to use external
>>>>>>>>> keys?
>>>>>>>>>
>>>>>>>>> Is there any other source of information other than ejbca.org?
>>>>>>>>>
>>>>>>>>> I'm using ejbca-3.7.1 and jboss-4.2.3-GA.
>>>>>>>>>
>>>>>>>>> Thanks.
>>>>>>>>>
>>>>>>>>> BTW, we are planning to develop the tools as free-software.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> -------------------------------------------------------------------------
>>>>>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>>>>>>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>>>>>>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>>>>>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>>>>>>> _______________________________________________
>>>>>>>> Ejbca-develop mailing list
>>>>>>>> Ejbca-develop@...
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>> --
>>>>> Leonardo Luiz Padovani da Mata
>>>>> barroca@...
>>>>>
>>>>> "May the force be with you, always"
>>>>> "Nerd Pride... I have it. Do you?"
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
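To narrow down the "nCipher.sworld not found" error and Johan's provider theory from this thread, here is a small added diagnostic; it is not code from the thread, from EJBCA or from nCipher, uses only standard JCA calls, and assumes the provider class name and keystore type quoted above (the interpretation of the "40 character line" error is the editor's, not the thread's).

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;

// Added diagnostic, not part of the thread, EJBCA or the nCipher provider.
// Assumed from the thread:
//   provider class  com.ncipher.provider.km.nCipherKM  (java.security line)
//   keystore type   nCipher.sworld                      (from the ImportKey error)
public class NCipherProviderCheck {
    static final String PROVIDER_CLASS = "com.ncipher.provider.km.nCipherKM";
    static final String KEYSTORE_TYPE = "nCipher.sworld";

    /** Returns the registered provider instance of that class, or null if absent. */
    static Provider findNCipherProvider() {
        for (Provider p : Security.getProviders()) {
            if (PROVIDER_CLASS.equals(p.getClass().getName())) {
                return p;
            }
        }
        return null;
    }

    /** True when some registered provider implements the nCipher keystore type. */
    static boolean keystoreTypeResolves() {
        try {
            KeyStore.getInstance(KEYSTORE_TYPE);
            return true;
        } catch (KeyStoreException e) {
            // JCA phrases this as "<type> not found": no registered provider
            // implements the type. That is the exact message in the ImportKey output.
            return false;
        }
    }

    public static void main(String[] args) {
        Provider p = findNCipherProvider();
        if (p == null) {
            System.out.println("nCipherKM provider is NOT registered in this JVM.");
            System.out.println("One way to register it is a line in JAVA_HOME/jre/lib/security/java.security:");
            System.out.println("  security.provider.<n>=" + PROVIDER_CLASS);
            System.out.println("and starting JBoss via EJBCA/bin/nCipherJboss.sh or .cmd so the");
            System.out.println("provider jars are on the classpath and NFAST_HOME is set.");
        } else {
            System.out.println("Registered: " + p.getName() + " (" + p.getInfo() + ")");
        }
        System.out.println("KeyStore type " + KEYSTORE_TYPE + " resolves: " + keystoreTypeResolves());
        // Interpretation of the other error in the thread: KMKeyStore.engineLoad
        // expects a file holding one 40-character key ident (the keyStore value in
        // catoken.properties has that shape), so "Bad KeyStore file, expecting a
        // 40 character line" means a different kind of file (e.g. a JKS/PKCS#12 SSL
        // keystore) reached the nCipher keystore implementation, i.e. the
        // "regular JCE provider on an nCipher keystore or vice versa" mix-up.
    }
}
```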