Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata

I have two different kinds of cards, StarCOS and American Banknote cards.

The StarCOS cards have been initialized with OpenSC and they work for
browser SSL authentication.
The American Banknote cards came initialized from the factory (I don't
know why people do that).



On Thu, Oct 30, 2008 at 3:35 PM, Miguel Angel Tormo Alfaro
<mlists@...> wrote:

> That means OpenSC cannot recognize the format of your cards.
> Which card are you using? Did you format it with OpenSC?
>
> On Thursday, 30 October 2008 18:25:09, Leonardo L. P. da Mata wrote:
>> I mean, HTMF could open the library, but couldn't use it to read
>> the cards. It says that the card is not supported.
>>
>>
>> On Thu, Oct 30, 2008 at 3:24 PM, Leonardo L. P. da Mata
>> <barroca@...> wrote:
>> > It was hanging on opening the library (wrong PKCS#11 interface). I've
>> > changed to opensc-pkcs11.dll, but now it can't recognize my cards...
>> >
>> >
>> >
>> > On Thu, Oct 30, 2008 at 8:05 AM, EJBCA Support
>> > <ejbca-support@...> wrote:
>> >> Hi Leonardo
>> >>
>> >> I'm assuming you are using the Java Web Start deployment of Tolima. The
>> >> HTMF log files are stored in <USER_HOME>/.hardtokenmgmt<n>_<n>.log; can
>> >> you send it to me?
>> >>
>> >> Which tokens are you using, and which PKCS#11 driver?
>> >>
>> >> // Regards Philip
>> >>
>> >> Leonardo L. P. da Mata skrev:
>> >>> Hey, I've advanced a lot in the EJBCA installation and its
>> >>> integration with HTMF, but I still can't use HTMF correctly. I'm sending
>> >>> this message here because the HTMF list has no discussion at all.
>> >>>
>> >>> So, I'm using Java 6 and Internet Explorer to access Tolima. I've
>> >>> generated an administrator card, and it seems to work (I can use this
>> >>> card with other applications to sign).
>> >>>
>> >>> After the administrator authenticates in HTMF, EJBCA logs a message:
>> >>>   19:09:11,390 INFO [Log4jLogDevice] 29 de Outubro de 2008 19h9min11s
>> >>> BRST, CAId : -1688117755, AUTHORIZATION,
>> >>> EVENT_INFO_AUTHORIZEDTORESOURCE, Administrator : CLIENTCERT,
>> >>> Certificate SNR : 3964574de5f7dca8, CN=AdminCA1,O=EJBCA Sample,C=SE,
>> >>> User : No user involved, Certificate : No certificate involved,
>> >>> Comment : Resource :
>> >>>
>> >>> and HTMF hangs with no answer and no debug information.
>> >>>
>> >>> Anyone have any idea why this isn't working?
>> >>>
>> >>> BTW, the ant deploy of HTMF doesn't substitute all variables correctly;
>> >>> the $*.hostname variables are being deployed without being
>> >>> substituted. Maybe this is a bug in HTMF (Tolima).
>> >>>
>> >>>
>> >>> Thanks.
>> >>>
>> >>> On Tue, Oct 21, 2008 at 5:34 AM, Tomas Gustavsson <tomas@...> wrote:
>> >>>
>> >>>> Thanks, added it to the docs for the next release.
>> >>>>
>> >>>> Cheers,
>> >>>> Tomas
>> >>>>
>> >>>>
>> >>>> Leonardo L. P. da Mata wrote:
>> >>>>
>> >>>>> So, after some time trying to find the problem, I think I got it solved.
>> >>>>> The environment variable JDK_HOME must be set correctly for this to work.
>> >>>>> This is a problem with the nCipher software that is not well documented,
>> >>>>> but I think it is important to put a note in the User's Guide.
>> >>>>>
>> >>>>> Command used:
>> >>>>> C:\Documents and Settings\barroca\Desktop\server_keys>c:\nfast\bin\generatekey.exe
>> >>>>> --import -c mscapi jcecsp pemreadfile=unprotected.pem
>> >>>>> keystore=temp.keystore type=RSA alias=imported1
>> >>>>> Result:
>> >>>>> recovery: Key recovery? (yes/no) [yes] >
>> >>>>> keystorepass: JCE key store password? (hidden)
>> >>>>> x509country: Country code? [] >
>> >>>>> x509province: State or province? [] >
>> >>>>> x509locality: City or locality? [] >
>> >>>>> x509org: Organisation? [] >
>> >>>>> x509orgunit: Organisation unit? [] >
>> >>>>> x509dnscommon: Domain name? [] >
>> >>>>> x509email: Email address? [] >
>> >>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>> >>>>> key generation parameters:
>> >>>>>  operation      Operation to perform                                      import
>> >>>>>  application    Application                                               jcecsp
>> >>>>>  protect        Protected by                                              token
>> >>>>>  slot           Slot to read cards from                                   0
>> >>>>>  recovery       Key recovery                                              yes
>> >>>>>  verify         Verify security of key                                    yes
>> >>>>>  type           Key type                                                  RSA
>> >>>>>  pemreadfile    PEM file containing RSA key                               unprotected.pem
>> >>>>>  keystore       Filename of JCE key store                                 temp.keystore
>> >>>>>  keystorepass   JCE key store password                                    <hidden>
>> >>>>>  alias          JCE key alias                                             imported1
>> >>>>>  x509country    Country code
>> >>>>>  x509province   State or province
>> >>>>>  x509locality   City or locality
>> >>>>>  x509org        Organisation
>> >>>>>  x509orgunit    Organisation unit
>> >>>>>  x509dnscommon  Domain name
>> >>>>>  x509email      Email address
>> >>>>>  nvram          Store blob in NVRAM (will require administrator cardset)  no
>> >>>>>
>> >>>>> Loading `mscapi':
>> >>>>>  Module 1: 0 cards of 1 read
>> >>>>>  Module 1 slot 0: `mscapi' #1 (`oper')
>> >>>>>  Module 1 slot 0:- passphrase supplied - reading card
>> >>>>> Card reading complete.
>> >>>>>
>> >>>>> Subprocess failed
>> >>>>> Arguments: {C:/Arquivos de programas/Java/jdk1.6.0_07/bin/java.exe}
>> >>>>> com.ncipher.provider.tools.ImportKey --keystore temp.keystore --alias imported1
>> >>>>> --ident d34d2ec33c1b108ceb2d890094736947514ab4ca
>> >>>>> --type com.ncipher.provider.km.KMRSAPrivateKey
>> >>>>> --certificate C:/nfast/kmdata/tmp/436_basilisco.cert << {123456}
>> >>>>> Errors:
>> >>>>> FATAL: error creating temp.keystore
>> >>>>>
>> >>>>>
>> >>>>> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
>> >>>>> 17:11:36 ERROR: cannot remove kmdata file (C:\nfast\kmdata\local\key_jceshim_d34d2ec33c1b108ceb2d890094736947514ab4ca): No such file or directory
>> >>>>> nfgk_operate: SoftwareFailed
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> I still need to test whether the key is working correctly, but when I list
>> >>>>> keys with nfkminfo, I can see the newly imported keys.
>> >>>>>
>> >>>>> Thanks.
>> >>>>>
>> >>>>>
>> >>>>> On Mon, Oct 20, 2008 at 12:27 PM, Leonardo L. P. da Mata
>> >>>>> <barroca@...> wrote:
>> >>>>>
>> >>>>>> Hey Bruno, the Security World is OK. I've checked the file
>> >>>>>> permissions, and apparently this is not an issue, because I'm getting
>> >>>>>> the same problem using the system administrator.
>> >>>>>>
>> >>>>>> I'm following the steps of the EJBCA user's guide. When importing a file,
>> >>>>>> I can't access the keystore of the HSM:
>> >>>>>>
>> >>>>>> keystore: Filename of JCE key store? []
>> >>>>>>
>> >>>>>>> temp.keystore
>> >>>>>>>
>> >>>>>> ERROR: keystore: key store key is missing
>> >>>>>> keystore: Filename of JCE key store? []
>> >>>>>>
>> >>>>>>> 59b8a83024f6d271ac8ec03838d8e3de7c204785
>> >>>>>>>
>> >>>>>> ERROR: keystore: cannot open file
>> >>>>>> keystore: Filename of JCE key store? []
>> >>>>>>
>> >>>>>>> c:\nfast\kmdata\local\key_jcecsp_59b8a83024f6d271ac8ec03838d8e3de7c204785
>> >>>>>>>
>> >>>>>> ERROR: keystore: invalid keystore
>> >>>>>> ERROR: keystore: key store key is missing
>> >>>>>> keystore: Filename of JCE key store? []
>> >>>>>> ERROR: keystore: invalid filename
>> >>>>>> keystore: Filename of JCE key store? []
>> >>>>>>
>> >>>>>>> c:\nfast\kmdata\local\
>> >>>>>>>
>> >>>>>> ERROR: keystore: cannot open file
>> >>>>>> keystore: Filename of JCE key store? []
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> temp.keystore contains "59b8a83024f6d271ac8ec03838d8e3de7c204785" as
>> >>>>>> mentioned in the user guide:
>> >>>>>> "Windows: 'copy con: temp.keystore' and copypaste the string, press
>> >>>>>> Ctrl-Z and Enter"
>> >>>>>>
>> >>>>>> Thanks again.
>> >>>>>>
>> >>>>>> On Mon, Oct 20, 2008 at 10:22 AM, Bruno Bonfils <asyd@...> wrote:
>> >>>>>>
>> >>>>>>> On Mon 20 October, Leonardo L. P. da Mata wrote:
>> >>>>>>>
>> >>>>>>>> I've read the HSM manual and checked that my Security World is FIPS level 2.
>> >>>>>>>> The NFAST_HOME is OK. I think this is a security issue. I'm going to try
>> >>>>>>>> with the system administrator.
>> >>>>>>>>
>> >>>>>>> Hi,
>> >>>>>>>
>> >>>>>>> In order to create a key protected by the HSM, you need to create a
>> >>>>>>> Security World and an OCS (Operator Card Set). This procedure is well
>> >>>>>>> documented in the HSM documentation. However, I may help if you have trouble
>> >>>>>>> (PS: I work at Linagora and I used to work with EJBCA and nCipher).
>> >>>>>>>
>> >>>>>>> If you really already have a Security World, check the file permissions.
>> >>>>>>> I don't know how it goes on Windows, but in a Unix environment,
>> >>>>>>> nCipher's default permissions only allow root to read/write the Security
>> >>>>>>> World's files.
>> >>>>>>>
>> >>>>>>> Best regards
>> >>>>>>>
>> >>>>>>> --
>> >>>>>>> http://asyd.net/home/   - Home Page
>> >>>>>>> http://guses.org/home/  - French Speaking (Open)Solaris User Group
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>
>> >>>>>
>> >>>>
>> >>>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> >
>>
>>
>>
>
>
>
>



--
Leonardo Luiz Padovani da Mata
barroca@...

"May the force be with you, always"
"Nerd Pride... I have it. Do you?"
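The import in this thread failed for mundane environment reasons (JDK_HOME not set so generatekey's Java subprocess could not run, and earlier suspicion of kmdata permissions and of what the "JCE key store" file should contain). The following is an added pre-flight script, not part of the thread and not nCipher's or EJBCA's tooling, that checks those three things before you run `generatekey --import ... keystore=<file>`. It assumes (my assumptions, not stated in the thread) that a key ident is 40 hex characters, that key blobs live under `$NFAST_KMDATA/local/key_<app>_<ident>` with `/opt/nfast/kmdata` as the default, and that a keystore file produced with the Windows `copy con:` trick may carry a trailing CRLF and a Ctrl-Z that must be ignored.

```sh
#!/bin/sh
# Added example (not nCipher/EJBCA code): pre-flight checks for generatekey --import.
# Assumptions: idents are 40 hex chars; blobs live under $NFAST_KMDATA/local;
# a Windows-built keystore file may end in CRLF and/or Ctrl-Z (0x1A).

# is_key_ident IDENT -> 0 if IDENT is exactly 40 hexadecimal characters
is_key_ident() {
  case "$1" in
    '' | *[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# keystore_ident FILE -> prints the ident held in FILE, with CR, LF,
# Ctrl-Z and blanks stripped (what "copy con:" leaves behind on Windows)
keystore_ident() {
  tr -d '\r\n\032 \t' < "$1"
}

# kmdata_path APP IDENT -> prints where the blob for APP (jcecsp, jceshim, ...)
# is expected; NFAST_KMDATA defaults to the Unix install location (assumption)
kmdata_path() {
  printf '%s/local/key_%s_%s\n' "${NFAST_KMDATA:-/opt/nfast/kmdata}" "$1" "$2"
}

# check_jdk_home -> 0 if JDK_HOME names a directory with a runnable java binary.
# generatekey spawns $JDK_HOME/bin/java for the JCE import step, which is why an
# unset JDK_HOME surfaced in the thread as "Subprocess failed".
check_jdk_home() {
  [ -n "$JDK_HOME" ] || return 1
  [ -x "$JDK_HOME/bin/java" ] || [ -x "$JDK_HOME/bin/java.exe" ]
}

# preflight KEYSTORE_FILE [APP] -> prints one line per failed check and
# returns the number of failures (0 means you are clear to run generatekey)
preflight() {
  ks="$1"; app="${2:-jcecsp}"; fails=0
  if ! check_jdk_home; then
    echo "JDK_HOME unset or \$JDK_HOME/bin/java not executable"
    fails=$((fails + 1))
  fi
  if [ ! -r "$ks" ]; then
    echo "keystore file $ks not readable"
    fails=$((fails + 1))
  else
    ident=$(keystore_ident "$ks")
    if ! is_key_ident "$ident"; then
      echo "keystore file $ks does not hold a 40-hex-char key ident (got '$ident')"
      fails=$((fails + 1))
    else
      blob=$(kmdata_path "$app" "$ident")
      if [ ! -r "$blob" ]; then
        echo "key blob $blob missing or unreadable (check ownership/permissions)"
        fails=$((fails + 1))
      fi
    fi
  fi
  return "$fails"
}

# Usage: preflight temp.keystore jcecsp && generatekey --import ...
```

Run it as the same user that will run generatekey: the permissions check only means something if the script and the import run under the same account, which is also why the "try as administrator" step in the thread was a reasonable (if inconclusive) experiment.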

_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop
