Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata

yes, they work well with firefox, but the htmf could not recognize
them... maybe i did something wrong during the initialization of those
cards.

do you know why those american banknote cards won't work?

On Thu, Oct 30, 2008 at 4:41 PM, Miguel Angel Tormo Alfaro
<mlists@...> wrote:

> OK then. So your starcos cards should work with the opensc-pkcs11.dll, but not the american banknote ones...
> I understand your starcos cards work well with firefox and opensc-pkcs11.dll, right?
>
> On Thursday, 30 October 2008 19:26:16 Leonardo L. P. da Mata wrote:
>> i have 2 different kinds of cards, starcos and american banknote cards..
>>
>> the starcos card have been initialized with opensc and they work for
>> the browser ssl authentication.
>> the american banknote cards came initialized from the factory (i don't
>> know why people do that).
>>
>>
>>
>> On Thu, Oct 30, 2008 at 3:35 PM, Miguel Angel Tormo Alfaro
>> <mlists@...> wrote:
>> > That means opensc cannot recognize the format of your cards.
>> > Which card are you using? Did you format it with opensc?
>> >
>> > On Thursday, 30 October 2008 18:25:09 Leonardo L. P. da Mata wrote:
>> >> i mean, the htmf could open the library, but couldn't use it to read
>> >> the cards. It says that the card is not supported.
>> >>
>> >>
>> >> On Thu, Oct 30, 2008 at 3:24 PM, Leonardo L. P. da Mata
>> >> <barroca@...> wrote:
>> >> > it was hanging on opening the library (wrong pkcs11 interface). i've
>> >> > changed to opensc-pkcs11.dll, but now it can't recognize my cards...
>> >> >
>> >> >
>> >> >
>> >> > On Thu, Oct 30, 2008 at 8:05 AM, EJBCA Support
>> >> > <ejbca-support@...> wrote:
>> >> >> Hi Leonardo
>> >> >>
>> >> >> I'm assuming you are using the java web start deployment of Tolima. The
>> >> >> htmf log files are stored in <USER_HOME>/.hardtokenmgmt<n>_<n>.log; can
>> >> >> you send it to me?
>> >> >>
>> >> >> Which tokens are you using and which pkcs11 driver?
>> >> >>
>> >> >> // Regards Philip
>> >> >>
>> >> >> Leonardo L. P. da Mata wrote:
>> >> >>> Hey, i've advanced a lot in the ejbca installation and its
>> >> >>> integration with htmf, but i still can't use htmf correctly. I'm sending
>> >> >>> this message here because the htmf list has no discussion at all.
>> >> >>>
>> >> >>> so, i'm using java 6 and internet explorer to access tolima. I've
>> >> >>> generated an administrator card, and it seems to work (i can use this
>> >> >>> card with other applications to sign).
>> >> >>>
>> >> >>> after the administrator authenticates in the htmf, ejbca sends a message:
>> >> >>>   19:09:11,390 INFO [Log4jLogDevice] 29 de Outubro de 2008 19h9min11s
>> >> >>> BRST, CAId : -1688117755, AUTHORIZATION,
>> >> >>> EVENT_INFO_AUTHORIZEDTORESOURCE, Administrator : C LIENTCERT,
>> >> >>> Certificate SNR : 3964574de5f7dca8, CN=AdminCA1,O=EJBCA Sample,C=SE,
>> >> >>> User : No user involved, Certificate : No certificate involved,
>> >> >>> Comment : Resour ce :
>> >> >>>
>> >> >>> and the htmf hangs with no answer and no debug information.
>> >> >>>
>> >> >>> Anyone have any idea why this isn't working?
>> >> >>>
>> >> >>> BTW, the ant deploy of htmf doesn't substitute all variables correctly;
>> >> >>> the $*.hostname variables are being deployed without being
>> >> >>> substituted. Maybe this is a bug of htmf (TOLIMA).
>> >> >>>
>> >> >>>
>> >> >>> Thanks.
>> >> >>>
>> >> >>> On Tue, Oct 21, 2008 at 5:34 AM, Tomas Gustavsson <tomas@...> wrote:
>> >> >>>
>> >> >>>> Thanks added it to docs for next release.
>> >> >>>>
>> >> >>>> Cheers,
>> >> >>>> Tomas
>> >> >>>>
>> >> >>>>
>> >> >>>> Leonardo L. P. da Mata wrote:
>> >> >>>>
>> >> >>>>> So, after some time trying to find the problem, i think i could get it solved.
>> >> >>>>> The environment variable JDK_HOME must be set correctly for this to work.
>> >> >>>>> This is a problem with ncipher software that is not well documented,
>> >> >>>>> but i think it is important to put a note in the User's Guide.
>> >> >>>>>
>> >> >>>>> Command used:
>> >> >>>>> C:\Documents and
>> >> >>>>> Settings\barroca\Desktop\server_keys>c:\nfast\bin\generatekey.exe
>> >> >>>>> --import -c mscapi jcecsp pemreadfile=unprotected.pem
>> >> >>>>> keystore=temp.keystore type=RSA alias=imported1
>> >> >>>>> Result:
>> >> >>>>> recovery: Key recovery? (yes/no) [yes] >
>> >> >>>>> keystorepass: JCE key store password? (hidden)
>> >> >>>>> x509country: Country code? [] >
>> >> >>>>> x509province: State or province? [] >
>> >> >>>>> x509locality: City or locality? [] >
>> >> >>>>> x509org: Organisation? [] >
>> >> >>>>> x509orgunit: Organisation unit? [] >
>> >> >>>>> x509dnscommon: Domain name? [] >
>> >> >>>>> x509email: Email address? [] >
>> >> >>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>> >> >>>>> key generation parameters:
>> >> >>>>>  operation      Operation to perform                                      import
>> >> >>>>>
>> >> >>>>>  application    Application                                               jcecsp
>> >> >>>>>
>> >> >>>>>  protect        Protected by                                              token
>> >> >>>>>  slot           Slot to read cards from                                   0
>> >> >>>>>  recovery       Key recovery                                              yes
>> >> >>>>>  verify         Verify security of key                                    yes
>> >> >>>>>  type           Key type                                                  RSA
>> >> >>>>>  pemreadfile    PEM file containing RSA key                               unprot
>> >> >>>>> ected.pem
>> >> >>>>>  keystore       Filename of JCE key store                                 temp.k
>> >> >>>>> eystore
>> >> >>>>>  keystorepass   JCE key store password                                    <hidde
>> >> >>>>> n>
>> >> >>>>>  alias          JCE key alias                                             import
>> >> >>>>> ed1
>> >> >>>>>  x509country    Country code
>> >> >>>>>  x509province   State or province
>> >> >>>>>  x509locality   City or locality
>> >> >>>>>  x509org        Organisation
>> >> >>>>>  x509orgunit    Organisation unit
>> >> >>>>>  x509dnscommon  Domain name
>> >> >>>>>  x509email      Email address
>> >> >>>>>  nvram          Store blob in NVRAM (will require administrator cardset)  no
>> >> >>>>>
>> >> >>>>> Loading `mscapi':
>> >> >>>>>  Module 1: 0 cards of 1 read
>> >> >>>>>  Module 1 slot 0: `mscapi' #1 (`oper')
>> >> >>>>>  Module 1 slot 0:- passphrase supplied - reading card
>> >> >>>>> Card reading complete.
>> >> >>>>>
>> >> >>>>> Subprocess failed
>> >> >>>>> Arguments: {C:/Arquivos de programas/Java/jdk1.6.0_07/bin/java.exe} com.ncipher.
>> >> >>>>> provider.tools.ImportKey --keystore temp.keystore --alias imported1 --ident d34d
>> >> >>>>> 2ec33c1b108ceb2d890094736947514ab4ca --type com.ncipher.provider.km.KMRSAPrivate
>> >> >>>>> Key --certificate C:/nfast/kmdata/tmp/436_basilisco.cert << {123456
>> >> >>>>> }
>> >> >>>>> Errors:
>> >> >>>>> FATAL: error creating temp.keystore
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
>> >> >>>>> 17:11:36 ERROR: cannot remove kmdata file (C:\nfast\kmdata\local\key_jceshim_d34
>> >> >>>>> d2ec33c1b108ceb2d890094736947514ab4ca): No such file or directory
>> >> >>>>> nfgk_operate: SoftwareFailed
>> >> >>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> I still need to test if the key is working correctly, but when i list
>> >> >>>>> keys with nfkminfo, i can see the new imported keys.
>> >> >>>>>
>> >> >>>>> Thanks.
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> On Mon, Oct 20, 2008 at 12:27 PM, Leonardo L. P. da Mata
>> >> >>>>> <barroca@...> wrote:
>> >> >>>>>
>> >> >>>>>> Hey Bruno, the Security World is ok. I've checked the file
>> >> >>>>>> permissions, and apparently this is not an issue, because i'm getting
>> >> >>>>>> the same problem using the system administrator.
>> >> >>>>>>
>> >> >>>>>> I'm following the steps of ejbca user's guide. When importing a file,
>> >> >>>>>> i can't access the keystore of the HSM:
>> >> >>>>>>
>> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >>>>>>
>> >> >>>>>>> temp.keystore
>> >> >>>>>>>
>> >> >>>>>> ERROR: keystore: key store key is missing
>> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >>>>>>
>> >> >>>>>>> 59b8a83024f6d271ac8ec03838d8e3de7c204785
>> >> >>>>>>>
>> >> >>>>>> ERROR: keystore: cannot open file
>> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >>>>>>
>> >> >>>>>>> c:\nfast\kmdata\local\key_jcecsp_59b8a83024f6d271ac8ec03838d8e3de7c204785
>> >> >>>>>>>
>> >> >>>>>> ERROR: keystore: invalid keystore
>> >> >>>>>> ERROR: keystore: key store key is missing
>> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >>>>>> ERROR: keystore: invalid filename
>> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >>>>>>
>> >> >>>>>>> c:\nfast\kmdata\local\
>> >> >>>>>>>
>> >> >>>>>> ERROR: keystore: cannot open file
>> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>> temp.keystore contains "59b8a83024f6d271ac8ec03838d8e3de7c204785" as
>> >> >>>>>> mentioned in the user guide:
>> >> >>>>>> "Windows: 'copy con: temp.keystore' and copypaste the string, press
>> >> >>>>>> Ctrl-Z and Enter"
>> >> >>>>>>
>> >> >>>>>> Thanks again.
>> >> >>>>>>
>> >> >>>>>> On Mon, Oct 20, 2008 at 10:22 AM, Bruno Bonfils <asyd@...> wrote:
>> >> >>>>>>
>> >> >>>>>>> On Mon 20 October, Leonardo L. P. da Mata wrote:
>> >> >>>>>>>
>> >> >>>>>>>> I've read the HSM manual and checked that my Security World is FIPS level 2.
>> >> >>>>>>>> The NFAST_HOME is ok. I think this is a security issue. I'm gonna try
>> >> >>>>>>>> with the system administrator.
>> >> >>>>>>>>
>> >> >>>>>>> Hi,
>> >> >>>>>>>
>> >> >>>>>>> in order to create some key protected by the HSM, you need to create a
>> >> >>>>>>> Security World, and an OCS (Operator Card Set). This procedure is well
>> >> >>>>>>> documented in the HSM documentation. However, I may help if you have trouble
>> >> >>>>>>> (ps: I work at Linagora and I used to work with EJBCA and nCipher).
>> >> >>>>>>>
>> >> >>>>>>> If you really already have a Security World, check the file permissions.
>> >> >>>>>>> I don't know how it goes on windows, but in a unix environment,
>> >> >>>>>>> nCipher's default permissions only allow root to read/write the Security
>> >> >>>>>>> World's files.
>> >> >>>>>>>
>> >> >>>>>>> Best regards
>> >> >>>>>>>
>> >> >>>>>>> --
>> >> >>>>>>> http://asyd.net/home/   - Home Page
>> >> >>>>>>> http://guses.org/home/  - French Speaking (Open)Solaris User Group
>> >> >>>>>>>
>> >> >>>>>>> -------------------------------------------------------------------------
>> >> >>>>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> >> >>>>>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> >> >>>>>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> >> >>>>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> >> >>>>>>> _______________________________________________
>> >> >>>>>>> Ejbca-develop mailing list
>> >> >>>>>>> Ejbca-develop@...
>> >> >>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>> >> >>>>>>>
>> >> >>>>>>>
>> >> >>>>>> --
>> >> >>>>>> Leonardo Luiz Padovani da Mata
>> >> >>>>>> barroca@...
>> >> >>>>>>
>> >> >>>>>> "May the force be with you, always"
>> >> >>>>>> "Nerd Pride... I have it. Do you?"
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>
>> >> >>>>
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Leonardo Luiz Padovani da Mata
>> >> > barroca@...
>> >> >
>> >> > "May the force be with you, always"
>> >> > "Nerd Pride... I have it. Do you?"
>> >> >
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> >
>>
>>
>>
>
>
>
>



--
Leonardo Luiz Padovani da Mata
barroca@...

"May the force be with you, always"
"Nerd Pride... I have it. Do you?"
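The thread above reaches two conclusions that are easy to verify before running `generatekey --import` again: the `temp.keystore` file must hold exactly the key ident string the user's guide tells you to paste, and `JDK_HOME` must point at a JDK, because generatekey spawns the JDK's `java.exe` to build the JCE keystore and reports only "Subprocess failed" when that goes wrong. The pre-flight check below is an added example written for this editing pass; it is not part of the thread and not nCipher's or EJBCA's own tooling. It assumes the keystore file contains only the 40-hex ident (the `59b8a8…` value is the one quoted in the thread), that a `copy con:` recipe may leave a trailing CR/LF or Ctrl-Z byte, and that a Security World lives under `<NFAST_HOME>/kmdata/local` as the paths in the thread show. The `exists` parameter is injectable so the check runs without an HSM or JDK installed.

```python
import re
from pathlib import Path

# Key identifier as generatekey prints it in the thread: 40 lowercase hex characters.
KEY_IDENT_RE = re.compile(r"^[0-9a-f]{40}$")


def read_keystore_ident(data: bytes) -> str:
    """Return the key ident held in a 'temp.keystore' file written per the
    EJBCA user's guide (the file is expected to hold only the ident string).

    A trailing CR/LF and a stray Ctrl-Z (0x1a) byte are tolerated, since the
    'copy con: temp.keystore' + Ctrl-Z recipe can leave them (assumption).
    Raises ValueError when the content is not a bare 40-hex ident.
    """
    text = data.rstrip(b"\r\n\x1a ").decode("ascii", errors="replace").strip().lower()
    if not KEY_IDENT_RE.match(text):
        raise ValueError(f"keystore does not contain a 40-hex key ident: {text!r}")
    return text


def preflight(env: dict, keystore_bytes: bytes, exists=lambda p: Path(p).exists()) -> list:
    """Return a list of problems; an empty list means nothing obviously wrong
    before running generatekey --import.

    env is a mapping like os.environ. exists(path) -> bool is injectable so the
    check can be unit-tested without a real nCipher or JDK installation.
    """
    problems = []

    jdk = env.get("JDK_HOME")
    if not jdk:
        problems.append("JDK_HOME is not set (generatekey runs the JDK's java to build the JCE keystore)")
    elif not (exists(Path(jdk, "bin", "java.exe")) or exists(Path(jdk, "bin", "java"))):
        problems.append(f"JDK_HOME={jdk!r} has no bin/java(.exe)")

    nfast = env.get("NFAST_HOME")
    if not nfast:
        problems.append("NFAST_HOME is not set")
    elif not exists(Path(nfast, "kmdata", "local")):
        problems.append(f"NFAST_HOME={nfast!r} has no kmdata/local (Security World files)")

    try:
        read_keystore_ident(keystore_bytes)
    except ValueError as exc:
        problems.append(str(exc))

    return problems


if __name__ == "__main__":
    import os
    # Constructed sample: the ident quoted in the thread, with the CRLF 'copy con:' leaves.
    sample = b"59b8a83024f6d271ac8ec03838d8e3de7c204785\r\n"
    for problem in preflight(dict(os.environ), sample):
        print("problem:", problem)
```

Running it with an empty environment reports the missing `JDK_HOME` and `NFAST_HOME` first, which is the same failure the thread took several messages to pin down; a keystore file that contains the literal text "temp.keystore" (one of the attempts quoted above) is flagged before generatekey is ever invoked.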
