
Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata


Yes, I've checked. They are not supported. I bought the cards
initialized, because the main use of those cards is to store specific
certificates of the Brazilian SSN number (e-CPF or e-CNPJ).

I'm trying to contact the manufacturer of the card to get some
information about the format, and see if I can get it to work.

I will get other brands of cards and try.

Thanks.


On Thu, Oct 30, 2008 at 6:40 PM, Miguel Angel Tormo Alfaro
<mlists@...> wrote:

> Well, your American Banknote cards won't work with OpenSC, mainly because they weren't initialized by OpenSC, so their internal format is only understandable by the application which did the initialization.
> On the other hand, you should check the OpenSC website or ask the mailing list to see if those cards are supported; I think they're not.
>
> On Thursday, 30 October 2008 19:49:30, Leonardo L. P. da Mata wrote:
>> Yes, they work well with Firefox, but the HTMF could not recognize
>> them... maybe I did something wrong during the initialization of those
>> cards.
>>
>> Do you know why those American Banknote cards won't work?
>>
>> On Thu, Oct 30, 2008 at 4:41 PM, Miguel Angel Tormo Alfaro
>> <mlists@...> wrote:
>> > OK then. So your STARCOS cards should work with the opensc-pkcs11.dll, but not the American Banknote ones...
>> > I understand your STARCOS cards work well with Firefox and opensc-pkcs11.dll, right?
>> >
>> > On Thursday, 30 October 2008 19:26:16, Leonardo L. P. da Mata wrote:
>> >> I have 2 different kinds of cards, STARCOS and American Banknote cards.
>> >>
>> >> The STARCOS cards have been initialized with OpenSC and they work for
>> >> the browser SSL authentication.
>> >> The American Banknote cards came initialized from the factory (I don't
>> >> know why people do that).
>> >>
>> >>
>> >>
>> >> On Thu, Oct 30, 2008 at 3:35 PM, Miguel Angel Tormo Alfaro
>> >> <mlists@...> wrote:
>> >> > That means OpenSC cannot recognize the format of your cards.
>> >> > Which card are you using? Did you format it with OpenSC?
>> >> >
>> >> > On Thursday, 30 October 2008 18:25:09, Leonardo L. P. da Mata wrote:
>> >> >> I mean, the HTMF could open the library, but couldn't use it to read
>> >> >> the cards. It says that the card is not supported.
>> >> >>
>> >> >>
>> >> >> On Thu, Oct 30, 2008 at 3:24 PM, Leonardo L. P. da Mata
>> >> >> <barroca@...> wrote:
>> >> >> > It was hanging on opening the library (wrong PKCS#11 interface). I've
>> >> >> > changed to opensc-pkcs11.dll, but now it can't recognize my cards...
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > On Thu, Oct 30, 2008 at 8:05 AM, EJBCA Support
>> >> >> > <ejbca-support@...> wrote:
>> >> >> >> Hi Leonardo
>> >> >> >>
>> >> >> >> I'm assuming you are using the Java Web Start deployment of Tolima. The
>> >> >> >> HTMF log files are stored in <USER_HOME>/.hardtokenmgmt<n>_<n>.log; can
>> >> >> >> you send it to me?
>> >> >> >>
>> >> >> >> Which tokens are you using and which PKCS#11 driver?
>> >> >> >>
>> >> >> >> // Regards Philip
>> >> >> >>
>> >> >> >> Leonardo L. P. da Mata wrote:
>> >> >> >>> Hey, I've advanced a lot in the EJBCA installation and its
>> >> >> >>> integration with HTMF, but I still can't use HTMF correctly. I'm sending
>> >> >> >>> this message here because the HTMF list has no discussion at all.
>> >> >> >>>
>> >> >> >>> So, I'm using Java 6 and Internet Explorer to access Tolima. I've
>> >> >> >>> generated an administrator card, and it seems to work (I can use this
>> >> >> >>> card with other applications to sign).
>> >> >> >>>
>> >> >> >>> After the administrator authenticates in the HTMF, EJBCA sends a message:
>> >> >> >>>   19:09:11,390 INFO [Log4jLogDevice] 29 de Outubro de 2008 19h9min11s
>> >> >> >>> BRST, CAId : -1688117755, AUTHORIZATION,
>> >> >> >>> EVENT_INFO_AUTHORIZEDTORESOURCE, Administrator : CLIENTCERT,
>> >> >> >>> Certificate SNR : 3964574de5f7dca8, CN=AdminCA1,O=EJBCA Sample,C=SE,
>> >> >> >>> User : No user involved, Certificate : No certificate involved,
>> >> >> >>> Comment : Resource :
>> >> >> >>>
>> >> >> >>> and the HTMF hangs with no answer and no debug information.
>> >> >> >>>
>> >> >> >>> Does anyone have any idea why this isn't working?
>> >> >> >>>
>> >> >> >>> BTW, the ant deploy of HTMF doesn't substitute all variables correctly;
>> >> >> >>> the $*.hostname variables are being deployed without being
>> >> >> >>> substituted. Maybe this is a bug of HTMF (Tolima).
>> >> >> >>>
>> >> >> >>>
>> >> >> >>> Thanks.
>> >> >> >>>
>> >> >> >>> On Tue, Oct 21, 2008 at 5:34 AM, Tomas Gustavsson <tomas@...> wrote:
>> >> >> >>>
>> >> >> >>>> Thanks added it to docs for next release.
>> >> >> >>>>
>> >> >> >>>> Cheers,
>> >> >> >>>> Tomas
>> >> >> >>>>
>> >> >> >>>>
>> >> >> >>>> Leonardo L. P. da Mata wrote:
>> >> >> >>>>
>> >> >> >>>>> So, after some time trying to find the problem, I think I got it solved.
>> >> >> >>>>> The environment variable JDK_HOME must be set correctly for this to work.
>> >> >> >>>>> This is a problem with the nCipher software that is not well documented,
>> >> >> >>>>> but I think it is important to put a note in the User's Guide.
>> >> >> >>>>>
>> >> >> >>>>> Command used:
>> >> >> >>>>> C:\Documents and Settings\barroca\Desktop\server_keys>c:\nfast\bin\generatekey.exe --import -c mscapi jcecsp pemreadfile=unprotected.pem keystore=temp.keystore type=RSA alias=imported1
>> >> >> >>>>> Result:
>> >> >> >>>>> recovery: Key recovery? (yes/no) [yes] >
>> >> >> >>>>> keystorepass: JCE key store password? (hidden)
>> >> >> >>>>> x509country: Country code? [] >
>> >> >> >>>>> x509province: State or province? [] >
>> >> >> >>>>> x509locality: City or locality? [] >
>> >> >> >>>>> x509org: Organisation? [] >
>> >> >> >>>>> x509orgunit: Organisation unit? [] >
>> >> >> >>>>> x509dnscommon: Domain name? [] >
>> >> >> >>>>> x509email: Email address? [] >
>> >> >> >>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>> >> >> >>>>> key generation parameters:
>> >> >> >>>>>  operation      Operation to perform                                      import
>> >> >> >>>>>
>> >> >> >>>>>  application    Application                                               jcecsp
>> >> >> >>>>>
>> >> >> >>>>>  protect        Protected by                                              token
>> >> >> >>>>>  slot           Slot to read cards from                                   0
>> >> >> >>>>>  recovery       Key recovery                                              yes
>> >> >> >>>>>  verify         Verify security of key                                    yes
>> >> >> >>>>>  type           Key type                                                  RSA
>> >> >> >>>>>  pemreadfile    PEM file containing RSA key                               unprotected.pem
>> >> >> >>>>>  keystore       Filename of JCE key store                                 temp.keystore
>> >> >> >>>>>  keystorepass   JCE key store password                                    <hidden>
>> >> >> >>>>>  alias          JCE key alias                                             imported1
>> >> >> >>>>>  x509country    Country code
>> >> >> >>>>>  x509province   State or province
>> >> >> >>>>>  x509locality   City or locality
>> >> >> >>>>>  x509org        Organisation
>> >> >> >>>>>  x509orgunit    Organisation unit
>> >> >> >>>>>  x509dnscommon  Domain name
>> >> >> >>>>>  x509email      Email address
>> >> >> >>>>>  nvram          Store blob in NVRAM (will require administrator cardset)  no
>> >> >> >>>>>
>> >> >> >>>>> Loading `mscapi':
>> >> >> >>>>>  Module 1: 0 cards of 1 read
>> >> >> >>>>>  Module 1 slot 0: `mscapi' #1 (`oper')
>> >> >> >>>>>  Module 1 slot 0:- passphrase supplied - reading card
>> >> >> >>>>> Card reading complete.
>> >> >> >>>>>
>> >> >> >>>>> Subprocess failed
>> >> >> >>>>> Arguments: {C:/Arquivos de programas/Java/jdk1.6.0_07/bin/java.exe} com.ncipher.provider.tools.ImportKey --keystore temp.keystore --alias imported1 --ident d34d2ec33c1b108ceb2d890094736947514ab4ca --type com.ncipher.provider.km.KMRSAPrivateKey --certificate C:/nfast/kmdata/tmp/436_basilisco.cert << {123456}
>> >> >> >>>>> Errors:
>> >> >> >>>>> FATAL: error creating temp.keystore
>> >> >> >>>>>
>> >> >> >>>>>
>> >> >> >>>>> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
>> >> >> >>>>> 17:11:36 ERROR: cannot remove kmdata file (C:\nfast\kmdata\local\key_jceshim_d34d2ec33c1b108ceb2d890094736947514ab4ca): No such file or directory
>> >> >> >>>>> nfgk_operate: SoftwareFailed
>> >> >> >>>>>
>> >> >> >>>>>
>> >> >> >>>>>
>> >> >> >>>>> I still need to test if the key is working correctly, but when I list
>> >> >> >>>>> keys with nfkminfo, I can see the new imported keys.
>> >> >> >>>>>
>> >> >> >>>>> Thanks.
>> >> >> >>>>>
>> >> >> >>>>>
>> >> >> >>>>> On Mon, Oct 20, 2008 at 12:27 PM, Leonardo L. P. da Mata
>> >> >> >>>>> <barroca@...> wrote:
>> >> >> >>>>>
>> >> >> >>>>>> Hey Bruno, the Security World is OK. I've checked the file
>> >> >> >>>>>> permissions, and apparently this is not an issue, because I'm getting
>> >> >> >>>>>> the same problem using the system administrator.
>> >> >> >>>>>>
>> >> >> >>>>>> I'm following the steps of the EJBCA user's guide. When importing a file,
>> >> >> >>>>>> I can't access the keystore of the HSM:
>> >> >> >>>>>>
>> >> >> >>>>>> keystore: Filename of JCE key store? [] > temp.keystore
>> >> >> >>>>>> ERROR: keystore: key store key is missing
>> >> >> >>>>>> keystore: Filename of JCE key store? [] > 59b8a83024f6d271ac8ec03838d8e3de7c204785
>> >> >> >>>>>> ERROR: keystore: cannot open file
>> >> >> >>>>>> keystore: Filename of JCE key store? [] > c:\nfast\kmdata\local\key_jcecsp_59b8a83024f6d271ac8ec03838d8e3de7c204785
>> >> >> >>>>>> ERROR: keystore: invalid keystore
>> >> >> >>>>>> ERROR: keystore: key store key is missing
>> >> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >> >>>>>> ERROR: keystore: invalid filename
>> >> >> >>>>>> keystore: Filename of JCE key store? [] > c:\nfast\kmdata\local\
>> >> >> >>>>>> ERROR: keystore: cannot open file
>> >> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >> >>>>>>
>> >> >> >>>>>>
>> >> >> >>>>>>
>> >> >> >>>>>> temp.keystore contains "59b8a83024f6d271ac8ec03838d8e3de7c204785" as
>> >> >> >>>>>> mentioned in the user guide:
>> >> >> >>>>>> "Windows: 'copy con: temp.keystore' and copy-paste the string, press
>> >> >> >>>>>> Ctrl-Z and Enter"
>> >> >> >>>>>>
>> >> >> >>>>>> Thanks again.
>> >> >> >>>>>>
>> >> >> >>>>>> On Mon, Oct 20, 2008 at 10:22 AM, Bruno Bonfils <asyd@...> wrote:
>> >> >> >>>>>>
>> >> >> >>>>>>> On Mon 20 October, Leonardo L. P. da Mata wrote:
>> >> >> >>>>>>>
>> >> >> >>>>>>>> I've read the HSM manual and checked that my Security World is FIPS level 2.
>> >> >> >>>>>>>> NFAST_HOME is OK. I think this is a security issue. I'm gonna try
>> >> >> >>>>>>>> with the system administrator.
>> >> >> >>>>>>>>
>> >> >> >>>>>>> Hi,
>> >> >> >>>>>>>
>> >> >> >>>>>>> In order to create some key protected by the HSM, you need to create a
>> >> >> >>>>>>> Security World and an OCS (Operator Card Set). This procedure is well
>> >> >> >>>>>>> documented in the HSM documentation. However, I may help if you have trouble
>> >> >> >>>>>>> (PS: I work at Linagora and I used to work with EJBCA and nCipher).
>> >> >> >>>>>>>
>> >> >> >>>>>>> If you really already have a Security World, check the file permissions.
>> >> >> >>>>>>> I don't know how it goes on Windows, but in a Unix environment,
>> >> >> >>>>>>> nCipher's default permissions only allow root to read/write the Security
>> >> >> >>>>>>> World's files.
>> >> >> >>>>>>>
>> >> >> >>>>>>> Best regards
>> >> >> >>>>>>>
>> >> >> >>>>>>> --
>> >> >> >>>>>>> http://asyd.net/home/   - Home Page
>> >> >> >>>>>>> http://guses.org/home/  - French Speaking (Open)Solaris User Group
>> >> >> >>>>>>>
>> >> >> >>>>>>> -------------------------------------------------------------------------
>> >> >> >>>>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> >> >> >>>>>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> >> >> >>>>>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> >> >> >>>>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> >> >> >>>>>>> _______________________________________________
>> >> >> >>>>>>> Ejbca-develop mailing list
>> >> >> >>>>>>> Ejbca-develop@...
>> >> >> >>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>> >> >> >>>>>>>
>> >> >> >>>>>>>
>> >> >> >>>>>> --
>> >> >> >>>>>> Leonardo Luiz Padovani da Mata
>> >> >> >>>>>> barroca@...
>> >> >> >>>>>>
>> >> >> >>>>>> "May the force be with you, always"
>> >> >> >>>>>> "Nerd Pride... I have it. Do you?"
>> >> >> >>>>>>
>> >> >> >>>>>>
>> >> >> >>>>>
>> >> >> >>>>>