Using external key with ncipher HSM


Using external key with ncipher HSM

by Leonardo L. P. da Mata

Hello,

I'm developing the PKI infrastructure for the Official Press of Minas
Gerais State, in Brazil, and I'm having some problems generating
keys outside an HSM and importing them into the HSM.

The server is a Windows XP, and I'm using an nCipher nShield HSM. I was
able to import the keys using generatekey --import, and the keys are
listed using the nfkminfo tool, but I don't know how to use these keys to
create a new CA. Is it possible to use external keys to create new
CAs?

Is there any special change to use imported keys in the administration
GUI? Do I need to set parameters when I start JBOSS to use external
keys?

Is there any other source of information different than ejbca.org?

I'm using ejbca-3.7.1 and jboss-4.2.3-GA

Thanks.

BTW, we are planning to develop the tools as free-software.

--
Leonardo Luiz Padovani da Mata
barroca@...

"May the force be with you, always"
"Nerd Pride... I have it. Do you?"

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

Re: Using external key with ncipher HSM

by Tomas Gustavsson


Hi Leonardo,

Did you read the chapter in the User Guide at ejbca.org called
"Importing an existing CA or sub-CA to EJBCA"? It's under the
HSM->nCipher section. This text explains exactly how you can import
existing keys (stored on disk) to create a CA in EJBCA.
It also explains how you create the CA in EJBCA.

We have done this and it works, no options in JBoss. Since the keys are
imported into nCipher, it is simply just like any other CA with keys on
the nCipher HSM. There is no difference between this CA and a CA where
keys are generated inside the HSM (which is the recommended way for
security reasons, of course).

Regards,
Tomas
-----
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact
info@... for more information.
http://download.primekey.se/documents/ejbca_subscription.pdf
http://download.primekey.se/documents/ejbca_training.pdf





Leonardo L. P. da Mata wrote:

Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata

Hey, so, I've read the documentation, but I think there are some gaps...
Just to make sure: to use the nCipher nShield, I should use the PKCS#11
interface, right? I've tried to start JBoss using the nCipher
interface, but it didn't work. So I suppose that this kind of HSM must
use the PKCS#11 interface.

On the screen:
https://localhost:8443/ejbca/adminweb/ca/editcas/editcas.jsp

I can't find the option mentioned in the documentation; there's no
"create new CA 'ImportedCA'" option, and when I click the create
button, there's no option that can be selected as ImportedCA.

There are "Import CA keystore" and "Import CA certificate", but when I
use the option "Import CA certificate" I can import my CA certificate,
but the key is not stored in the HSM. The CA Token Type is set to Null
after the import.

We must provide more than one type of security solution; that's why I'm
testing both generating keys inside the HSM and generating them outside and
importing them.

The next step I will try is to generate user certificates onto smart
cards, but I'm already testing http://www.hardtokenmgmt.org/.

Thanks, I appreciate the help. Hope to help the company that I'm
working for to be another reference installation.


On Tue, Oct 14, 2008 at 5:28 AM, Tomas Gustavsson <tomas@...> wrote:


Re: Using external key with ncipher HSM

by Johan Eklund


Hi,

1) The Howto article is created for the NFastToken way of using nCipher,
not PKCS#11. You can use nCipher using:
- PKCS#11
- NFast JCE Provider

Both ways work, but the howto for importing keys is done for the JCE
provider.
When trying to start JBoss using the JCE provider, did you use
EJBCA/bin/nCipherJboss.sh, and did you have the nCipher JCE/JCA provider
installed (they are separate packages in the nCipher install)?

When nfkminfo says:
-----

jboss@host$ $NFAST_HOME/bin/nfkminfo -k
 AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
 AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
-----
jcecsp means the keys can only be used by the JCE-provider. nCipher does it so you have different targets depending on which API you are using. If you want to use PKCS#11 you need to import the keys in another way.
This is surely possible, but we have not done it so we can't provide you with finished commands for importing keys for PKCS#11.


2) There is no option for creating an "imported CA"; you simply create a
CA as usual and provide the correct parameters as CAToken parameters.
From EJBCA's view there is no difference between a CA with keys
generated in the HSM or created in the HSM. From EJBCA's view the keys
ARE simply in the HSM and are used in the HSM.

Simply create a new CA using keys on the HSM. Enter a name for the new
CA and click 'Create CA'.

Which options do not exist? Perhaps the wording "When importing a
sub-CA" is confusing? Since you don't import a CA, you simply create a
CA as usual.

3) "Import CA certificate" is for something completely different, don't
use that. This function simply imports a CA certificate (as you
noticed), so you can have external CA certificates imported for various
verification reasons.

Cheers,
Tomas
-----
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact
info@... for more information.
http://download.primekey.se/documents/ejbca_subscription.pdf
http://download.primekey.se/documents/ejbca_training.pdf
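A small consistency check, added here as an example (it is not from the thread, nor from EJBCA or nCipher tooling). It parses an nfkminfo -k listing, groups keys by the AppName that decides which API can reach them (jcecsp for the JCE provider, pkcs11 for PKCS#11, as explained above), and verifies that the keyStore ident in an NFastCAToken catoken.properties is listed as a jcecsp keystore that actually holds keys. The sample listing and properties are constructed from idents quoted in this thread; the token-type-to-AppName mapping and the PKCS11CAToken class name are assumptions.

```python
"""Cross-check which nCipher Security World keys an EJBCA CA token can reach.

Added example, not from the thread or from EJBCA/nCipher. It models the point
made above: `nfkminfo -k` tags every key with an AppName (jcecsp for the JCE
provider, pkcs11 for PKCS#11), and a token only sees keys under its own AppName.
"""
import re
from collections import defaultdict

# Constructed sample of `nfkminfo -k` output, modelled on the lines quoted in the
# thread: a jcecsp keystore ident, one key stored inside it (<ident>-key-<hash>),
# and a key imported with `generatekey --import ... pkcs11`.
SAMPLE_NFKMINFO = """\
Key list
 AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
 AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
 AppName pkcs11 Ident uc3d9fa9461f5ada90d40e0b1a2420099ea70834bb-9108857e16ec3ee22b9a23373e9c6f24eac8d70b
"""

# Constructed catoken.properties in the layout the thread shows for NFastCAToken.
SAMPLE_CATOKEN = """\
keyStore f7e825134fe23f58b1575d8efb487babe7ebd1ed
defaultKey defaultRoot1
certSignKey signRoot1
crlSignKey signRoot1
testKey testRoot1
"""

# Assumption: which AppName each EJBCA ca.tokentype reads keys from. NFastCAToken
# is the class named in the thread; the PKCS#11 token class name is assumed.
TOKEN_APP = {
    "org.ejbca.core.model.ca.catoken.NFastCAToken": "jcecsp",
    "org.ejbca.core.model.ca.catoken.PKCS11CAToken": "pkcs11",
}

KEY_LINE = re.compile(r"^\s*AppName\s+(\S+)\s+Ident\s+(\S+)\s*$")
HEX40 = re.compile(r"^[0-9a-f]{40}$")


def parse_nfkminfo(text):
    """Return {appname: [ident, ...]} from `nfkminfo -k` output; other lines are ignored."""
    keys = defaultdict(list)
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            keys[m.group(1)].append(m.group(2))
    return dict(keys)


def parse_catoken(text):
    """Parse the whitespace-separated 'name value' lines of catoken.properties."""
    props = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            props[parts[0]] = parts[1].strip()
    return props


def keystore_members(keys, keystore_ident):
    """Idents of JCE keys that live inside the given keystore (<keystore>-key-<hash>)."""
    prefix = keystore_ident + "-key-"
    return [i for i in keys.get("jcecsp", []) if i.startswith(prefix)]


def check_token_config(tokentype, catoken_props, keys):
    """Return a list of findings; an empty list means the token type and the
    AppName of the listed keys agree. This does not prove the keys are usable,
    only that the token is not pointed at keys another API owns."""
    findings = []
    app = TOKEN_APP.get(tokentype)
    if app is None:
        return ["unknown ca.tokentype %s" % tokentype]
    if app not in keys:
        findings.append("no keys with AppName %s: token type %s cannot see any key"
                        % (app, tokentype.rsplit(".", 1)[-1]))
    if app == "jcecsp":
        ks = catoken_props.get("keyStore", "")
        if not HEX40.match(ks):
            findings.append("keyStore %r is not a 40-hex-character keystore ident" % ks)
        elif ks not in keys.get("jcecsp", []):
            findings.append("keyStore %s is not listed as a jcecsp ident" % ks)
        elif not keystore_members(keys, ks):
            findings.append("keystore %s is listed but contains no keys" % ks)
    return findings


if __name__ == "__main__":
    listing = parse_nfkminfo(SAMPLE_NFKMINFO)
    for app, idents in sorted(listing.items()):
        print("%s: %d key(s)" % (app, len(idents)))
    for tokentype in TOKEN_APP:
        print(tokentype, check_token_config(tokentype, parse_catoken(SAMPLE_CATOKEN), listing) or "ok")
```

Run it against real `nfkminfo -k` output and your own catoken.properties to see, before starting JBoss, whether the configured token type can see the imported keys at all.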


Leonardo L. P. da Mata wrote:

Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata

To illustrate how I import the keys, I've imported again, and here
is the result:

c:\nfast\bin\generatekey --import -c mscapi pkcs11 pemreadfile=teste.pem type=RSA
recovery: Key recovery? (yes/no) [yes] >
plainname: Key name? [] > imported3
nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no] >
key generation parameters:
 operation    Operation to perform                                      import
 application  Application                                               pkcs11
 protect      Protected by                                              token
 slot         Slot to read cards from                                   0
 recovery     Key recovery                                              yes
 verify       Verify security of key                                    yes
 type         Key type                                                  RSA
 pemreadfile  PEM file containing RSA key                               teste.pem
 plainname    Key name                                                  imported3
 nvram        Store blob in NVRAM (will require administrator cardset)  no

Loading `mscapi':
 Module 1: 0 cards of 1 read
 Module 1 slot 0: `mscapi' #1 (`oper')
 Module 1 slot 0:- passphrase supplied - reading card
Card reading complete.

Key successfully imported.
Path to key: C:\nfast\kmdata\local\key_pkcs11_uc3d9fa9461f5ada90d40e0b1a2420099ea70834bb-9108857e16ec3ee22b9a23373e9c6f24eac8d70b



It seems that the key is correctly imported. "This is surely possible,
but we have not done it so we can't provide you with finished commands
for importing keys for PKCS#11." Do you think that the message
saying "Key successfully imported." is not true?

1) I will try the JCE way.
2) Since there's no difference between creating a new one and
importing, the options are a little bit confusing. Maybe the
documentation must be more "step by step" like.. :-)
3) I noticed that also.


I will check for other ways to use the HSM and keep giving feedback here.

Thanks for all the help provided.



On Tue, Oct 14, 2008 at 3:57 PM, Ejbca support
<ejbca-support@...> wrote:

Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata

Hello, I've configured EJBCA with JCE keys.
After the installation I'm getting a strange error:
"java.io.IOException: Bad KeyStore file, expecting a 40 character line."

It seems that the keystore cannot be loaded.
Is the keystore used when starting EJBCA the keystore that stores the
keys for SSL? (:-o)

ejbca.properties contains:
ca.tokentype=org.ejbca.core.model.ca.catoken.NFastCAToken
ca.tokenpassword=password

and catoken.properties contains:
keyStore baac258f773b0eb0ac1277e807207f0c63065ced
defaultKey defaultRoot1
certSignKey signRoot1
crlSignKey signRoot1
testKey testRoot1

This configuration was done before the installation.

Should I use a different keyStore?
Is there any problem configuring the default CA with soft and then
using the nCipher HSM to generate other CAs?

Thanks.


INFO: WSSERVLET14: JAX-WS servlet initializing
16:20:18,890 INFO  [EARDeployer] Started J2EE application: file:/C:/jboss-4.2.3.GA/server/default/deploy/ejbca.ear
16:20:19,015 INFO  [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
16:20:19,031 ERROR [Http11Protocol] Error starting endpoint
java.io.IOException: Bad KeyStore file, expecting a 40 character line.
        at com.ncipher.provider.km.KMKeyStore.engineLoad(KMKeyStore.java:674)
        at java.security.KeyStore.load(KeyStore.java:1185)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:319)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:259)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:410)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:378)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
        at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
        at org.apache.catalina.connector.Connector.start(Connector.java:1146)
        at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:601)
        at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:638)
        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
        at $Proxy46.handleNotification(Unknown Source)
        at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
        at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
        at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
        at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
        at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
        at org.jboss.Main.boot(Main.java:200)
        at org.jboss.Main$1.run(Main.java:508)
        at java.lang.Thread.run(Thread.java:619)
16:20:19,046 WARN  [JBossWeb] Failed to startConnectors
LifecycleException:  service.getName(): "jboss.web";  Protocol handler start failed: java.io.IOException: Bad KeyStore file, expecting a 40 character line.
        at org.apache.catalina.connector.Connector.start(Connector.java:1153)
        at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:601)
        at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:638)
        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
        at $Proxy46.handleNotification(Unknown Source)
        at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
        at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
        at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
        at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
        at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
        at org.jboss.Main.boot(Main.java:200)
        at org.jboss.Main$1.run(Main.java:508)
        at java.lang.Thread.run(Thread.java:619)
16:20:19,062 INFO  [Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)] Started in 4m:25s:750ms


On Tue, Oct 14, 2008 at 4:24 PM, Leonardo L. P. da Mata
<barroca@...> wrote:

> To illustrate how am I import the keys,  I've imported again, and here
> is the result:
>
> c:\nfast\bin\generatekey --import -c mscapi pkcs11
> pemreadfile=teste.pem type=RSA
> recovery: Key recovery? (yes/no) [yes] >
> plainname: Key name? [] > imported3
> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>>
> key generation parameters:
>  operation    Operation to perform                                      import
>  application  Application                                               pkcs11
>  protect      Protected by                                              token
>  slot         Slot to read cards from                                   0
>  recovery     Key recovery                                              yes
>  verify       Verify security of key                                    yes
>  type         Key type                                                  RSA
>  pemreadfile  PEM file containing RSA key                               teste.pe
> m
>  plainname    Key name                                                  imported
> 3
>  nvram        Store blob in NVRAM (will require administrator cardset)  no
>
> Loading `mscapi':
>  Module 1: 0 cards of 1 read
>  Module 1 slot 0: `mscapi' #1 (`oper')
>  Module 1 slot 0:- passphrase supplied - reading card
> Card reading complete.
>
> Key successfully imported.
> Path to key: C:\nfast\kmdata\local\key_pkcs11_uc3d9fa9461f5ada90d40e0b1a2420099ea70834bb-9108857e16ec3ee22b9a23373e9c6f24eac8d70b
>
>
>
> It seems that the key is correctly imported. "This is surely possible,
> but we have not done it so we can't provide you with finished commands
> for importing keys for PKCS#11." . Do you think that the message
> saying "Key successfully imported." is not true?
>
> 1) I will try the JCE way.
> 2) Since there's no difference between creating a new one and
> importing, the options are a little bit confusing. Maybe the
> documentation should be more "step by step" like.. :-)
> 3) I noticed that also.
>
>
> I will check for other ways to use the HSM and keep giving feedback here.
>
> Thanks for all the help provided.
>
>
>
> On Tue, Oct 14, 2008 at 3:57 PM, Ejbca support
> <ejbca-support@...> wrote:
>>
>> Hi,
>>
>> 1) The Howto article is created for the NFastToken way of using nCipher,
>> not PKCS#11. You can use nCipher using:
>> - PKCS#11
>> - NFast JCE Provider
>>
>> Both ways work, but the howto for importing keys is done for the JCE
>> provider.
>> When trying to start JBoss using the JCE provider, did you use
>> EJBCA/bin/nCipherJboss.sh, and did you have the nCipher JCE/JCA provider
>> installed (they are separate packages in the nCipher install)?
>>
>> When nfkminfo says:
>> -----
>>
>> jboss@host$ $NFAST_HOME/bin/nfkminfo -k
>>  AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
>>  AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
>> -----
>> jcecsp means the keys can only be used by the JCE-provider. nCipher does it so you have different targets depending on which API you are using. If you want to use PKCS#11 you need to import the keys in another way.
>> This is surely possible, but we have not done it so we can't provide you with finished commands for importing keys for PKCS#11.
>>
>>
>> 2) There is no option for creating an "imported CA"; you simply create a
>> CA as usual and provide the correct parameters as CAToken parameters.
>>  From EJBCA's view there is no difference between a CA with keys
>> generated in the HSM or created in the HSM. From EJBCA's view the keys
>> ARE simply in the HSM and are used in the HSM.
>>
>> Simply create a new CA using keys on the HSM. Enter a name for the new
>> CA and click 'Create CA'.
>>
>> Which options do not exist? Perhaps the wording "When importing a
>> sub-CA" is confusing? Since you don't import a CA, you simply create a
>> CA as usual.
>>
>> 3) "Import CA certificate" is for something completely different, don't
>> use that. This function simply imports a CA certificate (as you
>> noticed), so you can have external CA certificates imported for various
>> verification reasons.
>>
>> Cheers,
>> Tomas
>> -----
>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>> training for EJBCA. Please see www.primekey.se or contact
>> info@... for more information.
>> http://download.primekey.se/documents/ejbca_subscription.pdf
>> http://download.primekey.se/documents/ejbca_training.pdf
>>
>>
>> Leonardo L. P. da Mata wrote:
>>> Hey, so, I've read the documentation, but I think there are some gaps...
>>> Just to make sure, to use the nCipher nShield, I should use the pkcs11
>>> interface, right? I've tried to start jboss using the ncipher
>>> interface, but it didn't work. So I suppose that this kind of HSM must
>>> use the pkcs11 interface.
>>>
>>> On the screen:
>>> https://localhost:8443/ejbca/adminweb/ca/editcas/editcas.jsp
>>>
>>> I can't find the option mentioned in the documentation; there's no
>>> "create new CA 'ImportedCA'" option, and when I click the create
>>> button, there's no option that can be selected as ImportedCA.
>>>
>>> There are "Import CA keystore" and "Import CA certificate", but when I
>>> use the option "Import CA certificate" I can import my CA certificate,
>>> but the key is not stored in the HSM. The CA Token Type is set to Null
>>> after the import.
>>>
>>> We must provide more than one type of security solution; that's why I'm
>>> testing both generating keys inside the HSM and generating outside and
>>> importing them.
>>>
>>> The next step I will try is to generate user certificates onto smart
>>> cards, but I'm already testing http://www.hardtokenmgmt.org/.
>>>
>>> Thanks, I appreciate the help. Hope to help the company that I'm
>>> working for to be another reference installation.
>>>
>>>



--
Leonardo Luiz Padovani da Mata
barroca@...

"May the force be with you, always"
"Nerd Pride... eu tenho. Voce tem?"


Re: Using external key with ncipher HSM

by Johan Eklund :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

I vaguely recall this being caused by not listing the nCipher provider in
some JRE config file; it might have been in JREHOME/lib/security/ or
something like that. My theory is that it is using the regular JCE
provider on an nCipher keystore, or maybe vice versa, but these are pretty
vague memories. =/

/Johan

Leonardo L. P. da Mata wrote:

> Hello, I've configured ejbca with JCE keys.
> After the installation I'm getting a strange error:
> "java.io.IOException: Bad KeyStore file, expecting a 40 character line."
>
> It seems that the keystore cannot be loaded.
> Is the keystore used when starting ejbca the keystore that stores the
> keys for SSL? (:-o)
>
> ejbca.properties contains:
> ca.tokentype=org.ejbca.core.model.ca.catoken.NFastCAToken
> ca.tokenpassword=password
>
> and catoken.properties contains:
> keyStore baac258f773b0eb0ac1277e807207f0c63065ced
> defaultKey defaultRoot1
> certSignKey signRoot1
> crlSignKey signRoot1
> testKey testRoot1
>
> This configuration was done before the installation.
>
> Should I use a different keyStore?
> Is there any problem configuring the default CA with soft and then
> using the nCipher HSM to generate other CAs?
>
> Thanks.
>
>
> INFO: WSSERVLET14: JAX-WS servlet initializing
> 16:20:18,890 INFO  [EARDeployer] Started J2EE application: file:/C:/jboss-4.2.3.GA/server/default/deploy/ejbca.ear
> 16:20:19,015 INFO  [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
> 16:20:19,031 ERROR [Http11Protocol] Error starting endpoint
> java.io.IOException: Bad KeyStore file, expecting a 40 character line.
>         at com.ncipher.provider.km.KMKeyStore.engineLoad(KMKeyStore.java:674)
>         at java.security.KeyStore.load(KeyStore.java:1185)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:319)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:259)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:410)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:378)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)
>         at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
>         at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
>         at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
>         at org.apache.catalina.connector.Connector.start(Connector.java:1146)
>         at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:601)
>         at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:638)
>         at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
>         at $Proxy46.handleNotification(Unknown Source)
>         at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
>         at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
>         at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
>         at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
>         at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
>         at org.jboss.Main.boot(Main.java:200)
>         at org.jboss.Main$1.run(Main.java:508)
>         at java.lang.Thread.run(Thread.java:619)
> 16:20:19,046 WARN  [JBossWeb] Failed to startConnectors
> LifecycleException:  service.getName(): "jboss.web";  Protocol handler start failed: java.io.IOException: Bad KeyStore file, expecting a 40 character line.
>         at org.apache.catalina.connector.Connector.start(Connector.java:1153)
>         at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:601)
>         at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:638)
>         at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
>         at $Proxy46.handleNotification(Unknown Source)
>         at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
>         at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
>         at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
>         at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
>         at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
>         at org.jboss.Main.boot(Main.java:200)
>         at org.jboss.Main$1.run(Main.java:508)
>         at java.lang.Thread.run(Thread.java:619)
> 16:20:19,062 INFO  [Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)] Started in 4m:25s:750ms
>

--
PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se or contact info@... for more information. http://download.primekey.se/documents/ejbca_subscription.pdf http://download.primekey.se/documents/ejbca_training.pdf
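The two things this exchange turns on (Tomas's point that an nCipher key is only visible to the API it was imported for, so a `pkcs11` key is invisible to EJBCA's JCE-based NFastCAToken, and Johan's theory that the JRE was handed the wrong provider for a keystore) can be checked before JBoss is started. The script below is an added example, not code from EJBCA, PrimeKey or nCipher. It reads the key inventory from `nfkminfo -k` output and from the `key_<app>_<ident>` file names under kmdata\local (both forms appear in the thread), verifies that the `keyStore` value in catoken.properties is a 40-hex-character ident that exists under `AppName jcecsp` with at least one `-key-` entry, reports keys that exist only under `pkcs11`, and warns when `com.ncipher.provider.km.nCipherKM` is registered statically ahead of the SUN provider in java.security, the setup Leonardo reports alongside the `KMKeyStore.engineLoad` failure of the Tomcat HTTPS connector. The sample inputs are constructed from the identifiers posted in the thread; the reading of the "expecting a 40 character line" error as "the KM keystore is addressed by a 40-hex-char ident" and the provider-ordering rule are the author's inferences from the thread, not documented nCipher behaviour.

```python
"""Pre-flight checks for an EJBCA NFastCAToken backed by the nCipher JCE provider.

Added example; not code from EJBCA, PrimeKey or nCipher. The sample inputs are
constructed from the identifiers that appear in the mailing-list thread.
"""
import re
from typing import Dict, List, Tuple

# jcecsp entries as shown by `nfkminfo -k` in the thread (constructed sample).
NFKMINFO_OUTPUT = """\
 AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
 AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
"""
# Key blobs in kmdata\local are named key_<app>_<ident>; this is the file that
# `generatekey --import ... pkcs11` produced in the thread (constructed sample).
KMDATA_FILENAMES = [
    "key_pkcs11_uc3d9fa9461f5ada90d40e0b1a2420099ea70834bb-9108857e16ec3ee22b9a23373e9c6f24eac8d70b",
]
# catoken.properties as posted, and a variant pointing at the jcecsp keystore above.
CATOKEN_AS_POSTED = """\
keyStore baac258f773b0eb0ac1277e807207f0c63065ced
defaultKey defaultRoot1
certSignKey signRoot1
crlSignKey signRoot1
testKey testRoot1
"""
CATOKEN_MATCHING = CATOKEN_AS_POSTED.replace(
    "baac258f773b0eb0ac1277e807207f0c63065ced", "f7e825134fe23f58b1575d8efb487babe7ebd1ed")
# java.security provider lists: the static registration Leonardo tried, and a default one.
JAVA_SECURITY_STATIC = ("security.provider.1=com.ncipher.provider.km.nCipherKM\n"
                        "security.provider.2=sun.security.provider.Sun\n")
JAVA_SECURITY_DEFAULT = ("security.provider.1=sun.security.provider.Sun\n"
                         "security.provider.2=sun.security.rsa.SunRsaSign\n")

NCIPHER_JCE = "com.ncipher.provider.km.nCipherKM"
SUN_PROVIDER = "sun.security.provider.Sun"
HEX40 = re.compile(r"^[0-9a-f]{40}$")


def parse_nfkminfo(text: str) -> List[Tuple[str, str]]:
    """(app, ident) pairs from `nfkminfo -k` lines of the form ' AppName <app> Ident <ident>'."""
    pairs = []
    for line in text.splitlines():
        m = re.match(r"\s*AppName\s+(\S+)\s+Ident\s+(\S+)\s*$", line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def parse_kmdata_names(names: List[str]) -> List[Tuple[str, str]]:
    """(app, ident) pairs from kmdata/local file names 'key_<app>_<ident>'."""
    pairs = []
    for name in names:
        m = re.match(r"^key_([^_]+)_(.+)$", name)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def parse_catoken(text: str) -> Dict[str, str]:
    """catoken.properties in the thread uses whitespace-separated 'name value' lines."""
    props = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.lstrip().startswith("#"):
            props[parts[0]] = parts[1].strip()
    return props


def provider_order(text: str) -> List[str]:
    """Provider class names from java.security, ordered by their security.provider.N index."""
    found = []
    for line in text.splitlines():
        m = re.match(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)", line)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return [cls for _, cls in sorted(found)]


def check_ca_token(keys: List[Tuple[str, str]], catoken: Dict[str, str], java_security: str) -> List[str]:
    """Return a list of problems; an empty list means the token configuration looks usable."""
    problems = []
    ks = catoken.get("keyStore", "")
    # Inference from the thread: KMKeyStore.engineLoad wants a 40-character (hex) ident line.
    if not HEX40.match(ks):
        problems.append(f"keyStore '{ks}' is not a 40-character hex ident")
    jce_keystores = {ident for app, ident in keys if app == "jcecsp" and "-key-" not in ident}
    jce_keys = [ident for app, ident in keys if app == "jcecsp" and ident.startswith(ks + "-key-")]
    if ks not in jce_keystores:
        problems.append(f"no jcecsp keystore with ident {ks}; NFastCAToken only sees jcecsp keys")
    elif not jce_keys:
        problems.append(f"jcecsp keystore {ks} has no '-key-' entries")
    if any(app == "pkcs11" for app, _ in keys) and not jce_keystores:
        problems.append("keys exist only under AppName pkcs11; import them for the JCE provider instead")
    for name in ("defaultKey", "certSignKey", "crlSignKey"):
        if not catoken.get(name):
            problems.append(f"catoken.properties is missing {name}")
    order = provider_order(java_security)
    if NCIPHER_JCE in order:
        sun_pos = order.index(SUN_PROVIDER) if SUN_PROVIDER in order else len(order)
        if order.index(NCIPHER_JCE) < sun_pos:
            problems.append(f"{NCIPHER_JCE} is listed ahead of {SUN_PROVIDER} in java.security; "
                            "other keystores may be routed to KMKeyStore, load it via nCipherJboss.cmd/.sh instead")
    return problems


def audit(nfkminfo_text: str, kmdata_names: List[str], catoken_text: str, java_security: str) -> List[str]:
    keys = parse_nfkminfo(nfkminfo_text) + parse_kmdata_names(kmdata_names)
    return check_ca_token(keys, parse_catoken(catoken_text), java_security)


if __name__ == "__main__":
    for label, cat, js in (("as posted", CATOKEN_AS_POSTED, JAVA_SECURITY_STATIC),
                           ("matching", CATOKEN_MATCHING, JAVA_SECURITY_DEFAULT)):
        print(label, audit(NFKMINFO_OUTPUT, KMDATA_FILENAMES, cat, js) or ["ok"])
```

Run against the values as posted, it reports that the keystore ident baac258f... from catoken.properties does not exist under jcecsp and that nCipherKM is registered ahead of the SUN provider; with a keyStore that matches the jcecsp ident and a default java.security it reports nothing. On a real host, feed it the output of `nfkminfo -k`, a directory listing of kmdata\local, and the actual files instead of the constructed strings.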





Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

I've started a new installation from scratch...
It worked.

Every time you start jboss you need to use nCipherJboss.cmd/.sh, even
the first time (generating the AdminCA1). This is something that
should be better explained in the documentation. This is when you need to
use the nCipher HSM :-).

In my last installation, I was using
security.provider.1=com.ncipher.provider.km.nCipherKM
as the default security provider in
JAVA_HOME/jre/lib/security/java.security

But since I couldn't reproduce the error, and changing back to the
original, the error persists, I guess that this isn't a security
problem.


I will keep testing the software and updating this thread.

Thanks again.


On Wed, Oct 15, 2008 at 5:02 PM, Johan Eklund <ejbca-support@...> wrote:

> I vaguely recall this being caused by not listing the nCipher provider in some
> JRE config file; it might have been in JREHOME/lib/security/ or something like
> that. My theory is that it is using the regular JCE provider on an nCipher
> keystore, or maybe vice versa, but these are pretty vague memories. =/
>
> /Johan
>
>>> On Tue, Oct 14, 2008 at 3:57 PM, Ejbca support
>>> <ejbca-support@...> wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>> 1) The Howto article is created for the NFastToken way of using nCipher,
>>>> not PKCS#11. You can use nCipher using:
>>>> - PKCS#11
>>>> - NFast JCE Provider
>>>>
>>>> Both ways work, but the howto for importing keys is done for the JCE
>>>> provider.
>>>> When trying to start JBoss using the JCE provider did you use
>>>> EJBCA/bin/nCipherJboss.sh and did you have the nCipher JCE/JCA provider
>>>> installed (it is separate packages in the nCipher install).
>>>>
>>>> When nfkminfo says:
>>>> -----
>>>>
>>>> jboss@host$ $NFAST_HOME/bin/nfkminfo -k
>>>>  AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
>>>>  AppName jcecsp Ident
>>>> f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
>>>> -----
>>>> jcecsp means the keys can only be used by the JCE-provider. nCipher does
>>>> it so you have different targets depending on which API you are using. If
>>>> you want to use PKCS#11 you need to import the keys in another way.
>>>> This is surely possible, but we have not done it so we can't provide you
>>>> with finished commands for importing keys for PKCS#11.
>>>>
>>>>
>>>> 2) There is no option for creating an "imported CA", you simply create a
>>>> CA as usual and provide the correct parameters as CAToken parameters.
>>>>  From EJBCAs view there is no difference between a CA with keys
>>>> generated in the HSM or created in the HSM. From EJBCAs view the keys
>>>> ARE simply in the HSM and are used in the HSM.
>>>>
>>>> Simply create a new CA using keys on the HSM. Enter a name for the new
>>>> CA and click 'Create CA'.
>>>>
>>>> Which options do not exist? Perhaps the wording "When importing a
>>>> sub-CA" is confusing? Since you don't import a CA, you simply create a
>>>> CA as usual.
>>>>
>>>> 3) "Import CA certificate" is for something completely different, don't
>>>> use that. This function simply imports a CA certificate (as you
>>>> noticed), so you can have external CA certificates imported for various
>>>> verification reasons.
>>>>
>>>> Cheers,
>>>> Tomas
>>>> -----
>>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>>> training for EJBCA. Please see www.primekey.se or contact
>>>> info@... for more information.
>>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>>
>>>>
>>>> Leonardo L. P. da Mata wrote:
>>>>
>>>>>
>>>>> Hey, so, I've read the documentation, but i think there are some
>>>>> lacks...
>>>>> Just to make sure, to use the nCipher nShield, i should use the pkcs11
>>>>> interface, right? I've tried to start jboss using the ncipher
>>>>> interface, but it didn't wok. So i suppose that this kind of hsm must
>>>>> use the pkcs11 interface.
>>>>>
>>>>> On the screen:
>>>>> https://localhost:8443/ejbca/adminweb/ca/editcas/editcas.jsp
>>>>>
>>>>> i can't find the option mentioned in the documentation, there's no
>>>>> "create new CA 'ImportedCA'" option, and when i click in the create
>>>>> button, there's no option that can be selected as impotedCA.
>>>>>
>>>>> There are "Import CA keystore" and "import CA certificate". but when i
>>>>> use the option "import CA certificate" i can import my CA certificate,
>>>>> but the key is not stored in the HSM. the CA Token Type is set to Null
>>>>> after the import.
>>>>>
>>>>> We must provide more than 1 type of security solution, that's why I'm
>>>>> testing booth generating keys inside HSM and generating outside and
>>>>> importing then.
>>>>>
>>>>> The next step i will try is to generate User certificates into smart
>>>>> cards, but I'm already testing http://www.hardtokenmgmt.org/.
>>>>>
>>>>> Thanks, I appreciate the help. Hope to help the company that I'm
>>>>> working for to be another reference installation.
>>>>>
>>>>>
>>>>> On Tue, Oct 14, 2008 at 5:28 AM, Tomas Gustavsson <tomas@...>
>>>>> wrote:
>>>>>
>>>>>
>>>>>>
>>>>>> Hi Leonardo,
>>>>>>
>>>>>> Did you read the chapter in the User Guide at ejbca.org called
>>>>>> "Importing an existing CA or sub-CA to EJBCA"? It's under the
>>>>>> HSM->nCopher section. This text explains exactly how you can import
>>>>>> existing keys (stored on disc) to create a CA in EJBCA.
>>>>>> It also explains how you create the CA in EJBCA.
>>>>>>
>>>>>> We have done this and it works, no options in JBoss. Since the keys
>>>>>> are
>>>>>> imported into nCipher, it is simply just like any other CA with keys
>>>>>> on
>>>>>> the nCipher HSM. There is no difference between this CA and a CA where
>>>>>> keys are generated inside the HSM (which is the recommended way for
>>>>>> security reasons of-course).
>>>>>>
>>>>>> Regards,
>>>>>> Tomas
>>>>>> -----
>>>>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>>>>> training for EJBCA. Please see www.primekey.se or contact
>>>>>> info@... for more information.
>>>>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>>>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Leonardo L. P. da Mata wrote:
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I'm developing the pki infrastructure for the Official Press of Minas
>>>>>>> Gerais Estate ,in  Brazil, and I'm having some problems on generating
>>>>>>> keys outside a HSM and importing then inside the HSM.
>>>>>>>
>>>>>>> The server is a Windows XP, and I'm using nCipher nShield HSM. I was
>>>>>>> able to import the keys using generatekey --import, the keys are
>>>>>>> listed using nfkminfo tool, but i don't know how to use these keys to
>>>>>>> create a new CA. Is it possible to use external keys to create new
>>>>>>> CAs?
>>>>>>>
>>>>>>> Is there any special change to use imported keys in the
>>>>>>> administration
>>>>>>> GUI? Do I need to set parameters when I start JBOSS to use external
>>>>>>> keys?
>>>>>>>
>>>>>>> Is there any other source of information different then ejbca.org?
>>>>>>>
>>>>>>> I'm using ejbca-3.7.1 and jboss-4.2.3-GA
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> BTW, we are planning to develop the tools as free-software.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> -------------------------------------------------------------------------
>>>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's
>>>>>> challenge
>>>>>> Build the coolest Linux based applications with Moblin SDK & win great
>>>>>> prizes
>>>>>> Grand prize is a trip for two to an Open Source event anywhere in the
>>>>>> world
>>>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>>>>> _______________________________________________
>>>>>> Ejbca-develop mailing list
>>>>>> Ejbca-develop@...
>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> -------------------------------------------------------------------------
>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's
>>>> challenge
>>>> Build the coolest Linux based applications with Moblin SDK & win great
>>>> prizes
>>>> Grand prize is a trip for two to an Open Source event anywhere in the
>>>> world
>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>>> _______________________________________________
>>>> Ejbca-develop mailing list
>>>> Ejbca-develop@...
>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>>
>>>>
>>>
>>> --
>>> Leonardo Luiz Padovani da Mata
>>> barroca@...
>>>
>>> "May the force be with you, always"
>>> "Nerd Pride... eu tenho. Voce tem?"
>>>
>>>
>>
>>
>>
>>
>
>
> --
> PrimeKey Solutions offers a commercial EJBCA support subscription and
> training for EJBCA. Please see www.primekey.se or contact info@...
> for more information.
> http://download.primekey.se/documents/ejbca_subscription.pdf
> http://download.primekey.se/documents/ejbca_training.pdf
>
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Ejbca-develop mailing list
> Ejbca-develop@...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>
>



--
Leonardo Luiz Padovani da Mata
barroca@...

"May the force be with you, always"
"Nerd Pride... eu tenho. Voce tem?"

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata

Ok, I'm able to create CAs using nCipher HSM, as I've mentioned
(thanks to http://www.linagora.org/ people). Now I need to import
external keys and CAs in this HSM.

I've tried to use the steps "Importing an existing CA or sub-CA to
EJBCA." on the user's manual, but I'm getting some errors.

First of all, I didn't create the small world; some old administrators
did this job and I can't do it again.
I don't know if my security world is a FIPS 140-2 Level 2 as mentioned
in: ("The security world has to be initialized in the default FIPS
140-2 Level 2 for this to work.").

After using:
c:\nfast\bin\generatekey.exe --import -c cardset jcecsp
pemreadfile=teste.pem type=RSA keystore=temp.keystore

and typing the parameter of the x509 certificate, I'm getting:

Card reading complete.

Subprocess failed
Arguments: java.exe com.ncipher.provider.tools.ImportKey --keystore temp.keystore --alias imported --ident e48cade40f1528f531b372817ddc969bae071de3 --type com.ncipher.provider.km.KMRSAPrivateKey --certificate C:/nfast/kmdata/tmp/3128_basilisco.cert << {
}
Errors:
FATAL: java.security.KeyStoreException nCipher.sworld not found


ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
nfgk_operate: SoftwareFailed


Is this an issue because I have a different FIPS level?


Just to make sure, what's the difference between a recovery key and a
normal key (as the tool asks "recovery: Key recovery? (yes/no) [yes] >")?

Thanks again

Re: Using external key with ncipher HSM

by Tomas Gustavsson


I think you should be able to see if your security world is in FIPS
level 2 using nfkminfo commands.

Otherwise "nCipher.sworld not found" sounds like it cannot find the
security world. Did you set the NFAST_HOME env variable?

Cheers,
Tomas
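As an added example (not code from the thread, from EJBCA or from nCipher): a POSIX shell preflight check for the causes Tomas points at behind "nCipher.sworld not found", plus a listing of which application target (jcecsp for the JCE provider, pkcs11 for PKCS#11, as discussed earlier in the thread) each key file in kmdata/local belongs to. It assumes the security world file is $NFAST_HOME/kmdata/local/world (an assumption; the thread only shows key files under kmdata\local) and the key_<app>_<ident> file naming that the generatekey output on this thread shows.

```shell
# Added example, not from the thread or from nCipher/EJBCA.
# Assumption: the security world file lives at $NFAST_HOME/kmdata/local/world
# and keys are stored as $NFAST_HOME/kmdata/local/key_<app>_<ident>
# (the thread shows the key file layout; the world file name is assumed).

# Usage: check_security_world [nfast_home]
# Falls back to $NFAST_HOME when no argument is given.
# Returns 1 if NFAST_HOME is unset, 2 if the world file is missing,
# 3 if it exists but is not readable by the current user, 0 otherwise.
check_security_world() {
    nfast_home="${1:-${NFAST_HOME:-}}"
    if [ -z "$nfast_home" ]; then
        echo "NFAST_HOME is not set; the provider cannot locate the security world" >&2
        return 1
    fi
    world="$nfast_home/kmdata/local/world"
    if [ ! -f "$world" ]; then
        echo "security world file not found: $world" >&2
        return 2
    fi
    if [ ! -r "$world" ]; then
        echo "security world file not readable by $(id -un): $world" >&2
        return 3
    fi
    echo "security world found: $world"
    return 0
}

# Usage: list_hsm_keys nfast_home app
# Prints the ident of every key stored for one application target, so you
# can confirm a key was imported for the API you start JBoss with
# (jcecsp for the JCE provider, pkcs11 for PKCS#11); a key that only shows
# up under the other target is not usable from this one.
list_hsm_keys() {
    dir="$1/kmdata/local"
    [ -d "$dir" ] || return 1
    for f in "$dir"/key_"$2"_*; do
        [ -e "$f" ] || continue
        basename "$f" | sed "s/^key_$2_//"
    done
}

# Stand-alone run: check the real installation, then list JCE and PKCS#11 keys.
if [ "${1:-}" = "--run" ]; then
    check_security_world && for app in jcecsp pkcs11; do
        echo "keys for $app:"; list_hsm_keys "$NFAST_HOME" "$app"
    done
fi
```

Run it as `sh preflight.sh --run` under the same account that starts JBoss, since a world file readable only by an administrator account fails the same way as a missing one.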

Leonardo L. P. da Mata wrote:

> Ok, i'm abble to create CAs using nCipher HSM, as I've mentioned
> (thanks to http://www.linagora.org/ people). Now i need to import
> external keys and CAs in this HSM.
>
> I've tried to use the steps "Importing an existing CA or sub-CA to
> EJBCA." on the user's manual, but I'm getting some errors.
>
> First of all, i didn't create the small world, some old administrators
> done this job and i can't do it again.
> I don't know if my security world is a fips 140-2 level 2 as mentioned
> in: ("The security world has to be initialized in the default FIPS
> 140-2 Level 2 for this to work. ").
>
> After using:
> c:\nfast\bin\generatekey.exe --import -c cardset jcecsp
> pemreadfile=teste.pem type=RSA keystore=temp.keysto
> re
>
> And type parameter of the x509 certificate, I'm getting:
>
> Card reading complete.
>
> Subprocess failed
> Arguments: java.exe com.ncipher.provider.tools.ImportKey --keystore temp.keystor
> e --alias imported --ident e48cade40f1528f531b372817ddc969bae071de3 --type com.n
> cipher.provider.km.KMRSAPrivateKey --certificate C:/nfast/kmdata/tmp/3128_basili
> sco.cert << {
> }
> Errors:
> FATAL: java.security.KeyStoreException nCipher.sworld not found
>
>
> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
> nfgk_operate: SoftwareFailed
>
>
> Is this an issue because i have a different fips level?
>
>
> Just to make sure, what's the difference between a recovery key and a
> normal key (as the tool asks "recovery: Key recovery? (yes/no) [yes]
>> ")?
>
> Thanks again
>
>
>
>
>
> On Wed, Oct 15, 2008 at 6:51 PM, Leonardo L. P. da Mata
> <barroca@...> wrote:
>> I've started a new installation from scratch...
>> It worked.
>>
>> Every time you start JBoss you need to use nCipherJboss.cmd/.sh, even
>> the first time (generating the AdminCA1). This is something that
>> should be better explained in the documentation, for when you need to
>> use the nCipher HSM :-).
>>
>> In my last installation, I was using
>> security.provider.1=com.ncipher.provider.km.nCipherKM
>> as the default security provider in
>> JAVA_HOME/jre/lib/security/java.security
>>
>> But I couldn't reproduce the error, and after changing back to the
>> original the error persists. I guess that this isn't a security
>> problem.
>>
>>
>> I will keep testing the software and updating this thread.
>>
>> Thanks again.
>>
>>
>> On Wed, Oct 15, 2008 at 5:02 PM, Johan Eklund <ejbca-support@...> wrote:
>>> I vaguely recall this as caused by not listing the nCipher provider in some
>>> JRE config file.. might have been in JREHOME/lib/security/ or something like
>>> that.. my theory is that it is using the regular JCE provider on an nCipher
>>> keystore or maybe vice versa.. but this is pretty vague memories.. =/
>>>
>>> /Johan
>>>
>>> Leonardo L. P. da Mata wrote:
>>>> Hello, I've configured EJBCA with JCE keys.
>>>> After the installation I'm getting a strange error.
>>>> "java.io.IOException: Bad KeyStore file, expecting a 40 character line."
>>>>
>>>> It seems that the keystore cannot be loaded.
>>>> Is the keystore used when starting EJBCA the keystore that stores the
>>>> keys for SSL? (:-o)
>>>>
>>>> ejbca.properties contains:
>>>> ca.tokentype=org.ejbca.core.model.ca.catoken.NFastCAToken
>>>> ca.tokenpassword=password
>>>>
>>>> and catoken.properties contains:
>>>> keyStore baac258f773b0eb0ac1277e807207f0c63065ced
>>>> defaultKey defaultRoot1
>>>> certSignKey signRoot1
>>>> crlSignKey signRoot1
>>>> testKey testRoot1
>>>>
>>>> This configuration was done before the installation.
>>>>
>>>> Should I use a different keyStore?
>>>> Is there any problem configuring the default CA with a soft token and then
>>>> using the nCipher HSM to generate other CAs?
>>>>
>>>> Thanks.
>>>>
>>>>
>>>> INFO: WSSERVLET14: JAX-WS servlet initializing
>>>> 16:20:18,890 INFO  [EARDeployer] Started J2EE application: file:/C:/jboss-4.2.3.GA/server/default/deploy/ejbca.ear
>>>> 16:20:19,015 INFO  [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
>>>> 16:20:19,031 ERROR [Http11Protocol] Error starting endpoint
>>>> java.io.IOException: Bad KeyStore file, expecting a 40 character line.
>>>>        at com.ncipher.provider.km.KMKeyStore.engineLoad(KMKeyStore.java:674)
>>>>        at java.security.KeyStore.load(KeyStore.java:1185)
>>>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:319)
>>>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:259)
>>>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:410)
>>>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:378)
>>>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)
>>>>        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
>>>>        at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
>>>>        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
>>>>        at org.apache.catalina.connector.Connector.start(Connector.java:1146)
>>>>        at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:601)
>>>>        at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:638)
>>>>        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
>>>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>        at java.lang.reflect.Method.invoke(Method.java:597)
>>>>        at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
>>>>        at $Proxy46.handleNotification(Unknown Source)
>>>>        at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
>>>>        at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
>>>>        at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
>>>>        at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
>>>>        at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
>>>>        at org.jboss.Main.boot(Main.java:200)
>>>>        at org.jboss.Main$1.run(Main.java:508)
>>>>        at java.lang.Thread.run(Thread.java:619)
>>>> 16:20:19,046 WARN  [JBossWeb] Failed to startConnectors
>>>> LifecycleException:  service.getName(): "jboss.web";  Protocol handler start failed: java.io.IOException: Bad KeyStore file, expecting a 40 character line.
>>>>        at org.apache.catalina.connector.Connector.start(Connector.java:1153)
>>>>        at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:601)
>>>>        at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:638)
>>>>        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
>>>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>        at java.lang.reflect.Method.invoke(Method.java:597)
>>>>        at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
>>>>        at $Proxy46.handleNotification(Unknown Source)
>>>>        at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
>>>>        at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
>>>>        at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
>>>>        at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
>>>>        at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
>>>>        at org.jboss.Main.boot(Main.java:200)
>>>>        at org.jboss.Main$1.run(Main.java:508)
>>>>        at java.lang.Thread.run(Thread.java:619)
>>>> 16:20:19,062 INFO  [Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)] Started in 4m:25s:750ms
>>>>
>>>>
>>>> On Tue, Oct 14, 2008 at 4:24 PM, Leonardo L. P. da Mata
>>>> <barroca@...> wrote:
>>>>
>>>>> To illustrate how I import the keys, I've imported again, and here
>>>>> is the result:
>>>>>
>>>>> c:\nfast\bin\generatekey --import -c mscapi pkcs11 pemreadfile=teste.pem type=RSA
>>>>> recovery: Key recovery? (yes/no) [yes] >
>>>>> plainname: Key name? [] > imported3
>>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>>>>>    key generation parameters:
>>>>>  operation    Operation to perform                                       import
>>>>>  application  Application                                                pkcs11
>>>>>  protect      Protected by                                               token
>>>>>  slot         Slot to read cards from                                    0
>>>>>  recovery     Key recovery                                               yes
>>>>>  verify       Verify security of key                                     yes
>>>>>  type         Key type                                                   RSA
>>>>>  pemreadfile  PEM file containing RSA key                                teste.pem
>>>>>  plainname    Key name                                                   imported3
>>>>>  nvram        Store blob in NVRAM (will require administrator cardset)   no
>>>>>
>>>>> Loading `mscapi':
>>>>>  Module 1: 0 cards of 1 read
>>>>>  Module 1 slot 0: `mscapi' #1 (`oper')
>>>>>  Module 1 slot 0:- passphrase supplied - reading card
>>>>> Card reading complete.
>>>>>
>>>>> Key successfully imported.
>>>>> Path to key:
>>>>> C:\nfast\kmdata\local\key_pkcs11_uc3d9fa9461f5ada90d40e0b1a2420099ea70834bb-9108857e16ec3ee22b9a23373e9c6f24eac8d70b
>>>>>
>>>>>
>>>>>
>>>>> It seems that the key is correctly imported. "This is surely possible,
>>>>> but we have not done it so we can't provide you with finished commands
>>>>> for importing keys for PKCS#11." . Do you think that the message
>>>>> saying "Key successfully imported." is not true?
>>>>>
>>>>> 1) I will try the JCE way.
>>>>> 2) Since there's no difference between creating a new one and
>>>>> importing, the options are a little bit confusing. Maybe the
>>>>> documentation must be more "step by step" like.. :-)
>>>>> 3) I noticed that also.
>>>>>
>>>>>
>>>>> I will check for other ways to use the HSM and keep giving feedback here.
>>>>>
>>>>> Thanks for all the help provided..
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Oct 14, 2008 at 3:57 PM, Ejbca support
>>>>> <ejbca-support@...> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> 1) The Howto article is created for the NFastToken way of using nCipher,
>>>>>> not PKCS#11. You can use nCipher using:
>>>>>> - PKCS#11
>>>>>> - NFast JCE Provider
>>>>>>
>>>>>> Both ways work, but the howto for importing keys is done for the JCE
>>>>>> provider.
>>>>>> When trying to start JBoss using the JCE provider, did you use
>>>>>> EJBCA/bin/nCipherJboss.sh, and did you have the nCipher JCE/JCA provider
>>>>>> installed (they are separate packages in the nCipher install)?
>>>>>>
>>>>>> When nfkminfo says:
>>>>>> -----
>>>>>>
>>>>>> jboss@host$ $NFAST_HOME/bin/nfkminfo -k
>>>>>>  AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
>>>>>>  AppName jcecsp Ident
>>>>>> f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
>>>>>> -----
>>>>>> jcecsp means the keys can only be used by the JCE-provider. nCipher does
>>>>>> it so you have different targets depending on which API you are using. If
>>>>>> you want to use PKCS#11 you need to import the keys in another way.
>>>>>> This is surely possible, but we have not done it so we can't provide you
>>>>>> with finished commands for importing keys for PKCS#11.
>>>>>>
>>>>>>
>>>>>> 2) There is no option for creating an "imported CA", you simply create a
>>>>>> CA as usual and provide the correct parameters as CAToken parameters.
>>>>>>  From EJBCA's view there is no difference between a CA with keys
>>>>>> generated in the HSM or created in the HSM. From EJBCA's view the keys
>>>>>> ARE simply in the HSM and are used in the HSM.
>>>>>>
>>>>>> Simply create a new CA using keys on the HSM. Enter a name for the new
>>>>>> CA and click 'Create CA'.
>>>>>>
>>>>>> Which options do not exist? Perhaps the wording "When importing a
>>>>>> sub-CA" is confusing? Since you don't import a CA, you simply create a
>>>>>> CA as usual.
>>>>>>
>>>>>> 3) "Import CA certificate" is for something completely different, don't
>>>>>> use that. This function simply imports a CA certificate (as you
>>>>>> noticed), so you can have external CA certificates imported for various
>>>>>> verification reasons.
>>>>>>
>>>>>> Cheers,
>>>>>> Tomas
>>>>>> -----
>>>>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>>>>> training for EJBCA. Please see www.primekey.se or contact
>>>>>> info@... for more information.
>>>>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>>>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>>>>
>>>>>>
>>>>>> Leonardo L. P. da Mata wrote:
>>>>>>
>>>>>>> Hey, so, I've read the documentation, but I think there are some
>>>>>>> gaps...
>>>>>>> Just to make sure, to use the nCipher nShield, I should use the pkcs11
>>>>>>> interface, right? I've tried to start JBoss using the nCipher
>>>>>>> interface, but it didn't work. So I suppose that this kind of HSM must
>>>>>>> use the pkcs11 interface.
>>>>>>>
>>>>>>> On the screen:
>>>>>>> https://localhost:8443/ejbca/adminweb/ca/editcas/editcas.jsp
>>>>>>>
>>>>>>> I can't find the option mentioned in the documentation; there's no
>>>>>>> "create new CA 'ImportedCA'" option, and when I click the create
>>>>>>> button, there's no option that can be selected as ImportedCA.
>>>>>>>
>>>>>>> There are "Import CA keystore" and "Import CA certificate", but when I
>>>>>>> use the option "Import CA certificate" I can import my CA certificate,
>>>>>>> but the key is not stored in the HSM. The CA Token Type is set to Null
>>>>>>> after the import.
>>>>>>>
>>>>>>> We must provide more than one type of security solution; that's why I'm
>>>>>>> testing both generating keys inside the HSM and generating outside and
>>>>>>> importing them.
>>>>>>>
>>>>>>> The next step i will try is to generate User certificates into smart
>>>>>>> cards, but I'm already testing http://www.hardtokenmgmt.org/.
>>>>>>>
>>>>>>> Thanks, I appreciate the help. Hope to help the company that I'm
>>>>>>> working for to be another reference installation.
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Oct 14, 2008 at 5:28 AM, Tomas Gustavsson <tomas@...>
>>>>>>> wrote:
>>>>>>>
>>>>>>>
>>>>>>>> Hi Leonardo,
>>>>>>>>
>>>>>>>> Did you read the chapter in the User Guide at ejbca.org called
>>>>>>>> "Importing an existing CA or sub-CA to EJBCA"? It's under the
>>>>>>>> HSM->nCipher section. This text explains exactly how you can import
>>>>>>>> existing keys (stored on disc) to create a CA in EJBCA.
>>>>>>>> It also explains how you create the CA in EJBCA.
>>>>>>>>
>>>>>>>> We have done this and it works, no options in JBoss. Since the keys
>>>>>>>> are imported into nCipher, it is simply just like any other CA with keys
>>>>>>>> on the nCipher HSM. There is no difference between this CA and a CA where
>>>>>>>> keys are generated inside the HSM (which is the recommended way for
>>>>>>>> security reasons, of course).
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Tomas
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Leonardo L. P. da Mata wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I'm developing the PKI infrastructure for the Official Press of Minas
>>>>>>>>> Gerais State, in Brazil, and I'm having some problems generating
>>>>>>>>> keys outside an HSM and importing them into the HSM.
>>>>>>>>>
>>>>>>>>> The server is a Windows XP, and I'm using an nCipher nShield HSM. I was
>>>>>>>>> able to import the keys using generatekey --import, the keys are
>>>>>>>>> listed using the nfkminfo tool, but I don't know how to use these keys to
>>>>>>>>> create a new CA. Is it possible to use external keys to create new
>>>>>>>>> CAs?
>>>>>>>>>
>>>>>>>>> Is there any special change to use imported keys in the
>>>>>>>>> administration GUI? Do I need to set parameters when I start JBoss
>>>>>>>>> to use external keys?
>>>>>>>>>
>>>>>>>>> Is there any other source of information different than ejbca.org?
>>>>>>>>>
>>>>>>>>> I'm using ejbca-3.7.1 and jboss-4.2.3-GA
>>>>>>>>>
>>>>>>>>> Thanks.
>>>>>>>>>
>>>>>>>>> BTW, we are planning to develop the tools as free-software.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>


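Added diagnostic example (mine, not from the thread, EJBCA or the nCipher tools) for the two failure modes discussed above: the "Bad KeyStore file, expecting a 40 character line" error, which Johan attributes to the nCipher provider being applied to a regular keystore or vice versa, and keys imported for the pkcs11 application when EJBCA's NFastCAToken needs jcecsp keys. The nfkminfo and catoken.properties samples are constructed in the layout quoted in the thread (the pkcs11 ident is made up); the JKS 0xFEEDFEED magic number and the 40-hex-character ident rule taken from the error message are the only assumptions beyond the page.

```python
import re

# Shapes inferred from the thread: an nCipher keyStore ident is a 40 hex char
# line (the KMKeyStore error says so), and a Java JKS keystore starts with the
# magic number 0xFEEDFEED, so the two are easy to tell apart.
HEX40 = re.compile(r"^[0-9a-f]{40}$")
JKS_MAGIC = b"\xfe\xed\xfe\xed"

# Constructed sample of 'nfkminfo -k' output in the layout quoted in the thread.
# The jcecsp idents are the ones from Tomas's example; the pkcs11 ident is made up.
SAMPLE_NFKMINFO = """\
 AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
 AppName jcecsp Ident
f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
 AppName pkcs11 Ident 0123456789abcdef0123456789abcdef01234567
"""

# Constructed catoken.properties in the layout Leonardo posted.
SAMPLE_CATOKEN = """\
keyStore f7e825134fe23f58b1575d8efb487babe7ebd1ed
defaultKey defaultRoot1
certSignKey signRoot1
crlSignKey signRoot1
testKey testRoot1
"""


def classify_keystore(content: bytes) -> str:
    """Tell a JKS file from an nCipher ident file, so a provider mix-up
    (JKS parsed by the nCipher provider, or vice versa) is visible."""
    if content.startswith(JKS_MAGIC):
        return "jks"
    text = content.decode("ascii", errors="replace").strip()
    if HEX40.match(text):
        return "ncipher-ident"
    return "unknown"


def parse_nfkminfo(output: str) -> dict:
    """Map each key ident to its AppName from 'nfkminfo -k' output.
    The regex tolerates the line wrap after 'Ident' seen in the thread."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"AppName\s+(\S+)\s+Ident\s+(\S+)", output)}


def parse_catoken(properties: str) -> dict:
    """Parse the 'name value' lines of an EJBCA catoken.properties file."""
    props = {}
    for line in properties.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            props[parts[0]] = parts[1].strip()
    return props


def check_catoken(properties: str, nfkminfo_output: str) -> list:
    """Return findings for an NFastCAToken configuration; an empty list means OK."""
    findings = []
    props = parse_catoken(properties)
    ident = props.get("keyStore", "")
    if not HEX40.match(ident):
        findings.append("keyStore must be a 40 hex character nCipher ident, got %r" % ident)
        return findings
    app = parse_nfkminfo(nfkminfo_output).get(ident)
    if app is None:
        findings.append("keyStore ident %s is not listed by nfkminfo -k" % ident)
    elif app != "jcecsp":
        findings.append("keyStore ident %s was imported for application %r; "
                        "only jcecsp keys are usable through the JCE provider" % (ident, app))
    # Aliases the thread's catoken.properties defines; the CA cannot sign without them.
    for name in ("defaultKey", "certSignKey", "crlSignKey"):
        if name not in props:
            findings.append("missing %s alias" % name)
    return findings


if __name__ == "__main__":
    print(classify_keystore(JKS_MAGIC + b"\x00\x00\x00\x02"))
    for finding in check_catoken(SAMPLE_CATOKEN, SAMPLE_NFKMINFO) or ["catoken OK"]:
        print(finding)
```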

Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata

I've read the HSM manual and checked that my security world is FIPS level 2.
The NFAST_HOME is ok. I think this is a security issue. I'm gonna try
with the system administrator.

Thanks.

On Sun, Oct 19, 2008 at 8:12 AM, Tomas Gustavsson <tomas@...> wrote:

>
> I think you should be able to see if your security world is in FIPS
> level 2 using nfkminfo commands.
>
> Otherwise "nCipher.sworld not found" sounds like it cannot find the
> security world. Did you set the NFAST_HOME env variable?
>
> Cheers,
> Tomas
>
> Leonardo L. P. da Mata wrote:
>> Ok, i'm abble to create CAs using nCipher HSM, as I've mentioned
>> (thanks to http://www.linagora.org/ people). Now i need to import
>> external keys and CAs in this HSM.
>>
>> I've tried to use the steps "Importing an existing CA or sub-CA to
>> EJBCA." on the user's manual, but I'm getting some errors.
>>
>> First of all, i didn't create the small world, some old administrators
>> done this job and i can't do it again.
>> I don't know if my security world is a fips 140-2 level 2 as mentioned
>> in: ("The security world has to be initialized in the default FIPS
>> 140-2 Level 2 for this to work. ").
>>
>> After using:
>> c:\nfast\bin\generatekey.exe --import -c cardset jcecsp
>> pemreadfile=teste.pem type=RSA keystore=temp.keysto
>> re
>>
>> And type parameter of the x509 certificate, I'm getting:
>>
>> Card reading complete.
>>
>> Subprocess failed
>> Arguments: java.exe com.ncipher.provider.tools.ImportKey --keystore temp.keystor
>> e --alias imported --ident e48cade40f1528f531b372817ddc969bae071de3 --type com.n
>> cipher.provider.km.KMRSAPrivateKey --certificate C:/nfast/kmdata/tmp/3128_basili
>> sco.cert << {
>> }
>> Errors:
>> FATAL: java.security.KeyStoreException nCipher.sworld not found
>>
>>
>> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
>> nfgk_operate: SoftwareFailed
>>
>>
>> Is this an issue because i have a different fips level?
>>
>>
>> Just to make sure, what's the difference between a recovery key and a
>> normal key (as the tool asks "recovery: Key recovery? (yes/no) [yes]
>>> ")?
>>
>> Thanks again
>>
>>
>>
>>
>>
>> On Wed, Oct 15, 2008 at 6:51 PM, Leonardo L. P. da Mata
>> <barroca@...> wrote:
>>> I've started a new installation from scratch...
>>> It worked.
>>>
>>> Every time you start jboss you need to use nCipherJboss.cmd/.sh , even
>>> in the first time (generating the AdminCA1). This is something that
>>> should be better explained in the documentation. This when you need to
>>> use nCipher HSM :-).
>>>
>>> In my last installation, i was using the
>>> security.provider.1=com.ncipher.provider.km.nCipherKM
>>> as default security provider in
>>> JAVA_HOME/jre/lib/security/java.security
>>>
>>> But since i couldn't reproduce the error, and changing back to the
>>> original, the error persists. I guess that this isn't a security
>>> problem.
>>>
>>>
>>> I will keep testing the software and updating this thread.
>>>
>>> Thanks again.
>>>
>>>
>>> On Wed, Oct 15, 2008 at 5:02 PM, Johan Eklund <ejbca-support@...> wrote:
>>>> I vaguely recall this as caused by not listing the nCipher provider in some
>>>> JRE configfile.. might have been in JREHOME/lib/security/ or something like
>>>> that.. my theory is that it is using the regular JCE provider on a nCipher
>>>> keystore or maybe vice versa.. but this is pretty vague memories.. =/
>>>>
>>>> /Johan
>>>>
>>>> Leonardo L. P. da Mata skrev:
>>>>> Hello, i've configured ejbca with JCE keys.
>>>>> After the installation i'm getting a strange error.
>>>>> "java.io.IOException: Bad KeyStore file, expecting a 40 character line."
>>>>>
>>>>> it seens that the keystore cannot be loaded.
>>>>> Is the keystore used when starting ejbca the keystore that stores the
>>>>> keys for SSL?(:-o)
>>>>>
>>>>> ejbca.properties contains:
>>>>> ca.tokentype=org.ejbca.core.model.ca.catoken.NFastCAToken
>>>>> ca.tokenpassword=password
>>>>>
>>>>> and catoken.properties contains:
>>>>> keyStore baac258f773b0eb0ac1277e807207f0c63065ced
>>>>> defaultKey defaultRoot1
>>>>> certSignKey signRoot1
>>>>> crlSignKey signRoot1
>>>>> testKey testRoot1
>>>>>
>>>>> these configuration was done before the installation.
>>>>>
>>>>> should i use a different keyStore??
>>>>> Is there any problem configuring the default CA with soft and then
>>>>> using ncipher HSM to generate other CAs?
>>>>>
>>>>> Thanks.
>>>>>
>>>>>
>>>>> INFO: WSSERVLET14: JAX-WS servlet initializing
>>>>> 16:20:18,890 INFO  [EARDeployer] Started J2EE application:
>>>>> file:/C:/jboss-4.2.3.
>>>>> GA/server/default/deploy/ejbca.ear
>>>>> 16:20:19,015 INFO  [Http11Protocol] Starting Coyote HTTP/1.1 on
>>>>> http-0.0.0.0-808
>>>>> 0
>>>>> 16:20:19,031 ERROR [Http11Protocol] Error starting endpoint
>>>>> java.io.IOException: Bad KeyStore file, expecting a 40 character line.
>>>>>        at
>>>>> com.ncipher.provider.km.KMKeyStore.engineLoad(KMKeyStore.java:674)
>>>>>        at java.security.KeyStore.load(KeyStore.java:1185)
>>>>>        at
>>>>> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocket
>>>>> Factory.java:319)
>>>>>        at
>>>>> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESoc
>>>>> ketFactory.java:259)
>>>>>        at
>>>>> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSE
>>>>> SocketFactory.java:410)
>>>>>        at
>>>>> org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFact
>>>>> ory.java:378)
>>>>>        at
>>>>> org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESo
>>>>> cketFactory.java:135)
>>>>>        at
>>>>> org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
>>>>>        at
>>>>> org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
>>>>>        at
>>>>> org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203
>>>>> )
>>>>>        at
>>>>> org.apache.catalina.connector.Connector.start(Connector.java:1146)
>>>>>        at
>>>>> org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:6
>>>>> 01)
>>>>>        at
>>>>> org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.jav
>>>>> a:638)
>>>>>        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
>>>>>        at
>>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
>>>>> sorImpl.java:25)
>>>>>        at java.lang.reflect.Method.invoke(Method.java:597)
>>>>>        at
>>>>> org.jboss.mx.notification.NotificationListenerProxy.invoke(Notificati
>>>>> onListenerProxy.java:153)
>>>>>        at $Proxy46.handleNotification(Unknown Source)
>>>>>        at
>>>>> org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotificat
>>>>> ion(JBossNotificationBroadcasterSupport.java:127)
>>>>>        at
>>>>> org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotificatio
>>>>> n(JBossNotificationBroadcasterSupport.java:108)
>>>>>        at
>>>>> org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:9
>>>>> 16)
>>>>>        at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
>>>>>        at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
>>>>>        at org.jboss.Main.boot(Main.java:200)
>>>>>        at org.jboss.Main$1.run(Main.java:508)
>>>>>        at java.lang.Thread.run(Thread.java:619)
>>>>> 16:20:19,046 WARN  [JBossWeb] Failed to startConnectors
>>>>> LifecycleException:  service.getName(): "jboss.web";  Protocol handler
>>>>> start fai
>>>>> led: java.io.IOException: Bad KeyStore file, expecting a 40 character
>>>>> line.
>>>>>        at
>>>>> org.apache.catalina.connector.Connector.start(Connector.java:1153)
>>>>>        at
>>>>> org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:6
>>>>> 01)
>>>>>        at
>>>>> org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.jav
>>>>> a:638)
>>>>>        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
>>>>>        at
>>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
>>>>> sorImpl.java:25)
>>>>>        at java.lang.reflect.Method.invoke(Method.java:597)
>>>>>        at
>>>>> org.jboss.mx.notification.NotificationListenerProxy.invoke(Notificati
>>>>> onListenerProxy.java:153)
>>>>>        at $Proxy46.handleNotification(Unknown Source)
>>>>>        at
>>>>> org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotificat
>>>>> ion(JBossNotificationBroadcasterSupport.java:127)
>>>>>        at
>>>>> org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotificatio
>>>>> n(JBossNotificationBroadcasterSupport.java:108)
>>>>>        at
>>>>> org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:9
>>>>> 16)
>>>>>        at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
>>>>>        at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
>>>>>        at org.jboss.Main.boot(Main.java:200)
>>>>>        at org.jboss.Main$1.run(Main.java:508)
>>>>>        at java.lang.Thread.run(Thread.java:619)
>>>>> 16:20:19,062 INFO  [Server] JBoss (MX MicroKernel) [4.2.3.GA (build:
>>>>> SVNTag=JBos
>>>>> s_4_2_3_GA date=200807181439)] Started in 4m:25s:750ms
>>>>>
>>>>>
>>>>> On Tue, Oct 14, 2008 at 4:24 PM, Leonardo L. P. da Mata
>>>>> <barroca@...> wrote:
>>>>>
>>>>>> To illustrate how am I import the keys,  I've imported again, and here
>>>>>> is the result:
>>>>>>
>>>>>> c:\nfast\bin\generatekey --import -c mscapi pkcs11
>>>>>> pemreadfile=teste.pem type=RSA
>>>>>> recovery: Key recovery? (yes/no) [yes] >
>>>>>> plainname: Key name? [] > imported3
>>>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no)
>>>>>> [no]
>>>>>>    key generation parameters:
>>>>>>  operation    Operation to perform
>>>>>>  import
>>>>>>  application  Application
>>>>>> pkcs11
>>>>>>  protect      Protected by
>>>>>>  token
>>>>>>  slot         Slot to read cards from                                   0
>>>>>>  recovery     Key recovery
>>>>>>  yes
>>>>>>  verify       Verify security of key
>>>>>>  yes
>>>>>>  type         Key type
>>>>>>  RSA
>>>>>>  pemreadfile  PEM file containing RSA key
>>>>>> teste.pe
>>>>>> m
>>>>>>  plainname    Key name
>>>>>>  imported
>>>>>> 3
>>>>>>  nvram        Store blob in NVRAM (will require administrator cardset)
>>>>>>  no
>>>>>>
>>>>>> Loading `mscapi':
>>>>>>  Module 1: 0 cards of 1 read
>>>>>>  Module 1 slot 0: `mscapi' #1 (`oper')
>>>>>>  Module 1 slot 0:- passphrase supplied - reading card
>>>>>> Card reading complete.
>>>>>>
>>>>>> Key successfully imported.
>>>>>> Path to key:
>>>>>> C:\nfast\kmdata\local\key_pkcs11_uc3d9fa9461f5ada90d40e0b1a2420099ea70834bb-9108857e16ec3ee22b9a23373e9c6f24eac8d70b
>>>>>>
>>>>>>
>>>>>>
>>>>>> It seems that the key is correctly imported. "This is surely possible,
>>>>>> but we have not done it so we can't provide you with finished commands
>>>>>> for importing keys for PKCS#11." . Do you think that the message
>>>>>> saying "Key successfully imported." is not true?
>>>>>>
>>>>>> 1)I will try the JCE way.
>>>>>> 2)Since there's no difference between creating a new one, and
>>>>>> importing, the options are a little bit confusing. Maybe the
>>>>>> documentation must be more "step by step" like.. :-)
>>>>>> 3) I notice that also.
>>>>>>
>>>>>>
>>>>>> I will check for other ways to use the HSM and keep giving feedback here.
>>>>>>
>>>>>> Thanks for all the help provided..
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Oct 14, 2008 at 3:57 PM, Ejbca support
>>>>>> <ejbca-support@...> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> 1) The Howto article is created for the NFastToken way of using nCipher,
>>>>>>> not PKCS#11. You can use nCipher using:
>>>>>>> - PKCS#11
>>>>>>> - NFast JCE Provider
>>>>>>>
>>>>>>> Both ways work, but the howto for importing keys is done for the JCE
>>>>>>> provider.
>>>>>>> When trying to start JBoss using the JCE provider did you use
>>>>>>> EJBCA/bin/nCipherJboss.sh and did you have the nCipher JCE/JCA provider
>>>>>>> installed (it is separate packages in the nCipher install).
>>>>>>>
>>>>>>> When nfkminfo says:
>>>>>>> -----
>>>>>>>
>>>>>>> jboss@host$ $NFAST_HOME/bin/nfkminfo -k
>>>>>>>  AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
>>>>>>>  AppName jcecsp Ident
>>>>>>> f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
>>>>>>> -----
>>>>>>> jcecsp means the keys can only be used by the JCE-provider. nCipher does
>>>>>>> it so you have different targets depending on which API you are using. If
>>>>>>> you want to use PKCS#11 you need to import the keys in another way.
>>>>>>> This is surely possible, but we have not done it so we can't provide you
>>>>>>> with finished commands for importing keys for PKCS#11.
>>>>>>>
>>>>>>>
>>>>>>> 2) There is no option for creating an "imported CA", you simply create a
>>>>>>> CA as usual and provide the correct parameters as CAToken parameters.
>>>>>>>  From EJBCAs view there is no difference between a CA with keys
>>>>>>> generated in the HSM or created in the HSM. From EJBCAs view the keys
>>>>>>> ARE simply in the HSM and are used in the HSM.
>>>>>>>
>>>>>>> Simply create a new CA using keys on the HSM. Enter a name for the new
>>>>>>> CA and click 'Create CA'.
>>>>>>>
>>>>>>> Which options do not exist? Perhaps the wording "When importing a
>>>>>>> sub-CA" is confusing? Since you don't import a CA, you simply create a
>>>>>>> CA as usual.
>>>>>>>
>>>>>>> 3) "Import CA certificate" is for something completely different, don't
>>>>>>> use that. This function simply imports a CA certificate (as you
>>>>>>> noticed), so you can have external CA certificates imported for various
>>>>>>> verification reasons.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Tomas
>>>>>>> -----
>>>>>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>>>>>> training for EJBCA. Please see www.primekey.se or contact
>>>>>>> info@... for more information.
>>>>>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>>>>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>>>>>
>>>>>>>
>>>>>>> Leonardo L. P. da Mata wrote:
>>>>>>>
>>>>>>>> Hey, so, I've read the documentation, but I think there are some
>>>>>>>> lacks...
>>>>>>>> Just to make sure, to use the nCipher nShield, I should use the pkcs11
>>>>>>>> interface, right? I've tried to start jboss using the ncipher
>>>>>>>> interface, but it didn't work. So I suppose that this kind of hsm must
>>>>>>>> use the pkcs11 interface.
>>>>>>>>
>>>>>>>> On the screen:
>>>>>>>> https://localhost:8443/ejbca/adminweb/ca/editcas/editcas.jsp
>>>>>>>>
>>>>>>>> I can't find the option mentioned in the documentation, there's no
>>>>>>>> "create new CA 'ImportedCA'" option, and when I click on the create
>>>>>>>> button, there's no option that can be selected as importedCA.
>>>>>>>>
>>>>>>>> There are "Import CA keystore" and "import CA certificate", but when I
>>>>>>>> use the option "import CA certificate" I can import my CA certificate,
>>>>>>>> but the key is not stored in the HSM. The CA Token Type is set to Null
>>>>>>>> after the import.
>>>>>>>>
>>>>>>>> We must provide more than 1 type of security solution, that's why I'm
>>>>>>>> testing both generating keys inside the HSM and generating outside and
>>>>>>>> importing them.
>>>>>>>>
>>>>>>>> The next step i will try is to generate User certificates into smart
>>>>>>>> cards, but I'm already testing http://www.hardtokenmgmt.org/.
>>>>>>>>
>>>>>>>> Thanks, I appreciate the help. Hope to help the company that I'm
>>>>>>>> working for to be another reference installation.
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Oct 14, 2008 at 5:28 AM, Tomas Gustavsson <tomas@...>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hi Leonardo,
>>>>>>>>>
>>>>>>>>> Did you read the chapter in the User Guide at ejbca.org called
>>>>>>>>> "Importing an existing CA or sub-CA to EJBCA"? It's under the
>>>>>>>>> HSM->nCopher section. This text explains exactly how you can import
>>>>>>>>> existing keys (stored on disc) to create a CA in EJBCA.
>>>>>>>>> It also explains how you create the CA in EJBCA.
>>>>>>>>>
>>>>>>>>> We have done this and it works, no options in JBoss. Since the keys
>>>>>>>>> are
>>>>>>>>> imported into nCipher, it is simply just like any other CA with keys
>>>>>>>>> on
>>>>>>>>> the nCipher HSM. There is no difference between this CA and a CA where
>>>>>>>>> keys are generated inside the HSM (which is the recommended way for
>>>>>>>>> security reasons of-course).
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Tomas
>>>>>>>>> -----
>>>>>>>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>>>>>>>> training for EJBCA. Please see www.primekey.se or contact
>>>>>>>>> info@... for more information.
>>>>>>>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>>>>>>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>>>>>>>
>>>>>>>>> Leonardo L. P. da Mata wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I'm developing the PKI infrastructure for the Official Press of Minas
>>>>>>>>>> Gerais State, in Brazil, and I'm having some problems generating
>>>>>>>>>> keys outside an HSM and importing them into the HSM.
>>>>>>>>>>
>>>>>>>>>> The server is a Windows XP, and I'm using an nCipher nShield HSM. I was
>>>>>>>>>> able to import the keys using generatekey --import, the keys are
>>>>>>>>>> listed using the nfkminfo tool, but I don't know how to use these keys to
>>>>>>>>>> create a new CA. Is it possible to use external keys to create new
>>>>>>>>>> CAs?
>>>>>>>>>>
>>>>>>>>>> Is there any special change to use imported keys in the
>>>>>>>>>> administration
>>>>>>>>>> GUI? Do I need to set parameters when I start JBoss to use external
>>>>>>>>>> keys?
>>>>>>>>>>
>>>>>>>>>> Is there any other source of information different than ejbca.org?
>>>>>>>>>>
>>>>>>>>>> I'm using ejbca-3.7.1 and jboss-4.2.3-GA
>>>>>>>>>>
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>>> BTW, we are planning to develop the tools as free-software.
>>>>>>>>>>
>>>>>>>>>>
>>>>>> --
>>>>>> Leonardo Luiz Padovani da Mata
>>>>>> barroca@...
>>>>>>
>>>>>> "May the force be with you, always"
>>>>>> "Nerd Pride... eu tenho. Voce tem?"
>>>>>>
>>>> --
>>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>>> training for EJBCA. Please see www.primekey.se or contact info@...
>>>> for more information.
>>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>>
>>> --
>>> Leonardo Luiz Padovani da Mata
>>> barroca@...
>>>
>>> "May the force be with you, always"
>>> "Nerd Pride... eu tenho. Voce tem?"

--
Leonardo Luiz Padovani da Mata
barroca@...

"May the force be with you, always"
"Nerd Pride... eu tenho. Voce tem?"


Re: Using external key with ncipher HSM

by Bruno Bonfils-2

On Mon 20 October, Leonardo L. P. da Mata wrote:
> I've read the HSM manual and checked that my Security world is a fips level 2.
> The NFAST_HOME is ok. I think this a security issue. I'm gonna try
> with the system administrator.

Hi,

In order to create keys protected by the HSM, you need to create a
Security World and an OCS (Operator Card Set). This procedure is well
documented in the HSM documentation. However, I may help if you have trouble
(PS: I work at Linagora and I used to work with EJBCA and nCipher).

If you really already have a security world, check the file permissions.
I don't know how it is on Windows, but in a Unix environment,
nCipher's default permissions only allow root to read/write the security
world's files.

Best regards

--
http://asyd.net/home/   - Home Page
http://guses.org/home/  - French Speaking (Open)Solaris User Group
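A small diagnostic for the keystore-file problems that run through this thread: the "Bad KeyStore file, expecting a 40 character line" error raised by KMKeyStore when JBoss starts, the generatekey prompt that rejects the temp.keystore file written with 'copy con:', the jcecsp-versus-pkcs11 target distinction, and the file-permission check suggested above. This is an added example, not code from the thread, from EJBCA or from nCipher. It assumes only what the quoted output shows: the keystore file holds a single 40-hex-character ident; `nfkminfo -k` prints `AppName <app> Ident <ident>` lines, with JCE keys listed as `<keystore ident>-key-<key ident>` under the app name `jcecsp`; and key blobs live under kmdata/local as `key_<app>_<ident>`. The sample listing is constructed from the idents quoted in the thread (it is not a real security world), and the kmdata directory argument is optional so the check runs offline.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HEX40 = re.compile(r"^[0-9a-f]{40}$")
# One `nfkminfo -k` entry, in the form quoted in the thread: "AppName <app> Ident <ident>".
NFKMINFO_LINE = re.compile(r"^\s*AppName\s+(\S+)\s+Ident\s+(\S+)\s*$")
JCE_APP = "jcecsp"   # app name nCipher uses for keys owned by its JCE provider (per the thread)
KEY_SEP = "-key-"    # "<keystore ident>-key-<key ident>" marks a key inside a JCE keystore


def parse_keystore_file(data: bytes) -> str:
    """Return the keystore ident from a temp.keystore-style file.

    The JCE provider wants exactly one 40-character line.  CRLF and a trailing
    newline (what the guide's 'copy con:' + Enter procedure writes) are
    tolerated; anything else is reported together with the reason.
    """
    lines = [ln.rstrip(b"\r") for ln in data.split(b"\n")]
    while lines and lines[-1] == b"":          # trailing newline / blank lines
        lines.pop()
    if len(lines) != 1:
        raise ValueError("expected exactly one line, found %d" % len(lines))
    line = lines[0]
    if b"\x1a" in line:
        raise ValueError("line contains a Ctrl-Z (0x1A) byte")
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("line is not plain ASCII") from None
    if not HEX40.match(text):
        raise ValueError("expected 40 lowercase hex characters, got %d: %r"
                         % (len(text), text))
    return text


@dataclass
class KeyListing:
    keystores: Dict[str, List[str]] = field(default_factory=dict)  # JCE keystore -> key idents
    other: List[Tuple[str, str]] = field(default_factory=list)     # (app, ident) of non-JCE keys


def parse_nfkminfo_keys(output: str) -> KeyListing:
    """Group `nfkminfo -k` output by app; JCE entries become keystores plus their keys."""
    listing = KeyListing()
    for line in output.splitlines():
        m = NFKMINFO_LINE.match(line)
        if not m:
            continue
        app, ident = m.groups()
        if app != JCE_APP:
            listing.other.append((app, ident))
            continue
        store, sep, key = ident.partition(KEY_SEP)
        keys = listing.keystores.setdefault(store, [])
        if sep:
            keys.append(key)
    return listing


def check_keystore_reference(keystore_bytes: bytes, nfkminfo_output: str,
                             kmdata_local: Optional[str] = None) -> List[str]:
    """Cross-check the keystore file against the security world listing.

    Returns human-readable findings; an empty list means the file names a JCE
    keystore that nfkminfo lists with at least one key and, when kmdata_local
    is given, whose blob file exists and is readable by the current user.
    """
    try:
        ident = parse_keystore_file(keystore_bytes)
    except ValueError as exc:
        return ["keystore file: %s" % exc]
    findings = []
    listing = parse_nfkminfo_keys(nfkminfo_output)
    if ident not in listing.keystores:
        msg = "ident %s is not a %s keystore in the nfkminfo listing" % (ident, JCE_APP)
        apps = sorted({app for app, _ in listing.other})
        if apps:   # keys imported for another API target are invisible to the JCE provider
            msg += " (other app targets present: %s)" % ", ".join(apps)
        findings.append(msg)
    elif not listing.keystores[ident]:
        findings.append("keystore %s is listed but contains no keys" % ident)
    if kmdata_local is not None:
        blob = os.path.join(kmdata_local, "key_%s_%s" % (JCE_APP, ident))
        if not os.path.exists(blob):
            findings.append("key blob not found: %s" % blob)
        elif not os.access(blob, os.R_OK):
            findings.append("key blob not readable by this user: %s" % blob)
    return findings


# Constructed sample in the format quoted in the thread (idents copied from the
# quoted nfkminfo output and generatekey path); this is not a real security world.
SAMPLE_NFKMINFO = """\
jboss@host$ $NFAST_HOME/bin/nfkminfo -k
 AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
 AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
 AppName pkcs11 Ident uc3d9fa9461f5ada90d40e0b1a2420099ea70834bb-9108857e16ec3ee22b9a23373e9c6f24eac8d70b
"""

if __name__ == "__main__":
    good = b"f7e825134fe23f58b1575d8efb487babe7ebd1ed\r\n"
    print(check_keystore_reference(good, SAMPLE_NFKMINFO) or ["keystore reference looks consistent"])
    bad = b"f7e825134fe23f58b1575d8efb487babe7ebd1ed\r\n\r\nextra\r\n"
    print(check_keystore_reference(bad, SAMPLE_NFKMINFO))
```

Run it against a real installation by reading temp.keystore as bytes, capturing `nfkminfo -k` output, and passing the kmdata/local directory; a finding about an unreadable blob points at the permission problem described above, while a finding that the ident belongs to another app target is the jcecsp/pkcs11 mismatch discussed earlier in the thread.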


Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata

When c:\nfast\bin\generatekey.exe asks for "Filename of JCE key
store?", do I need to put in the full path of the keystore created with
createkeystore?

Thank you.

On Mon, Oct 20, 2008 at 9:25 AM, Leonardo L. P. da Mata
<barroca@...> wrote:

> I've read the HSM manual and checked that my Security world is a fips level 2.
> The NFAST_HOME is ok. I think this a security issue. I'm gonna try
> with the system administrator.
>
> Thanks.
>
> On Sun, Oct 19, 2008 at 8:12 AM, Tomas Gustavsson <tomas@...> wrote:
>>
>> I think you should be able to see if your security world is in fips
>> level 2 using nfkminfo commands.
>>
>> Otherwise "nCipher.sworld not found" sounds like it can not find the
>> security world. Did you set NFAST_HOME env variable?
>>
>> Cheers,
>> Tomas
>>
>> Leonardo L. P. da Mata wrote:
>>> Ok, I'm able to create CAs using the nCipher HSM, as I've mentioned
>>> (thanks to http://www.linagora.org/ people). Now I need to import
>>> external keys and CAs into this HSM.
>>>
>>> I've tried to use the steps in "Importing an existing CA or sub-CA to
>>> EJBCA." in the user's manual, but I'm getting some errors.
>>>
>>> First of all, I didn't create the small world, some old administrators
>>> did this job and I can't do it again.
>>> I don't know if my security world is a FIPS 140-2 level 2 as mentioned
>>> in: ("The security world has to be initialized in the default FIPS
>>> 140-2 Level 2 for this to work. ").
>>>
>>> After using:
>>> c:\nfast\bin\generatekey.exe --import -c cardset jcecsp pemreadfile=teste.pem type=RSA keystore=temp.keystore
>>>
>>> And type parameter of the x509 certificate, I'm getting:
>>>
>>> Card reading complete.
>>>
>>> Subprocess failed
>>> Arguments: java.exe com.ncipher.provider.tools.ImportKey --keystore temp.keystore --alias imported --ident e48cade40f1528f531b372817ddc969bae071de3 --type com.ncipher.provider.km.KMRSAPrivateKey --certificate C:/nfast/kmdata/tmp/3128_basilisco.cert << {
>>> }
>>> Errors:
>>> FATAL: java.security.KeyStoreException nCipher.sworld not found
>>>
>>>
>>> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
>>> nfgk_operate: SoftwareFailed
>>>
>>>
>>> Is this an issue because I have a different FIPS level?
>>>
>>>
>>> Just to make sure, what's the difference between a recovery key and a
>>> normal key (as the tool asks "recovery: Key recovery? (yes/no) [yes]
>>>> ")?
>>>
>>> Thanks again
>>>
>>> On Wed, Oct 15, 2008 at 6:51 PM, Leonardo L. P. da Mata
>>> <barroca@...> wrote:
>>>> I've started a new installation from scratch...
>>>> It worked.
>>>>
>>>> Every time you start jboss you need to use nCipherJboss.cmd/.sh , even
>>>> in the first time (generating the AdminCA1). This is something that
>>>> should be better explained in the documentation. This when you need to
>>>> use nCipher HSM :-).
>>>>
>>>> In my last installation, I was using
>>>> security.provider.1=com.ncipher.provider.km.nCipherKM
>>>> as the default security provider in
>>>> JAVA_HOME/jre/lib/security/java.security
>>>>
>>>> But since I couldn't reproduce the error, and changing back to the
>>>> original, the error persists. I guess that this isn't a security
>>>> problem.
>>>>
>>>>
>>>> I will keep testing the software and updating this thread.
>>>>
>>>> Thanks again.
>>>>
>>>>
>>>> On Wed, Oct 15, 2008 at 5:02 PM, Johan Eklund <ejbca-support@...> wrote:
>>>>> I vaguely recall this as caused by not listing the nCipher provider in some
>>>>> JRE configfile.. might have been in JREHOME/lib/security/ or something like
>>>>> that.. my theory is that it is using the regular JCE provider on a nCipher
>>>>> keystore or maybe vice versa.. but this is pretty vague memories.. =/
>>>>>
>>>>> /Johan
>>>>>
>>>>> Leonardo L. P. da Mata skrev:
>>>>>> Hello, I've configured ejbca with JCE keys.
>>>>>> After the installation I'm getting a strange error.
>>>>>> "java.io.IOException: Bad KeyStore file, expecting a 40 character line."
>>>>>>
>>>>>> It seems that the keystore cannot be loaded.
>>>>>> Is the keystore used when starting ejbca the keystore that stores the
>>>>>> keys for SSL? (:-o)
>>>>>>
>>>>>> ejbca.properties contains:
>>>>>> ca.tokentype=org.ejbca.core.model.ca.catoken.NFastCAToken
>>>>>> ca.tokenpassword=password
>>>>>>
>>>>>> and catoken.properties contains:
>>>>>> keyStore baac258f773b0eb0ac1277e807207f0c63065ced
>>>>>> defaultKey defaultRoot1
>>>>>> certSignKey signRoot1
>>>>>> crlSignKey signRoot1
>>>>>> testKey testRoot1
>>>>>>
>>>>>> This configuration was done before the installation.
>>>>>>
>>>>>> Should I use a different keyStore?
>>>>>> Is there any problem configuring the default CA with soft and then
>>>>>> using the nCipher HSM to generate other CAs?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>>
>>>>>> INFO: WSSERVLET14: JAX-WS servlet initializing
>>>>>> 16:20:18,890 INFO  [EARDeployer] Started J2EE application: file:/C:/jboss-4.2.3.GA/server/default/deploy/ejbca.ear
>>>>>> 16:20:19,015 INFO  [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
>>>>>> 16:20:19,031 ERROR [Http11Protocol] Error starting endpoint
>>>>>> java.io.IOException: Bad KeyStore file, expecting a 40 character line.
>>>>>>        at com.ncipher.provider.km.KMKeyStore.engineLoad(KMKeyStore.java:674)
>>>>>>        at java.security.KeyStore.load(KeyStore.java:1185)
>>>>>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:319)
>>>>>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:259)
>>>>>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:410)
>>>>>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:378)
>>>>>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)
>>>>>>        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
>>>>>>        at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
>>>>>>        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
>>>>>>        at org.apache.catalina.connector.Connector.start(Connector.java:1146)
>>>>>>        at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:601)
>>>>>>        at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:638)
>>>>>>        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
>>>>>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>>        at java.lang.reflect.Method.invoke(Method.java:597)
>>>>>>        at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
>>>>>>        at $Proxy46.handleNotification(Unknown Source)
>>>>>>        at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
>>>>>>        at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
>>>>>>        at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
>>>>>>        at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
>>>>>>        at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
>>>>>>        at org.jboss.Main.boot(Main.java:200)
>>>>>>        at org.jboss.Main$1.run(Main.java:508)
>>>>>>        at java.lang.Thread.run(Thread.java:619)
>>>>>> 16:20:19,046 WARN  [JBossWeb] Failed to startConnectors
>>>>>> LifecycleException:  service.getName(): "jboss.web";  Protocol handler start failed: java.io.IOException: Bad KeyStore file, expecting a 40 character line.
>>>>>>        at org.apache.catalina.connector.Connector.start(Connector.java:1153)
>>>>>>        at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:601)
>>>>>>        at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:638)
>>>>>>        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
>>>>>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>>        at java.lang.reflect.Method.invoke(Method.java:597)
>>>>>>        at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
>>>>>>        at $Proxy46.handleNotification(Unknown Source)
>>>>>>        at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
>>>>>>        at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
>>>>>>        at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
>>>>>>        at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
>>>>>>        at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
>>>>>>        at org.jboss.Main.boot(Main.java:200)
>>>>>>        at org.jboss.Main$1.run(Main.java:508)
>>>>>>        at java.lang.Thread.run(Thread.java:619)
>>>>>> 16:20:19,062 INFO  [Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)] Started in 4m:25s:750ms
>>>>>>
>>>>>>
>>>>>> On Tue, Oct 14, 2008 at 4:24 PM, Leonardo L. P. da Mata
>>>>>> <barroca@...> wrote:
>>>>>>
>>>>>>> To illustrate how I import the keys, I've imported again, and here
>>>>>>> is the result:
>>>>>>>
>>>>>>> c:\nfast\bin\generatekey --import -c mscapi pkcs11 pemreadfile=teste.pem type=RSA
>>>>>>> recovery: Key recovery? (yes/no) [yes] >
>>>>>>> plainname: Key name? [] > imported3
>>>>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>>>>>>>    key generation parameters:
>>>>>>>  operation    Operation to perform                                      import
>>>>>>>  application  Application                                               pkcs11
>>>>>>>  protect      Protected by                                              token
>>>>>>>  slot         Slot to read cards from                                   0
>>>>>>>  recovery     Key recovery                                              yes
>>>>>>>  verify       Verify security of key                                    yes
>>>>>>>  type         Key type                                                  RSA
>>>>>>>  pemreadfile  PEM file containing RSA key                               teste.pem
>>>>>>>  plainname    Key name                                                  imported3
>>>>>>>  nvram        Store blob in NVRAM (will require administrator cardset)  no
>>>>>>>
>>>>>>> Loading `mscapi':
>>>>>>>  Module 1: 0 cards of 1 read
>>>>>>>  Module 1 slot 0: `mscapi' #1 (`oper')
>>>>>>>  Module 1 slot 0:- passphrase supplied - reading card
>>>>>>> Card reading complete.
>>>>>>>
>>>>>>> Key successfully imported.
>>>>>>> Path to key:
>>>>>>> C:\nfast\kmdata\local\key_pkcs11_uc3d9fa9461f5ada90d40e0b1a2420099ea70834bb-9108857e16ec3ee22b9a23373e9c6f24eac8d70b
>>>>>>>
>>>>>>> It seems that the key is correctly imported. "This is surely possible,
>>>>>>> but we have not done it so we can't provide you with finished commands
>>>>>>> for importing keys for PKCS#11." . Do you think that the message
>>>>>>> saying "Key successfully imported." is not true?
>>>>>>>
>>>>>>> 1)I will try the JCE way.
>>>>>>> 2)Since there's no difference between creating a new one, and
>>>>>>> importing, the options are a little bit confusing. Maybe the
>>>>>>> documentation must be more "step by step" like.. :-)
>>>>>>> 3) I notice that also.
>>>>>>>
>>>>>>>
>>>>>>> I will check for other ways to use the HSM and keep giving feedback here.
>>>>>>>
>>>>>>> Thanks for all the help provided..
>>>>>>>
>>>>>>> On Tue, Oct 14, 2008 at 3:57 PM, Ejbca support
>>>>>>> <ejbca-support@...> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> 1) The Howto article is created for the NFastToken way of using nCipher,
>>>>>>>> not PKCS#11. You can use nCipher using:
>>>>>>>> - PKCS#11
>>>>>>>> - NFast JCE Provider
>>>>>>>>
>>>>>>>> Both ways work, but the howto for importing keys is done for the JCE
>>>>>>>> provider.
>>>>>>>> When trying to start JBoss using the JCE provider did you use
>>>>>>>> EJBCA/bin/nCipherJboss.sh and did you have the nCipher JCE/JCA provider
>>>>>>>> installed (it is separate packages in the nCipher install).
>>>>>>>>
>>>>>>>> When nfkminfo says:
>>>>>>>> -----
>>>>>>>>
>>>>>>>> jboss@host$ $NFAST_HOME/bin/nfkminfo -k
>>>>>>>>  AppName jcecsp Ident f7e825134fe23f58b1575d8efb487babe7ebd1ed
>>>>>>>>  AppName jcecsp Ident
>>>>>>>> f7e825134fe23f58b1575d8efb487babe7ebd1ed-key-832c8a89fe813dc99ae61e094fe5d195ca3e405d
>>>>>>>> -----
>>>>>>>> jcecsp means the keys can only be used by the JCE-provider. nCipher does
>>>>>>>> it so you have different targets depending on which API you are using. If
>>>>>>>> you want to use PKCS#11 you need to import the keys in another way.
>>>>>>>> This is surely possible, but we have not done it so we can't provide you
>>>>>>>> with finished commands for importing keys for PKCS#11.
>>>>>>>>
>>>>>>>>
>>>>>>>> 2) There is no option for creating an "imported CA", you simply create a
>>>>>>>> CA as usual and provide the correct parameters as CAToken parameters.
>>>>>>>>  From EJBCAs view there is no difference between a CA with keys
>>>>>>>> generated in the HSM or created in the HSM. From EJBCAs view the keys
>>>>>>>> ARE simply in the HSM and are used in the HSM.
>>>>>>>>
>>>>>>>> Simply create a new CA using keys on the HSM. Enter a name for the new
>>>>>>>> CA and click 'Create CA'.
>>>>>>>>
>>>>>>>> Which options do not exist? Perhaps the wording "When importing a
>>>>>>>> sub-CA" is confusing? Since you don't import a CA, you simply create a
>>>>>>>> CA as usual.
>>>>>>>>
>>>>>>>> 3) "Import CA certificate" is for something completely different, don't
>>>>>>>> use that. This function simply imports a CA certificate (as you
>>>>>>>> noticed), so you can have external CA certificates imported for various
>>>>>>>> verification reasons.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Tomas
>>>>>>>> -----
>>>>>>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>>>>>>> training for EJBCA. Please see www.primekey.se or contact
>>>>>>>> info@... for more information.
>>>>>>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>>>>>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>>>>>>
>>>>>>>>
>>>>>>>> Leonardo L. P. da Mata wrote:
>>>>>>>>
>>>>>>>>> Hey, so, I've read the documentation, but I think there are some
>>>>>>>>> lacks...
>>>>>>>>> Just to make sure, to use the nCipher nShield, I should use the pkcs11
>>>>>>>>> interface, right? I've tried to start jboss using the ncipher
>>>>>>>>> interface, but it didn't work. So I suppose that this kind of hsm must
>>>>>>>>> use the pkcs11 interface.
>>>>>>>>>
>>>>>>>>> On the screen:
>>>>>>>>> https://localhost:8443/ejbca/adminweb/ca/editcas/editcas.jsp
>>>>>>>>>
>>>>>>>>> I can't find the option mentioned in the documentation, there's no
>>>>>>>>> "create new CA 'ImportedCA'" option, and when I click on the create
>>>>>>>>> button, there's no option that can be selected as importedCA.
>>>>>>>>>
>>>>>>>>> There are "Import CA keystore" and "import CA certificate", but when I
>>>>>>>>> use the option "import CA certificate" I can import my CA certificate,
>>>>>>>>> but the key is not stored in the HSM. The CA Token Type is set to Null
>>>>>>>>> after the import.
>>>>>>>>>
>>>>>>>>> We must provide more than 1 type of security solution, that's why I'm
>>>>>>>>> testing both generating keys inside the HSM and generating outside and
>>>>>>>>> importing them.
>>>>>>>>>
>>>>>>>>> The next step i will try is to generate User certificates into smart
>>>>>>>>> cards, but I'm already testing http://www.hardtokenmgmt.org/.
>>>>>>>>>
>>>>>>>>> Thanks, I appreciate the help. Hope to help the company that I'm
>>>>>>>>> working for to be another reference installation.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Oct 14, 2008 at 5:28 AM, Tomas Gustavsson <tomas@...>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Hi Leonardo,
>>>>>>>>>>
>>>>>>>>>> Did you read the chapter in the User Guide at ejbca.org called
>>>>>>>>>> "Importing an existing CA or sub-CA to EJBCA"? It's under the
>>>>>>>>>> HSM->nCopher section. This text explains exactly how you can import
>>>>>>>>>> existing keys (stored on disc) to create a CA in EJBCA.
>>>>>>>>>> It also explains how you create the CA in EJBCA.
>>>>>>>>>>
>>>>>>>>>> We have done this and it works, no options in JBoss. Since the keys
>>>>>>>>>> are
>>>>>>>>>> imported into nCipher, it is simply just like any other CA with keys
>>>>>>>>>> on
>>>>>>>>>> the nCipher HSM. There is no difference between this CA and a CA where
>>>>>>>>>> keys are generated inside the HSM (which is the recommended way for
>>>>>>>>>> security reasons of-course).
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Tomas
>>>>>>>>>> -----
>>>>>>>>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>>>>>>>>> training for EJBCA. Please see www.primekey.se or contact
>>>>>>>>>> info@... for more information.
>>>>>>>>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>>>>>>>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>>>>>>>>
>>>>>>>>>> Leonardo L. P. da Mata wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> I'm developing the PKI infrastructure for the Official Press of Minas
>>>>>>>>>>> Gerais State, in Brazil, and I'm having some problems generating
>>>>>>>>>>> keys outside an HSM and importing them into the HSM.
>>>>>>>>>>>
>>>>>>>>>>> The server is a Windows XP, and I'm using an nCipher nShield HSM. I was
>>>>>>>>>>> able to import the keys using generatekey --import, the keys are
>>>>>>>>>>> listed using the nfkminfo tool, but I don't know how to use these keys to
>>>>>>>>>>> create a new CA. Is it possible to use external keys to create new
>>>>>>>>>>> CAs?
>>>>>>>>>>>
>>>>>>>>>>> Is there any special change to use imported keys in the
>>>>>>>>>>> administration
>>>>>>>>>>> GUI? Do I need to set parameters when I start JBoss to use external
>>>>>>>>>>> keys?
>>>>>>>>>>>
>>>>>>>>>>> Is there any other source of information different than ejbca.org?
>>>>>>>>>>>
>>>>>>>>>>> I'm using ejbca-3.7.1 and jboss-4.2.3-GA
>>>>>>>>>>>
>>>>>>>>>>> Thanks.
>>>>>>>>>>>
>>>>>>>>>>> BTW, we are planning to develop the tools as free-software.
>>>>>>>>>>>
>>>>>>> --
>>>>>>> Leonardo Luiz Padovani da Mata
>>>>>>> barroca@...
>>>>>>>
>>>>>>> "May the force be with you, always"
>>>>>>> "Nerd Pride... eu tenho. Voce tem?"
>>>>>>>
>>>>> --
>>>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>>>> training for EJBCA. Please see www.primekey.se or contact info@...
>>>>> for more information.
>>>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>>>
>>>> --
>>>> Leonardo Luiz Padovani da Mata
>>>> barroca@...
>>>>
>>>> "May the force be with you, always"
>>>> "Nerd Pride... eu tenho. Voce tem?"
>
> --
> Leonardo Luiz Padovani da Mata
> barroca@...
>
> "May the force be with you, always"
> "Nerd Pride... eu tenho. Voce tem?"
>

--
Leonardo Luiz Padovani da Mata
barroca@...

"May the force be with you, always"
"Nerd Pride... eu tenho. Voce tem?"


Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata

Hey Bruno, the Security World is OK. I've checked the file
permissions, and apparently this is not an issue, because I'm getting
the same problem using the system administrator.

I'm following the steps of the EJBCA user's guide. When importing a file,
I can't access the keystore of the HSM:

keystore: Filename of JCE key store? []
> temp.keystore
ERROR: keystore: key store key is missing
keystore: Filename of JCE key store? []
> 59b8a83024f6d271ac8ec03838d8e3de7c204785
ERROR: keystore: cannot open file
keystore: Filename of JCE key store? []
> c:\nfast\kmdata\local\key_jcecsp_59b8a83024f6d271ac8ec03838d8e3de7c204785
ERROR: keystore: invalid keystore
ERROR: keystore: key store key is missing
keystore: Filename of JCE key store? []
>
ERROR: keystore: invalid filename
keystore: Filename of JCE key store? []
> c:\nfast\kmdata\local\
ERROR: keystore: cannot open file
keystore: Filename of JCE key store? []



temp.keystore contains "59b8a83024f6d271ac8ec03838d8e3de7c204785" as
mentioned in the user guide:
"Windows: 'copy con: temp.keystore' and copypaste the string, press
Ctrl-Z and Enter"

Thanks again.

On Mon, Oct 20, 2008 at 10:22 AM, Bruno Bonfils <asyd@...> wrote:

> On Mon 20 October, Leonardo L. P. da Mata wrote:
>> I've read the HSM manual and checked that my Security World is FIPS level 2.
>> The NFAST_HOME is OK. I think this is a security issue. I'm going to try
>> with the system administrator.
>
> Hi,
>
> In order to create a key protected by the HSM, you need to create a
> Security World and an OCS (Operator Card Set). This procedure is well
> documented in the HSM documentation. However, I may help if you have trouble
> (PS: I work at Linagora and I used to work with EJBCA and nCipher).
>
> If you really already have a security world, check the file permissions.
> I don't know how it goes on Windows, but in a Unix environment,
> nCipher's default permissions only allow root to read/write the security
> world's files.
>
> Best regards
>
> --
> http://asyd.net/home/   - Home Page
> http://guses.org/home/  - French Speaking (Open)Solaris User Group

Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata

So, after some time trying to find the problem, I think I got it solved.
The environment variable JDK_HOME must be set correctly for this to work.
This is a problem with the nCipher software that is not well documented,
but I think it is important to put a note in the User's Guide.

Command used:
C:\Documents and Settings\barroca\Desktop\server_keys>c:\nfast\bin\generatekey.exe --import -c mscapi jcecsp pemreadfile=unprotected.pem keystore=temp.keystore type=RSA alias=imported1
Result:
recovery: Key recovery? (yes/no) [yes] >
keystorepass: JCE key store password? (hidden)
>
x509country: Country code? [] >
x509province: State or province? [] >
x509locality: City or locality? [] >
x509org: Organisation? [] >
x509orgunit: Organisation unit? [] >
x509dnscommon: Domain name? [] >
x509email: Email address? [] >
nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>
key generation parameters:
 operation      Operation to perform                                      import
 application    Application                                               jcecsp
 protect        Protected by                                              token
 slot           Slot to read cards from                                   0
 recovery       Key recovery                                              yes
 verify         Verify security of key                                    yes
 type           Key type                                                  RSA
 pemreadfile    PEM file containing RSA key                               unprotected.pem
 keystore       Filename of JCE key store                                 temp.keystore
 keystorepass   JCE key store password                                    <hidden>
 alias          JCE key alias                                             imported1
 x509country    Country code
 x509province   State or province
 x509locality   City or locality
 x509org        Organisation
 x509orgunit    Organisation unit
 x509dnscommon  Domain name
 x509email      Email address
 nvram          Store blob in NVRAM (will require administrator cardset)  no

Loading `mscapi':
 Module 1: 0 cards of 1 read
 Module 1 slot 0: `mscapi' #1 (`oper')
 Module 1 slot 0:- passphrase supplied - reading card
Card reading complete.

Subprocess failed
Arguments: {C:/Arquivos de programas/Java/jdk1.6.0_07/bin/java.exe} com.ncipher.provider.tools.ImportKey --keystore temp.keystore --alias imported1 --ident d34d2ec33c1b108ceb2d890094736947514ab4ca --type com.ncipher.provider.km.KMRSAPrivateKey --certificate C:/nfast/kmdata/tmp/436_basilisco.cert << {123456
}
Errors:
FATAL: error creating temp.keystore

ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
17:11:36 ERROR: cannot remove kmdata file (C:\nfast\kmdata\local\key_jceshim_d34d2ec33c1b108ceb2d890094736947514ab4ca): No such file or directory
nfgk_operate: SoftwareFailed



I still need to test if the key is working correctly, but when I list
keys with nfkminfo, I can see the new imported keys.

Thanks.


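A pre-flight check for the import procedure discussed in the two messages above, added here as an example and not code from the thread, from EJBCA or from nCipher: it verifies that the JCE key-store file holds one 40-hex key ident, that a key_jcecsp_<ident> file exists under kmdata/local, and that JDK_HOME points at a JDK with a java executable, the three things that went wrong above. The ident format, the file layout, the JDK_HOME requirement and the wording of the reported problems are assumptions drawn from the output shown in the thread.

```python
"""Pre-flight check for an nCipher jcecsp key import (added example, not
code from the thread, from EJBCA or from nCipher's tools). Assumptions,
taken from the output shown in the thread: the JCE key-store file holds a
40-hex key ident, the key file lives at kmdata/local/key_jcecsp_<ident>,
and generatekey spawns java from JDK_HOME."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

IDENT_RE = re.compile(r"^[0-9a-f]{40}$")


def read_ident(keystore: Path) -> Tuple[Optional[str], Optional[str]]:
    """Return (ident, problem). The guide's 'copy con: ... Ctrl-Z' recipe can
    leave a trailing newline or a ^Z byte in the file; those are tolerated,
    anything else is reported."""
    if not keystore.is_file():
        return None, f"key-store file {keystore.name} does not exist"
    raw = keystore.read_bytes().replace(b"\x1a", b"")
    text = raw.decode("ascii", "replace").strip()
    if not IDENT_RE.match(text):
        return None, f"key-store file {keystore.name} does not hold a 40-hex key ident"
    return text, None


def preflight(keystore: Path, kmdata_local: Path, jdk_home: Optional[str]) -> List[str]:
    """Return the list of problems found; an empty list means the three
    prerequisites seen in the thread are in place."""
    problems: List[str] = []
    ident, problem = read_ident(keystore)
    if problem:
        problems.append(problem)
    elif not (kmdata_local / f"key_jcecsp_{ident}").is_file():
        problems.append(f"no key_jcecsp_{ident} under {kmdata_local}")
    if not jdk_home:
        problems.append("JDK_HOME is not set")
    else:
        bin_dir = Path(jdk_home) / "bin"
        if not any((bin_dir / name).is_file() for name in ("java.exe", "java")):
            problems.append(f"JDK_HOME={jdk_home} has no bin/java executable")
    return problems


def run_scenarios(root: Path) -> Dict[str, List[str]]:
    """Build a constructed throwaway layout under root (sample data, not a
    real Security World) and run the check on the good case and on the
    failure cases the thread ran into."""
    ident = "0123456789abcdef0123456789abcdef01234567"  # constructed sample ident
    kmdata_local = root / "kmdata" / "local"
    kmdata_local.mkdir(parents=True)
    (kmdata_local / f"key_jcecsp_{ident}").write_bytes(b"placeholder key blob")
    jdk = root / "jdk"
    (jdk / "bin").mkdir(parents=True)
    (jdk / "bin" / "java.exe").write_bytes(b"")  # stand-in for a real JDK
    good = root / "temp.keystore"
    good.write_bytes(ident.encode() + b"\r\n\x1a")  # as 'copy con:' + Ctrl-Z leaves it
    orphan = root / "orphan.keystore"
    orphan.write_text("f" * 40)  # well-formed ident with no key file behind it
    junk = root / "junk.keystore"
    junk.write_text("key_jcecsp_" + ident)  # a file name pasted instead of the ident
    return {
        "good": preflight(good, kmdata_local, str(jdk)),
        "missing_file": preflight(root / "nope.keystore", kmdata_local, str(jdk)),
        "orphan_ident": preflight(orphan, kmdata_local, str(jdk)),
        "junk_content": preflight(junk, kmdata_local, str(jdk)),
        "no_jdk_home": preflight(good, kmdata_local, None),
    }


def run_demo() -> Dict[str, List[str]]:
    """Run the scenarios in a temporary directory and return their results."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_scenarios(Path(tmp))


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(f"{name}: {problems or 'ok'}")
```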

Re: Using external key with ncipher HSM

by Tomas Gustavsson


Thanks, added it to the docs for the next release.

Cheers,
Tomas



Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata

Hey, I've advanced a lot in the EJBCA installation and its
integration with htmf, but I still can't use htmf correctly. I'm sending
this message here because the htmf list has no discussion at all.

So, I'm using Java 6 and Internet Explorer to access Tolima. I've
generated an administrator card, and it seems to work (I can use this
card with other applications to sign).

After the administrator authenticates in the htmf, EJBCA sends a message:
  19:09:11,390 INFO [Log4jLogDevice] 29 de Outubro de 2008 19h9min11s BRST, CAId : -1688117755, AUTHORIZATION, EVENT_INFO_AUTHORIZEDTORESOURCE, Administrator : CLIENTCERT, Certificate SNR : 3964574de5f7dca8, CN=AdminCA1,O=EJBCA Sample,C=SE, User : No user involved, Certificate : No certificate involved, Comment : Resource :

and the htmf hangs with no answer and no debug information.

Does anyone have any idea why this isn't working?

BTW, the ant deploy of htmf doesn't substitute all variables correctly;
the $*.hostname variables are being deployed without being
substituted. Maybe this is a bug in htmf (TOLIMA).


Thanks.


Re: Using external key with ncipher HSM

by Johan Eklund

Hi Leonardo,

I'm assuming you are using the Java Web Start deployment of Tolima. The
htmf log files are stored in <USER_HOME>/.hardtokenmgmt<n>_<n>.log; can
you send it to me?

Which tokens are you using and which PKCS#11 driver?

// Regards Philip

Leonardo L. P. da Mata skrev:

> Hey, i've advanced a lot in the ejbca installation and it's
> integration with htmf, but i still can't use htmf correct. I'm sending
> this message here because the htmf list has no discussion at all.
>
> so, i'm using java 6 and intert explorer to access tolima. I've
> generated an administrator card, and it seems to work (i can use this
> card with other applications to sign).
>
> after the administrator authenthicate in the htmf, the ejbca send a message:
>   19:09:11,390 INFO [Log4jLogDevice] 29 de Outubro de 2008 19h9min11s
> BRST, CAId : -1688117755, AUTHORIZATION,
> EVENT_INFO_AUTHORIZEDTORESOURCE, Administrator : C LIENTCERT,
> Certificate SNR : 3964574de5f7dca8, CN=AdminCA1,O=EJBCA Sample,C=SE,
> User : No user involved, Certificate : No certificate involved,
> Comment : Resour ce :
>
> and the htmf hangs with no answer and no debug information.
>
> Anyone have any idea why this isn't working?
>
> BTW, the ant deploy of htmf doesn't substitute all variables correct,
> the $*.hostname variables are beeing deployed without beeing
> substituded. Maybe this is a bug of htmf (TOLIMA)
>
>
> Thanks.
>
> On Tue, Oct 21, 2008 at 5:34 AM, Tomas Gustavsson <tomas@...> wrote:
>  
>> Thanks added it to docs for next release.
>>
>> Cheers,
>> Tomas
>>
>>
>> Leonardo L. P. da Mata wrote:
>>    
>>> So, after some time trying to find the problem, i think i could get it solved.
>>> The eviroment variable JDK_HOME must be set correct for this to work.
>>> This is a problem with ncipher software that is not well documented,
>>> but i think it is important to put a note in the User's Guide.
>>>
>>> Command used:
>>> C:\Documents and
>>> Settings\barroca\Desktop\server_keys>c:\nfast\bin\generatekey.exe
>>> --import -c mscapi jcecsp pemreadfile=unprotected.pem
>>> keystore=temp.keystore type=RSA alias=imported1
>>> Result:
>>> recovery: Key recovery? (yes/no) [yes] >
>>> keystorepass: JCE key store password? (hidden)
>>> x509country: Country code? [] >
>>> x509province: State or province? [] >
>>> x509locality: City or locality? [] >
>>> x509org: Organisation? [] >
>>> x509orgunit: Organisation unit? [] >
>>> x509dnscommon: Domain name? [] >
>>> x509email: Email address? [] >
>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>>> key generation parameters:
>>>  operation      Operation to perform                                      import
>>>
>>>  application    Application                                               jcecsp
>>>
>>>  protect        Protected by                                              token
>>>  slot           Slot to read cards from                                   0
>>>  recovery       Key recovery                                              yes
>>>  verify         Verify security of key                                    yes
>>>  type           Key type                                                  RSA
>>>  pemreadfile    PEM file containing RSA key                               unprot
>>> ected.pem
>>>  keystore       Filename of JCE key store                                 temp.k
>>> eystore
>>>  keystorepass   JCE key store password                                    <hidde
>>> n>
>>>  alias          JCE key alias                                             import
>>> ed1
>>>  x509country    Country code
>>>  x509province   State or province
>>>  x509locality   City or locality
>>>  x509org        Organisation
>>>  x509orgunit    Organisation unit
>>>  x509dnscommon  Domain name
>>>  x509email      Email address
>>>  nvram          Store blob in NVRAM (will require administrator cardset)  no
>>>
>>> Loading `mscapi':
>>>  Module 1: 0 cards of 1 read
>>>  Module 1 slot 0: `mscapi' #1 (`oper')
>>>  Module 1 slot 0:- passphrase supplied - reading card
>>> Card reading complete.
>>>
>>> Subprocess failed
>>> Arguments: {C:/Arquivos de programas/Java/jdk1.6.0_07/bin/java.exe} com.ncipher.
>>> provider.tools.ImportKey --keystore temp.keystore --alias imported1 --ident d34d
>>> 2ec33c1b108ceb2d890094736947514ab4ca --type com.ncipher.provider.km.KMRSAPrivate
>>> Key --certificate C:/nfast/kmdata/tmp/436_basilisco.cert << {123456
>>> }
>>> Errors:
>>> FATAL: error creating temp.keystore
>>>
>>>
>>> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
>>> 17:11:36 ERROR: cannot remove kmdata file (C:\nfast\kmdata\local\key_jceshim_d34
>>> d2ec33c1b108ceb2d890094736947514ab4ca): No such file or directory
>>> nfgk_operate: SoftwareFailed
>>>
>>>
>>>
>>> I still need to test if the key is working correct, but when i list
>>> keys with nfkminfo, i can see the new imported keys.
>>>
>>> Thanks.
>>>
>>>
>>> On Mon, Oct 20, 2008 at 12:27 PM, Leonardo L. P. da Mata
>>> <barroca@...> wrote:
>>>      
>>>> Hey Brune, the Security World is ok. I've checked  the file
>>>> permissions, and apparently this is not an issue, because i'm getting
>>>> the same problem using the system administrator.
>>>>
>>>> I'm following the steps of ejbca user's guide. When importing a file,
>>>> i can't access the keystore of the HSM:
>>>>
>>>> keystore: Filename of JCE key store? []
>>>>        
>>>>> temp.keystore
>>>>>          
>>>> ERROR: keystore: key store key is missing
>>>> keystore: Filename of JCE key store? []
>>>>        
>>>>> 59b8a83024f6d271ac8ec03838d8e3de7c204785
>>>>>          
>>>> ERROR: keystore: cannot open file
>>>> keystore: Filename of JCE key store? []
>>>>        
>>>>> c:\nfast\kmdata\local\key_jcecsp_59b8a83024f6d271ac8ec03838d8e3de7c204785
>>>>>          
>>>> ERROR: keystore: invalid keystore
>>>> ERROR: keystore: key store key is missing
>>>> keystore: Filename of JCE key store? []
>>>> ERROR: keystore: invalid filename
>>>> keystore: Filename of JCE key store? []
>>>>        
>>>>> c:\nfast\kmdata\local\
>>>>>          
>>>> ERROR: keystore: cannot open file
>>>> keystore: Filename of JCE key store? []
>>>>
>>>>
>>>>
>>>> temp.keystore contains "59b8a83024f6d271ac8ec03838d8e3de7c204785" as
>>>> mentioned in the user guide:
>>>> "Windows: 'copy con: temp.keystore' and copypaste the string, press
>>>> Ctrl-Z and Enter"
>>>>
>>>> Thanks again.
>>>>
>>>> On Mon, Oct 20, 2008 at 10:22 AM, Bruno Bonfils <asyd@...> wrote:
>>>>        
>>>>> On Mon 20 October, Leonardo L. P. da Mata wrote:
>>>>>          
>>>>>> I've read the HSM manual and checked that my Security World is FIPS level 2.
>>>>>> The NFAST_HOME is OK. I think this is a security issue. I'm gonna try
>>>>>> with the system administrator.
>>>>>>            
>>>>> Hi,
>>>>>
>>>>> In order to create some key protected by the HSM, you need to create a
>>>>> Security World and an OCS (Operator Card Set). This procedure is well
>>>>> documented in the HSM documentation. However, I may help if you have trouble
>>>>> (PS: I work at Linagora and I used to work with EJBCA and nCipher).
>>>>>
>>>>> If you really already have a Security World, check the file permissions.
>>>>> I don't know how it goes on Windows, but in a Unix environment,
>>>>> nCipher's default permissions only allow root to read/write the Security
>>>>> World's files.
>>>>>
>>>>> Best regards
>>>>>
>>>>> --
>>>>> http://asyd.net/home/   - Home Page
>>>>> http://guses.org/home/  - French Speaking (Open)Solaris User Group
>>>>>
>>>>> -------------------------------------------------------------------------
>>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>>>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>>>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>>>> _______________________________________________
>>>>> Ejbca-develop mailing list
>>>>> Ejbca-develop@...
>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>>>
>>>>>          
>>>> --
>>>> Leonardo Luiz Padovani da Mata
>>>> barroca@...
>>>>
>>>> "May the force be with you, always"
>>>> "Nerd Pride... eu tenho. Voce tem?"
>>>>
>>>>        
>>>
>>>      



Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata


It was hanging on opening the library (wrong PKCS#11 interface). I've
changed to opensc-pkcs11.dll, but now it can't recognize my cards...



On Thu, Oct 30, 2008 at 8:05 AM, EJBCA Support
<ejbca-support@...> wrote:

> Hi Leonardo
>
> I'm assuming you are using the java web start deployment of Tolima. The
> htmf log files are stored in <USER_HOME>/.hardtokenmgmt<n>_<n>.log can
> you send it to me.
>
> Which tokens are you using and which pkcs11 driver?
>
> // Regards Philip
>
> Leonardo L. P. da Mata skrev:
>> Hey, I've advanced a lot in the EJBCA installation and its
>> integration with htmf, but I still can't use htmf correctly. I'm sending
>> this message here because the htmf list has no discussion at all.
>>
>> So, I'm using Java 6 and Internet Explorer to access Tolima. I've
>> generated an administrator card, and it seems to work (I can use this
>> card with other applications to sign).
>>
>> After the administrator authenticates in the htmf, EJBCA sends a message:
>>   19:09:11,390 INFO [Log4jLogDevice] 29 de Outubro de 2008 19h9min11s
>> BRST, CAId : -1688117755, AUTHORIZATION,
>> EVENT_INFO_AUTHORIZEDTORESOURCE, Administrator : CLIENTCERT,
>> Certificate SNR : 3964574de5f7dca8, CN=AdminCA1,O=EJBCA Sample,C=SE,
>> User : No user involved, Certificate : No certificate involved,
>> Comment : Resource :
>>
>> and the htmf hangs with no answer and no debug information.
>>
>> Anyone have any idea why this isn't working?
>>
>> BTW, the ant deploy of htmf doesn't substitute all variables correctly;
>> the $*.hostname variables are being deployed without being
>> substituted. Maybe this is a bug of htmf (TOLIMA).
>>
>>
>> Thanks.
>>
>> On Tue, Oct 21, 2008 at 5:34 AM, Tomas Gustavsson <tomas@...> wrote:
>>
>>> Thanks added it to docs for next release.
>>>
>>> Cheers,
>>> Tomas
>>>
>>>
>>> Leonardo L. P. da Mata wrote:
>>>
>>>> So, after some time trying to find the problem, I think I could get it solved.
>>>> The environment variable JDK_HOME must be set correctly for this to work.
>>>> This is a problem with nCipher software that is not well documented,
>>>> but I think it is important to put a note in the User's Guide.
>>>>
>>>> Command used:
>>>> C:\Documents and
>>>> Settings\barroca\Desktop\server_keys>c:\nfast\bin\generatekey.exe
>>>> --import -c mscapi jcecsp pemreadfile=unprotected.pem
>>>> keystore=temp.keystore type=RSA alias=imported1
>>>> Result:
>>>> recovery: Key recovery? (yes/no) [yes] >
>>>> keystorepass: JCE key store password? (hidden)
>>>> x509country: Country code? [] >
>>>> x509province: State or province? [] >
>>>> x509locality: City or locality? [] >
>>>> x509org: Organisation? [] >
>>>> x509orgunit: Organisation unit? [] >
>>>> x509dnscommon: Domain name? [] >
>>>> x509email: Email address? [] >
>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>>>> key generation parameters:
>>>>  operation      Operation to perform                                      import
>>>>
>>>>  application    Application                                               jcecsp
>>>>
>>>>  protect        Protected by                                              token
>>>>  slot           Slot to read cards from                                   0
>>>>  recovery       Key recovery                                              yes
>>>>  verify         Verify security of key                                    yes
>>>>  type           Key type                                                  RSA
>>>>  pemreadfile    PEM file containing RSA key                               unprot
>>>> ected.pem
>>>>  keystore       Filename of JCE key store                                 temp.k
>>>> eystore
>>>>  keystorepass   JCE key store password                                    <hidde
>>>> n>
>>>>  alias          JCE key alias                                             import
>>>> ed1
>>>>  x509country    Country code
>>>>  x509province   State or province
>>>>  x509locality   City or locality
>>>>  x509org        Organisation
>>>>  x509orgunit    Organisation unit
>>>>  x509dnscommon  Domain name
>>>>  x509email      Email address
>>>>  nvram          Store blob in NVRAM (will require administrator cardset)  no
>>>>
>>>> Loading `mscapi':
>>>>  Module 1: 0 cards of 1 read
>>>>  Module 1 slot 0: `mscapi' #1 (`oper')
>>>>  Module 1 slot 0:- passphrase supplied - reading card
>>>> Card reading complete.
>>>>
>>>> Subprocess failed
>>>> Arguments: {C:/Arquivos de programas/Java/jdk1.6.0_07/bin/java.exe} com.ncipher.
>>>> provider.tools.ImportKey --keystore temp.keystore --alias imported1 --ident d34d
>>>> 2ec33c1b108ceb2d890094736947514ab4ca --type com.ncipher.provider.km.KMRSAPrivate
>>>> Key --certificate C:/nfast/kmdata/tmp/436_basilisco.cert << {123456
>>>> }
>>>> Errors:
>>>> FATAL: error creating temp.keystore
>>>>
>>>>
>>>> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
>>>> 17:11:36 ERROR: cannot remove kmdata file (C:\nfast\kmdata\local\key_jceshim_d34
>>>> d2ec33c1b108ceb2d890094736947514ab4ca): No such file or directory
>>>> nfgk_operate: SoftwareFailed
>>>>
>>>>
>>>>
>>>> I still need to test if the key is working correctly, but when I list
>>>> keys with nfkminfo, I can see the new imported keys.
>>>>
>>>> Thanks.
>>>>
>>>>



--
Leonardo Luiz Padovani da Mata
barroca@...

"May the force be with you, always"
"Nerd Pride... eu tenho. Voce tem?"

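A pre-flight check for the import steps quoted in the messages above: the temp.keystore file that must hold the key ident, the key_jcecsp_<ident> blob under kmdata, and the JDK_HOME / NFAST_HOME variables the thread found necessary. This is an added example, not code from EJBCA, nCipher or the thread's author; the keystore file layout, the blob path and the environment variables it checks are assumptions taken from what the thread quotes, and the error wording only echoes the generatekey messages shown above.

```shell
#!/bin/sh
# Pre-flight checks for the generatekey --import step quoted in this thread.
# Added example, not code from EJBCA, nCipher or the thread's author.
# Assumptions (mine, taken from what the thread quotes):
#  - the "keystore" file handed to generatekey is a plain text file whose only
#    content is the 40-hex-character key ident, as the quoted user guide step
#    ("copy con: temp.keystore", paste the string, Ctrl-Z) produces;
#  - the HSM-protected blob for that ident lives at
#    <kmdata>/local/key_jcecsp_<ident>, matching the path quoted above;
#  - JDK_HOME and NFAST_HOME must both be set, as the thread found.

# check_keystore_file FILE KMDATA_DIR
# Returns 0 when FILE holds exactly one 40-hex ident and the matching
# key_jcecsp_<ident> blob exists under KMDATA_DIR/local; otherwise prints a
# diagnostic (worded after the generatekey errors in the thread) and returns 1.
check_keystore_file() {
    file=$1
    kmdata=$2

    if [ ! -f "$file" ]; then
        echo "keystore: cannot open file ($file)" >&2
        return 1
    fi

    # Drop CR/LF and any surrounding whitespace: 'copy con' on Windows
    # terminates the line with CRLF, which is not part of the ident.
    ident=$(tr -d '[:space:]' < "$file")

    # The ident is a 40-character lowercase hex string.
    case "$ident" in
        "" | *[!0-9a-f]*)
            echo "keystore: key store key is missing (no hex ident in $file)" >&2
            return 1 ;;
    esac
    if [ "${#ident}" -ne 40 ]; then
        echo "keystore: invalid keystore (ident length ${#ident}, want 40)" >&2
        return 1
    fi

    blob="$kmdata/local/key_jcecsp_$ident"
    if [ ! -f "$blob" ]; then
        echo "keystore: no key blob for ident $ident (expected $blob)" >&2
        return 1
    fi
    echo "ok: $file -> $blob"
}

# check_env: JDK_HOME and NFAST_HOME must be set and point at directories.
check_env() {
    rc=0
    for var in JDK_HOME NFAST_HOME; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "$var is not set" >&2; rc=1
        elif [ ! -d "$val" ]; then
            echo "$var=$val is not a directory" >&2; rc=1
        fi
    done
    return $rc
}

# Demonstration on a constructed kmdata tree; nothing here touches an HSM.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/kmdata/local"
    ident=59b8a83024f6d271ac8ec03838d8e3de7c204785   # ident quoted in the thread
    : > "$tmp/kmdata/local/key_jcecsp_$ident"         # stand-in for the blob
    printf '%s\r\n' "$ident" > "$tmp/good.keystore"    # as 'copy con' writes it
    printf 'temp.keystore\n' > "$tmp/bad.keystore"     # a filename, not an ident
    check_keystore_file "$tmp/good.keystore" "$tmp/kmdata"
    check_keystore_file "$tmp/bad.keystore" "$tmp/kmdata" || echo "bad.keystore rejected"
    rm -rf "$tmp"
}
demo
```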

Re: Using external key with ncipher HSM

by Leonardo L. P. da Mata


i mean, the htmf could open the library, but couldn't use it to read
the cards. It says that the card is not supported.


On Thu, Oct 30, 2008 at 3:24 PM, Leonardo L. P. da Mata
<barroca@...> wrote:

> It was hanging on opening the library (wrong PKCS#11 interface). I've
> changed to opensc-pkcs11.dll, but now it can't recognize my cards...



--
Leonardo Luiz Padovani da Mata
barroca@...

"May the force be with you, always"
"Nerd Pride... eu tenho. Voce tem?"
