Using external key with ncipher HSM

> i mean, the htmf could open the library, but couldn't use it to read
> the cards. It says that the card is not supported.
>
>
> On Thu, Oct 30, 2008 at 3:24 PM, Leonardo L. P. da Mata
> <barroca@...> wrote:
> > it was hanging on oppening the library (wrong pkcs11 interface). i've
> > changed to opensc-pkcs11.dll, but now it can't reconize my cards...
> >
> >
> >
> > On Thu, Oct 30, 2008 at 8:05 AM, EJBCA Support
> > <ejbca-support@...> wrote:
> >> Hi Leonardo
> >>
> >> I'm assuming you are using the java web start deployment of Tolima. The
> >> htmf log files are stored in <USER_HOME>/.hardtokenmgmt<n>_<n>.log can
> >> you send it to me.
> >>
> >> Which tokens are you using and which pkcs11 driver?
> >>
> >> // Regards Philip
> >>
> >> Leonardo L. P. da Mata skrev:
> >>> Hey, i've advanced a lot in the ejbca installation and it's
> >>> integration with htmf, but i still can't use htmf correct. I'm sending
> >>> this message here because the htmf list has no discussion at all.
> >>>
> >>> so, i'm using java 6 and intert explorer to access tolima. I've
> >>> generated an administrator card, and it seems to work (i can use this
> >>> card with other applications to sign).
> >>>
> >>> after the administrator authenthicate in the htmf, the ejbca send a message:
> >>>   19:09:11,390 INFO [Log4jLogDevice] 29 de Outubro de 2008 19h9min11s
> >>> BRST, CAId : -1688117755, AUTHORIZATION,
> >>> EVENT_INFO_AUTHORIZEDTORESOURCE, Administrator : C LIENTCERT,
> >>> Certificate SNR : 3964574de5f7dca8, CN=AdminCA1,O=EJBCA Sample,C=SE,
> >>> User : No user involved, Certificate : No certificate involved,
> >>> Comment : Resour ce :
> >>>
> >>> and the htmf hangs with no answer and no debug information.
> >>>
> >>> Anyone have any idea why this isn't working?
> >>>
> >>> BTW, the ant deploy of htmf doesn't substitute all variables correct,
> >>> the $*.hostname variables are beeing deployed without beeing
> >>> substituded. Maybe this is a bug of htmf (TOLIMA)
> >>>
> >>>
> >>> Thanks.
> >>>
> >>> On Tue, Oct 21, 2008 at 5:34 AM, Tomas Gustavsson <tomas@...> wrote:
> >>>
> >>>> Thanks added it to docs for next release.
> >>>>
> >>>> Cheers,
> >>>> Tomas
> >>>>
> >>>>
> >>>> Leonardo L. P. da Mata wrote:
> >>>>
> >>>>> So, after some time trying to find the problem, i think i could get it solved.
> >>>>> The eviroment variable JDK_HOME must be set correct for this to work.
> >>>>> This is a problem with ncipher software that is not well documented,
> >>>>> but i think it is important to put a note in the User's Guide.
> >>>>>
> >>>>> Command used:
> >>>>> C:\Documents and
> >>>>> Settings\barroca\Desktop\server_keys>c:\nfast\bin\generatekey.exe
> >>>>> --import -c mscapi jcecsp pemreadfile=unprotected.pem
> >>>>> keystore=temp.keystore type=RSA alias=imported1
> >>>>> Result:
> >>>>> recovery: Key recovery? (yes/no) [yes] >
> >>>>> keystorepass: JCE key store password? (hidden)
> >>>>> x509country: Country code? [] >
> >>>>> x509province: State or province? [] >
> >>>>> x509locality: City or locality? [] >
> >>>>> x509org: Organisation? [] >
> >>>>> x509orgunit: Organisation unit? [] >
> >>>>> x509dnscommon: Domain name? [] >
> >>>>> x509email: Email address? [] >
> >>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
> >>>>> key generation parameters:
> >>>>>  operation      Operation to perform                                      import
> >>>>>
> >>>>>  application    Application                                               jcecsp
> >>>>>
> >>>>>  protect        Protected by                                              token
> >>>>>  slot           Slot to read cards from                                   0
> >>>>>  recovery       Key recovery                                              yes
> >>>>>  verify         Verify security of key                                    yes
> >>>>>  type           Key type                                                  RSA
> >>>>>  pemreadfile    PEM file containing RSA key                               unprot
> >>>>> ected.pem
> >>>>>  keystore       Filename of JCE key store                                 temp.k
> >>>>> eystore
> >>>>>  keystorepass   JCE key store password                                    <hidde
> >>>>> n>
> >>>>>  alias          JCE key alias                                             import
> >>>>> ed1
> >>>>>  x509country    Country code
> >>>>>  x509province   State or province
> >>>>>  x509locality   City or locality
> >>>>>  x509org        Organisation
> >>>>>  x509orgunit    Organisation unit
> >>>>>  x509dnscommon  Domain name
> >>>>>  x509email      Email address
> >>>>>  nvram          Store blob in NVRAM (will require administrator cardset)  no
> >>>>>
> >>>>> Loading `mscapi':
> >>>>>  Module 1: 0 cards of 1 read
> >>>>>  Module 1 slot 0: `mscapi' #1 (`oper')
> >>>>>  Module 1 slot 0:- passphrase supplied - reading card
> >>>>> Card reading complete.
> >>>>>
> >>>>> Subprocess failed
> >>>>> Arguments: {C:/Arquivos de programas/Java/jdk1.6.0_07/bin/java.exe} com.ncipher.
> >>>>> provider.tools.ImportKey --keystore temp.keystore --alias imported1 --ident d34d
> >>>>> 2ec33c1b108ceb2d890094736947514ab4ca --type com.ncipher.provider.km.KMRSAPrivate
> >>>>> Key --certificate C:/nfast/kmdata/tmp/436_basilisco.cert << {123456
> >>>>> }
> >>>>> Errors:
> >>>>> FATAL: error creating temp.keystore
> >>>>>
> >>>>>
> >>>>> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
> >>>>> 17:11:36 ERROR: cannot remove kmdata file (C:\nfast\kmdata\local\key_jceshim_d34
> >>>>> d2ec33c1b108ceb2d890094736947514ab4ca): No such file or directory
> >>>>> nfgk_operate: SoftwareFailed
> >>>>>
> >>>>>
> >>>>>
> >>>>> I still need to test if the key is working correct, but when i list
> >>>>> keys with nfkminfo, i can see the new imported keys.
> >>>>>
> >>>>> Thanks.
> >>>>>
> >>>>>
> >>>>> On Mon, Oct 20, 2008 at 12:27 PM, Leonardo L. P. da Mata
> >>>>> <barroca@...> wrote:
> >>>>>
> >>>>>> Hey Brune, the Security World is ok. I've checked  the file
> >>>>>> permissions, and apparently this is not an issue, because i'm getting
> >>>>>> the same problem using the system administrator.
> >>>>>>
> >>>>>> I'm following the steps of ejbca user's guide. When importing a file,
> >>>>>> i can't access the keystore of the HSM:
> >>>>>>
> >>>>>> keystore: Filename of JCE key store? []
> >>>>>>
> >>>>>>> temp.keystore
> >>>>>>>
> >>>>>> ERROR: keystore: key store key is missing
> >>>>>> keystore: Filename of JCE key store? []
> >>>>>>
> >>>>>>> 59b8a83024f6d271ac8ec03838d8e3de7c204785
> >>>>>>>
> >>>>>> ERROR: keystore: cannot open file
> >>>>>> keystore: Filename of JCE key store? []
> >>>>>>
> >>>>>>> c:\nfast\kmdata\local\key_jcecsp_59b8a83024f6d271ac8ec03838d8e3de7c204785
> >>>>>>>
> >>>>>> ERROR: keystore: invalid keystore
> >>>>>> ERROR: keystore: key store key is missing
> >>>>>> keystore: Filename of JCE key store? []
> >>>>>> ERROR: keystore: invalid filename
> >>>>>> keystore: Filename of JCE key store? []
> >>>>>>
> >>>>>>> c:\nfast\kmdata\local\
> >>>>>>>
> >>>>>> ERROR: keystore: cannot open file
> >>>>>> keystore: Filename of JCE key store? []
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> temp.keystore contains "59b8a83024f6d271ac8ec03838d8e3de7c204785" as
> >>>>>> mentioned in the user guide:
> >>>>>> "Windows: 'copy con: temp.keystore' and copypaste the string, press
> >>>>>> Ctrl-Z and Enter"
> >>>>>>
> >>>>>> Thanks again.
> >>>>>>
> >>>>>> On Mon, Oct 20, 2008 at 10:22 AM, Bruno Bonfils <asyd@...> wrote:
> >>>>>>
> >>>>>>> On Mon 20 October, Leonardo L. P. da Mata wrote:
> >>>>>>>
> >>>>>>>> I've read the HSM manual and checked that my Security world is a fips level 2.
> >>>>>>>> The NFAST_HOME is ok. I think this a security issue. I'm gonna try
> >>>>>>>> with the system administrator.
> >>>>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> in order to create some key protected by the HSM, you need to create a
> >>>>>>> Security World, and OCS (Operator Card Set). This procedure is well
> >>>>>>> documented in the HSM documentations. However I may help if you trouble
> >>>>>>> (ps: I work at Linagora and I used to work with EJBCA and nCipher).
> >>>>>>>
> >>>>>>> If you really already have a security world, check the file permissions,
> >>>>>>> I don't know how is going on windows, but on unix environnement,
> >>>>>>> nCipher's default permissions only allow root to read/write the security
> >>>>>>> world's files.
> >>>>>>>
> >>>>>>> BEst regards
> >>>>>>>
> >>>>>>> --
> >>>>>>> http://asyd.net/home/   - Home Page
> >>>>>>> http://guses.org/home/  - French Speaking (Open)Solaris User Group
> >>>>>>>
> >>>>>>> -------------------------------------------------------------------------
> >>>>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> >>>>>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
> >>>>>>> Grand prize is a trip for two to an Open Source event anywhere in the world
> >>>>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> >>>>>>> _______________________________________________
> >>>>>>> Ejbca-develop mailing list
> >>>>>>> Ejbca-develop@...
> >>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> >>>>>>>
> >>>>>>>
> >>>>>> --
> >>>>>> Leonardo Luiz Padovani da Mata
> >>>>>> barroca@...
> >>>>>>
> >>>>>> "May the force be with you, always"
> >>>>>> "Nerd Pride... eu tenho. Voce tem?"
> >>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>> -------------------------------------------------------------------------
> >>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> >>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
> >>>> Grand prize is a trip for two to an Open Source event anywhere in the world
> >>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> >>>> _______________________________________________
> >>>> Ejbca-develop mailing list
> >>>> Ejbca-develop@...
> >>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >> -------------------------------------------------------------------------
> >> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> >> Build the coolest Linux based applications with Moblin SDK & win great prizes
> >> Grand prize is a trip for two to an Open Source event anywhere in the world
> >> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> >> _______________________________________________
> >> Ejbca-develop mailing list
> >> Ejbca-develop@...
> >> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> >>
> >
> >
> >
> > --
> > Leonardo Luiz Padovani da Mata
> > barroca@...
> >
> > "May the force be with you, always"
> > "Nerd Pride... eu tenho. Voce tem?"
> >
>
>
>

> That means opensc cannot recognize the format of your cards.
> Which card are you using? Did you format it with opensc?
>
> El Jueves, 30 de Octubre de 2008 18:25:09 Leonardo L. P. da Mata escribió:
>> i mean, the htmf could open the library, but couldn't use it to read
>> the cards. It says that the card is not supported.
>>
>>
>> On Thu, Oct 30, 2008 at 3:24 PM, Leonardo L. P. da Mata
>> <barroca@...> wrote:
>> > it was hanging on oppening the library (wrong pkcs11 interface). i've
>> > changed to opensc-pkcs11.dll, but now it can't reconize my cards...
>> >
>> >
>> >
>> > On Thu, Oct 30, 2008 at 8:05 AM, EJBCA Support
>> > <ejbca-support@...> wrote:
>> >> Hi Leonardo
>> >>
>> >> I'm assuming you are using the java web start deployment of Tolima. The
>> >> htmf log files are stored in <USER_HOME>/.hardtokenmgmt<n>_<n>.log can
>> >> you send it to me.
>> >>
>> >> Which tokens are you using and which pkcs11 driver?
>> >>
>> >> // Regards Philip
>> >>
>> >> Leonardo L. P. da Mata skrev:
>> >>> Hey, i've advanced a lot in the ejbca installation and it's
>> >>> integration with htmf, but i still can't use htmf correct. I'm sending
>> >>> this message here because the htmf list has no discussion at all.
>> >>>
>> >>> so, i'm using java 6 and intert explorer to access tolima. I've
>> >>> generated an administrator card, and it seems to work (i can use this
>> >>> card with other applications to sign).
>> >>>
>> >>> after the administrator authenthicate in the htmf, the ejbca send a message:
>> >>>   19:09:11,390 INFO [Log4jLogDevice] 29 de Outubro de 2008 19h9min11s
>> >>> BRST, CAId : -1688117755, AUTHORIZATION,
>> >>> EVENT_INFO_AUTHORIZEDTORESOURCE, Administrator : C LIENTCERT,
>> >>> Certificate SNR : 3964574de5f7dca8, CN=AdminCA1,O=EJBCA Sample,C=SE,
>> >>> User : No user involved, Certificate : No certificate involved,
>> >>> Comment : Resour ce :
>> >>>
>> >>> and the htmf hangs with no answer and no debug information.
>> >>>
>> >>> Anyone have any idea why this isn't working?
>> >>>
>> >>> BTW, the ant deploy of htmf doesn't substitute all variables correct,
>> >>> the $*.hostname variables are beeing deployed without beeing
>> >>> substituded. Maybe this is a bug of htmf (TOLIMA)
>> >>>
>> >>>
>> >>> Thanks.
>> >>>
>> >>> On Tue, Oct 21, 2008 at 5:34 AM, Tomas Gustavsson <tomas@...> wrote:
>> >>>
>> >>>> Thanks added it to docs for next release.
>> >>>>
>> >>>> Cheers,
>> >>>> Tomas
>> >>>>
>> >>>>
>> >>>> Leonardo L. P. da Mata wrote:
>> >>>>
>> >>>>> So, after some time trying to find the problem, i think i could get it solved.
>> >>>>> The eviroment variable JDK_HOME must be set correct for this to work.
>> >>>>> This is a problem with ncipher software that is not well documented,
>> >>>>> but i think it is important to put a note in the User's Guide.
>> >>>>>
>> >>>>> Command used:
>> >>>>> C:\Documents and
>> >>>>> Settings\barroca\Desktop\server_keys>c:\nfast\bin\generatekey.exe
>> >>>>> --import -c mscapi jcecsp pemreadfile=unprotected.pem
>> >>>>> keystore=temp.keystore type=RSA alias=imported1
>> >>>>> Result:
>> >>>>> recovery: Key recovery? (yes/no) [yes] >
>> >>>>> keystorepass: JCE key store password? (hidden)
>> >>>>> x509country: Country code? [] >
>> >>>>> x509province: State or province? [] >
>> >>>>> x509locality: City or locality? [] >
>> >>>>> x509org: Organisation? [] >
>> >>>>> x509orgunit: Organisation unit? [] >
>> >>>>> x509dnscommon: Domain name? [] >
>> >>>>> x509email: Email address? [] >
>> >>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>> >>>>> key generation parameters:
>> >>>>>  operation      Operation to perform                                      import
>> >>>>>
>> >>>>>  application    Application                                               jcecsp
>> >>>>>
>> >>>>>  protect        Protected by                                              token
>> >>>>>  slot           Slot to read cards from                                   0
>> >>>>>  recovery       Key recovery                                              yes
>> >>>>>  verify         Verify security of key                                    yes
>> >>>>>  type           Key type                                                  RSA
>> >>>>>  pemreadfile    PEM file containing RSA key                               unprot
>> >>>>> ected.pem
>> >>>>>  keystore       Filename of JCE key store                                 temp.k
>> >>>>> eystore
>> >>>>>  keystorepass   JCE key store password                                    <hidde
>> >>>>> n>
>> >>>>>  alias          JCE key alias                                             import
>> >>>>> ed1
>> >>>>>  x509country    Country code
>> >>>>>  x509province   State or province
>> >>>>>  x509locality   City or locality
>> >>>>>  x509org        Organisation
>> >>>>>  x509orgunit    Organisation unit
>> >>>>>  x509dnscommon  Domain name
>> >>>>>  x509email      Email address
>> >>>>>  nvram          Store blob in NVRAM (will require administrator cardset)  no
>> >>>>>
>> >>>>> Loading `mscapi':
>> >>>>>  Module 1: 0 cards of 1 read
>> >>>>>  Module 1 slot 0: `mscapi' #1 (`oper')
>> >>>>>  Module 1 slot 0:- passphrase supplied - reading card
>> >>>>> Card reading complete.
>> >>>>>
>> >>>>> Subprocess failed
>> >>>>> Arguments: {C:/Arquivos de programas/Java/jdk1.6.0_07/bin/java.exe} com.ncipher.
>> >>>>> provider.tools.ImportKey --keystore temp.keystore --alias imported1 --ident d34d
>> >>>>> 2ec33c1b108ceb2d890094736947514ab4ca --type com.ncipher.provider.km.KMRSAPrivate
>> >>>>> Key --certificate C:/nfast/kmdata/tmp/436_basilisco.cert << {123456
>> >>>>> }
>> >>>>> Errors:
>> >>>>> FATAL: error creating temp.keystore
>> >>>>>
>> >>>>>
>> >>>>> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
>> >>>>> 17:11:36 ERROR: cannot remove kmdata file (C:\nfast\kmdata\local\key_jceshim_d34
>> >>>>> d2ec33c1b108ceb2d890094736947514ab4ca): No such file or directory
>> >>>>> nfgk_operate: SoftwareFailed
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> I still need to test if the key is working correct, but when i list
>> >>>>> keys with nfkminfo, i can see the new imported keys.
>> >>>>>
>> >>>>> Thanks.
>> >>>>>
>> >>>>>
>> >>>>> On Mon, Oct 20, 2008 at 12:27 PM, Leonardo L. P. da Mata
>> >>>>> <barroca@...> wrote:
>> >>>>>
>> >>>>>> Hey Brune, the Security World is ok. I've checked  the file
>> >>>>>> permissions, and apparently this is not an issue, because i'm getting
>> >>>>>> the same problem using the system administrator.
>> >>>>>>
>> >>>>>> I'm following the steps of ejbca user's guide. When importing a file,
>> >>>>>> i can't access the keystore of the HSM:
>> >>>>>>
>> >>>>>> keystore: Filename of JCE key store? []
>> >>>>>>
>> >>>>>>> temp.keystore
>> >>>>>>>
>> >>>>>> ERROR: keystore: key store key is missing
>> >>>>>> keystore: Filename of JCE key store? []
>> >>>>>>
>> >>>>>>> 59b8a83024f6d271ac8ec03838d8e3de7c204785
>> >>>>>>>
>> >>>>>> ERROR: keystore: cannot open file
>> >>>>>> keystore: Filename of JCE key store? []
>> >>>>>>
>> >>>>>>> c:\nfast\kmdata\local\key_jcecsp_59b8a83024f6d271ac8ec03838d8e3de7c204785
>> >>>>>>>
>> >>>>>> ERROR: keystore: invalid keystore
>> >>>>>> ERROR: keystore: key store key is missing
>> >>>>>> keystore: Filename of JCE key store? []
>> >>>>>> ERROR: keystore: invalid filename
>> >>>>>> keystore: Filename of JCE key store? []
>> >>>>>>
>> >>>>>>> c:\nfast\kmdata\local\
>> >>>>>>>
>> >>>>>> ERROR: keystore: cannot open file
>> >>>>>> keystore: Filename of JCE key store? []
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> temp.keystore contains "59b8a83024f6d271ac8ec03838d8e3de7c204785" as
>> >>>>>> mentioned in the user guide:
>> >>>>>> "Windows: 'copy con: temp.keystore' and copypaste the string, press
>> >>>>>> Ctrl-Z and Enter"
>> >>>>>>
>> >>>>>> Thanks again.
>> >>>>>>
>> >>>>>> On Mon, Oct 20, 2008 at 10:22 AM, Bruno Bonfils <asyd@...> wrote:
>> >>>>>>
>> >>>>>>> On Mon 20 October, Leonardo L. P. da Mata wrote:
>> >>>>>>>
>> >>>>>>>> I've read the HSM manual and checked that my Security world is a fips level 2.
>> >>>>>>>> The NFAST_HOME is ok. I think this a security issue. I'm gonna try
>> >>>>>>>> with the system administrator.
>> >>>>>>>>
>> >>>>>>> Hi,
>> >>>>>>>
>> >>>>>>> in order to create some key protected by the HSM, you need to create a
>> >>>>>>> Security World, and OCS (Operator Card Set). This procedure is well
>> >>>>>>> documented in the HSM documentations. However I may help if you trouble
>> >>>>>>> (ps: I work at Linagora and I used to work with EJBCA and nCipher).
>> >>>>>>>
>> >>>>>>> If you really already have a security world, check the file permissions,
>> >>>>>>> I don't know how is going on windows, but on unix environnement,
>> >>>>>>> nCipher's default permissions only allow root to read/write the security
>> >>>>>>> world's files.
>> >>>>>>>
>> >>>>>>> BEst regards
>> >>>>>>>
>> >>>>>>> --
>> >>>>>>> http://asyd.net/home/   - Home Page
>> >>>>>>> http://guses.org/home/  - French Speaking (Open)Solaris User Group
>> >>>>>>>
>> >>>>>>> -------------------------------------------------------------------------
>> >>>>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> >>>>>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> >>>>>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> >>>>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> >>>>>>> _______________________________________________
>> >>>>>>> Ejbca-develop mailing list
>> >>>>>>> Ejbca-develop@...
>> >>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>> >>>>>>>
>> >>>>>>>
>> >>>>>> --
>> >>>>>> Leonardo Luiz Padovani da Mata
>> >>>>>> barroca@...
>> >>>>>>
>> >>>>>> "May the force be with you, always"
>> >>>>>> "Nerd Pride... eu tenho. Voce tem?"
>> >>>>>>
>> >>>>>>
>> >>>>>
>> >>>>>
>> >>>> -------------------------------------------------------------------------
>> >>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> >>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> >>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> >>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> >>>> _______________________________________________
>> >>>> Ejbca-develop mailing list
>> >>>> Ejbca-develop@...
>> >>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>> >>>>
>> >>>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>
>> >>
>> >> -------------------------------------------------------------------------
>> >> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> >> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> >> Grand prize is a trip for two to an Open Source event anywhere in the world
>> >> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> >> _______________________________________________
>> >> Ejbca-develop mailing list
>> >> Ejbca-develop@...
>> >> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>> >>
>> >
>> >
>> >
>> > --
>> > Leonardo Luiz Padovani da Mata
>> > barroca@...
>> >
>> > "May the force be with you, always"
>> > "Nerd Pride... eu tenho. Voce tem?"
>> >
>>
>>
>>
>
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Ejbca-develop mailing list
> Ejbca-develop@...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>

> i have 2 different kinds of cards, starcos and american banknote cards..
>
> the starcos card have been initialized with opensc and they work for
> the browser ssl authentication.
> the american banknote cards came initialized from the factory (i don't
> know why people do that).
>
>
>
> On Thu, Oct 30, 2008 at 3:35 PM, Miguel Angel Tormo Alfaro
> <mlists@...> wrote:
> > That means opensc cannot recognize the format of your cards.
> > Which card are you using? Did you format it with opensc?
> >
> > El Jueves, 30 de Octubre de 2008 18:25:09 Leonardo L. P. da Mata escribió:
> >> i mean, the htmf could open the library, but couldn't use it to read
> >> the cards. It says that the card is not supported.
> >>
> >>
> >> On Thu, Oct 30, 2008 at 3:24 PM, Leonardo L. P. da Mata
> >> <barroca@...> wrote:
> >> > it was hanging on oppening the library (wrong pkcs11 interface). i've
> >> > changed to opensc-pkcs11.dll, but now it can't reconize my cards...
> >> >
> >> >
> >> >
> >> > On Thu, Oct 30, 2008 at 8:05 AM, EJBCA Support
> >> > <ejbca-support@...> wrote:
> >> >> Hi Leonardo
> >> >>
> >> >> I'm assuming you are using the java web start deployment of Tolima. The
> >> >> htmf log files are stored in <USER_HOME>/.hardtokenmgmt<n>_<n>.log can
> >> >> you send it to me.
> >> >>
> >> >> Which tokens are you using and which pkcs11 driver?
> >> >>
> >> >> // Regards Philip
> >> >>
> >> >> Leonardo L. P. da Mata skrev:
> >> >>> Hey, i've advanced a lot in the ejbca installation and it's
> >> >>> integration with htmf, but i still can't use htmf correct. I'm sending
> >> >>> this message here because the htmf list has no discussion at all.
> >> >>>
> >> >>> so, i'm using java 6 and intert explorer to access tolima. I've
> >> >>> generated an administrator card, and it seems to work (i can use this
> >> >>> card with other applications to sign).
> >> >>>
> >> >>> after the administrator authenthicate in the htmf, the ejbca send a message:
> >> >>>   19:09:11,390 INFO [Log4jLogDevice] 29 de Outubro de 2008 19h9min11s
> >> >>> BRST, CAId : -1688117755, AUTHORIZATION,
> >> >>> EVENT_INFO_AUTHORIZEDTORESOURCE, Administrator : C LIENTCERT,
> >> >>> Certificate SNR : 3964574de5f7dca8, CN=AdminCA1,O=EJBCA Sample,C=SE,
> >> >>> User : No user involved, Certificate : No certificate involved,
> >> >>> Comment : Resour ce :
> >> >>>
> >> >>> and the htmf hangs with no answer and no debug information.
> >> >>>
> >> >>> Anyone have any idea why this isn't working?
> >> >>>
> >> >>> BTW, the ant deploy of htmf doesn't substitute all variables correct,
> >> >>> the $*.hostname variables are beeing deployed without beeing
> >> >>> substituded. Maybe this is a bug of htmf (TOLIMA)
> >> >>>
> >> >>>
> >> >>> Thanks.
> >> >>>
> >> >>> On Tue, Oct 21, 2008 at 5:34 AM, Tomas Gustavsson <tomas@...> wrote:
> >> >>>
> >> >>>> Thanks added it to docs for next release.
> >> >>>>
> >> >>>> Cheers,
> >> >>>> Tomas
> >> >>>>
> >> >>>>
> >> >>>> Leonardo L. P. da Mata wrote:
> >> >>>>
> >> >>>>> So, after some time trying to find the problem, i think i could get it solved.
> >> >>>>> The eviroment variable JDK_HOME must be set correct for this to work.
> >> >>>>> This is a problem with ncipher software that is not well documented,
> >> >>>>> but i think it is important to put a note in the User's Guide.
> >> >>>>>
> >> >>>>> Command used:
> >> >>>>> C:\Documents and
> >> >>>>> Settings\barroca\Desktop\server_keys>c:\nfast\bin\generatekey.exe
> >> >>>>> --import -c mscapi jcecsp pemreadfile=unprotected.pem
> >> >>>>> keystore=temp.keystore type=RSA alias=imported1
> >> >>>>> Result:
> >> >>>>> recovery: Key recovery? (yes/no) [yes] >
> >> >>>>> keystorepass: JCE key store password? (hidden)
> >> >>>>> x509country: Country code? [] >
> >> >>>>> x509province: State or province? [] >
> >> >>>>> x509locality: City or locality? [] >
> >> >>>>> x509org: Organisation? [] >
> >> >>>>> x509orgunit: Organisation unit? [] >
> >> >>>>> x509dnscommon: Domain name? [] >
> >> >>>>> x509email: Email address? [] >
> >> >>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
> >> >>>>> key generation parameters:
> >> >>>>>  operation      Operation to perform                                      import
> >> >>>>>
> >> >>>>>  application    Application                                               jcecsp
> >> >>>>>
> >> >>>>>  protect        Protected by                                              token
> >> >>>>>  slot           Slot to read cards from                                   0
> >> >>>>>  recovery       Key recovery                                              yes
> >> >>>>>  verify         Verify security of key                                    yes
> >> >>>>>  type           Key type                                                  RSA
> >> >>>>>  pemreadfile    PEM file containing RSA key                               unprot
> >> >>>>> ected.pem
> >> >>>>>  keystore       Filename of JCE key store                                 temp.k
> >> >>>>> eystore
> >> >>>>>  keystorepass   JCE key store password                                    <hidde
> >> >>>>> n>
> >> >>>>>  alias          JCE key alias                                             import
> >> >>>>> ed1
> >> >>>>>  x509country    Country code
> >> >>>>>  x509province   State or province
> >> >>>>>  x509locality   City or locality
> >> >>>>>  x509org        Organisation
> >> >>>>>  x509orgunit    Organisation unit
> >> >>>>>  x509dnscommon  Domain name
> >> >>>>>  x509email      Email address
> >> >>>>>  nvram          Store blob in NVRAM (will require administrator cardset)  no
> >> >>>>>
> >> >>>>> Loading `mscapi':
> >> >>>>>  Module 1: 0 cards of 1 read
> >> >>>>>  Module 1 slot 0: `mscapi' #1 (`oper')
> >> >>>>>  Module 1 slot 0:- passphrase supplied - reading card
> >> >>>>> Card reading complete.
> >> >>>>>
> >> >>>>> Subprocess failed
> >> >>>>> Arguments: {C:/Arquivos de programas/Java/jdk1.6.0_07/bin/java.exe} com.ncipher.
> >> >>>>> provider.tools.ImportKey --keystore temp.keystore --alias imported1 --ident d34d
> >> >>>>> 2ec33c1b108ceb2d890094736947514ab4ca --type com.ncipher.provider.km.KMRSAPrivate
> >> >>>>> Key --certificate C:/nfast/kmdata/tmp/436_basilisco.cert << {123456
> >> >>>>> }
> >> >>>>> Errors:
> >> >>>>> FATAL: error creating temp.keystore
> >> >>>>>
> >> >>>>>
> >> >>>>> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
> >> >>>>> 17:11:36 ERROR: cannot remove kmdata file (C:\nfast\kmdata\local\key_jceshim_d34
> >> >>>>> d2ec33c1b108ceb2d890094736947514ab4ca): No such file or directory
> >> >>>>> nfgk_operate: SoftwareFailed
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>> I still need to test if the key is working correct, but when i list
> >> >>>>> keys with nfkminfo, i can see the new imported keys.
> >> >>>>>
> >> >>>>> Thanks.
> >> >>>>>
> >> >>>>>
> >> >>>>> On Mon, Oct 20, 2008 at 12:27 PM, Leonardo L. P. da Mata
> >> >>>>> <barroca@...> wrote:
> >> >>>>>
> >> >>>>>> Hey Brune, the Security World is ok. I've checked  the file
> >> >>>>>> permissions, and apparently this is not an issue, because i'm getting
> >> >>>>>> the same problem using the system administrator.
> >> >>>>>>
> >> >>>>>> I'm following the steps of ejbca user's guide. When importing a file,
> >> >>>>>> i can't access the keystore of the HSM:
> >> >>>>>>
> >> >>>>>> keystore: Filename of JCE key store? []
> >> >>>>>>
> >> >>>>>>> temp.keystore
> >> >>>>>>>
> >> >>>>>> ERROR: keystore: key store key is missing
> >> >>>>>> keystore: Filename of JCE key store? []
> >> >>>>>>
> >> >>>>>>> 59b8a83024f6d271ac8ec03838d8e3de7c204785
> >> >>>>>>>
> >> >>>>>> ERROR: keystore: cannot open file
> >> >>>>>> keystore: Filename of JCE key store? []
> >> >>>>>>
> >> >>>>>>> c:\nfast\kmdata\local\key_jcecsp_59b8a83024f6d271ac8ec03838d8e3de7c204785
> >> >>>>>>>
> >> >>>>>> ERROR: keystore: invalid keystore
> >> >>>>>> ERROR: keystore: key store key is missing
> >> >>>>>> keystore: Filename of JCE key store? []
> >> >>>>>> ERROR: keystore: invalid filename
> >> >>>>>> keystore: Filename of JCE key store? []
> >> >>>>>>
> >> >>>>>>> c:\nfast\kmdata\local\
> >> >>>>>>>
> >> >>>>>> ERROR: keystore: cannot open file
> >> >>>>>> keystore: Filename of JCE key store? []
> >> >>>>>>
> >> >>>>>>
> >> >>>>>>
> >> >>>>>> temp.keystore contains "59b8a83024f6d271ac8ec03838d8e3de7c204785" as
> >> >>>>>> mentioned in the user guide:
> >> >>>>>> "Windows: 'copy con: temp.keystore' and copypaste the string, press
> >> >>>>>> Ctrl-Z and Enter"
> >> >>>>>>
> >> >>>>>> Thanks again.
> >> >>>>>>
> >> >>>>>> On Mon, Oct 20, 2008 at 10:22 AM, Bruno Bonfils <asyd@...> wrote:
> >> >>>>>>
> >> >>>>>>> On Mon 20 October, Leonardo L. P. da Mata wrote:
> >> >>>>>>>
> >> >>>>>>>> I've read the HSM manual and checked that my Security world is a fips level 2.
> >> >>>>>>>> The NFAST_HOME is ok. I think this a security issue. I'm gonna try
> >> >>>>>>>> with the system administrator.
> >> >>>>>>>>
> >> >>>>>>> Hi,
> >> >>>>>>>
> >> >>>>>>> in order to create some key protected by the HSM, you need to create a
> >> >>>>>>> Security World, and OCS (Operator Card Set). This procedure is well
> >> >>>>>>> documented in the HSM documentations. However I may help if you trouble
> >> >>>>>>> (ps: I work at Linagora and I used to work with EJBCA and nCipher).
> >> >>>>>>>
> >> >>>>>>> If you really already have a security world, check the file permissions,
> >> >>>>>>> I don't know how is going on windows, but on unix environnement,
> >> >>>>>>> nCipher's default permissions only allow root to read/write the security
> >> >>>>>>> world's files.
> >> >>>>>>>
> >> >>>>>>> BEst regards
> >> >>>>>>>
> >> >>>>>>> --
> >> >>>>>>> http://asyd.net/home/   - Home Page
> >> >>>>>>> http://guses.org/home/  - French Speaking (Open)Solaris User Group
> >> >>>>>>>
> >> >>>>>>> -------------------------------------------------------------------------
> >> >>>>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> >> >>>>>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
> >> >>>>>>> Grand prize is a trip for two to an Open Source event anywhere in the world
> >> >>>>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> >> >>>>>>> _______________________________________________
> >> >>>>>>> Ejbca-develop mailing list
> >> >>>>>>> Ejbca-develop@...
> >> >>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>>> --
> >> >>>>>> Leonardo Luiz Padovani da Mata
> >> >>>>>> barroca@...
> >> >>>>>>
> >> >>>>>> "May the force be with you, always"
> >> >>>>>> "Nerd Pride... eu tenho. Voce tem?"
> >> >>>>>>
> >> >>>>>>
> >> >>>>>
> >> >>>>>
> >> >>>> -------------------------------------------------------------------------
> >> >>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> >> >>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
> >> >>>> Grand prize is a trip for two to an Open Source event anywhere in the world
> >> >>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> >> >>>> _______________________________________________
> >> >>>> Ejbca-develop mailing list
> >> >>>> Ejbca-develop@...
> >> >>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> >> >>>>
> >> >>>>
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>
> >> >>
> >> >> -------------------------------------------------------------------------
> >> >> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> >> >> Build the coolest Linux based applications with Moblin SDK & win great prizes
> >> >> Grand prize is a trip for two to an Open Source event anywhere in the world
> >> >> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> >> >> _______________________________________________
> >> >> Ejbca-develop mailing list
> >> >> Ejbca-develop@...
> >> >> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> >> >>
> >> >
> >> >
> >> >
> >> > --
> >> > Leonardo Luiz Padovani da Mata
> >> > barroca@...
> >> >
> >> > "May the force be with you, always"
> >> > "Nerd Pride... eu tenho. Voce tem?"
> >> >
> >>
> >>
> >>
> >
> >
> >
> > -------------------------------------------------------------------------
> > This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> > Build the coolest Linux based applications with Moblin SDK & win great prizes
> > Grand prize is a trip for two to an Open Source event anywhere in the world
> > http://moblin-contest.org/redirect.php?banner_id=100&url=/
> > _______________________________________________
> > Ejbca-develop mailing list
> > Ejbca-develop@...
> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> >
>
>
>

> OK then. So your starcos cards should work with the opensc-pkcs11.dll, but not the american banknote ones...
> I understand your starcos cards work well with firefox and opensc-pkcs11.dll, right?
>
> El Jueves, 30 de Octubre de 2008 19:26:16 Leonardo L. P. da Mata escribió:
>> i have 2 different kinds of cards, starcos and american banknote cards..
>>
>> the starcos card have been initialized with opensc and they work for
>> the browser ssl authentication.
>> the american banknote cards came initialized from the factory (i don't
>> know why people do that).
>>
>>
>>
>> On Thu, Oct 30, 2008 at 3:35 PM, Miguel Angel Tormo Alfaro
>> <mlists@...> wrote:
>> > That means opensc cannot recognize the format of your cards.
>> > Which card are you using? Did you format it with opensc?
>> >
>> > El Jueves, 30 de Octubre de 2008 18:25:09 Leonardo L. P. da Mata escribió:
>> >> i mean, the htmf could open the library, but couldn't use it to read
>> >> the cards. It says that the card is not supported.
>> >>
>> >>
>> >> On Thu, Oct 30, 2008 at 3:24 PM, Leonardo L. P. da Mata
>> >> <barroca@...> wrote:
>> >> > it was hanging on oppening the library (wrong pkcs11 interface). i've
>> >> > changed to opensc-pkcs11.dll, but now it can't reconize my cards...
>> >> >
>> >> >
>> >> >
>> >> > On Thu, Oct 30, 2008 at 8:05 AM, EJBCA Support
>> >> > <ejbca-support@...> wrote:
>> >> >> Hi Leonardo
>> >> >>
>> >> >> I'm assuming you are using the java web start deployment of Tolima. The
>> >> >> htmf log files are stored in <USER_HOME>/.hardtokenmgmt<n>_<n>.log can
>> >> >> you send it to me.
>> >> >>
>> >> >> Which tokens are you using and which pkcs11 driver?
>> >> >>
>> >> >> // Regards Philip
>> >> >>
>> >> >> Leonardo L. P. da Mata skrev:
>> >> >>> Hey, i've advanced a lot in the ejbca installation and it's
>> >> >>> integration with htmf, but i still can't use htmf correct. I'm sending
>> >> >>> this message here because the htmf list has no discussion at all.
>> >> >>>
>> >> >>> so, i'm using java 6 and intert explorer to access tolima. I've
>> >> >>> generated an administrator card, and it seems to work (i can use this
>> >> >>> card with other applications to sign).
>> >> >>>
>> >> >>> after the administrator authenthicate in the htmf, the ejbca send a message:
>> >> >>>   19:09:11,390 INFO [Log4jLogDevice] 29 de Outubro de 2008 19h9min11s
>> >> >>> BRST, CAId : -1688117755, AUTHORIZATION,
>> >> >>> EVENT_INFO_AUTHORIZEDTORESOURCE, Administrator : C LIENTCERT,
>> >> >>> Certificate SNR : 3964574de5f7dca8, CN=AdminCA1,O=EJBCA Sample,C=SE,
>> >> >>> User : No user involved, Certificate : No certificate involved,
>> >> >>> Comment : Resour ce :
>> >> >>>
>> >> >>> and the htmf hangs with no answer and no debug information.
>> >> >>>
>> >> >>> Anyone have any idea why this isn't working?
>> >> >>>
>> >> >>> BTW, the ant deploy of htmf doesn't substitute all variables correct,
>> >> >>> the $*.hostname variables are beeing deployed without beeing
>> >> >>> substituded. Maybe this is a bug of htmf (TOLIMA)
>> >> >>>
>> >> >>>
>> >> >>> Thanks.
>> >> >>>
>> >> >>> On Tue, Oct 21, 2008 at 5:34 AM, Tomas Gustavsson <tomas@...> wrote:
>> >> >>>
>> >> >>>> Thanks added it to docs for next release.
>> >> >>>>
>> >> >>>> Cheers,
>> >> >>>> Tomas
>> >> >>>>
>> >> >>>>
>> >> >>>> Leonardo L. P. da Mata wrote:
>> >> >>>>
>> >> >>>>> So, after some time trying to find the problem, i think i could get it solved.
>> >> >>>>> The eviroment variable JDK_HOME must be set correct for this to work.
>> >> >>>>> This is a problem with ncipher software that is not well documented,
>> >> >>>>> but i think it is important to put a note in the User's Guide.
>> >> >>>>>
>> >> >>>>> Command used:
>> >> >>>>> C:\Documents and
>> >> >>>>> Settings\barroca\Desktop\server_keys>c:\nfast\bin\generatekey.exe
>> >> >>>>> --import -c mscapi jcecsp pemreadfile=unprotected.pem
>> >> >>>>> keystore=temp.keystore type=RSA alias=imported1
>> >> >>>>> Result:
>> >> >>>>> recovery: Key recovery? (yes/no) [yes] >
>> >> >>>>> keystorepass: JCE key store password? (hidden)
>> >> >>>>> x509country: Country code? [] >
>> >> >>>>> x509province: State or province? [] >
>> >> >>>>> x509locality: City or locality? [] >
>> >> >>>>> x509org: Organisation? [] >
>> >> >>>>> x509orgunit: Organisation unit? [] >
>> >> >>>>> x509dnscommon: Domain name? [] >
>> >> >>>>> x509email: Email address? [] >
>> >> >>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>> >> >>>>> key generation parameters:
>> >> >>>>>  operation      Operation to perform                                      import
>> >> >>>>>
>> >> >>>>>  application    Application                                               jcecsp
>> >> >>>>>
>> >> >>>>>  protect        Protected by                                              token
>> >> >>>>>  slot           Slot to read cards from                                   0
>> >> >>>>>  recovery       Key recovery                                              yes
>> >> >>>>>  verify         Verify security of key                                    yes
>> >> >>>>>  type           Key type                                                  RSA
>> >> >>>>>  pemreadfile    PEM file containing RSA key                               unprot
>> >> >>>>> ected.pem
>> >> >>>>>  keystore       Filename of JCE key store                                 temp.k
>> >> >>>>> eystore
>> >> >>>>>  keystorepass   JCE key store password                                    <hidde
>> >> >>>>> n>
>> >> >>>>>  alias          JCE key alias                                             import
>> >> >>>>> ed1
>> >> >>>>>  x509country    Country code
>> >> >>>>>  x509province   State or province
>> >> >>>>>  x509locality   City or locality
>> >> >>>>>  x509org        Organisation
>> >> >>>>>  x509orgunit    Organisation unit
>> >> >>>>>  x509dnscommon  Domain name
>> >> >>>>>  x509email      Email address
>> >> >>>>>  nvram          Store blob in NVRAM (will require administrator cardset)  no
>> >> >>>>>
>> >> >>>>> Loading `mscapi':
>> >> >>>>>  Module 1: 0 cards of 1 read
>> >> >>>>>  Module 1 slot 0: `mscapi' #1 (`oper')
>> >> >>>>>  Module 1 slot 0:- passphrase supplied - reading card
>> >> >>>>> Card reading complete.
>> >> >>>>>
>> >> >>>>> Subprocess failed
>> >> >>>>> Arguments: {C:/Arquivos de programas/Java/jdk1.6.0_07/bin/java.exe} com.ncipher.
>> >> >>>>> provider.tools.ImportKey --keystore temp.keystore --alias imported1 --ident d34d
>> >> >>>>> 2ec33c1b108ceb2d890094736947514ab4ca --type com.ncipher.provider.km.KMRSAPrivate
>> >> >>>>> Key --certificate C:/nfast/kmdata/tmp/436_basilisco.cert << {123456
>> >> >>>>> }
>> >> >>>>> Errors:
>> >> >>>>> FATAL: error creating temp.keystore
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
>> >> >>>>> 17:11:36 ERROR: cannot remove kmdata file (C:\nfast\kmdata\local\key_jceshim_d34
>> >> >>>>> d2ec33c1b108ceb2d890094736947514ab4ca): No such file or directory
>> >> >>>>> nfgk_operate: SoftwareFailed
>> >> >>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> I still need to test if the key is working correct, but when i list
>> >> >>>>> keys with nfkminfo, i can see the new imported keys.
>> >> >>>>>
>> >> >>>>> Thanks.
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> On Mon, Oct 20, 2008 at 12:27 PM, Leonardo L. P. da Mata
>> >> >>>>> <barroca@...> wrote:
>> >> >>>>>
>> >> >>>>>> Hey Brune, the Security World is ok. I've checked  the file
>> >> >>>>>> permissions, and apparently this is not an issue, because i'm getting
>> >> >>>>>> the same problem using the system administrator.
>> >> >>>>>>
>> >> >>>>>> I'm following the steps of ejbca user's guide. When importing a file,
>> >> >>>>>> i can't access the keystore of the HSM:
>> >> >>>>>>
>> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >>>>>>
>> >> >>>>>>> temp.keystore
>> >> >>>>>>>
>> >> >>>>>> ERROR: keystore: key store key is missing
>> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >>>>>>
>> >> >>>>>>> 59b8a83024f6d271ac8ec03838d8e3de7c204785
>> >> >>>>>>>
>> >> >>>>>> ERROR: keystore: cannot open file
>> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >>>>>>
>> >> >>>>>>> c:\nfast\kmdata\local\key_jcecsp_59b8a83024f6d271ac8ec03838d8e3de7c204785
>> >> >>>>>>>
>> >> >>>>>> ERROR: keystore: invalid keystore
>> >> >>>>>> ERROR: keystore: key store key is missing
>> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >>>>>> ERROR: keystore: invalid filename
>> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >>>>>>
>> >> >>>>>>> c:\nfast\kmdata\local\
>> >> >>>>>>>
>> >> >>>>>> ERROR: keystore: cannot open file
>> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>> temp.keystore contains "59b8a83024f6d271ac8ec03838d8e3de7c204785" as
>> >> >>>>>> mentioned in the user guide:
>> >> >>>>>> "Windows: 'copy con: temp.keystore' and copypaste the string, press
>> >> >>>>>> Ctrl-Z and Enter"
>> >> >>>>>>
>> >> >>>>>> Thanks again.
>> >> >>>>>>
>> >> >>>>>> On Mon, Oct 20, 2008 at 10:22 AM, Bruno Bonfils <asyd@...> wrote:
>> >> >>>>>>
>> >> >>>>>>> On Mon 20 October, Leonardo L. P. da Mata wrote:
>> >> >>>>>>>
>> >> >>>>>>>> I've read the HSM manual and checked that my Security world is a fips level 2.
>> >> >>>>>>>> The NFAST_HOME is ok. I think this a security issue. I'm gonna try
>> >> >>>>>>>> with the system administrator.
>> >> >>>>>>>>
>> >> >>>>>>> Hi,
>> >> >>>>>>>
>> >> >>>>>>> in order to create some key protected by the HSM, you need to create a
>> >> >>>>>>> Security World, and OCS (Operator Card Set). This procedure is well
>> >> >>>>>>> documented in the HSM documentations. However I may help if you trouble
>> >> >>>>>>> (ps: I work at Linagora and I used to work with EJBCA and nCipher).
>> >> >>>>>>>
>> >> >>>>>>> If you really already have a security world, check the file permissions,
>> >> >>>>>>> I don't know how is going on windows, but on unix environnement,
>> >> >>>>>>> nCipher's default permissions only allow root to read/write the security
>> >> >>>>>>> world's files.
>> >> >>>>>>>
>> >> >>>>>>> BEst regards
>> >> >>>>>>>
>> >> >>>>>>> --
>> >> >>>>>>> http://asyd.net/home/   - Home Page
>> >> >>>>>>> http://guses.org/home/  - French Speaking (Open)Solaris User Group
>> >> >>>>>>>
>> >> >>>>>>> -------------------------------------------------------------------------
>> >> >>>>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> >> >>>>>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> >> >>>>>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> >> >>>>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> >> >>>>>>> _______________________________________________
>> >> >>>>>>> Ejbca-develop mailing list
>> >> >>>>>>> Ejbca-develop@...
>> >> >>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>> >> >>>>>>>
>> >> >>>>>>>
>> >> >>>>>> --
>> >> >>>>>> Leonardo Luiz Padovani da Mata
>> >> >>>>>> barroca@...
>> >> >>>>>>
>> >> >>>>>> "May the force be with you, always"
>> >> >>>>>> "Nerd Pride... eu tenho. Voce tem?"
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>> -------------------------------------------------------------------------
>> >> >>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> >> >>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> >> >>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> >> >>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> >> >>>> _______________________________________________
>> >> >>>> Ejbca-develop mailing list
>> >> >>>> Ejbca-develop@...
>> >> >>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>> >> >>>>
>> >> >>>>
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>
>> >> >>
>> >> >> -------------------------------------------------------------------------
>> >> >> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> >> >> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> >> >> Grand prize is a trip for two to an Open Source event anywhere in the world
>> >> >> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> >> >> _______________________________________________
>> >> >> Ejbca-develop mailing list
>> >> >> Ejbca-develop@...
>> >> >> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Leonardo Luiz Padovani da Mata
>> >> > barroca@...
>> >> >
>> >> > "May the force be with you, always"
>> >> > "Nerd Pride... eu tenho. Voce tem?"
>> >> >
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> > -------------------------------------------------------------------------
>> > This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> > Build the coolest Linux based applications with Moblin SDK & win great prizes
>> > Grand prize is a trip for two to an Open Source event anywhere in the world
>> > http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> > _______________________________________________
>> > Ejbca-develop mailing list
>> > Ejbca-develop@...
>> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>> >
>>
>>
>>
>
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Ejbca-develop mailing list
> Ejbca-develop@...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>

> yes, they work well with firefox, but the htmf could not reconize
> them... maybe i did something wrong during the initialization of those
> cards.
>
> do you why those american banknotes won't work?
>
> On Thu, Oct 30, 2008 at 4:41 PM, Miguel Angel Tormo Alfaro
> <mlists@...> wrote:
> > OK then. So your starcos cards should work with the opensc-pkcs11.dll, but not the american banknote ones...
> > I understand your starcos cards work well with firefox and opensc-pkcs11.dll, right?
> >
> > El Jueves, 30 de Octubre de 2008 19:26:16 Leonardo L. P. da Mata escribió:
> >> i have 2 different kinds of cards, starcos and american banknote cards..
> >>
> >> the starcos card have been initialized with opensc and they work for
> >> the browser ssl authentication.
> >> the american banknote cards came initialized from the factory (i don't
> >> know why people do that).
> >>
> >>
> >>
> >> On Thu, Oct 30, 2008 at 3:35 PM, Miguel Angel Tormo Alfaro
> >> <mlists@...> wrote:
> >> > That means opensc cannot recognize the format of your cards.
> >> > Which card are you using? Did you format it with opensc?
> >> >
> >> > El Jueves, 30 de Octubre de 2008 18:25:09 Leonardo L. P. da Mata escribió:
> >> >> i mean, the htmf could open the library, but couldn't use it to read
> >> >> the cards. It says that the card is not supported.
> >> >>
> >> >>
> >> >> On Thu, Oct 30, 2008 at 3:24 PM, Leonardo L. P. da Mata
> >> >> <barroca@...> wrote:
> >> >> > it was hanging on oppening the library (wrong pkcs11 interface). i've
> >> >> > changed to opensc-pkcs11.dll, but now it can't reconize my cards...
> >> >> >
> >> >> >
> >> >> >
> >> >> > On Thu, Oct 30, 2008 at 8:05 AM, EJBCA Support
> >> >> > <ejbca-support@...> wrote:
> >> >> >> Hi Leonardo
> >> >> >>
> >> >> >> I'm assuming you are using the java web start deployment of Tolima. The
> >> >> >> htmf log files are stored in <USER_HOME>/.hardtokenmgmt<n>_<n>.log can
> >> >> >> you send it to me.
> >> >> >>
> >> >> >> Which tokens are you using and which pkcs11 driver?
> >> >> >>
> >> >> >> // Regards Philip
> >> >> >>
> >> >> >> Leonardo L. P. da Mata skrev:
> >> >> >>> Hey, i've advanced a lot in the ejbca installation and it's
> >> >> >>> integration with htmf, but i still can't use htmf correct. I'm sending
> >> >> >>> this message here because the htmf list has no discussion at all.
> >> >> >>>
> >> >> >>> so, i'm using java 6 and intert explorer to access tolima. I've
> >> >> >>> generated an administrator card, and it seems to work (i can use this
> >> >> >>> card with other applications to sign).
> >> >> >>>
> >> >> >>> after the administrator authenthicate in the htmf, the ejbca send a message:
> >> >> >>>   19:09:11,390 INFO [Log4jLogDevice] 29 de Outubro de 2008 19h9min11s
> >> >> >>> BRST, CAId : -1688117755, AUTHORIZATION,
> >> >> >>> EVENT_INFO_AUTHORIZEDTORESOURCE, Administrator : C LIENTCERT,
> >> >> >>> Certificate SNR : 3964574de5f7dca8, CN=AdminCA1,O=EJBCA Sample,C=SE,
> >> >> >>> User : No user involved, Certificate : No certificate involved,
> >> >> >>> Comment : Resour ce :
> >> >> >>>
> >> >> >>> and the htmf hangs with no answer and no debug information.
> >> >> >>>
> >> >> >>> Anyone have any idea why this isn't working?
> >> >> >>>
> >> >> >>> BTW, the ant deploy of htmf doesn't substitute all variables correct,
> >> >> >>> the $*.hostname variables are beeing deployed without beeing
> >> >> >>> substituded. Maybe this is a bug of htmf (TOLIMA)
> >> >> >>>
> >> >> >>>
> >> >> >>> Thanks.
> >> >> >>>
> >> >> >>> On Tue, Oct 21, 2008 at 5:34 AM, Tomas Gustavsson <tomas@...> wrote:
> >> >> >>>
> >> >> >>>> Thanks added it to docs for next release.
> >> >> >>>>
> >> >> >>>> Cheers,
> >> >> >>>> Tomas
> >> >> >>>>
> >> >> >>>>
> >> >> >>>> Leonardo L. P. da Mata wrote:
> >> >> >>>>
> >> >> >>>>> So, after some time trying to find the problem, i think i could get it solved.
> >> >> >>>>> The eviroment variable JDK_HOME must be set correct for this to work.
> >> >> >>>>> This is a problem with ncipher software that is not well documented,
> >> >> >>>>> but i think it is important to put a note in the User's Guide.
> >> >> >>>>>
> >> >> >>>>> Command used:
> >> >> >>>>> C:\Documents and
> >> >> >>>>> Settings\barroca\Desktop\server_keys>c:\nfast\bin\generatekey.exe
> >> >> >>>>> --import -c mscapi jcecsp pemreadfile=unprotected.pem
> >> >> >>>>> keystore=temp.keystore type=RSA alias=imported1
> >> >> >>>>> Result:
> >> >> >>>>> recovery: Key recovery? (yes/no) [yes] >
> >> >> >>>>> keystorepass: JCE key store password? (hidden)
> >> >> >>>>> x509country: Country code? [] >
> >> >> >>>>> x509province: State or province? [] >
> >> >> >>>>> x509locality: City or locality? [] >
> >> >> >>>>> x509org: Organisation? [] >
> >> >> >>>>> x509orgunit: Organisation unit? [] >
> >> >> >>>>> x509dnscommon: Domain name? [] >
> >> >> >>>>> x509email: Email address? [] >
> >> >> >>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
> >> >> >>>>> key generation parameters:
> >> >> >>>>>  operation      Operation to perform                                      import
> >> >> >>>>>
> >> >> >>>>>  application    Application                                               jcecsp
> >> >> >>>>>
> >> >> >>>>>  protect        Protected by                                              token
> >> >> >>>>>  slot           Slot to read cards from                                   0
> >> >> >>>>>  recovery       Key recovery                                              yes
> >> >> >>>>>  verify         Verify security of key                                    yes
> >> >> >>>>>  type           Key type                                                  RSA
> >> >> >>>>>  pemreadfile    PEM file containing RSA key                               unprot
> >> >> >>>>> ected.pem
> >> >> >>>>>  keystore       Filename of JCE key store                                 temp.k
> >> >> >>>>> eystore
> >> >> >>>>>  keystorepass   JCE key store password                                    <hidde
> >> >> >>>>> n>
> >> >> >>>>>  alias          JCE key alias                                             import
> >> >> >>>>> ed1
> >> >> >>>>>  x509country    Country code
> >> >> >>>>>  x509province   State or province
> >> >> >>>>>  x509locality   City or locality
> >> >> >>>>>  x509org        Organisation
> >> >> >>>>>  x509orgunit    Organisation unit
> >> >> >>>>>  x509dnscommon  Domain name
> >> >> >>>>>  x509email      Email address
> >> >> >>>>>  nvram          Store blob in NVRAM (will require administrator cardset)  no
> >> >> >>>>>
> >> >> >>>>> Loading `mscapi':
> >> >> >>>>>  Module 1: 0 cards of 1 read
> >> >> >>>>>  Module 1 slot 0: `mscapi' #1 (`oper')
> >> >> >>>>>  Module 1 slot 0:- passphrase supplied - reading card
> >> >> >>>>> Card reading complete.
> >> >> >>>>>
> >> >> >>>>> Subprocess failed
> >> >> >>>>> Arguments: {C:/Arquivos de programas/Java/jdk1.6.0_07/bin/java.exe} com.ncipher.
> >> >> >>>>> provider.tools.ImportKey --keystore temp.keystore --alias imported1 --ident d34d
> >> >> >>>>> 2ec33c1b108ceb2d890094736947514ab4ca --type com.ncipher.provider.km.KMRSAPrivate
> >> >> >>>>> Key --certificate C:/nfast/kmdata/tmp/436_basilisco.cert << {123456
> >> >> >>>>> }
> >> >> >>>>> Errors:
> >> >> >>>>> FATAL: error creating temp.keystore
> >> >> >>>>>
> >> >> >>>>>
> >> >> >>>>> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
> >> >> >>>>> 17:11:36 ERROR: cannot remove kmdata file (C:\nfast\kmdata\local\key_jceshim_d34
> >> >> >>>>> d2ec33c1b108ceb2d890094736947514ab4ca): No such file or directory
> >> >> >>>>> nfgk_operate: SoftwareFailed
> >> >> >>>>>
> >> >> >>>>>
> >> >> >>>>>
> >> >> >>>>> I still need to test if the key is working correct, but when i list
> >> >> >>>>> keys with nfkminfo, i can see the new imported keys.
> >> >> >>>>>
> >> >> >>>>> Thanks.
> >> >> >>>>>
> >> >> >>>>>
> >> >> >>>>> On Mon, Oct 20, 2008 at 12:27 PM, Leonardo L. P. da Mata
> >> >> >>>>> <barroca@...> wrote:
> >> >> >>>>>
> >> >> >>>>>> Hey Brune, the Security World is ok. I've checked  the file
> >> >> >>>>>> permissions, and apparently this is not an issue, because i'm getting
> >> >> >>>>>> the same problem using the system administrator.
> >> >> >>>>>>
> >> >> >>>>>> I'm following the steps of ejbca user's guide. When importing a file,
> >> >> >>>>>> i can't access the keystore of the HSM:
> >> >> >>>>>>
> >> >> >>>>>> keystore: Filename of JCE key store? []
> >> >> >>>>>>
> >> >> >>>>>>> temp.keystore
> >> >> >>>>>>>
> >> >> >>>>>> ERROR: keystore: key store key is missing
> >> >> >>>>>> keystore: Filename of JCE key store? []
> >> >> >>>>>>
> >> >> >>>>>>> 59b8a83024f6d271ac8ec03838d8e3de7c204785
> >> >> >>>>>>>
> >> >> >>>>>> ERROR: keystore: cannot open file
> >> >> >>>>>> keystore: Filename of JCE key store? []
> >> >> >>>>>>
> >> >> >>>>>>> c:\nfast\kmdata\local\key_jcecsp_59b8a83024f6d271ac8ec03838d8e3de7c204785
> >> >> >>>>>>>
> >> >> >>>>>> ERROR: keystore: invalid keystore
> >> >> >>>>>> ERROR: keystore: key store key is missing
> >> >> >>>>>> keystore: Filename of JCE key store? []
> >> >> >>>>>> ERROR: keystore: invalid filename
> >> >> >>>>>> keystore: Filename of JCE key store? []
> >> >> >>>>>>
> >> >> >>>>>>> c:\nfast\kmdata\local\
> >> >> >>>>>>>
> >> >> >>>>>> ERROR: keystore: cannot open file
> >> >> >>>>>> keystore: Filename of JCE key store? []
> >> >> >>>>>>
> >> >> >>>>>>
> >> >> >>>>>>
> >> >> >>>>>> temp.keystore contains "59b8a83024f6d271ac8ec03838d8e3de7c204785" as
> >> >> >>>>>> mentioned in the user guide:
> >> >> >>>>>> "Windows: 'copy con: temp.keystore' and copypaste the string, press
> >> >> >>>>>> Ctrl-Z and Enter"
> >> >> >>>>>>
> >> >> >>>>>> Thanks again.
> >> >> >>>>>>
> >> >> >>>>>> On Mon, Oct 20, 2008 at 10:22 AM, Bruno Bonfils <asyd@...> wrote:
> >> >> >>>>>>
> >> >> >>>>>>> On Mon 20 October, Leonardo L. P. da Mata wrote:
> >> >> >>>>>>>
> >> >> >>>>>>>> I've read the HSM manual and checked that my Security world is a fips level 2.
> >> >> >>>>>>>> The NFAST_HOME is ok. I think this a security issue. I'm gonna try
> >> >> >>>>>>>> with the system administrator.
> >> >> >>>>>>>>
> >> >> >>>>>>> Hi,
> >> >> >>>>>>>
> >> >> >>>>>>> in order to create some key protected by the HSM, you need to create a
> >> >> >>>>>>> Security World, and OCS (Operator Card Set). This procedure is well
> >> >> >>>>>>> documented in the HSM documentations. However I may help if you trouble
> >> >> >>>>>>> (ps: I work at Linagora and I used to work with EJBCA and nCipher).
> >> >> >>>>>>>
> >> >> >>>>>>> If you really already have a security world, check the file permissions,
> >> >> >>>>>>> I don't know how is going on windows, but on unix environnement,
> >> >> >>>>>>> nCipher's default permissions only allow root to read/write the security
> >> >> >>>>>>> world's files.
> >> >> >>>>>>>
> >> >> >>>>>>> BEst regards
> >> >> >>>>>>>
> >> >> >>>>>>> --
> >> >> >>>>>>> http://asyd.net/home/   - Home Page
> >> >> >>>>>>> http://guses.org/home/  - French Speaking (Open)Solaris User Group
> >> >> >>>>>>>
> >> >> >>>>>>> -------------------------------------------------------------------------
> >> >> >>>>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> >> >> >>>>>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
> >> >> >>>>>>> Grand prize is a trip for two to an Open Source event anywhere in the world
> >> >> >>>>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> >> >> >>>>>>> _______________________________________________
> >> >> >>>>>>> Ejbca-develop mailing list
> >> >> >>>>>>> Ejbca-develop@...
> >> >> >>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> >> >> >>>>>>>
> >> >> >>>>>>>
> >> >> >>>>>> --
> >> >> >>>>>> Leonardo Luiz Padovani da Mata
> >> >> >>>>>> barroca@...
> >> >> >>>>>>
> >> >> >>>>>> "May the force be with you, always"
> >> >> >>>>>> "Nerd Pride... eu tenho. Voce tem?"
> >> >> >>>>>>
> >> >> >>>>>>
> >> >> >>>>>
> >> >> >>>>>
> >> >> >>>> -------------------------------------------------------------------------
> >> >> >>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> >> >> >>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
> >> >> >>>> Grand prize is a trip for two to an Open Source event anywhere in the world
> >> >> >>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> >> >> >>>> _______________________________________________
> >> >> >>>> Ejbca-develop mailing list
> >> >> >>>> Ejbca-develop@...
> >> >> >>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> >> >> >>>>
> >> >> >>>>
> >> >> >>>
> >> >> >>>
> >> >> >>>
> >> >> >>>
> >> >> >>
> >> >> >>
> >> >> >> -------------------------------------------------------------------------
> >> >> >> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> >> >> >> Build the coolest Linux based applications with Moblin SDK & win great prizes
> >> >> >> Grand prize is a trip for two to an Open Source event anywhere in the world
> >> >> >> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> >> >> >> _______________________________________________
> >> >> >> Ejbca-develop mailing list
> >> >> >> Ejbca-develop@...
> >> >> >> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> >> >> >>
> >> >> >
> >> >> >
> >> >> >
> >> >> > --
> >> >> > Leonardo Luiz Padovani da Mata
> >> >> > barroca@...
> >> >> >
> >> >> > "May the force be with you, always"
> >> >> > "Nerd Pride... eu tenho. Voce tem?"
> >> >> >
> >> >>
> >> >>
> >> >>
> >> >
> >> >
> >> >
> >> > -------------------------------------------------------------------------
> >> > This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> >> > Build the coolest Linux based applications with Moblin SDK & win great prizes
> >> > Grand prize is a trip for two to an Open Source event anywhere in the world
> >> > http://moblin-contest.org/redirect.php?banner_id=100&url=/
> >> > _______________________________________________
> >> > Ejbca-develop mailing list
> >> > Ejbca-develop@...
> >> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> >> >
> >>
> >>
> >>
> >
> >
> >
> > -------------------------------------------------------------------------
> > This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> > Build the coolest Linux based applications with Moblin SDK & win great prizes
> > Grand prize is a trip for two to an Open Source event anywhere in the world
> > http://moblin-contest.org/redirect.php?banner_id=100&url=/
> > _______________________________________________
> > Ejbca-develop mailing list
> > Ejbca-develop@...
> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> >
>
>
>

> Well, your american banknotes won't work with opensc mainly because they weren't initialized by opensc so their internal format is only understanable by the application which did the initialization.
> On the other hand, you should check the opensc website or ask the mainling list to see if those cards are supported, I think they're not.
>
> El Jueves, 30 de Octubre de 2008 19:49:30 Leonardo L. P. da Mata escribió:
>> yes, they work well with firefox, but the htmf could not reconize
>> them... maybe i did something wrong during the initialization of those
>> cards.
>>
>> do you why those american banknotes won't work?
>>
>> On Thu, Oct 30, 2008 at 4:41 PM, Miguel Angel Tormo Alfaro
>> <mlists@...> wrote:
>> > OK then. So your starcos cards should work with the opensc-pkcs11.dll, but not the american banknote ones...
>> > I understand your starcos cards work well with firefox and opensc-pkcs11.dll, right?
>> >
>> > El Jueves, 30 de Octubre de 2008 19:26:16 Leonardo L. P. da Mata escribió:
>> >> i have 2 different kinds of cards, starcos and american banknote cards..
>> >>
>> >> the starcos card have been initialized with opensc and they work for
>> >> the browser ssl authentication.
>> >> the american banknote cards came initialized from the factory (i don't
>> >> know why people do that).
>> >>
>> >>
>> >>
>> >> On Thu, Oct 30, 2008 at 3:35 PM, Miguel Angel Tormo Alfaro
>> >> <mlists@...> wrote:
>> >> > That means opensc cannot recognize the format of your cards.
>> >> > Which card are you using? Did you format it with opensc?
>> >> >
>> >> > El Jueves, 30 de Octubre de 2008 18:25:09 Leonardo L. P. da Mata escribió:
>> >> >> i mean, the htmf could open the library, but couldn't use it to read
>> >> >> the cards. It says that the card is not supported.
>> >> >>
>> >> >>
>> >> >> On Thu, Oct 30, 2008 at 3:24 PM, Leonardo L. P. da Mata
>> >> >> <barroca@...> wrote:
>> >> >> > it was hanging on oppening the library (wrong pkcs11 interface). i've
>> >> >> > changed to opensc-pkcs11.dll, but now it can't reconize my cards...
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > On Thu, Oct 30, 2008 at 8:05 AM, EJBCA Support
>> >> >> > <ejbca-support@...> wrote:
>> >> >> >> Hi Leonardo
>> >> >> >>
>> >> >> >> I'm assuming you are using the java web start deployment of Tolima. The
>> >> >> >> htmf log files are stored in <USER_HOME>/.hardtokenmgmt<n>_<n>.log can
>> >> >> >> you send it to me.
>> >> >> >>
>> >> >> >> Which tokens are you using and which pkcs11 driver?
>> >> >> >>
>> >> >> >> // Regards Philip
>> >> >> >>
>> >> >> >> Leonardo L. P. da Mata skrev:
>> >> >> >>> Hey, i've advanced a lot in the ejbca installation and it's
>> >> >> >>> integration with htmf, but i still can't use htmf correct. I'm sending
>> >> >> >>> this message here because the htmf list has no discussion at all.
>> >> >> >>>
>> >> >> >>> so, i'm using java 6 and intert explorer to access tolima. I've
>> >> >> >>> generated an administrator card, and it seems to work (i can use this
>> >> >> >>> card with other applications to sign).
>> >> >> >>>
>> >> >> >>> after the administrator authenthicate in the htmf, the ejbca send a message:
>> >> >> >>>   19:09:11,390 INFO [Log4jLogDevice] 29 de Outubro de 2008 19h9min11s
>> >> >> >>> BRST, CAId : -1688117755, AUTHORIZATION,
>> >> >> >>> EVENT_INFO_AUTHORIZEDTORESOURCE, Administrator : C LIENTCERT,
>> >> >> >>> Certificate SNR : 3964574de5f7dca8, CN=AdminCA1,O=EJBCA Sample,C=SE,
>> >> >> >>> User : No user involved, Certificate : No certificate involved,
>> >> >> >>> Comment : Resour ce :
>> >> >> >>>
>> >> >> >>> and the htmf hangs with no answer and no debug information.
>> >> >> >>>
>> >> >> >>> Anyone have any idea why this isn't working?
>> >> >> >>>
>> >> >> >>> BTW, the ant deploy of htmf doesn't substitute all variables correct,
>> >> >> >>> the $*.hostname variables are beeing deployed without beeing
>> >> >> >>> substituded. Maybe this is a bug of htmf (TOLIMA)
>> >> >> >>>
>> >> >> >>>
>> >> >> >>> Thanks.
>> >> >> >>>
>> >> >> >>> On Tue, Oct 21, 2008 at 5:34 AM, Tomas Gustavsson <tomas@...> wrote:
>> >> >> >>>
>> >> >> >>>> Thanks added it to docs for next release.
>> >> >> >>>>
>> >> >> >>>> Cheers,
>> >> >> >>>> Tomas
>> >> >> >>>>
>> >> >> >>>>
>> >> >> >>>> Leonardo L. P. da Mata wrote:
>> >> >> >>>>
>> >> >> >>>>> So, after some time trying to find the problem, i think i could get it solved.
>> >> >> >>>>> The eviroment variable JDK_HOME must be set correct for this to work.
>> >> >> >>>>> This is a problem with ncipher software that is not well documented,
>> >> >> >>>>> but i think it is important to put a note in the User's Guide.
>> >> >> >>>>>
>> >> >> >>>>> Command used:
>> >> >> >>>>> C:\Documents and
>> >> >> >>>>> Settings\barroca\Desktop\server_keys>c:\nfast\bin\generatekey.exe
>> >> >> >>>>> --import -c mscapi jcecsp pemreadfile=unprotected.pem
>> >> >> >>>>> keystore=temp.keystore type=RSA alias=imported1
>> >> >> >>>>> Result:
>> >> >> >>>>> recovery: Key recovery? (yes/no) [yes] >
>> >> >> >>>>> keystorepass: JCE key store password? (hidden)
>> >> >> >>>>> x509country: Country code? [] >
>> >> >> >>>>> x509province: State or province? [] >
>> >> >> >>>>> x509locality: City or locality? [] >
>> >> >> >>>>> x509org: Organisation? [] >
>> >> >> >>>>> x509orgunit: Organisation unit? [] >
>> >> >> >>>>> x509dnscommon: Domain name? [] >
>> >> >> >>>>> x509email: Email address? [] >
>> >> >> >>>>> nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no]
>> >> >> >>>>> key generation parameters:
>> >> >> >>>>>  operation      Operation to perform                                      import
>> >> >> >>>>>
>> >> >> >>>>>  application    Application                                               jcecsp
>> >> >> >>>>>
>> >> >> >>>>>  protect        Protected by                                              token
>> >> >> >>>>>  slot           Slot to read cards from                                   0
>> >> >> >>>>>  recovery       Key recovery                                              yes
>> >> >> >>>>>  verify         Verify security of key                                    yes
>> >> >> >>>>>  type           Key type                                                  RSA
>> >> >> >>>>>  pemreadfile    PEM file containing RSA key                               unprot
>> >> >> >>>>> ected.pem
>> >> >> >>>>>  keystore       Filename of JCE key store                                 temp.k
>> >> >> >>>>> eystore
>> >> >> >>>>>  keystorepass   JCE key store password                                    <hidde
>> >> >> >>>>> n>
>> >> >> >>>>>  alias          JCE key alias                                             import
>> >> >> >>>>> ed1
>> >> >> >>>>>  x509country    Country code
>> >> >> >>>>>  x509province   State or province
>> >> >> >>>>>  x509locality   City or locality
>> >> >> >>>>>  x509org        Organisation
>> >> >> >>>>>  x509orgunit    Organisation unit
>> >> >> >>>>>  x509dnscommon  Domain name
>> >> >> >>>>>  x509email      Email address
>> >> >> >>>>>  nvram          Store blob in NVRAM (will require administrator cardset)  no
>> >> >> >>>>>
>> >> >> >>>>> Loading `mscapi':
>> >> >> >>>>>  Module 1: 0 cards of 1 read
>> >> >> >>>>>  Module 1 slot 0: `mscapi' #1 (`oper')
>> >> >> >>>>>  Module 1 slot 0:- passphrase supplied - reading card
>> >> >> >>>>> Card reading complete.
>> >> >> >>>>>
>> >> >> >>>>> Subprocess failed
>> >> >> >>>>> Arguments: {C:/Arquivos de programas/Java/jdk1.6.0_07/bin/java.exe} com.ncipher.
>> >> >> >>>>> provider.tools.ImportKey --keystore temp.keystore --alias imported1 --ident d34d
>> >> >> >>>>> 2ec33c1b108ceb2d890094736947514ab4ca --type com.ncipher.provider.km.KMRSAPrivate
>> >> >> >>>>> Key --certificate C:/nfast/kmdata/tmp/436_basilisco.cert << {123456
>> >> >> >>>>> }
>> >> >> >>>>> Errors:
>> >> >> >>>>> FATAL: error creating temp.keystore
>> >> >> >>>>>
>> >> >> >>>>>
>> >> >> >>>>> ERROR: Tcl_Eval of 'store' failed: child process exited abnormally
>> >> >> >>>>> 17:11:36 ERROR: cannot remove kmdata file (C:\nfast\kmdata\local\key_jceshim_d34
>> >> >> >>>>> d2ec33c1b108ceb2d890094736947514ab4ca): No such file or directory
>> >> >> >>>>> nfgk_operate: SoftwareFailed
>> >> >> >>>>>
>> >> >> >>>>>
>> >> >> >>>>>
>> >> >> >>>>> I still need to test if the key is working correct, but when i list
>> >> >> >>>>> keys with nfkminfo, i can see the new imported keys.
>> >> >> >>>>>
>> >> >> >>>>> Thanks.
>> >> >> >>>>>
>> >> >> >>>>>
>> >> >> >>>>> On Mon, Oct 20, 2008 at 12:27 PM, Leonardo L. P. da Mata
>> >> >> >>>>> <barroca@...> wrote:
>> >> >> >>>>>
>> >> >> >>>>>> Hey Brune, the Security World is ok. I've checked  the file
>> >> >> >>>>>> permissions, and apparently this is not an issue, because i'm getting
>> >> >> >>>>>> the same problem using the system administrator.
>> >> >> >>>>>>
>> >> >> >>>>>> I'm following the steps of ejbca user's guide. When importing a file,
>> >> >> >>>>>> i can't access the keystore of the HSM:
>> >> >> >>>>>>
>> >> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >> >>>>>>
>> >> >> >>>>>>> temp.keystore
>> >> >> >>>>>>>
>> >> >> >>>>>> ERROR: keystore: key store key is missing
>> >> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >> >>>>>>
>> >> >> >>>>>>> 59b8a83024f6d271ac8ec03838d8e3de7c204785
>> >> >> >>>>>>>
>> >> >> >>>>>> ERROR: keystore: cannot open file
>> >> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >> >>>>>>
>> >> >> >>>>>>> c:\nfast\kmdata\local\key_jcecsp_59b8a83024f6d271ac8ec03838d8e3de7c204785
>> >> >> >>>>>>>
>> >> >> >>>>>> ERROR: keystore: invalid keystore
>> >> >> >>>>>> ERROR: keystore: key store key is missing
>> >> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >> >>>>>> ERROR: keystore: invalid filename
>> >> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >> >>>>>>
>> >> >> >>>>>>> c:\nfast\kmdata\local\
>> >> >> >>>>>>>
>> >> >> >>>>>> ERROR: keystore: cannot open file
>> >> >> >>>>>> keystore: Filename of JCE key store? []
>> >> >> >>>>>>
>> >> >> >>>>>>
>> >> >> >>>>>>
>> >> >> >>>>>> temp.keystore contains "59b8a83024f6d271ac8ec03838d8e3de7c204785" as
>> >> >> >>>>>> mentioned in the user guide:
>> >> >> >>>>>> "Windows: 'copy con: temp.keystore' and copypaste the string, press
>> >> >> >>>>>> Ctrl-Z and Enter"
>> >> >> >>>>>>
>> >> >> >>>>>> Thanks again.
>> >> >> >>>>>>
>> >> >> >>>>>> On Mon, Oct 20, 2008 at 10:22 AM, Bruno Bonfils <asyd@...> wrote:
>> >> >> >>>>>>
>> >> >> >>>>>>> On Mon 20 October, Leonardo L. P. da Mata wrote:
>> >> >> >>>>>>>
>> >> >> >>>>>>>> I've read the HSM manual and checked that my Security world is a fips level 2.
>> >> >> >>>>>>>> The NFAST_HOME is ok. I think this a security issue. I'm gonna try
>> >> >> >>>>>>>> with the system administrator.
>> >> >> >>>>>>>>
>> >> >> >>>>>>> Hi,
>> >> >> >>>>>>>
>> >> >> >>>>>>> in order to create some key protected by the HSM, you need to create a
>> >> >> >>>>>>> Security World, and OCS (Operator Card Set). This procedure is well
>> >> >> >>>>>>> documented in the HSM documentations. However I may help if you trouble
>> >> >> >>>>>>> (ps: I work at Linagora and I used to work with EJBCA and nCipher).
>> >> >> >>>>>>>
>> >> >> >>>>>>> If you really already have a security world, check the file permissions,
>> >> >> >>>>>>> I don't know how is going on windows, but on unix environnement,
>> >> >> >>>>>>> nCipher's default permissions only allow root to read/write the security
>> >> >> >>>>>>> world's files.
>> >> >> >>>>>>>
>> >> >> >>>>>>> BEst regards
>> >> >> >>>>>>>
>> >> >> >>>>>>> --
>> >> >> >>>>>>> http://asyd.net/home/   - Home Page
>> >> >> >>>>>>> http://guses.org/home/  - French Speaking (Open)Solaris User Group
>> >> >> >>>>>>>
>> >> >> >>>>>>> -------------------------------------------------------------------------
>> >> >> >>>>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> >> >> >>>>>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> >> >> >>>>>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> >> >> >>>>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> >> >> >>>>>>> _______________________________________________
>> >> >> >>>>>>> Ejbca-develop mailing list
>> >> >> >>>>>>> Ejbca-develop@...
>> >> >> >>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>> >> >> >>>>>>>
>> >> >> >>>>>>>
>> >> >> >>>>>> --
>> >> >> >>>>>> Leonardo Luiz Padovani da Mata
>> >> >> >>>>>> barroca@...
>> >> >> >>>>>>
>> >> >> >>>>>> "May the force be with you, always"
>> >> >> >>>>>> "Nerd Pride... eu tenho. Voce tem?"
>> >> >> >>>>>>
>> >> >> >>>>>>
>> >> >> >>>>>
>> >> >> >>>>>
>> >> >> >>>> -------------------------------------------------------------------------
>> >> >> >>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> >> >> >>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> >> >> >>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> >> >> >>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> >> >> >>>> _______________________________________________
>> >> >> >>>> Ejbca-develop mailing list
>> >> >> >>>> Ejbca-develop@...
>> >> >> >>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>> >> >> >>>>
>> >> >> >>>>
>> >> >> >>>
>> >> >> >>>
>> >> >> >>>
>> >> >> >>>
>> >> >> >>
>> >> >> >>
>> >> >> >> -------------------------------------------------------------------------
>> >> >> >> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> >> >> >> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> >> >> >> Grand prize is a trip for two to an Open Source event anywhere in the world
>> >> >> >> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> >> >> >> _______________________________________________
>> >> >> >> Ejbca-develop mailing list
>> >> >> >> Ejbca-develop@...
>> >> >> >> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>> >> >> >>
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > --
>> >> >> > Leonardo Luiz Padovani da Mata
>> >> >> > barroca@...
>> >> >> >
>> >> >> > "May the force be with you, always"
>> >> >> > "Nerd Pride... eu tenho. Voce tem?"
>> >> >> >
>> >> >>
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > -------------------------------------------------------------------------
>> >> > This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> >> > Build the coolest Linux based applications with Moblin SDK & win great prizes
>> >> > Grand prize is a trip for two to an Open Source event anywhere in the world
>> >> > http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> >> > _______________________________________________
>> >> > Ejbca-develop mailing list
>> >> > Ejbca-develop@...
>> >> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>> >> >
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> > -------------------------------------------------------------------------
>> > This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> > Build the coolest Linux based applications with Moblin SDK & win great prizes
>> > Grand prize is a trip for two to an Open Source event anywhere in the world
>> > http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> > _______________________________________________
>> > Ejbca-develop mailing list
>> > Ejbca-develop@...
>> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>> >
>>
>>
>>
>
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Ejbca-develop mailing list
> Ejbca-develop@...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>

> Hey Brune, the Security World is ok. I've checked  the file
> permissions, and apparently this is not an issue, because i'm getting
> the same problem using the system administrator.
>
> I'm following the steps of ejbca user's guide. When importing a file,
> i can't access the keystore of the HSM:
>
> keystore: Filename of JCE key store? []
>> temp.keystore
> ERROR: keystore: key store key is missing
> keystore: Filename of JCE key store? []
>> 59b8a83024f6d271ac8ec03838d8e3de7c204785
> ERROR: keystore: cannot open file
> keystore: Filename of JCE key store? []
>> c:\nfast\kmdata\local\key_jcecsp_59b8a83024f6d271ac8ec03838d8e3de7c204785
> ERROR: keystore: invalid keystore
> ERROR: keystore: key store key is missing
> keystore: Filename of JCE key store? []
>>
> ERROR: keystore: invalid filename
> keystore: Filename of JCE key store? []
>> c:\nfast\kmdata\local\
> ERROR: keystore: cannot open file
> keystore: Filename of JCE key store? []
>
>
>
> temp.keystore contains "59b8a83024f6d271ac8ec03838d8e3de7c204785" as
> mentioned in the user guide:
> "Windows: 'copy con: temp.keystore' and copypaste the string, press
> Ctrl-Z and Enter"
>
> Thanks again.
>
> On Mon, Oct 20, 2008 at 10:22 AM, Bruno Bonfils <asyd@...> wrote:
>> On Mon 20 October, Leonardo L. P. da Mata wrote:
>>> I've read the HSM manual and checked that my Security world is a fips level 2.
>>> The NFAST_HOME is ok. I think this a security issue. I'm gonna try
>>> with the system administrator.
>>
>> Hi,
>>
>> in order to create some key protected by the HSM, you need to create a
>> Security World, and OCS (Operator Card Set). This procedure is well
>> documented in the HSM documentations. However I may help if you trouble
>> (ps: I work at Linagora and I used to work with EJBCA and nCipher).
>>
>> If you really already have a security world, check the file permissions,
>> I don't know how is going on windows, but on unix environnement,
>> nCipher's default permissions only allow root to read/write the security
>> world's files.
>>
>> BEst regards
>>
>> --
>> http://asyd.net/home/   - Home Page
>> http://guses.org/home/  - French Speaking (Open)Solaris User Group
>>
>> -------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Ejbca-develop mailing list
>> Ejbca-develop@...
>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>
>
>
>
> --
> Leonardo Luiz Padovani da Mata
> barroca@...
>
> "May the force be with you, always"
> "Nerd Pride... eu tenho. Voce tem?"
>