[Pki-users] Utimaco HSM "Not Found" problem

Arshad Noor arshad.noor at strongauth.com
Thu Apr 22 21:06:07 UTC 2010 

Hi Christina,

Good to hear from you again.

I changed the token name and removed the space, but nothing changed,
unfortunately:

Listing of PKCS #11 Modules
-----------------------------------------------------------
   1. NSS Internal PKCS #11 Module
          slots: 2 slots attached
         status: loaded

          slot: NSS Internal Cryptographic Services
         token: NSS Generic Crypto Services

          slot: NSS User Private Key and Certificate Services
         token: NSS Certificate DB

   2. CryptoServer
         library name: /usr/bin/libcs2_pkcs11.so
          slots: 1 slot attached
         status: loaded

          slot: CryptoServer Device '/dev/cs2' - Slot No: 0
         token: CBUAETEST
-----------------------------------------------------------

The debug file for the new CA instance shows:

-------------------------------------------
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: display()
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got module 
NSS Internal PKCS #11 Module
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: supported 
modules count= 4
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from 
config module: NSS Internal PKCS #11 Module
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: module 
found: NSS Internal PKCS #11 Module
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token nick 
name=NSS Generic Crypto Services
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
logged in?false
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token is 
present?true
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token NSS 
Generic Crypto Services not to be added
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token nick 
name=Internal Key Storage Token
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token 
logged in?true
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: token is 
present?true
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
module NSS Internal PKCS #11 Module
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from 
config module: nfast
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
module nfast
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from 
config module: lunasa
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
module lunasa
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: got from 
config module: CryptoServer
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel: adding 
module CryptoServer
[22/Apr/2010:13:59:43][http-11004-Processor21]: ModulePanel subpanelno =9
-------------------------------------------

The CS.cfg for this instance has the following:

-------------------------------------------
preop.configModules.count=4
...
preop.configModules.module3.commonName=CryptoServer
preop.configModules.module3.imagePath=../img/clearpixel.gif
preop.configModules.module3.userFriendlyName=Utimacos's CryptoServer 
Hardware Security Module
preop.module.token=CBUAETEST
-------------------------------------------

Arshad Noor
StrongAuth, Inc.

Christina Fu wrote:
> Hi Arshad,
> 
> Just a thought.  Did you try removing the space for your token name?
> 
> Christina
> 
> Arshad Noor wrote:
>> Can someone from the DogTag team explain the process by which
>> the installation servlet "finds" PKCS11 modules/HSMs and logs
>> into them?  Alternatively, if you can point me to the specific
>> source module that performs this, I'd be happy to look at it
>> myself.
>>
>> I'm still baffled by our inability to have the installation
>> servlet find the Utimaco HSM module, despite the fact that
>> modutil sees it:
>>
>> $ pet105:~> modutil -dbdir /var/lib/subca01/alias -nocertdb -list
>>
>> Listing of PKCS #11 Modules
>> -----------------------------------------------------------
>>   1. NSS Internal PKCS #11 Module
>>          slots: 2 slots attached
>>         status: loaded
>>
>>          slot: NSS Internal Cryptographic Services
>>         token: NSS Generic Crypto Services
>>
>>          slot: NSS User Private Key and Certificate Services
>>         token: NSS Certificate DB
>>
>>   2. CryptoServer
>>         library name: /usr/bin/libcs2_pkcs11.so
>>          slots: 1 slot attached
>>         status: loaded
>>
>>          slot: CryptoServer Device '/dev/cs2' - Slot No: 0
>>         token: CBUAE TEST
>> -----------------------------------------------------------
>>
>>
>> There were some SELinux errors, but I fixed all of them; despite
>> all calls now being successful, the installation servlet will
>> still not see the HSM.
>>
>> Thanks.
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>

More information about the Pki-users mailing list