[Pki-users] Utimaco HSM "Not Found" problem
Michael StJohns
msj at nthpermutation.com
Wed Apr 28 02:11:44 UTC 2010

Interesting.

I added the Utimaco to the list of supported modules (CS.cfg -
preop.configModules). This time it showed up in the list in the
supported section along with the "Login" tag.

I clicked "Login" and manually logged in, selected the module as the
default, and completed the enrollment. I then went back to the HSM and,
using the Utimaco-provided tool, confirmed all the keys etc. are present.

zcoolkey showed up in the unsupported list.

So try:

Add utimaco to the pkicreate script in /usr/bin
Add utimaco to the supported list in the default CS.cfg
  /usr/share/pki/ca/conf

Mike

On 4/27/2010 9:51 PM, Michael StJohns wrote:
> OK -
>
> Using my recompiled/relinked version of the Utimaco library on Fedora
> 12 - 32 bit.
>
> I can consistently get the Utimaco library to show up in the list with
> the three slots I've initialized. BUT - none of those show up with
> the "Login" button.
>
> The reason I couldn't get it to work before was because of the coolkey
> library... if that library is loaded (name "coolkey"), modutil and
> TokenInfo both see it, but only the coolkey library gets listed on the
> setup page.
>
> I deleted the coolkey library, restarted the server and the Utimaco
> slots showed up.
>
> I re-added the coolkey library with the name "zcoolkey", restarted the
> server - only the Utimaco slots showed up.
>
> - At this point I got suspicious and tried one more thing.
>
> I deleted the Utimaco library with the name "utimaco", restarted the
> server. The zcoolkey library showed up.
>
> Hmm..... looks like for some reason, only the first module
> (alphabetically) is being listed/loaded.
>
> Mike
>
> On 4/27/2010 8:51 PM, Arshad Noor wrote:
>> Was this on a 32-bit or 64-bit environment, Mike? I was planning to
>> test this with the 32-bit version of Fedora 11, based on your assertion
>> that it worked. But, now it appears that this might be unpredictable.
>> Is that right?
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> Michael StJohns wrote:
>>> On 4/26/2010 10:46 PM, Christina Fu wrote:
>>>> Actually, I did spend some time looking into JSS code. The result
>>>> was inconclusive. The code appeared to be reasonable. I do
>>>> suspect, however, without looking closely at the code, that somehow
>>>> the module is unloaded somewhere along the way.
>>>> I'm curious whether this is an issue on this particular HSM, or if
>>>> it's a matter of handling external modules (including software
>>>> modules) in general.
>>>> Has anyone had any success installing/using certicom module on this
>>>> platform, for example?
>>>>
>>>> Again, I did not see any email from another member (StJohns?) that
>>>> you mentioned claiming success with Utimaco HSM on a 32 bit
>>>> machine... could you please forward the email?
>>>> Another thing is, I'm not familiar with Utimaco HSM, but you might
>>>> want to find out how to turn on debugger.
>>>>
>>>> Otherwise, try turning on NSS debugging, which might give you some
>>>> clue.
>>>>
>>>> Christina
>>>>
>>>
>>> Hi Christina -
>>>
>>> I had to put work on this aside for a few days, but am getting back
>>> to it. I've had uneven results. The time that I got the HSM to
>>> show up with the slots, but I didn't get the "Login" button. This
>>> time, I didn't even get the HSM to show up. The first time, I added
>>> the HSM manually, the second via a mod to the create script. Still
>>> working my way through it.
>>>
>>> I modified pki_create_instance to add both the Utimaco library and
>>> the Coolkey PKCS11 library. I had to turn off SELinux enforcement
>>> to get Coolkey to show up on the list, but even then, the Utimaco
>>> lib didn't. I haven't had a chance to go back and check again.
>>>
>>> Mike
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>