[Pki-users] Problems with Luna PCI HSM and dogtag 1.3

Riccardo Brunetti riccardo.brunetti at to.infn.it
Thu May 24 12:34:27 UTC 2012


Dear pki-users.
We are setting up a CA subsystem using dogtag 1.3 on CentOS-5.8 and an 
HSM Luna PCI3000 (SafeNet).
The HSM card seems to be correctly installed in the system and, using 
the command line utilities, we could create a partition on the HSM to 
store the crypto data.

Unfortunately, when I run pkicreate and then the configuration wizard in 
order to configure the CA subsystem, the HSM module seems not to be 
detected and the system still uses the software "NSS Internal PKCS #11 
Module".

I also tried to manually load the pkcs#11 module using the command:

# modutil -dbdir /var/lib/igi-ca/alias -nocertdb -add lunapci -libfile /usr/lunapci/lib/libCryptoki2_64.so

and the output of the list command is the following:

# modutil -dbdir /var/lib/igi-ca/alias -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
   1. NSS Internal PKCS #11 Module
      slots: 2 slots attached
     status: loaded

      slot: NSS Internal Cryptographic Services
     token: NSS Generic Crypto Services

      slot: NSS User Private Key and Certificate Services
     token: NSS Certificate DB

   2. lunapci
     library name: /usr/lunapci/lib/libCryptoki2_64.so
      slots: 1 slot attached
     status: loaded

      slot: Viper PCI Card
     token: turintest
-----------------------------------------------------------

Moreover, this is the output of the TokenInfo command:

# TokenInfo /var/lib/igi-ca/alias/

Database Path: /var/lib/igi-ca/alias/
Found external module 'NSS Internal PKCS #11 Module'
Found external module 'lunapci'
Found external token 'turintest'

Despite all of that, when the configuration wizard comes to the "Key 
Store" page the module is not listed.
I then tried to include it manually in the CS.cfg file:

preop.configModules.module0.commonName=lunapci
preop.configModules.module0.imagePath=../img/clearpixel.gif
preop.configModules.module0.userFriendlyName=lunapci

and in this case it is listed, but with Status "Not Found".

How can I solve this issue? Do you have some suggestions?

Thank you very much
R. Brunetti



