[Pki-users] Problems with Luna PCI HSM and dogtag 1.3

Torino riccardo.brunetti at to.infn.it
Wed May 30 13:13:04 UTC 2012


On 24/05/12 21 23:49, Christina Fu wrote:
> I have not worked on a Luna PCI HSM, but did you try the following to
> see if it provides you with any clue on the status of the token?
> modutil -dbdir /var/lib/igi-ca/alias -list lunapci
>
> And another suggestion is to add the token/password in the
> password.conf file before you start the configuration.
>
> Christina
>
> On 05/24/2012 05:34 AM, Riccardo Brunetti wrote:
>>
>> Dear pki-users.
>> We are setting up a CA subsystem using dogtag 1.3 on CentOS-5.8 and an
>> HSM Luna PCI3000 (SafeNet).
>> The HSM card seems to be correctly installed in the system and, using
>> the command line utilities, we could create a partition on the HSM to
>> store the crypto data.
>>
>> Unfortunately, when I run pkicreate and then the configuration wizard
>> in order to configure the CA subsystem, the HSM module seems not to
>> be detected and the system still uses the software "NSS Internal PKCS
>> #11 Module".
>>
>> I also tried to manually load the pkcs#11 module using the command:
>>
>> # modutil -dbdir /var/lib/igi-ca/alias -nocertdb -add lunapci
>> -libfile /usr/lunapci/lib/libCryptoki2_64.so
>>
>> and the output of the list command is the following:
>>
>> # modutil -dbdir /var/lib/igi-ca/alias -list
>>
>> Listing of PKCS #11 Modules
>> -----------------------------------------------------------
>> 1. NSS Internal PKCS #11 Module
>> slots: 2 slots attached
>> status: loaded
>>
>> slot: NSS Internal Cryptographic Services
>> token: NSS Generic Crypto Services
>>
>> slot: NSS User Private Key and Certificate Services
>> token: NSS Certificate DB
>>
>> 2. lunapci
>> library name: /usr/lunapci/lib/libCryptoki2_64.so
>> slots: 1 slot attached
>> status: loaded
>>
>> slot: Viper PCI Card
>> token: turintest
>> -----------------------------------------------------------
>>
>> Moreover, this is the output of the TokenInfo command:
>>
>> # TokenInfo /var/lib/igi-ca/alias/
>>
>> Database Path: /var/lib/igi-ca/alias/
>> Found external module 'NSS Internal PKCS #11 Module'
>> Found external module 'lunapci'
>> Found external token 'turintest'
>>
>> Despite all of that, when the configuration wizard comes to the "Key
>> Store" page the module is not listed.
>> I then tried to include it manually in the CS.cfg file:
>>
>> preop.configModules.module0.commonName=lunapci
>> preop.configModules.module0.imagePath=../img/clearpixel.gif
>> preop.configModules.module0.userFriendlyName=lunapci
>>
>> and in this case it is listed, but with Status "Not Found".
>>
>> How can I solve this issue? Do you have some suggestions?
>>
>> Thank you very much
>> R. Brunetti
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
Dear Christina.
Thank you very much for your suggestions. It was actually a problem with
the HSM activating password.
Now dogtag sees the module and uses it.
Thanks a lot once again.
Best Regards
R. Brunetti

-- 
-------------------
Riccardo Brunetti
INFN - Torino
Tel: +390116707295
Skype: rbrunetti
-------------------
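As an added example (not from the thread or the Dogtag project), a script that checks the two things this case turned on: that the HSM token is attached to a loaded module in `modutil -list` output, and that a `hardware-<token name>=` entry for it exists in Dogtag's password.conf. The listing parser assumes the layout shown above; the sample listing, file paths and password values are constructed placeholders.

```bash
#!/bin/sh
# Added example (not from the thread): checks that the HSM token sits under a
# loaded module in `modutil -list` output and that Dogtag's password.conf has a
# hardware-<token>= entry for it. The parser assumes the layout shown in the thread.

# Succeeds when TOKEN appears under a module whose status is "loaded".
# $1 = token name; stdin = output of `modutil -dbdir <alias dir> -list`
token_listed() {
  awk -v tok="$1" '
    { sub(/^[ \t]+/, "") }                      # real modutil output is indented
    /^[0-9]+\. /      { loaded = 0 }            # e.g. "2. lunapci": new module block
    /^status: loaded/ { loaded = 1 }
    /^token: /        { sub(/^token: /, ""); if (loaded && $0 == tok) found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Succeeds when password.conf has a non-empty hardware-<token>= entry.
# $1 = token name; $2 = path to password.conf
token_password_present() {
  grep -q "^hardware-$1=..*" "$2"
}

# Prints ok, token-not-listed or password-missing; non-zero return on failure.
# $1 = token name; $2 = saved modutil listing; $3 = password.conf
check_token() {
  if ! token_listed "$1" < "$2"; then
    echo "token-not-listed"; return 1
  fi
  if ! token_password_present "$1" "$3"; then
    echo "password-missing"; return 2
  fi
  echo "ok"
}

# Constructed sample inputs mirroring the listing in the thread (placeholder values).
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
Listing of PKCS #11 Modules
1. NSS Internal PKCS #11 Module
status: loaded
token: NSS Certificate DB
2. lunapci
library name: /usr/lunapci/lib/libCryptoki2_64.so
status: loaded
slot: Viper PCI Card
token: turintest
EOF
SAMPLE_PW=$(mktemp)
printf 'internal=PLACEHOLDER\nhardware-turintest=PLACEHOLDER\n' > "$SAMPLE_PW"
check_token turintest "$SAMPLE_LIST" "$SAMPLE_PW"   # prints: ok
```

Against a live system, save the listing with `modutil -dbdir /var/lib/igi-ca/alias -list > listing.txt` and point check_token at that file and the subsystem's password.conf.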



