Pablitos
2009-04-09 11:16:53 UTC
Hello,
I run ejbca-3.8.1 (jboss 4.2.3) on Windows Server 2003.
I have an nCipher nShield HSM and I would like to use it with EJBCA.
I tried the following command (pkcs11 generic provider):
preload -c UGISOCS c:\ejbca_3_8_1\bin\pkcs11HSM.cmd generate c:\cknfast.dll 1024 prova i
and the output was:
Loading cardsets:
UGISOCS on modules 1
Loading `UGISOCS':
Module 1 slot 0: `UGISOCS' #2 (`Operator 2')
Module 1 slot 0:- passphrase supplied - reading card
Card reading complete.
Stored Admin key: kfips (a85c...) on module #1
Stored Cardset: UGISOCS (7e3c...) on module #1
Stored Key: pkcs11/uc7e3c8281c7e575837c265685339b30dd4d517bdf-bcc6bc63708f00c94d79b7cd8f99c6a2efbf1ec6 (da05...) on module #1
Loaded pkcs11 uc7e3c8281c7e575837c265685339b30dd4d517bdf-bcc6bc63708f00c94d79b7cd8f99c6a2efbf1ec6 key (RSAPrivate) on modules 1
Executing c:\ejbca_3_8_1\bin\pkcs11HSM.cmd generate c:\cknfast.dll 1024 prova i
"C:\Program Files\Java\jdk1.6.0_12\bin\java" -cp
C:\ejbca_3_8_1\lib\bcprov-jdk15.jar;C:\ejbca_3_8_1\lib\bcmail-jdk15.jar;C:\ejbca_3_8_1\lib\cert-cvc.jar;C:\ejbca_3_8_1\lib\jline-0.9.94.jar;C:\ejbca_3_8_1\lib\log4j.jar
\ejbca_3_8_1\lib\commons-lang-2.4.jar;C:\ejbca_3_8_1\tmp\bin\classes
org.ejbca.ui.cli.ClientToolBox PKCS11HSMKeyTool generate c:\cknfast.dll 1024 prova i
log4j:WARN No appenders could be found for logger (org.ejbca.util.keystore.KeyTools).
log4j:WARN Please initialize the log4j system properly.
java.security.ProviderException: Initialization failed
    at sun.security.pkcs11.P11Signature.initialize(P11Signature.java:302)
    at sun.security.pkcs11.P11Signature.engineInitSign(P11Signature.java:327)
    at java.security.Signature$Delegate.engineInitSign(Signature.java:1095)
    at java.security.Signature.initSign(Signature.java:480)
    at org.bouncycastle.x509.X509Util.calculateSignature(Unknown Source)
    at org.bouncycastle.x509.X509V3CertificateGenerator.generate(Unknown Source)
    at org.bouncycastle.x509.X509V3CertificateGenerator.generate(Unknown Source)
    at org.ejbca.util.keystore.KeyStoreContainerBase.getSelfCertificate(KeyStoreContainerBase.java:145)
    at org.ejbca.util.keystore.KeyStoreContainerBase.generate(KeyStoreContainerBase.java:211)
    at org.ejbca.util.keystore.KeyStoreContainerBase.generate(KeyStoreContainerBase.java:181)
    at org.ejbca.util.keystore.KeyStoreContainerBase.generate(KeyStoreContainerBase.java:193)
    at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:127)
    at org.ejbca.ui.cli.PKCS11HSMKeyTool.execute(PKCS11HSMKeyTool.java:46)
    at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:38)
    at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:51)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_FUNCTION_NOT_PERMITTED
    at sun.security.pkcs11.wrapper.PKCS11.C_SignInit(Native Method)
    at sun.security.pkcs11.P11Signature.initialize(P11Signature.java:294)
    ... 14 more
Have you any clues about this problem?
Thanks and best regards
--
View this message in context: http://www.nabble.com/nShield-HSM-CKR_KEY_FUNCTION_NOT_PERMITTED-tp22968918p22968918.html
Sent from the EjbCA - Dev mailing list archive at Nabble.com.