It looks like you are configured to use softtoken so the rsa private 
requests are handled there rather than the sca6000

-gary



On 08/19/09 07:34, Rishi Renjith wrote:
> Hello, I tried creating an NSS database, linking it with crypto card and 
> connecting using apache mod_nss. Everything works fine, except that 
> the rsaprivate jobs are not getting increased in the kstat of the card. 
> 
> This is what I did. 
> 
> bash-3.00# cd ../nssdb
> bash-3.00# rm *
> bash-3.00# certutil -N -d .
> Enter a password which will be used to encrypt your keys. 
> The password should be at least 8 characters long, 
> and should contain at least one non-alphabetic character. 
> 
> Enter new password: 
> Re-enter password: 
> 
> bash-3.00# ls
> cert8.db   key3.db    secmod.db 
> bash-3.00# chmod 777 *
> bash-3.00# modutil -dbdir . -nocertdb -force -add "Sun Crypto Accelerator" 
> -libfile /usr/lib/libpkcs11.so -mechanisms RSA:DSA:RC4:DES
> Module "Sun Crypto Accelerator" added to database. 
> bash-3.00# modutil -list -dbdir .
> Listing of PKCS #11 Modules 
> ----------------------------------------------------------- 
>   1. NSS Internal PKCS #11 Module 
>          slots: 2 slots attached 
>         status: loaded 
> 
>          slot: NSS Internal Cryptographic Services 
>         token: NSS Generic Crypto Services 
> 
>          slot: NSS User Private Key and Certificate Services 
>         token: NSS Certificate DB 
> 
>   2. Sun Crypto Accelerator 
>         library name: /usr/lib/libpkcs11.so 
>          slots: 2 slots attached 
>         status: loaded 
> 
>          slot: Sun Metaslot 
>         token: Sun Metaslot 
> 
>          slot: Sun Crypto Softtoken 
>         token: Sun Software PKCS#11 softtoken 
> ----------------------------------------------------------- 
> bash-3.00# certutil -S -x -n "cert309" -t "u,u,u" -k rsa -g 1024 -v 120 -s 
> "cn=nobody,ou=Org,o=Sun,L=Santa Clara,ST=California,C=US" -d . -h "Sun 
> Metaslot"
> Enter Password or Pin for "Sun Metaslot":
> 
> A random seed must be generated that will be used in the 
> creation of your key.  One of the easiest ways to create a 
> random seed is to use the timing of keystrokes on a keyboard. 
> 
> To begin, type keys on the keyboard until this progress meter 
> is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! 
> 
> Continue typing until the progress meter is full: 
> 
> |************************************************************| 
> 
> Finished.  Press enter to continue: 
> 
> Generating key.  This may take a few moments... 
> 
> Enter Password or Pin for "Sun Software PKCS#11 softtoken": 
> 
> bash-3.00# certutil -K -d .
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key 
> and Certificate Services" 
> Enter Password or Pin for "NSS Certificate DB": 
> certutil: no keys found 
> bash-3.00# certutil -K -d . -h "Sun Software PKCS#11 softtoken"
> certutil: Checking token "Sun Software PKCS#11 softtoken" in slot "Sun 
> Crypto Softtoken" 
> Enter Password or Pin for "Sun Software PKCS#11 softtoken": 
> certutil: no keys found 
> bash-3.00# certutil -K -d . -h "Sun Metaslot"
> certutil: Checking token "Sun Metaslot" in slot "Sun Metaslot" 
> Enter Password or Pin for "Sun Metaslot": 
> < 0> rsa      204a23dbb2e82d7d8c1495e3374dcd4462423e4c   Sun 
> Metaslot:cert309 
> < 1> rsa      54ea6d93df1cfef13064aedc6f6c7f0dce34e7b6   Sun 
> Metaslot:cert147 
> < 2> rsa      34d4a4974cf325e735dd23bb3a6b4680249f3550   (orphan) 
> < 3> rsa      2018eecb4c05eb25cd30be4de6f13ccaeadcb43d   Sun 
> Metaslot:cert1151 
> < 4> rsa      61932a2d796fd8f6e82949059176e980cde5c55a   sanCert 
> < 5> rsa      4e752a9b4a76c1462d9aec76de1617e08d07ff42   Sun 
> Metaslot:ismc_cert 
> 
> bash-3.00# certutil -L -d .
> 
> Certificate Nickname                                         Trust 
> Attributes 
> 
> SSL,S/MIME,JAR/XPI 
> 
> bash-3.00# certutil -L -d . -h "Sun Software PKCS#11 softtoken"
> 
> Certificate Nickname                                         Trust 
> Attributes 
> 
> SSL,S/MIME,JAR/XPI 
> 
> Enter Password or Pin for "Sun Software PKCS#11 softtoken": 
> bash-3.00# certutil -L -d . -h "Sun Metaslot"
> 
> Certificate Nickname                                         Trust 
> Attributes 
> 
> SSL,S/MIME,JAR/XPI 
> 
> Enter Password or Pin for "Sun Metaslot": 
> Sun Metaslot:cert309                                         u,u,u 
> Sun Metaslot:cert147                                         u,u,u 
> Sun Metaslot:cert1151                                        u,u,u 
> Sun Metaslot:sanCert                                         u,u,u 
> Sun Metaslot:CACERT CA                                       ,, 
> Sun Metaslot:ismc_cert                                       u,u,u 
> 
> modutil -disable "NSS Internal PKCS #11 Module"  -dbdir .
> 
> WARNING: Performing this operation while the browser is running could cause 
> corruption of your security databases. If the browser is currently running, 
> you should exit browser before continuing this operation. Type 
> 'q <enter>' to abort, or <enter> to continue: 
> 
> Slot "NSS Internal Cryptographic Services" disabled. 
> Slot "NSS User Private Key and Certificate Services" disabled. 
> 
> bash-3.00# modutil -enable "Sun Crypto Accelerator"  -dbdir .
> 
> WARNING: Performing this operation while the browser is running could cause 
> corruption of your security databases. If the browser is currently running, 
> you should exit browser before continuing this operation. Type 
> 'q <enter>' to abort, or <enter> to continue: 
> 
> Slot "Sun Metaslot" enabled. 
> Slot "Sun Crypto Softtoken" enabled. 
> 
> --------------------------------------------------------------------------- 
> ----------------------------------------------------------------------- 
> 
> Now when I check the kstat for each connection, the rsaprivate is not 
> getting increased, only aesjobs are increased. 
> I also tried this test. 
> cryptoadm disable provider=mca/0 mechanism=all
> 
> In this case, the handshake fails. 
> 
> But..., if I disable only RSA in the card, 
> cryptoadm disable provider=mca/0 mechanism=<all RSA mechanisms> 
> it works, which means that the card is currently used for AES jobs and RSA 
> jobs are done at the software level. 
> 
> 
> 
> The cryptoadm output is as below, which indicates the card is configured 
> properly. 
> 
> bash-3.00# cryptoadm list 
> 
> User-level providers: 
> Provider: /usr/lib/security/$ISA/pkcs11_kernel.so 
> Provider: /usr/lib/security/$ISA/pkcs11_softtoken_extra.so 
> 
> Kernel software providers: 
>         des 
>         aes256 
>         arcfour2048 
>         blowfish448 
>         sha1 
>         sha2 
>         md5 
>         swrand 
> 
> Kernel hardware providers: 
>         mca/0 
> 
> 
> 
> Please suggest. 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> crypto-discuss mailing list
> crypto-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/crypto-discuss

