We tried disabling metaslot also. In that case, instead of "Sun Metaslot" we
get the name of the keystore we created in the SCA card using sca manager.
The following are the various combinations we tried and the results.
With metaslot enabled + (NSS DB in) FIPS/non-FIPS mode: rsaprivate doesn't
increment, aes does

With metaslot disabled + (NSS DB in) non-FIPS mode: aes doesn't increment,
rsaprivate does

With metaslot disabled + (NSS DB in) FIPS mode: rsa increments, but we get
"bad mac error"

On Thu, Aug 20, 2009 at 12:17 AM, Krishna Yenduri
<bhargava.yenduri at sun.com> wrote:

> On 08/19/09 10:55, Gary.Morton at sun.com wrote:
>
>> On 08/19/09 10:49, Rishi Renjith wrote:
>>
>>> Hello,
>>> The manual explains how to configure apache with mod_ssl. We want to use
>>> mod_nss with apache.
>>>
>>> Also we tried disabling the softtoken by giving
>>> modutil -disable "sun crypto accelerator" -slot "sun pkcs11 softtoken"
>>>
>>> but it doesn't seem to be working; it again shows as enabled!!!
>>>
>>> Also the sca manual mentions that you can configure metaslot to use the
>>> h/w by using
>>> cryptoadm enable metaslot token=ks
>>> We did this too, but got the same result.
>>>
>>> Are we missing any more config here?
>>>
>>
>> Possibly - I haven't set up apache with mod_nss and our card so I can't
>> answer that question. It's odd that you can't seem to get away from using
>> softtoken even though you've made the config changes I would have
>> suggested... maybe someone from the solaris side will have an answer?
>>
>
> Couple of suggestions -
>
> - See if disabling metaslot helps
> # cryptoadm disable metaslot
> One would need to use the SCA 6000 slot label for all the commands in this
> case.
> No "sun pkcs11 softtoken" or "Sun Metaslot" can be used.
>
> - Try using pktool instead of certutil
>
> Also, if this is for S10, there may be some patches. You need to contact
> Sun support.
>
> -Krishna
>
>