Hi,

While trying to get OpenCA going with my shiny nCipher module, I am
experiencing some weird problems concerning configuration.

In order to access the module I changed the 'openssl_engine'
configuration value in config.xml:

        <!-- =========== -->
        <!-- HSM support -->
        <!-- =========== -->
        <option>
            <name>openssl_engine</name>
            <value>chil -keyform e</value>
        </option>
        <option>
            <name>hsm_utility</name>
            <value></value>
        </option>
        <option>
            <name>hsm_slot</name>
            <value></value>
        </option>
        <option>
            <name>appid</name>
            <value></value>
        </option>

Then I modified token.xml. In particular I added a WRAPPER (thanks,
Michael) and changed the KEY value to reference the key name that
already exists in the HSM module.

<openca>
    <token_config>
        <default_token>CA</default_token>
        <token>
            <name>CA</name>
            <type>OpenSSL</type>
            <!--
                if the token supports sessions then you can use session and
                daemon too

                session - token will be logged out at end of session
                daemon  - token will be only logged out explicitly
            -->
            <mode>standby</mode>
            <option>
                <name>SHELL</name>
                <value>/usr/local/ssl/bin/openssl</value>
            </option>
            <option>
                <name>WRAPPER</name>
                <value>/opt/nfast/bin/with-nfast -M</value>
            </option>
            <option>
                <name>KEY</name>
                <value>rsa-sslca</value>
            </option>
            <option>
                <name>PASSWD_PARTS</name>
                <value>1</value>
            </option>
[...]

After running configure_etc.sh the corresponding
etc/servers/ca.conf file reads:

[...]
## Crypto Section
## ==============
openssl         "/usr/local/ssl/bin/openssl"
[...]
## HSM configuration
## =================

## Example: LunaCA3

## opensslEngine    "LunaCA3"
## opensslEngineArg "-enginearg 1:10:11"
opensslEngine    "chil -keyform e"
opensslEngineArg "-enginearg :@hsm_appid@"

HSM_LOGIN_CMD   " -o -s  -i @hsm_appid@"
HSM_LOGOUT_CMD  " -c -s  -i @hsm_appid@"
HSM_GENKEY_CMD  " -s  -i @hsm_appid@ -g @__BITS__@ -f @__OUTFILE__@"


I know that the above opensslEngineArg is not suitable for my HSM,
but it DOES exist. However, when starting the OpenCA server it
does not seem to find this configuration entry. (It reads the
opensslEngine variable without problems.)
It seems that the opensslEngineArg parameter is simply ignored.


# ./openca_start
Content-Type: text/html

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html
        PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="C"><head><title>Configuration Error</title>
</head><body bgcolor="#FFFFFF"><CENTER><BR><HR
WIDTH=80%><BR></CENTER><OL><OL><H1><FONT COLOR=red>Error
690</FONT></H1><OL> <B>Configuration Error</B>. Missing Configuration
Keyword : opensslEngineArg.</OL></OL></OL>

</PRE><CENTER><HR WIDTH=80%></CENTER>
<FONT SIZE="+0">
</BODY>
</HTML>
OpenCA: Error Trapped: Missing Configuration Keyword : opensslEngineArg at
/usr/lib/perl5/site_perl/5.8.0/OpenCA/UI/HTML.pm line 147.
Compilation failed in require at ./openca_start line 62.


I am a bit lost in the depths of OpenCA's Perl guts. Can anybody with
more insight help me?

Cheers,

Martin
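The ca.conf excerpt above is read by OpenCA's Perl configuration code, and the complaint is that `opensslEngineArg` is found missing while `opensslEngine` on the line just before it is read fine. As an added example (not OpenCA's own `Configuration` code), the script below parses that `keyword "value"` format the way a strict reader would, reports which of the HSM keywords a parser would consider absent, and additionally flags `@name@` placeholders that `configure_etc.sh` apparently left unsubstituted, since the excerpt still contains `@hsm_appid@` although config.xml carries an empty `appid`. The line grammar (keyword, whitespace, double-quoted value), the rule that a line starting with `#` is a comment, and the split between `@hsm_appid@`-style and `@__BITS__@`-style placeholders are assumptions made for this example; the sample text is the excerpt from the mail, typed in so the script runs offline.

```python
import re

# Constructed sample: the ca.conf excerpt from the mail, embedded here so the
# script runs offline. It is not read from a real OpenCA installation.
SAMPLE_CA_CONF = """\
## Crypto Section
## ==============
openssl         "/usr/local/ssl/bin/openssl"
## HSM configuration
## =================

## Example: LunaCA3

## opensslEngine    "LunaCA3"
## opensslEngineArg "-enginearg 1:10:11"
opensslEngine    "chil -keyform e"
opensslEngineArg "-enginearg :@hsm_appid@"

HSM_LOGIN_CMD   " -o -s  -i @hsm_appid@"
HSM_LOGOUT_CMD  " -c -s  -i @hsm_appid@"
HSM_GENKEY_CMD  " -s  -i @hsm_appid@ -g @__BITS__@ -f @__OUTFILE__@"
"""

# Keywords the excerpt shows the crypto/HSM section using.
HSM_KEYWORDS = ("openssl", "opensslEngine", "opensslEngineArg",
                "HSM_LOGIN_CMD", "HSM_LOGOUT_CMD", "HSM_GENKEY_CMD")

# Assumed line grammar: a keyword, whitespace, one double-quoted value.
KEYWORD_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s+"([^"]*)"$')
# @name@ tokens that configure_etc.sh is expected to replace.
PLACEHOLDER_RE = re.compile(r"@([A-Za-z_][A-Za-z0-9_]*)@")


def parse_conf(text):
    """Return {keyword: value} for every active `keyword "value"` line.

    A line whose first non-blank character is '#' is a comment (assumption
    drawn from the '##' lines in the excerpt), so the commented-out LunaCA3
    examples are skipped and only the live `chil` entries are kept. Any
    other non-blank line raises, because a silently skipped line is exactly
    what would hide a typo in a keyword.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a keyword/value line: {raw!r}")
        entries[m.group(1)] = m.group(2)
    return entries


def missing_keywords(entries, required=HSM_KEYWORDS):
    """Keywords a strict reader would report as 'Missing Configuration Keyword'."""
    return [k for k in required if k not in entries]


def unresolved_placeholders(entries, skip_runtime=True):
    """Map keyword -> sorted @name@ tokens still present in its value.

    With skip_runtime=True, tokens spelled @__NAME__@ are left out: the
    assumption is that those (e.g. @__BITS__@) are filled in when a command
    is actually run, whereas @hsm_appid@ should already have been replaced
    by configure_etc.sh from the config.xml option values.
    """
    found = {}
    for key, value in entries.items():
        names = {n for n in PLACEHOLDER_RE.findall(value)
                 if not (skip_runtime and n.startswith("__"))}
        if names:
            found[key] = sorted(names)
    return found


def audit(text, required=HSM_KEYWORDS):
    """Run both checks over a ca.conf text and return the findings."""
    entries = parse_conf(text)
    return {
        "missing": missing_keywords(entries, required),
        "unresolved": unresolved_placeholders(entries),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CA_CONF)
    for key in report["missing"]:
        print(f"missing keyword: {key}")
    for key, names in report["unresolved"].items():
        print(f"{key}: unresolved placeholder(s) {', '.join(names)}")
```

Run against the excerpt, the parser finds all six keywords (so a reader that honours the `##` comment rule has no reason to miss `opensslEngineArg`), but every HSM line still carries `@hsm_appid@`; that is the kind of discrepancy worth confirming before digging further into HTML.pm.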



OpenCA-Devel mailing list
https://lists.sourceforge.net/lists/listinfo/openca-devel