Hello Martin,
We are configuring OpenCA with an nCipher, but after running the command openca_start, this error message appears:
Configuration error: Cannot initialize cryptographic layer (configurationfile /usr/local/OpenCA/etc/token.xml)!Cannot create new OpenCA Token object.
Configuration error: 7123080
All we have done is execute the commands you wrote for the openca_guide:
1. initialize security world
* switch HSM to 'initialize' mode
* reset the module: /opt/nfast/bin/nopclearfail -c -m 1
* /opt/nfast/bin/newworld --initialize --acs-quorum 2/3
* switch HSM to 'operational' mode
* reset the module: /opt/nfast/bin/nopclearfail -c -m 1
2. verify that the security world has been created
* /opt/nfast/bin/nfkminfo
3. initialize Root CA operator card set
* /opt/nfast/bin/createocs --name=OpenCA --ocs-quorum=2/3 -m 1 -s 0
4. verify that the operator card set has been created
* /opt/nfast/bin/nfkminfo -c
5. create Root CA key
* /opt/nfast/bin/generatekey2 --cardset=OpenCA hwcrhk
6. verify that the root key has been created
* /opt/nfast/bin/nfkminfo -k
Until here everything is OK.
The config.xml file we have is attached to the present email message.
Then we run openca_start and the mentioned error appears.
What's wrong?
Thanks a lot,
Johnny
<openca>
<token_config>
<default_token>OpenCA</default_token>
<token>
<name>OpenCA</name>
<type>nCipher</type>
<!--
If the token supports sessions then you can use session
and daemon too:
session - token will be logged out at end of session
daemon - token will only be logged out explicitly
-->
<mode>session</mode>
<option>
<name>SHELL</name>
<value>/usr/bin/openssl</value>
</option>
<option>
<option>
<name>NFAST_HOME</name>
<value>/opt/nfast</value>
</option>
<name>WRAPPER</name>
<value>/opt/nfast/bin/with-nfast -M</value>
</option>
<option>
<name>KEY</name>
<value>rsa-rootkey</value>
</option>
<option>
<name>PASSWD_PARTS</name>
<value>1</value>
</option>
<option>
<name>PEM_CERT</name>
<value>/usr/local/OpenCA/var/crypto/cacerts/cacert.pem</value>
</option>
<option>
<name>DER_CERT</name>
<value>/usr/local/OpenCA/var/crypto/cacerts/cacert.der</value>
</option>
<option>
<name>TXT_CERT</name>
<value>/usr/local/OpenCA/var/crypto/cacerts/cacert.txt</value>
</option>
<option>
<name>CHAIN</name>
<value>/usr/local/OpenCA/var/crypto/chain</value>
</option>
<option>
<name>OPENCA_SV</name>
<value>/usr/local/bin/openca-sv</value>
</option>
<option>
<name>TMPDIR</name>
<value>/usr/local/OpenCA/var/tmp</value>
</option>
<option>
<name>CONFIG</name>
<value>/usr/local/OpenCA/etc/openssl/openssl.cnf</value>
</option>
<option>
<name>RANDFILE</name>
<value>/usr/local/OpenCA/var/crypto/.rand</value>
</option>
<option>
<name>DEBUG</name>
<value>0</value>
</option>
</token>
<token>
<name>BP</name>
<type>OpenSSL</type>
<mode>standby</mode>
<option>
<name>SHELL</name>
<value>/usr/bin/openssl</value>
</option>
<option>
<name>WRAPPER</name>
<value></value>
</option>
<option>
<name>KEY</name>
<value>/usr/local/OpenCA/var/crypto/keys/bp_key.pem</value>
</option>
<option>
<name>PASSWD_PARTS</name>
<value>1</value>
</option>
<option>
<name>PEM_CERT</name>
<value>/usr/local/OpenCA/var/crypto/cacerts/bp_cert.pem</value>
</option>
<option>
<name>OPENCA_SV</name>
<value>/usr/local/bin/openca-sv</value>
</option>
<option>
<name>TMPDIR</name>
<value>/usr/local/OpenCA/var/tmp</value>
</option>
<option>
<name>CONFIG</name>
<value>/usr/local/OpenCA/etc/openssl/openssl.cnf</value>
</option>
<option>
<name>RANDFILE</name>
<value>/usr/local/OpenCA/var/crypto/.rand</value>
</option>
<option>
<name>DEBUG</name>
<value>0</value>
</option>
</token>
<token>
<name>KEYBACKUP</name>
<type>OpenSSL</type>
<mode>standby</mode>
<option>
<name>SHELL</name>
<value>/usr/bin/openssl</value>
</option>
<option>
<name>WRAPPER</name>
<value></value>
</option>
<option>
<name>KEY</name>
<value>/usr/local/OpenCA/var/crypto/keys/keybackup_key.pem</value>
</option>
<option>
<name>PASSWD_PARTS</name>
<value>1</value>
</option>
<option>
<name>PEM_CERT</name>
<value>/usr/local/OpenCA/var/crypto/cacerts/keybackup_cert.pem</value>
</option>
<option>
<name>OPENCA_SV</name>
<value>/usr/local/bin/openca-sv</value>
</option>
<option>
<name>TMPDIR</name>
<value>/usr/local/OpenCA/var/tmp</value>
</option>
<option>
<name>CONFIG</name>
<value>/usr/local/OpenCA/etc/openssl/openssl.cnf</value>
</option>
<option>
<name>RANDFILE</name>
<value>/usr/local/OpenCA/var/crypto/.rand</value>
</option>
<option>
<name>DEBUG</name>
<value>0</value>
</option>
</token>
<token>
<name>LOG</name>
<type>OpenSSL</type>
<!--
If the token supports sessions then you can use session
and daemon too:
session - token will be logged out at end of session
daemon - token will only be logged out explicitly
-->
<mode>standby</mode>
<option>
<name>SHELL</name>
<value>/usr/bin/openssl</value>
</option>
<option>
<name>WRAPPER</name>
<value></value>
</option>
<option>
<name>KEY</name>
<value>/usr/local/OpenCA/var/crypto/keys/log_key.pem</value>
</option>
<option>
<name>PASSWD_PARTS</name>
<value>1</value>
</option>
<option>
<name>PEM_CERT</name>
<value>/usr/local/OpenCA/var/crypto/cacerts/log_cert.pem</value>
</option>
<option>
<name>CHAIN</name>
<value>/usr/local/OpenCA/var/crypto/chain</value>
</option>
<option>
<name>OPENCA_SV</name>
<value>/usr/local/bin/openca-sv</value>
</option>
<option>
<name>TMPDIR</name>
<value>/usr/local/OpenCA/var/tmp</value>
</option>
<option>
<name>CONFIG</name>
<value>/usr/local/OpenCA/etc/openssl/openssl.cnf</value>
</option>
<option>
<name>RANDFILE</name>
<value>/usr/local/OpenCA/var/crypto/.rand</value>
</option>
<option>
<name>DEBUG</name>
<value>0</value>
</option>
</token>
<!--
This is an example for Chrysalis-ITS Luna CA3.
The slot and appid are numbers and the slot must
be higher than the appid (application ID).
<token>
<name>CA</name>
<type>LunaCA3</type>
<mode>standby</mode>
<option>
<name>SHELL</name>
<value>/usr/bin/openssl</value>
</option>
<option>
<name>WRAPPER</name>
<value></value>
</option>
<option>
<name>UTILITY</name>
<value>this is the place for the utility which comes
with Luna ca3</value>
</option>
<option>
<name>SLOT</name>
<value>19</value>
</option>
<option>
<name>APPID</name>
<value>11</value>
</option>
<option>
<name>LOCK_FILE</name>
<value>/usr/local/OpenCA/var/tmp/ca_hsm_lock</value>
</option>
<option>
<name>OPENCA_SV</name>
<value>/usr/local/bin/openca-sv</value>
</option>
<option>
<name>TMPDIR</name>
<value>/usr/local/OpenCA/var/tmp</value>
</option>
<option>
<name>CONFIG</name>
<value>/usr/local/OpenCA/etc/openssl/openssl.cnf</value>
</option>
<option>
<name>RANDFILE</name>
<value>/usr/local/OpenCA/var/crypto/.rand</value>
</option>
</token>
-->
<!--
This is an example for nCipher nShield modules.
Specification of NFAST_HOME is required (usually /opt/nfast).
WRAPPER defaults to '$NFAST_HOME/bin/with-nfast -M' if
left empty or undefined in token configuration.
KEY is the key ident name of the private key to be used for
private key operations (as reported by nfkminfo -k).
<token>
<name>CA</name>
<type>nCipher</type>
<mode>standby</mode>
<option>
<name>SHELL</name>
<value>/usr/bin/openssl</value>
</option>
<option>
<name>NFAST_HOME</name>
<value>/opt/nfast</value>
</option>
<option>
<name>WRAPPER</name>
<value></value>
</option>
<option>
<name>KEY</name>
<value>rsa-KEYNAME</value>
</option>
<option>
<name>PASSWD_PARTS</name>
<value>1</value>
</option>
<option>
<name>PEM_CERT</name>
<value>/usr/local/OpenCA/var/crypto/cacerts/cacert.pem</value>
</option>
<option>
<name>DER_CERT</name>
<value>/usr/local/OpenCA/var/crypto/cacerts/cacert.der</value>
</option>
<option>
<name>TXT_CERT</name>
<value>/usr/local/OpenCA/var/crypto/cacerts/cacert.txt</value>
</option>
<option>
<name>CHAIN</name>
<value>/usr/local/OpenCA/var/crypto/chain</value>
</option>
<option>
<name>OPENCA_SV</name>
<value>/usr/local/bin/openca-sv</value>
</option>
<option>
<name>TMPDIR</name>
<value>/usr/local/OpenCA/var/tmp</value>
</option>
<option>
<name>CONFIG</name>
<value>/usr/local/OpenCA/etc/openssl/openssl.cnf</value>
</option>
<option>
<name>RANDFILE</name>
<value>/usr/local/OpenCA/var/crypto/.rand</value>
</option>
<option>
<name>DEBUG</name>
<value>0</value>
</option>
</token>
-->
<!--
This is an example for a dynamic engine like OpenSC.
Please notice that pre and post are used with the engine
arguments of OpenSSL's engine command.
<token>
<name>CA</name>
<type>OpenSC</type>
<mode>standby</mode>
<option>
<name>SHELL</name>
<value>/usr/bin/openssl</value>
</option>
<option>
<name>WRAPPER</name>
<value></value>
</option>
<option>
<name>KEY</name>
<value>slot_0-id_45</value>
</option>
<option>
<name>PASSWD_PARTS</name>
<value>1</value>
</option>
<option>
<name>PEM_CERT</name>
<value>/usr/local/OpenCA/var/crypto/cacerts/cacert.pem</value>
</option>
<option>
<name>DER_CERT</name>
<value>/usr/local/OpenCA/var/crypto/cacerts/cacert.der</value>
</option>
<option>
<name>TXT_CERT</name>
<value>/usr/local/OpenCA/var/crypto/cacerts/cacert.txt</value>
</option>
<option>
<name>CHAIN</name>
<value>/usr/local/OpenCA/var/crypto/chain</value>
</option>
<option>
<name>OPENCA_SV</name>
<value>/usr/local/bin/openca-sv</value>
</option>
<option>
<name>TMPDIR</name>
<value>/usr/local/OpenCA/var/tmp</value>
</option>
<option>
<name>CONFIG</name>
<value>/usr/local/OpenCA/etc/openssl/openssl.cnf</value>
</option>
<option>
<name>RANDFILE</name>
<value>/usr/local/OpenCA/var/crypto/.rand</value>
</option>
<option>
<name>ENGINE</name>
<value>pkcs11</value>
</option>
<option>
<name>PRE_ENGINE</name>
<value>SO_PATH:/usr/local/lib/opensc/engine_pkcs11.so</value>
</option>
<option>
<name>PRE_ENGINE</name>
<value>ID:pkcs11</value>
</option>
<option>
<name>PRE_ENGINE</name>
<value>LIST_ADD:1</value>
</option>
<option>
<name>PRE_ENGINE</name>
<value>LOAD</value>
</option>
<option>
<name>PRE_ENGINE</name>
<value>MODULE_PATH:/usr/local/lib/pkcs11/opensc-pkcs11.so</value>
</option>
<option>
<name>CARDDRIVER</name>
<value>flex</value>
</option>
<option>
<name>CARDREADER</name>
<value>0</value>
</option>
<option>
<name>PKCS15_INIT</name>
<value>/usr/local/bin/pkcs15-init</value>
</option>
<option>
<name>PKCS15_TOOL</name>
<value>/usr/local/bin/pkcs15-tool</value>
</option>
<option>
<name>OPENSC_TOOL</name>
<value>/usr/local/bin/opensc-tool</value>
</option>
<option>
<name>DEBUG</name>
<value>1</value>
</option>
</token>
-->
</token_config>
</openca>
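In the attached token.xml, the OpenCA token's NFAST_HOME option sits inside the WRAPPER option rather than beside it, which is the kind of structural slip a parser will not complain about but a token loader may choke on. The script below is an added example, not part of the mail and not OpenCA code: it parses a token.xml, reports options nested inside options, options without exactly one name and value, duplicate options, a default_token that matches no token, and missing per-type options. The list of required options per token type is my own assumption drawn from the comments in the shipped file (nCipher needs NFAST_HOME and KEY); the embedded sample XML is constructed to reproduce the nesting seen in the attachment, and repair_config hoists such nested options to token level on the assumption that sibling placement was intended.

```python
"""Structural checks for an OpenCA token.xml (added example, not OpenCA code)."""
import xml.etree.ElementTree as ET

# Options each token type cannot work without. This list is an assumption
# based on the comments in the shipped token.xml, not an OpenCA schema.
REQUIRED_BY_TYPE = {
    "nCipher": {"SHELL", "NFAST_HOME", "KEY", "PEM_CERT"},
    "OpenSSL": {"SHELL", "KEY", "PEM_CERT"},
}

# Constructed sample mirroring the mail's attachment: NFAST_HOME nested in WRAPPER.
SAMPLE_TOKEN_XML = """<openca>
<token_config>
<default_token>OpenCA</default_token>
<token>
<name>OpenCA</name>
<type>nCipher</type>
<mode>session</mode>
<option><name>SHELL</name><value>/usr/bin/openssl</value></option>
<option>
<option><name>NFAST_HOME</name><value>/opt/nfast</value></option>
<name>WRAPPER</name><value>/opt/nfast/bin/with-nfast -M</value>
</option>
<option><name>KEY</name><value>rsa-rootkey</value></option>
<option><name>PASSWD_PARTS</name><value>1</value></option>
<option><name>PEM_CERT</name><value>/usr/local/OpenCA/var/crypto/cacerts/cacert.pem</value></option>
</token>
<token>
<name>LOG</name>
<type>OpenSSL</type>
<mode>standby</mode>
<option><name>SHELL</name><value>/usr/bin/openssl</value></option>
<option><name>KEY</name><value>/usr/local/OpenCA/var/crypto/keys/log_key.pem</value></option>
<option><name>PEM_CERT</name><value>/usr/local/OpenCA/var/crypto/cacerts/log_cert.pem</value></option>
</token>
</token_config>
</openca>
"""


def check_token(token):
    """Return human-readable findings for one <token> element."""
    findings = []
    name = token.findtext("name", "<unnamed>")
    ttype = token.findtext("type", "")
    seen = {}
    for opt in token.findall("option"):          # direct children only
        nested = opt.findall("option")
        if nested:
            inner = ", ".join(n.findtext("name", "?") for n in nested)
            findings.append(f"token {name}: <option> nested inside <option> (holds {inner})")
        names = opt.findall("name")
        values = opt.findall("value")
        if len(names) != 1 or len(values) != 1:
            findings.append(f"token {name}: option must have exactly one <name> and one "
                            f"<value>, got {len(names)}/{len(values)}")
            continue
        oname = (names[0].text or "").strip()
        # PRE_ENGINE is legitimately repeated in the OpenSC example
        if oname in seen and oname != "PRE_ENGINE":
            findings.append(f"token {name}: option {oname} defined twice")
        seen[oname] = (values[0].text or "").strip()
    for req in sorted(REQUIRED_BY_TYPE.get(ttype, set())):
        if req not in seen:
            findings.append(f"token {name}: type {ttype} requires option {req}")
    return findings


def check_config(xml_text):
    """Parse a whole token.xml and return all findings (empty list means clean)."""
    cfg = ET.fromstring(xml_text).find("token_config")   # XML comments are dropped
    if cfg is None:
        return ["no <token_config> element"]
    findings = []
    tokens = cfg.findall("token")
    default = cfg.findtext("default_token")
    if default not in [t.findtext("name") for t in tokens]:
        findings.append(f"default_token {default!r} does not match any <token>")
    for token in tokens:
        findings.extend(check_token(token))
    return findings


def lift_nested_options(token):
    """Hoist <option> elements found inside another <option> to token level."""
    moved = 0
    for opt in list(token.findall("option")):
        for inner in list(opt.findall("option")):
            opt.remove(inner)
            token.append(inner)
            moved += 1
    return moved


def repair_config(xml_text):
    """Apply lift_nested_options to every token and re-check; returns (moved, findings)."""
    root = ET.fromstring(xml_text)
    moved = sum(lift_nested_options(t) for t in root.iter("token"))
    return moved, check_config(ET.tostring(root, encoding="unicode"))


if __name__ == "__main__":
    for line in check_config(SAMPLE_TOKEN_XML):
        print(line)
    print("after repair:", repair_config(SAMPLE_TOKEN_XML))
```

Run against the sample, the checker reports both the nesting and, because the nested NFAST_HOME is invisible at token level, a missing NFAST_HOME for the nCipher token; after hoisting, the same file checks clean. Pointing it at the real /usr/local/OpenCA/etc/token.xml before openca_start is a cheap first step whenever the token layer refuses to initialise.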