Hi Johnny,

> ./openca_start
> Configuration error: Cannot initialize cryptographic
> layer (configuration file
> /usr/local/OpenCA/etc/token.xml)! The requested token
> is not configured (OpenSSL).
> Configuration error: 7123090
>
> What is it supossed to be in the configuration of the
> OpenSSL token?

It is not sufficient to have only a single token in the token.xml
file. Many parts of OpenCA need a usable token configuration, so you
must also define a software (OpenSSL) token that is always available to
the system and make the Default token point to it.

My recommendation:
- start with the stock token.xml as shipped with OpenCA
- change the preconfigured CA token configuration to refer to
  the nCipher token as in your current configuration
- make sure that the CA token is *not* the default token; if necessary
  copy a software token configuration, name it "Software" and point the
  Default token to it. The default token is what the rest of OpenCA falls
  back to, so it should never be the HSM-backed CA signing key.

I am using the attached file successfully on a production server
with an nShield module.

Hope this helps.

Martin

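<?xml version="1.0" encoding="UTF-8"?>
<!--
    OpenCA token configuration (token.xml).

    Every cryptographic operation in OpenCA goes through a named token.
    The Default token is used wherever a caller does not ask for a
    specific token, so it must be a software (OpenSSL) token that is
    always available, and it must NOT be the HSM backed CA token.

    Token modes (the <mode> element of each token):
        standby - the normal mode; works for every token type
        session - token is logged out at the end of the session
        daemon  - token is only logged out explicitly
    session and daemon are only usable with token types that support
    sessions (e.g. HSMs).

    Option names that recur in every token:
        SHELL        absolute path of the openssl binary to run
        WRAPPER      optional wrapper command put in front of SHELL
                     (empty here)
        KEY          private key: a file path for OpenSSL tokens, a key
                     identifier for HSM or smartcard backed tokens
        PASSWD_PARTS presumably the number of passphrase parts asked for
                     at login; 1 means a single passphrase. Verify against
                     the OpenCA documentation before changing it.
        PEM_CERT, DER_CERT, TXT_CERT, CHAIN
                     certificate of the token in the given encodings and
                     the directory holding the chain
        OPENCA_SV    absolute path of the openca-sv helper
        TMPDIR       scratch directory used by the token
        CONFIG       openssl.cnf used for this token
        RANDFILE     seed file handed to openssl
        DEBUG        0 = off

    Security notes (review):
      * The Software token points KEY at the CA key file on disk
        (cakey.pem) and shares PEM_CERT with the nShield backed CA token,
        i.e. it is a copy of the software CA configuration. When the real
        CA key lives in the nShield, no plaintext copy of it should exist
        on this host; if cakey.pem still exists, move it off the host or
        point this KEY at a separate, non CA key.
      * RANDFILE, TMPDIR and the keys directory are shared by all tokens.
        Keep them owned by the OpenCA user and neither readable nor
        writable by other users; anything under var/crypto/keys is a
        plaintext protected private key.
      * SHELL, OPENCA_SV and the smartcard tool paths are all absolute.
        Keep them that way so a changed PATH cannot substitute a
        different binary.
      * The commented out examples at the end are templates only; a
        parser ignores comments, so nothing in them is active.
-->
<openca>
    <token_config>
        <!-- Must name a software token, never the CA token. -->
        <default_token>Software</default_token>

        <!--
            Generic software token; the default for everything that does
            not ask for a specific token. See the security note at the
            top: KEY and PEM_CERT currently reference the CA key and
            certificate files.
        -->
        <token>
            <name>Software</name>
            <type>OpenSSL</type>
            <mode>standby</mode>
            <option>
                <name>DEBUG</name>
                <value>0</value>
            </option>
            <option>
                <name>SHELL</name>
                <value>/usr/local/bin/openssl</value>
            </option>
            <option>
                <name>WRAPPER</name>
                <value></value>
            </option>
            <option>
                <name>KEY</name>
                <value>/usr/local/openca-0.9.2/var/crypto/keys/cakey.pem</value>
            </option>
            <option>
                <name>PASSWD_PARTS</name>
                <value>1</value>
            </option>
            <option>
                <name>PEM_CERT</name>
                <value>/usr/local/openca-0.9.2/var/crypto/cacerts/cacert.pem</value>
            </option>
            <option>
                <name>DER_CERT</name>
                <value>/usr/local/openca-0.9.2/var/crypto/cacerts/cacert.der</value>
            </option>
            <option>
                <name>TXT_CERT</name>
                <value>/usr/local/openca-0.9.2/var/crypto/cacerts/cacert.txt</value>
            </option>
            <option>
                <name>CHAIN</name>
                <value>/usr/local/openca-0.9.2/var/crypto/chain</value>
            </option>
            <option>
                <name>OPENCA_SV</name>
                <value>/usr/local/bin/openca-sv</value>
            </option>
            <option>
                <name>TMPDIR</name>
                <value>/usr/local/openca-0.9.2/var/tmp</value>
            </option>
            <option>
                <name>CONFIG</name>
                <value>/usr/local/openca-0.9.2/etc/openssl/openssl.cnf</value>
            </option>
            <option>
                <name>RANDFILE</name>
                <value>/usr/local/openca-0.9.2/var/crypto/.rand</value>
            </option>
        </token>

        <!--
            CA signing token backed by an nCipher nShield.
            KEY is the name of the key inside the nShield security world,
            not a file path; NFAST_HOME is the nCipher software install
            directory. The certificate files are ordinary files on disk.
            NOTE(review): the key name contains "uat"; confirm that this
            identifier really is the intended production CA key before
            reusing this file.
        -->
        <token>
            <name>CA</name>
            <type>nCipher</type>
            <mode>standby</mode>
            <option>
                <name>DEBUG</name>
                <value>0</value>
            </option>
            <option>
                <name>SHELL</name>
                <value>/usr/local/bin/openssl</value>
            </option>
            <option>
                <name>NFAST_HOME</name>
                <value>/opt/nfast</value>
            </option>
            <option>
                <name>WRAPPER</name>
                <value></value>
            </option>
            <option>
                <name>KEY</name>
                <value>rsa-uatlevel2key01</value>
            </option>
            <option>
                <name>PASSWD_PARTS</name>
                <value>1</value>
            </option>
            <option>
                <name>PEM_CERT</name>
                <value>/usr/local/openca-0.9.2/var/crypto/cacerts/cacert.pem</value>
            </option>
            <option>
                <name>DER_CERT</name>
                <value>/usr/local/openca-0.9.2/var/crypto/cacerts/cacert.der</value>
            </option>
            <option>
                <name>TXT_CERT</name>
                <value>/usr/local/openca-0.9.2/var/crypto/cacerts/cacert.txt</value>
            </option>
            <option>
                <name>CHAIN</name>
                <value>/usr/local/openca-0.9.2/var/crypto/chain</value>
            </option>
            <option>
                <name>OPENCA_SV</name>
                <value>/usr/local/bin/openca-sv</value>
            </option>
            <option>
                <name>TMPDIR</name>
                <value>/usr/local/openca-0.9.2/var/tmp</value>
            </option>
            <option>
                <name>CONFIG</name>
                <value>/usr/local/openca-0.9.2/etc/openssl/openssl.cnf</value>
            </option>
            <option>
                <name>RANDFILE</name>
                <value>/usr/local/openca-0.9.2/var/crypto/.rand</value>
            </option>
        </token>

        <!--
            BP token (presumably the batch processor); software key and
            certificate on disk.
        -->
        <token>
            <name>BP</name>
            <type>OpenSSL</type>
            <mode>standby</mode>
            <option>
                <name>SHELL</name>
                <value>/usr/local/bin/openssl</value>
            </option>
            <option>
                <name>WRAPPER</name>
                <value></value>
            </option>
            <option>
                <name>KEY</name>
                <value>/usr/local/openca-0.9.2/var/crypto/keys/bp_key.pem</value>
            </option>
            <option>
                <name>PASSWD_PARTS</name>
                <value>1</value>
            </option>
            <option>
                <name>PEM_CERT</name>
                <value>/usr/local/openca-0.9.2/var/crypto/cacerts/bp_cert.pem</value>
            </option>
            <option>
                <name>OPENCA_SV</name>
                <value>/usr/local/bin/openca-sv</value>
            </option>
            <option>
                <name>TMPDIR</name>
                <value>/usr/local/openca-0.9.2/var/tmp</value>
            </option>
            <option>
                <name>CONFIG</name>
                <value>/usr/local/openca-0.9.2/etc/openssl/openssl.cnf</value>
            </option>
            <option>
                <name>RANDFILE</name>
                <value>/usr/local/openca-0.9.2/var/crypto/.rand</value>
            </option>
        </token>

        <!--
            KEYBACKUP token; software key and certificate on disk.
            NOTE(review): if this key is what protects key backups, losing
            it makes those backups unrecoverable; keep an offline copy of
            keybackup_key.pem under separate control.
        -->
        <token>
            <name>KEYBACKUP</name>
            <type>OpenSSL</type>
            <mode>standby</mode>
            <option>
                <name>SHELL</name>
                <value>/usr/local/bin/openssl</value>
            </option>
            <option>
                <name>WRAPPER</name>
                <value></value>
            </option>
            <option>
                <name>KEY</name>
                <value>/usr/local/openca-0.9.2/var/crypto/keys/keybackup_key.pem</value>
            </option>
            <option>
                <name>PASSWD_PARTS</name>
                <value>1</value>
            </option>
            <option>
                <name>PEM_CERT</name>
                <value>/usr/local/openca-0.9.2/var/crypto/cacerts/keybackup_cert.pem</value>
            </option>
            <option>
                <name>OPENCA_SV</name>
                <value>/usr/local/bin/openca-sv</value>
            </option>
            <option>
                <name>TMPDIR</name>
                <value>/usr/local/openca-0.9.2/var/tmp</value>
            </option>
            <option>
                <name>CONFIG</name>
                <value>/usr/local/openca-0.9.2/etc/openssl/openssl.cnf</value>
            </option>
            <option>
                <name>RANDFILE</name>
                <value>/usr/local/openca-0.9.2/var/crypto/.rand</value>
            </option>
        </token>

        <!--
            LOG token; software key and certificate on disk, with a
            chain directory like the CA tokens.
        -->
        <token>
            <name>LOG</name>
            <type>OpenSSL</type>
            <mode>standby</mode>
            <option>
                <name>SHELL</name>
                <value>/usr/local/bin/openssl</value>
            </option>
            <option>
                <name>WRAPPER</name>
                <value></value>
            </option>
            <option>
                <name>KEY</name>
                <value>/usr/local/openca-0.9.2/var/crypto/keys/log_key.pem</value>
            </option>
            <option>
                <name>PASSWD_PARTS</name>
                <value>1</value>
            </option>
            <option>
                <name>PEM_CERT</name>
                <value>/usr/local/openca-0.9.2/var/crypto/cacerts/log_cert.pem</value>
            </option>
            <option>
                <name>CHAIN</name>
                <value>/usr/local/openca-0.9.2/var/crypto/chain</value>
            </option>
            <option>
                <name>OPENCA_SV</name>
                <value>/usr/local/bin/openca-sv</value>
            </option>
            <option>
                <name>TMPDIR</name>
                <value>/usr/local/openca-0.9.2/var/tmp</value>
            </option>
            <option>
                <name>CONFIG</name>
                <value>/usr/local/openca-0.9.2/etc/openssl/openssl.cnf</value>
            </option>
            <option>
                <name>RANDFILE</name>
                <value>/usr/local/openca-0.9.2/var/crypto/.rand</value>
            </option>
        </token>

        <!--
            Example (inactive) for a Chrysalis-ITS Luna CA3 as CA token.
            The slot and appid are numbers and the slot must be higher
            than the appid (application ID). UTILITY must be the absolute
            path of the Luna utility; LOCK_FILE serialises access to the
            HSM and lives in TMPDIR, so TMPDIR must not be writable by
            other users.
        <token>
            <name>CA</name>
            <type>LunaCA3</type>
            <mode>standby</mode>
            <option>
                <name>SHELL</name>
                <value>/usr/local/bin/openssl</value>
            </option>
            <option>
                <name>WRAPPER</name>
                <value></value>
            </option>
            <option>
                <name>UTILITY</name>
                <value>this is the place for the utility which comes with Luna ca3</value>
            </option>
            <option>
                <name>SLOT</name>
                <value>19</value>
            </option>
            <option>
                <name>APPID</name>
                <value>11</value>
            </option>
            <option>
                <name>LOCK_FILE</name>
                <value>/usr/local/openca-0.9.2/var/tmp/ca_hsm_lock</value>
            </option>
            <option>
                <name>OPENCA_SV</name>
                <value>/usr/local/bin/openca-sv</value>
            </option>
            <option>
                <name>TMPDIR</name>
                <value>/usr/local/openca-0.9.2/var/tmp</value>
            </option>
            <option>
                <name>CONFIG</name>
                <value>/usr/local/openca-0.9.2/etc/openssl/openssl.cnf</value>
            </option>
            <option>
                <name>RANDFILE</name>
                <value>/usr/local/openca-0.9.2/var/crypto/.rand</value>
            </option>
        </token>
        -->

        <!--
            Example (inactive) for a dynamic OpenSSL engine such as OpenSC.
            The PRE_ENGINE options are passed, in order, as the pre
            arguments of OpenSSL's engine command. The shared objects named
            in SO_PATH and MODULE_PATH are loaded into the openssl process,
            so they must be root owned and not writable by other users;
            an attacker who can replace either library controls every
            operation done with this token.
            (The CHAIN path below previously read var/var/crypto; fixed.)
        <token>
            <name>CA</name>
            <type>OpenSC</type>
            <mode>standby</mode>
            <option>
                <name>SHELL</name>
                <value>/usr/local/bin/openssl</value>
            </option>
            <option>
                <name>WRAPPER</name>
                <value></value>
            </option>
            <option>
                <name>KEY</name>
                <value>slot_0-id_45</value>
            </option>
            <option>
                <name>PASSWD_PARTS</name>
                <value>1</value>
            </option>
            <option>
                <name>PEM_CERT</name>
                <value>/usr/local/openca-0.9.2/var/crypto/cacerts/cacert.pem</value>
            </option>
            <option>
                <name>DER_CERT</name>
                <value>/usr/local/openca-0.9.2/var/crypto/cacerts/cacert.der</value>
            </option>
            <option>
                <name>TXT_CERT</name>
                <value>/usr/local/openca-0.9.2/var/crypto/cacerts/cacert.txt</value>
            </option>
            <option>
                <name>CHAIN</name>
                <value>/usr/local/openca-0.9.2/var/crypto/chain</value>
            </option>
            <option>
                <name>OPENCA_SV</name>
                <value>/usr/local/bin/openca-sv</value>
            </option>
            <option>
                <name>TMPDIR</name>
                <value>/usr/local/openca-0.9.2/var/tmp</value>
            </option>
            <option>
                <name>CONFIG</name>
                <value>/usr/local/openca-0.9.2/etc/openssl/openssl.cnf</value>
            </option>
            <option>
                <name>RANDFILE</name>
                <value>/usr/local/openca-0.9.2/var/crypto/.rand</value>
            </option>
            <option>
                <name>ENGINE</name>
                <value>pkcs11</value>
            </option>
            <option>
                <name>PRE_ENGINE</name>
                <value>SO_PATH:/usr/local/lib/opensc/engine_pkcs11.so</value>
            </option>
            <option>
                <name>PRE_ENGINE</name>
                <value>ID:pkcs11</value>
            </option>
            <option>
                <name>PRE_ENGINE</name>
                <value>LIST_ADD:1</value>
            </option>
            <option>
                <name>PRE_ENGINE</name>
                <value>LOAD</value>
            </option>
            <option>
                <name>PRE_ENGINE</name>
                <value>MODULE_PATH:/usr/local/lib/pkcs11/opensc-pkcs11.so</value>
            </option>
            <option>
                <name>CARDDRIVER</name>
                <value>flex</value>
            </option>
            <option>
                <name>CARDREADER</name>
                <value>0</value>
            </option>
            <option>
                <name>PKCS15_INIT</name>
                <value>/usr/local/bin/pkcs15-init</value>
            </option>
            <option>
                <name>PKCS15_TOOL</name>
                <value>/usr/local/bin/pkcs15-tool</value>
            </option>
            <option>
                <name>OPENSC_TOOL</name>
                <value>/usr/local/bin/opensc-tool</value>
            </option>
            <option>
                <name>DEBUG</name>
                <value>0</value>
            </option>
        </token>
        -->
    </token_config>
</openca>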
