Hi Johnny,

> Regarding the problem I told you before, high times
> issuing certificates with the nCipher and problem
> issuing certificates with bp)

first of all sorry for the late reply, I was pretty busy
with production issues lately...

If I understood you correctly, you are facing at least two problems:
1. certificate issuance takes a long time
2. the Batch Processor fails to issue more than the first certificate
   of a batch job

I don't think these two have the same cause. Do I understand you
correctly that the logfile below shows problem 2?

Let's see:

> NFastApp_Connect failed: Permission denied
> OpenCA::Token::OpenSSL->nCipher enquiry: hardserver is
> not running

The first line is from the nCipher enquiry command. 'Permission
denied' seems to be pretty clear...
Checks for you to perform:
- 'su' to the OpenCA user
- run '/opt/nfast/bin/enquiry'
- check output, among other information it should report that the
  Server and the Module are both 'operational'

The enquiry command is read-only, so every Unix user should be able
to run it without problems. It fails if the 'hardserver' process
is not running or if it has a problem.
(I recently had a similar problem: the hardware seemed to have locked up,
either the SCSI controller or the module. Enquiry was reporting
an operative hardserver daemon but did not find any modules.
Restarting /etc/init.d/nfast did not work.
Stopping it, unloading the 'sg' kernel module and starting it again
worked, though. You might want to try it.)

The second line of the above error message is from the OpenCA
nCipher Token module, it indicates that it was unable to execute
the 'enquiry' command to determine the nShield module status.
If this is the case, OpenCA will be unable to 'login' to the nCipher
module and all private key operations with it will fail.

The interesting question is: why does it work with the first certificate
and fail from then on?

Questions:
- can you repeatedly issue certificates and CRLs manually (from the
  web interface, not via the BP)?
- after running the BP and experiencing the problem:
  - does running the BP again result in the same behaviour (first
    cert issued, rest fails)?
  - is it possible to issue certificates manually after the problem
    was encountered?

> If I take out the NFAST_DEBUGFILE variable I get these
> messages:
>
>
> (process 1: lines 7372 to 12162; process 2: lines 18147 to 19365)
> OpenCA::Token::OpenSSL->Key information summary
> OpenCA::Token::OpenSSL->Key rsa-rootkey:
> OpenCA::Token::OpenSSL->  Type: RSAPrivate (2048 bit)
> OpenCA::Token::OpenSSL->  OCS name: RootCA
> OpenCA::Token::OpenSSL->  OCS hash:
> 6d5bce32327db1c63805557d4f15ed0c9aa7b521
> OpenCA::Token::OpenSSL->  OCS type: ephemeral
> OpenCA::Token::OpenSSL->  OCS quorum: 2/6
> OpenCA::Token::OpenSSL->  OCS timeout: 0
> OpenCA::Token::OpenSSL->Verify if key ocs object hash
> 6d5bce32327db1c63805557d4f15ed0c9aa7b521 is
> preloaded
> OpenCA::Token::OpenSSL->Key seems to be usable
> ...
> Loading tokens and/or keys on Module#1, ESN
> B209-0B75-B420
> NFast_Disconnect app=0x80d9b10; conn=0x80d9d00;
> time=1119974052

this looks good...

> 0 cardset(s) and 0 key(s) loaded, in total across all
> module(s).
> Executing /usr/bin/openssl ...
>
> can't use that engine
> 3070:error:81067072:hwcrhk engine:HWCRHK_INIT:dynamic
> locking
> missing:hw_ncipher.c:584:You HAVE to add dynamic
> locking callbacks via
> CRYPTO_set_dynlock_{create,lock,destroy}_callback()
> 3070:error:81067071:hwcrhk engine:HWCRHK_INIT:unit
> failure:hw_ncipher.c:602:
> 3070:error:260B806D:engine
> routines:ENGINE_TABLE_REGISTER:init
> failed:eng_table.c:182:
> Using configuration from
> /usr/local/ca/OpenCA/etc/openssl/openssl/User.conf
> no engine specified
> unable to load CA private key
> error in ca

Question: are you using OpenSSL 0.9.8 (cvs snapshot)? The error message
looks a lot like you are trying to use OpenSSL Dynamic Engine support.
Dynamic Engine for nCipher is not supported in OpenCA up to and
including 0.9.2.2.
IF you are using OpenSSL 0.9.8, you HAVE to use the nCipher module
from CVS Head of the 0.9.2 branch and include a statement like this
in your token.xml file for the nCipher token:
<option>
  <name>PRE_ENGINE</name>
  <value>SO_PATH:/usr/local/openssl-snap/lib/engines/libncipher.so</value>
</option>


Finally the good news, concerning the long delay before private key
operations I found a small bug in the nCipher module that I will fix
today in CVS.
I'll follow up with a mail to the list about this.

Sorry for the fuzz,

Martin
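As an added example (not part of Martin's mail, nor OpenCA's or nCipher's own code), a small POSIX shell check that automates the enquiry steps from the mail: it reads the output of /opt/nfast/bin/enquiry and succeeds only when both the Server section and a Module section report mode operational. The enquiry output layout is assumed from memory and the two sample outputs are constructed; the "hardserver up, no module" sample mirrors the lock-up Martin describes.

```shell
#!/bin/sh
# Added example: verify that hardserver and module both report
# 'operational' in nCipher enquiry output (layout assumed, not copied
# from the mail). Reads enquiry output on stdin; exit 0 only if the
# Server section and at least one Module section are operational.
check_enquiry() {
    awk '
        /^Server:/           { section = "server" }
        /^Module #[0-9]+:/   { section = "module" }
        section == "server" && $1 == "mode" && $2 == "operational" { server_ok = 1 }
        section == "module" && $1 == "mode" && $2 == "operational" { module_ok = 1 }
        END { exit !(server_ok && module_ok) }
    '
}

# Constructed sample: healthy installation (ESN is the one from the mail).
SAMPLE_OK='Server:
 enquiry reply flags  none
 mode                 operational
 version              2.12.2

Module #1:
 enquiry reply flags  none
 mode                 operational
 serial number        B209-0B75-B420'

# Constructed sample: hardserver answers but no module is found, the
# symptom Martin saw before unloading the sg module and restarting nfast.
SAMPLE_NO_MODULE='Server:
 enquiry reply flags  none
 mode                 operational
 version              2.12.2'

# Live check, to be run as the OpenCA user (path from the mail).
# Does nothing when the nCipher software is not installed.
if [ -x /opt/nfast/bin/enquiry ]; then
    if /opt/nfast/bin/enquiry 2>&1 | check_enquiry; then
        echo "hardserver and module operational"
    else
        echo "enquiry check failed: hardserver down, no module, or permission denied"
    fi
fi
```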



Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users