Hi everybody!
I have an openca samba installation on RHE5 and a HSM LunaCA4! I want to
configure openca to use the HSM and I have so many problems and questions! ;-)
1- Is there any detailed documentation about configuring a HSM with openca?
2- I changed token.xml to use the CA token (the HSM in fact) as the default token in
daemon mode! Is that correct? Because I read somewhere that I have to define a
default token that is not the HSM for further usages and only define the CA token as
HSM!
3- I already configured the lunaca engine with openssl and I can use openssl to
log in to the HSM and generate a key, but how can I do it with openca?
4- In the perl modules, in "lunaca3.pm", there is a function called "online" and it's
mentioned there that we have to check somehow to see if the HSM is online! I think if we
are already logged in to the HSM then we are online! I can check that with the HSM
utilities! No problem! But in "Crypto.pm", in the "usetoken" method, it seems that it
never calls the token online method for the Luna token! This is part of the debug
information:
OpenCA::Crypto->getToken: entering function
>OpenCA::Crypto->getToken: CA
>OpenCA::Crypto->getToken: token added
>OpenCA::Crypto->getToken: token is present
>CA_OpenApplicationID: failed to open application id. err 0x20
> invalid slot id or app id already open?
>PKI Master Alert: OpenCA::Token::LunaCA3 error
>PKI Master Alert: Aborting all operations
>PKI Master Alert: Error: 65280
>PKI Master Alert: Message:
>PKI Master Alert: debugging messages of empty token follow
>OpenCA::Crypto->setError: errno: 7121040
>OpenCA::Crypto->setError: errval: The token is not usable.
>OpenCA::Crypto->getToken: entering function
>OpenCA::Crypto->getToken: CA
>OpenCA::Crypto->getToken: token added
>OpenCA::Crypto->getToken: token is present
>CA_OpenApplicationID: failed to open application id. err 0x20
> invalid slot id or app id already open?
>PKI Master Alert: OpenCA::Token::LunaCA3 error
>PKI Master Alert: Aborting all operations
>PKI Master Alert: Error: 65280
>PKI Master Alert: Message:
>PKI Master Alert: debugging messages of empty token follow
>OpenCA::Crypto->setError: errno: 7121040
>OpenCA::Crypto->setError: errval: The token is not usable.
>OpenCA::Crypto->getToken: entering function
>OpenCA::Crypto->getToken: CA
>OpenCA::Crypto->getToken: token added
>OpenCA::Crypto->getToken: token is present
>CA_OpenApplicationID: failed to open application id. err 0x20
> invalid slot id or app id already open?
>PKI Master Alert: OpenCA::Token::LunaCA3 error
>PKI Master Alert: Aborting all operations
>PKI Master Alert: Error: 65280
>PKI Master Alert: Message:
>PKI Master Alert: debugging messages of empty token follow
>OpenCA::Crypto->setError: errno: 7121040
>OpenCA::Crypto->setError: errval: The token is not usable.
>OpenCA::Crypto->getToken: entering function
>OpenCA::Crypto->getToken: CA
>OpenCA::Crypto->getToken: token added
>OpenCA::Crypto->getToken: token is present
>CA_OpenApplicationID: failed to open application id. err 0x20
> invalid slot id or app id already open?
>PKI Master Alert: OpenCA::Token::LunaCA3 error
>PKI Master Alert: Aborting all operations
>PKI Master Alert: Error: 65280
>PKI Master Alert: Message:
>PKI Master Alert: debugging messages of empty token follow
>OpenCA::Crypto->setError: errno: 7121040
>OpenCA::Crypto->setError: errval: The token is not usable.
>OpenCA::Crypto->getToken: entering function
>OpenCA::Crypto->getToken: CA
>OpenCA::Crypto->getToken: token added
>OpenCA::Crypto->getToken: token is present
>CA_OpenApplicationID: failed to open application id. err 0x20
> invalid slot id or app id already open?
>PKI Master Alert: OpenCA::Token::LunaCA3 error
>PKI Master Alert: Aborting all operations
>PKI Master Alert: Error: 65280
>PKI Master Alert: Message:
>PKI Master Alert: debugging messages of empty token follow
>OpenCA::Crypto->setError: errno: 7121040
>OpenCA::Crypto->setError: errval: The token is not usable.
>OpenCA::Crypto->getToken: entering function
>OpenCA::Crypto->getToken: CA
>OpenCA::Crypto->getToken: token added
>OpenCA::Crypto->getToken: token is present
>CA_OpenApplicationID: failed to open application id. err 0x20
> invalid slot id or app id already open?
>PKI Master Alert: OpenCA::Token::LunaCA3 error
>PKI Master Alert: Aborting all operations
>PKI Master Alert: Error: 65280
>PKI Master Alert: Message:
>PKI Master Alert: debugging messages of empty token follow
>OpenCA::Crypto->setError: errno: 7121040
>OpenCA::Crypto->setError: errval: The token is not usable.
>OpenCA::Crypto->getToken: entering function
>OpenCA::Crypto->getToken: CA
>OpenCA::Crypto->getToken: token added
>OpenCA::Crypto->getToken: token is present
>CA_OpenApplicationID: failed to open application id. err 0x20
> invalid slot id or app id already open?
>PKI Master Alert: OpenCA::Token::LunaCA3 error
>PKI Master Alert: Aborting all operations
>PKI Master Alert: Error: 65280
>PKI Master Alert: Message:
>PKI Master Alert: debugging messages of empty token follow
>OpenCA::Crypto->setError: errno: 7121040
>OpenCA::Crypto->setError: errval: The token is not usable
5- In the UI it says that the HSM status is logged out, and when I try to log in to the HSM
it ends with an error that "Cannot initialize Crypto token!The token is not usable",
error no: 7121040
OpenCA::Crypto->newToken: entering function
>OpenCA::Crypto->newToken: argument: OPENCA_SV
>OpenCA::Crypto->newToken: argument: /usr/bin/openca-sv
>OpenCA::Crypto->newToken: argument: UTILITY
>OpenCA::Crypto->newToken: argument: /usr/lunapcm/apache/linux/sautil
>OpenCA::Crypto->newToken: argument: CONFIG
>OpenCA::Crypto->newToken: argument: /opt/etc/openca/openssl/openssl.cnf
>OpenCA::Crypto->newToken: argument: RANDFILE
>OpenCA::Crypto->newToken: argument: /opt/var/openca/crypto/.rand
>OpenCA::Crypto->newToken: argument: OPENCA_TOKEN
>OpenCA::Crypto->newToken: argument: CA
>OpenCA::Crypto->newToken: argument: LOCK_FILE
>OpenCA::Crypto->newToken: argument: /opt/var/openca/tmp/ca_hsm_lock
>OpenCA::Crypto->newToken: argument: SHELL
>OpenCA::Crypto->newToken: argument: /opt/openssl/bin/openssl
>OpenCA::Crypto->newToken: argument: TOKEN_MODE
>OpenCA::Crypto->newToken: argument: deamon
>OpenCA::Crypto->newToken: argument: TMPDIR
>OpenCA::Crypto->newToken: argument: /opt/var/openca/tmp
>OpenCA::Crypto->newToken: argument: GETTEXT
>OpenCA::Crypto->newToken: argument: CODE(0xb54fc74)
>OpenCA::Crypto->newToken: argument: OPENCA_CRYPTO
>OpenCA::Crypto->newToken: argument: OpenCA::Crypto=HASH(0xc008af4)
>OpenCA::Crypto->newToken: argument: SLOT
>OpenCA::Crypto->newToken: argument: 2
>OpenCA::Crypto->newToken: argument: APPID
>OpenCA::Crypto->newToken: argument: 1:40
>OpenCA::Crypto->newToken: argument: WRAPPER
>OpenCA::Crypto->newToken: argument:
>OpenCA::Crypto->newToken: class: OpenCA::Token::LunaCA3
>OpenCA::Crypto->newToken: no error during new
>OpenCA::Crypto->newToken: new token present
>OpenCA::Crypto->addToken: token CA successfully added
>PKI Master Alert: OpenCA::Token::LunaCA3 error
>PKI Master Alert: Aborting all operations
>PKI Master Alert: Error: -1
>PKI Master Alert: Message:
>PKI Master Alert: debugging messages of empty token follow
>OpenCA::Crypto->setError: errno: 7176040
>OpenCA::Crypto->setError: errval: The token CA cannot be used.
>OpenCA::Crypto->getToken: entering function
>OpenCA::Crypto->getToken: CA
>OpenCA::Crypto->getToken: token added
>OpenCA::Crypto->getToken: token is present
>PKI Master Alert: OpenCA::Token::LunaCA3 error
>PKI Master Alert: Aborting all operations
>PKI Master Alert: Error: -1
>PKI Master Alert: Message:
>PKI Master Alert: debugging messages of empty token follow
>OpenCA::Crypto->setError: errno: 7121040
>OpenCA::Crypto->setError: errval: The token is not usable.
>OpenCA::OpenSSL->_stop_shell: try to stop shell
I will appreciate any help or guidance!
It really knocked me off my feet! ;-)