EJBCA / ECA-8310

Cannot save crypto tokens and generate keys with Thales nShield Connect

    Details

    • Sprint:
      EJBCA Team Bob - 2019 w31

      Description

      I have five issues with Thales nShield and EJBCA. It could possibly be a configuration error, but I have carefully checked everything I can think of so I think it is problem(s) in EJBCA.

      My setup is as follows: A VM with Thales Security World Software and latest EJBCA connected to a Thales nShield Connect. EJBCA has two crypto tokens configured, one pointing to the accelerator slot, and one pointing to an OCS.

      The problems I have are as follows:

      1. When I save a crypto token it does not save the "Auto-activate" setting.
      2. I cannot create a key in the accelerator slot, error is CKR_USER_NOT_LOGGED_IN. Custom attribute file is used according to EJBCA. I can create the key in Client Toolbox without any problem.
      3. Whenever I save a crypto token, I erroneously get "The P11 slot is already used by other crypto token(s)"
      4. When restarting JBoss and trying to activate the accelerator slot I get "Device unavailable". If I switch attribute file to "Default" and try to activate it works to activate (but I can still not generate keys).
      5. When viewing the crypto token using the accelerator slot, it shows "Default" as attribute file. When clicking edit, it shows "Module Protected Key" (which is my custom attribute file for the Thales accelerator slot). This is probably just a simple UI bug where the currently saved option in the drop-down is not pre-selected.

      I did some testing with an older EJBCA (6.13). The accelerator slot cannot be initialised because the name, library and slot reference are already specified for some reason, see log below:

      2019-07-08 16:00:47,671 DEBUG [org.cesecore.keys.token.p11.Pkcs11SlotLabel] (default task-17) name = libcknfast.so-slot761406613
      library = /opt/nfast/toolkits/pkcs11/libcknfast.so
      slot = 761406613
      name=NFastJava
      library=/opt/nfast/toolkits/pkcs11/libcknfast.so
      slotListIndex=0
      attributes(*,CKO_PUBLIC_KEY,*) = {
        CKA_TOKEN = false
      }
      attributes(*,CKO_PRIVATE_KEY,*) = {
        CKA_TOKEN = true
        CKA_PRIVATE = false
        CKA_SIGN = true
        CKA_DECRYPT = true
      }
      disabledMechanisms = {
        CKM_SHA1_RSA_PKCS
        CKM_SHA256_RSA_PKCS
        CKM_SHA384_RSA_PKCS
        CKM_SHA512_RSA_PKCS
        CKM_MD2_RSA_PKCS
        CKM_MD5_RSA_PKCS
        CKM_DSA_SHA1
        CKM_ECDSA_SHA1
      }
      
      
      2019-07-08 16:00:47,671 DEBUG [org.cesecore.keys.token.p11.Pkcs11SlotLabel] (default task-17) Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
      2019-07-08 16:00:47,671 ERROR [org.cesecore.keys.token.p11.Pkcs11SlotLabel] (default task-17) Error constructing pkcs11 provider: null
      [...]
      Caused by: java.security.ProviderException: Error parsing configuration
              [...]
      Caused by: sun.security.pkcs11.ConfigurationException: name must only be specified once, line 4
      	[...]
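The log above shows why the SUN PKCS#11 provider rejects the configuration: the header EJBCA generates from the slot label (name, library, slot) is followed by the custom attribute file, which repeats name and library and adds slotListIndex, so the second "name" is line 4 of the combined text. The following Python script is an added example, not EJBCA's or the JDK's code: it re-implements the duplicate-key check in a simplified form over the config text from the log (reconstructed here as a constructed sample), and includes a hypothetical merge helper that drops top-level keys the header already supplies before appending the attribute file. The JDK stops at the first error; this checker collects all of them.

```python
"""Validate a SunPKCS11-style configuration before handing it to the provider.

Added example (not EJBCA or JDK code). It re-implements, in simplified form,
the rule behind "name must only be specified once, line 4": top-level keys
such as name/library/slot may appear once, and slot and slotListIndex are
mutually exclusive. Blocks like attributes(...) = { ... } and
disabledMechanisms = { ... } are skipped as opaque blocks.
"""
import re

# Constructed sample: header generated from the slot label ...
HEADER = (
    "name = libcknfast.so-slot761406613\n"
    "library = /opt/nfast/toolkits/pkcs11/libcknfast.so\n"
    "slot = 761406613\n"
)
# ... followed by a custom attribute file that repeats name/library and
# selects the slot a second way (slotListIndex), as in the issue's log.
ATTRIBUTE_FILE = (
    "name=NFastJava\n"
    "library=/opt/nfast/toolkits/pkcs11/libcknfast.so\n"
    "slotListIndex=0\n"
    "attributes(*,CKO_PUBLIC_KEY,*) = {\n"
    "  CKA_TOKEN = false\n"
    "}\n"
    "attributes(*,CKO_PRIVATE_KEY,*) = {\n"
    "  CKA_TOKEN = true\n"
    "  CKA_PRIVATE = false\n"
    "  CKA_SIGN = true\n"
    "  CKA_DECRYPT = true\n"
    "}\n"
    "disabledMechanisms = {\n"
    "  CKM_SHA1_RSA_PKCS\n"
    "  CKM_SHA256_RSA_PKCS\n"
    "}\n"
)
SAMPLE_CONFIG = HEADER + ATTRIBUTE_FILE

# Top-level keys the provider accepts only once (subset, for illustration).
SINGLETON_KEYS = {"name", "library", "slot", "slotListIndex", "description"}
KV_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*?)$")


def _group(key):
    """slot and slotListIndex both select the slot, so they share one group."""
    return "slot" if key in ("slot", "slotListIndex") else key


def parse_config(text):
    """Return (entries, errors).

    entries maps each top-level key to (value, line number); errors are
    messages in the provider's wording, each naming the offending line.
    """
    entries, errors, depth = {}, [], 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        if depth > 0:                             # inside a { ... } block
            if line == "}":
                depth -= 1
            continue
        if line.endswith("{"):                    # block opener
            depth += 1
            continue
        m = KV_RE.match(line)
        if not m:
            errors.append(f"unexpected token '{line}', line {lineno}")
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in SINGLETON_KEYS and key in entries:
            errors.append(f"{key} must only be specified once, line {lineno}")
            continue
        entries[key] = (value, lineno)
    if "slot" in entries and "slotListIndex" in entries:
        errors.append("slot and slotListIndex must not be specified together")
    if "library" not in entries:
        errors.append("library must be specified")
    return entries, errors


def merge_header_and_attribute_file(header, attribute_file):
    """Hypothetical mitigation (not what EJBCA does): append the attribute
    file to the generated header, dropping top-level singleton keys whose
    group the header already defines. Block contents are copied verbatim."""
    header_groups = {_group(k) for k in parse_config(header)[0]}
    out, depth = header.rstrip("\n").splitlines(), 0
    for raw in attribute_file.splitlines():
        line = raw.strip()
        if depth > 0:
            out.append(raw)
            if line == "}":
                depth -= 1
            continue
        if line.endswith("{"):
            depth += 1
            out.append(raw)
            continue
        m = KV_RE.match(line)
        if m and m.group(1) in SINGLETON_KEYS and _group(m.group(1)) in header_groups:
            continue                              # header wins; skip duplicate
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for err in parse_config(SAMPLE_CONFIG)[1]:
        print("provider would reject:", err)
    merged = merge_header_and_attribute_file(HEADER, ATTRIBUTE_FILE)
    print("after merge, errors:", parse_config(merged)[1])
```

Run against the sample, the first error reported is the same one the JDK logs ("name must only be specified once, line 4"); after the merge helper strips the repeated top-level keys, the attribute and disabledMechanisms blocks survive and the configuration parses cleanly.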
      

              People

              Assignee:
              Unassigned
              Reporter:
              bastianf Bastian Fredriksson


                  Time Tracking

                  Original Estimate: 3d
                  Time Spent: 1h
                  Remaining Estimate: 2d 7h