I have five issues with Thales nShield and EJBCA. It could possibly be a configuration error, but I have carefully checked everything I can think of, so I think the problem(s) are in EJBCA.
My setup is as follows: a VM with Thales Security World Software and the latest EJBCA, connected to a Thales nShield Connect. EJBCA has two crypto tokens configured, one pointing to the accelerator slot and one pointing to an OCS.
The problems I have are as follows:
1. When I save a crypto token it does not save the "Auto-activate" setting.
2. I cannot create a key in the accelerator slot, error is CKR_USER_NOT_LOGGED_IN. Custom attribute file is used according to EJBCA. I can create the key in Client Toolbox without any problem.
3. Whenever I save a crypto token, I erroneously get "The P11 slot is already used by other crypto token(s)".
4. When restarting JBoss and trying to activate the accelerator slot, I get "Device unavailable". If I switch the attribute file to "Default" and try to activate, activation works (but I still cannot generate keys).
5. When viewing the crypto token using the accelerator slot, it shows "Default" as attribute file. When clicking edit, it shows "Module Protected Key" (which is my custom attribute file for the Thales accelerator slot). This is probably just a simple UI bug where the currently saved option in the drop-down is not pre-selected.
I did some testing with an older EJBCA (6.13). The accelerator slot cannot be initialised because the name, library and slot reference are already specified for some reason, see log below: