On 2009-06-25 18:25 PDT, Sudarshan Gaikaiwari wrote:
> I am trying to configure NSS on a Windows 2003 machine to work as a JCE
> provider under Java 6 in the FIPS mode. I am using the instructions
> http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#NSS
> 
> However I am unable to add modules to the secmod.db. Running the command
> 
> C:\nssbin\bin>modutil -add "Softoken" -nocertdb -force -mechanisms RSA:DSA:RC4:DES -libfile c:\nssbin\lib\softokn3.dll -dbdir c:\nssbin\fipsdb
> Using database directory c:\nssbin\fipsdb...
> ERROR: Failed to add module "Softoken".
> 
> What am I doing wrong?
> Is there another module that I should be using instead of softokn3.dll?

Sudarshan,
Our expert in NSS/Java integration is on vacation right now.  In his absence
we can try to fill in as best we can, but I can't promise that we'll be able
to resolve your issue quickly.

You generally do not need to manually add NSS's softoken library to
secmod.db because the modutil program should do that automatically if it
is able to find the softoken shared library.  You merely need to ensure
that it can find the softoken shared library, and then you need to use
modutil to tell softoken to behave in "FIPS mode", since that is your
objective.

It would help for us to know
a) what version of NSS's DLLs you have, and
b) where you got them from.

There are several ways to get this to work.  I'm going to suggest you do
the following steps, which comprise one of those ways.  If this doesn't
work, we can try another.

I suggest you
1) remove c:\nssbin\fipsdb\secmod.db or rename it to secmod.db.old
2) run these commands:
    modutil -create -dbdir c:\nssbin\fipsdb
        (press enter when asked)
    modutil -list   -dbdir c:\nssbin\fipsdb

You should see output resembling this:

> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>          slots: 2 slots attached
>         status: loaded
> 
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
> 
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
> -----------------------------------------------------------

This tells you that NSS now knows about secmod.db, but is not yet in FIPS mode.

3) run these additional commands:
      modutil -fips true -dbdir c:\nssbin\fipsdb
          (press enter when asked.  You should see "FIPS mode enabled.")
      modutil -list      -dbdir c:\nssbin\fipsdb

You should see output resembling this:

> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal FIPS PKCS #11 Module
>          slots: 1 slot attached
>         status: loaded
> 
>          slot: NSS FIPS 140-2 User Private Key Services
>         token: NSS FIPS 140-2 Certificate DB
> -----------------------------------------------------------

This shows you that NSS is now configured in FIPS mode for that DB directory.

4) Now, see if your key3.db password is set (and you know it).
Run this command:
     certutil -K -d c:\nssbin\fipsdb

It will either prompt you for a password:

> certutil: Checking token "NSS FIPS 140-2 Certificate DB" in slot "NSS FIPS 140-2 User Private Key Services"
> Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":

or it will give you an error message such as:

> certutil: Checking token "NSS FIPS 140-2 Certificate DB" in slot "NSS FIPS 140-2 User Private Key Services"
> certutil: could not authenticate to token NSS FIPS 140-2 Certificate DB.: An I/O error occurred during security authorization.

If it prompts you for a password, enter the password.
If, instead of prompting you for a password, it gives you the error message
shown above, then run this command:

  modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir c:\nssbin\fipsdb

It will prompt you to press enter (do that), then it will prompt you to
enter a new password, twice.  You must enter the same password exactly,
twice.  The password must meet the requirements for a FIPS mode password.
I don't recall those requirements exactly, but a password with at least 8
characters, including at least one capital letter (not in the first
position!), at least one lower case letter, at least one digit and at
least one "special" (punctuation) character should be acceptable.

If you succeed, it will say
> Token "NSS FIPS 140-2 Certificate DB" password changed successfully.

Then repeat the certutil -K command from step 4 above, and re-enter the
new password.  You should get no error and output that resembles:

> certutil: no keys found

If you've done all those steps successfully, your NSS files are set up
for your Java use.  If you have problems, let us know.


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
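Added example (not part of the mail above, and not NSS's own tooling): a small parser for the `modutil -list` output shown in steps 2 and 3, so a script preparing a database directory for the Java PKCS#11 provider can verify that the internal module has actually come up in FIPS mode before handing the directory to Java. The two listings are transcribed from the mail and embedded inline as sample input; the check that "FIPS" appears in the module name and "FIPS 140-2" in the token name is an assumption based on those listings.

```python
import re

# Sample `modutil -list` output copied from the two listings in the mail; constructed inline so this runs offline.
LISTING_NON_FIPS = """\
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------
"""
LISTING_FIPS = """\
-----------------------------------------------------------
  1. NSS Internal FIPS PKCS #11 Module
         slots: 1 slot attached
        status: loaded

         slot: NSS FIPS 140-2 User Private Key Services
        token: NSS FIPS 140-2 Certificate DB
-----------------------------------------------------------
"""

def parse_modutil_list(text):
    """Parse `modutil -list` output into [{'name', 'status', 'slots': [(slot, token), ...]}]."""
    modules, slot = [], None
    for line in text.splitlines():
        if m := re.match(r"\s*\d+\.\s+(.*\S)", line):            # "  1. <module name>"
            modules.append({"name": m.group(1), "status": None, "slots": []})
        elif modules and (m := re.match(r"\s*(status|slot|token):\s*(.*\S)", line)):
            key, value = m.groups()                               # "slots: N ..." does not match
            if key == "status":
                modules[-1]["status"] = value
            elif key == "slot":
                slot = value                                      # held until its token line follows
            else:
                modules[-1]["slots"].append((slot, value))
    return modules

def fips_mode_enabled(text):
    """True only if the internal module is loaded as the FIPS module and exposes the FIPS 140-2 token."""
    return any("FIPS" in m["name"] and m["status"] == "loaded"
               and any("FIPS 140-2" in token for _, token in m["slots"])
               for m in parse_modutil_list(text))
```

Feed it the captured output of `modutil -list -dbdir <dir>` after step 3; if it still returns False, the `modutil -fips true` step did not take effect for that directory.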