On 2009-08-19 06:30 PDT, Rishi wrote:
> OK, we have made some progress, we could disable the softtoken by
> commenting the line softtoken_extra.so in mca.conf in /kernel/drv/.
> Now we got an SSL handshake error "bad MAC". This we thought would be
> because the crypto card does not support hashing algorithms in 1.0
> firmware, hence we updated the firmware of sca6000 to 1.1.
> 
> Again created the keystore in the card. Created new NSS DB as before,
> and created certificates in the keystore.
> -Verified that the certificates are stored in the keystore using
> "pktool list token=ks objtype=both". It listed both the RSA private
> key and cert.
> -cryptoadm list -v, shows mca0 as a hardware provider, indicating that
> the card is properly configured.
> -modutil -list -dbdir . displays the keystore as a token as
> METASLOT_ENABLED is set to false.
> 
> Now the issue is that whenever we try to access the certificates
> through NSS using apache mod_nss, it finds the certificate for the
> first time and on subsequent tries, fails. Actually it tries to access
> the cert from the card a huge number of times and fails. Also the mca/0
> disappears from the cryptoadm list -v output.  Now the card is shown
> as failed and we have to reboot to get the card working again.

Rishi, IMO, you need help from Sun support.  It is not normally necessary
to disable metaslot.  The fact that you find it necessary to do so tells me
something is wrong with your Sun PKCS#11 software configuration, but I
don't know what.  It's not an NSS problem.  Sorry.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
