Hello,

I've been trying for some time now to make OCSPD use a private key
protected by an old nCipher HSM. The problem is that all the documentation I
can find is from the period 2002-2006 and is outdated. All configuration files
back then were Apache-like textual .conf files; now all are .xml, if it
matters at all. So, I created a key using hwcrhk as a default app, and I've
put a reference in one of the files located in the token.d directory. I pointed
out the HSM name in that same directory and, in the hsm.d directory, gave the
location of libchil.so (formerly known as libncipher.so). So my questions
are: Is it possible to use the OCSP daemon while the private key is in the HSM?
Is nCipher/Thales supported in version 2.1.0? Has anybody had any
experience with it? I also tried with the embed key type. Generally all is
working fine in OpenSSL. Maybe a bug in OCSPD? Any suggestions are welcome.
Please help.

Here is a part of syslog:

Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:263]::DEBUG::INFO, Initialising HSM [chil]
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:287]::DEBUG::ENGINE, PRE COMMAND (0) => SO_PATH:/usr/lib/ssl/engines/libchil.so
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:294]::DEBUG::ENGINE, COMMAND SUCCESS!
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:287]::DEBUG::ENGINE, PRE COMMAND (1) => ID:chil
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:294]::DEBUG::ENGINE, COMMAND SUCCESS!
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:287]::DEBUG::ENGINE, PRE COMMAND (2) => LIST_ADD:1
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:294]::DEBUG::ENGINE, COMMAND SUCCESS!
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:287]::DEBUG::ENGINE, PRE COMMAND (3) => LOAD:(null)
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:294]::DEBUG::ENGINE, COMMAND SUCCESS!
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:287]::DEBUG::ENGINE, PRE COMMAND (4) => THREAD_LOCKING:1
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:294]::DEBUG::ENGINE, COMMAND SUCCESS!
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:305]::DEBUG::INFO, ENGINE init Success!
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:348]::DEBUG::INFO, ENGINE HSM init Successful!
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:263]::DEBUG::INFO, Initialising HSM [(null)]
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:268]::DEBUG::WARNING, no PRECMDS provided (?!?!?)
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:305]::DEBUG::INFO, ENGINE init Success!
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:309]::DEBUG::WARNING, POSTCMDS not provided (?!?!?)
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:348]::DEBUG::INFO, ENGINE HSM init Successful!
Oct  8 10:44:31 apache ocspd[27123]: [hsm_slot.c:104]::DEBUG::No slot select function for current HSM
Oct  8 10:44:31 apache ocspd[27123]: [hsm_main.c:259]::DEBUG::No set algor from selected HSM
Oct  8 10:44:31 apache ocspd[27123]: [hsm_main.c:224]::DEBUG::No login function for selected HSM
Oct  8 10:44:31 apache ocspd[27123]: [token.c:1638]::DEBUG::PKI_TOKEN_load_keypair()::Can not load key (file:///usr/local/etc/ocspd/private/ncipher)
Oct  8 10:44:31 apache ocspd[27123]: [core.c:54]::DEBUG::Can not login into token!
Oct  8 10:44:31 apache ocspd[27123]: Exiting, Glad to serve you, Master!
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
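
A small triage script for debug output in this format, as an added example that is not part of the original post or of the OpenCA code: it groups the engine pre-commands under each "Initialising HSM [...]" line and lists the "Can not ..." failures with their source locations. The sample lines are constructed from the excerpt above (unwrapped), and the function and pattern names are hypothetical.

```python
import re

# Constructed sample: lines in the format of the syslog excerpt above, unwrapped.
SAMPLE = """\
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:263]::DEBUG::INFO, Initialising HSM [chil]
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:287]::DEBUG::ENGINE, PRE COMMAND (0) => SO_PATH:/usr/lib/ssl/engines/libchil.so
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:287]::DEBUG::ENGINE, PRE COMMAND (1) => ID:chil
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:263]::DEBUG::INFO, Initialising HSM [(null)]
Oct  8 10:44:31 apache ocspd[27123]: [engine_hsm.c:268]::DEBUG::WARNING, no PRECMDS provided (?!?!?)
Oct  8 10:44:31 apache ocspd[27123]: [token.c:1638]::DEBUG::PKI_TOKEN_load_keypair()::Can not load key (file:///usr/local/etc/ocspd/private/ncipher)
Oct  8 10:44:31 apache ocspd[27123]: [core.c:54]::DEBUG::Can not login into token!
"""

# Hypothetical patterns, written against the line shapes visible in the excerpt.
LINE = re.compile(r"ocspd\[\d+\]: \[(?P<src>[\w.]+:\d+)\]::DEBUG::(?P<msg>.*)$")
INIT = re.compile(r"Initialising HSM \[(?P<name>.*)\]")
PRECMD = re.compile(r"PRE COMMAND \(\d+\) => (?P<key>[A-Z_]+):(?P<val>.*)")

def summarise(text):
    """Return (init_blocks, failures) parsed from ocspd debug output."""
    blocks, failures = [], []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not an ocspd debug line with a [file.c:line] tag
        src, msg = m["src"], m["msg"]
        if (i := INIT.search(msg)):
            # Each "Initialising HSM [name]" starts a new init block.
            blocks.append({"name": i["name"], "precmds": {}, "warnings": []})
        elif (p := PRECMD.search(msg)) and blocks:
            blocks[-1]["precmds"][p["key"]] = p["val"]
        elif msg.startswith("WARNING,") and blocks:
            blocks[-1]["warnings"].append(msg[len("WARNING,"):].strip())
        elif "Can not" in msg:
            failures.append((src, msg))
    return blocks, failures

if __name__ == "__main__":
    blocks, failures = summarise(SAMPLE)
    for b in blocks:
        print(f"HSM init [{b['name']}]: precmds={b['precmds']} warnings={b['warnings']}")
    for src, msg in failures:
        print(f"FAIL {src}: {msg}")
```
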