<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>RE: [Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16850" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=333190419-08072009>It also fails using --random
/dev/urandom</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=333190419-08072009></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=333190419-08072009>[root@huge-fw ipsec.d]#<BR>[root@huge-fw ipsec.d]# rm
-R -f nssdb<BR>[root@huge-fw ipsec.d]# certutil -N -d
sql:/etc/ipsec.d/nssdb<BR>
certutil: function failed: security library: bad database.<BR>[root@huge-fw
ipsec.d]# mkdir nssdb<BR>[root@huge-fw ipsec.d]# certutil -N -d
sql:/etc/ipsec.d/nssdb<BR>
Enter a password which will be used to encrypt your keys.<BR>The password should
be at least 8 characters long,<BR>and should contain at least one non-alphabetic
character.</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=333190419-08072009>Enter new password:<BR>Re-enter
password:<BR>[root@huge-fw ipsec.d]# ipsec newhostkey --random /dev/urandom
--configdir /etc/ipsec.d/nssdb --password ZSE45tgb --output
/etc/ipsec.d/hostkey.secrets<BR>ipsec rsasigkey: key pair generation failed:
"-8126"<BR>[root@huge-fw ipsec.d]#<BR></SPAN></FONT></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Greg
Scott<BR><B>Sent:</B> Wednesday, July 08, 2009 1:56 PM<BR><B>To:</B> Avesh
Agarwal<BR><B>Cc:</B> users@lists.openswan.org<BR><B>Subject:</B> Re: [Openswan
Users] CKAIDNSS keyword not found where expected in RSAkey in
/var/log/secure<BR></FONT><BR></DIV>
<P><SPAN lang=en-us><FONT face=Arial size=2>>Please follow the comments
at</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial size=2>>
</FONT></SPAN><A href="https://bugzilla.redhat.com/show_bug.cgi?id=508107"><SPAN
lang=en-us><U><FONT face=Arial color=#0000ff
size=2>https://bugzilla.redhat.com/show_bug.cgi?id=508107</FONT></U></SPAN></A><SPAN
lang=en-us></SPAN> <BR><SPAN lang=en-us><FONT face=Arial
size=2>></FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial size=2>>It
should solve the problem, or wait for 2.6.21-5</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>></FONT></SPAN> <BR><SPAN lang=en-us><FONT
face=Arial size=2>>Avesh</FONT></SPAN> </P>
<P><SPAN lang=en-us><FONT face=Arial size=2>I read thru that whole bug report
top to bottom. The final thing was, it **needed** a password at least 8
characters with at least one number. </FONT></SPAN></P>
<P><SPAN lang=en-us><FONT face=Arial size=2>But no good for me, both without and
with FIPS, both times starting with a clean NSS database. What is
FIPS?</FONT></SPAN> </P>
<P><SPAN lang=en-us><FONT face=Arial size=2>Does the 2.6.22 .tar.gz file get
past all this?</FONT></SPAN> </P><BR>
<P><SPAN lang=en-us><FONT face=Arial size=2>[root@huge-fw ipsec.d]# mkdir
nssdb</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial size=2>[root@huge-fw
ipsec.d]# certutil -N -d sql:/etc/ipsec.d/nssdb</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>Enter a password which will be used to
encrypt your keys.</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial
size=2>The password should be at least 8 characters long,</FONT></SPAN>
<BR><SPAN lang=en-us><FONT face=Arial size=2>and should contain at least one
non-alphabetic character.</FONT></SPAN> </P>
<P><SPAN lang=en-us><FONT face=Arial size=2>Enter new password:</FONT></SPAN>
<BR><SPAN lang=en-us><FONT face=Arial size=2>Re-enter password:</FONT></SPAN>
<BR><SPAN lang=en-us><FONT face=Arial size=2>[root@huge-fw
ipsec.d]#</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial
size=2>[root@huge-fw ipsec.d]#</FONT></SPAN> <BR><SPAN lang=en-us><FONT
face=Arial size=2>[root@huge-fw ipsec.d]# nano nss-password.txt</FONT></SPAN>
<BR><SPAN lang=en-us><FONT face=Arial size=2>[root@huge-fw ipsec.d]# ipsec
newhostkey --configdir /etc/ipsec.d/nssdb --password ZSE45tgb --output
/etc/ipsec.d/hostkey.secrets</FONT></SPAN></P>
<P><SPAN lang=en-us><FONT face=Arial size=2>ipsec rsasigkey: key pair generation
failed: "-8126"</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial
size=2>[root@huge-fw ipsec.d]#</FONT></SPAN> <BR><SPAN lang=en-us><FONT
face=Arial size=2>[root@huge-fw ipsec.d]#</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>[root@huge-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN lang=en-us><FONT face=Arial size=2>[root@huge-fw ipsec.d]# rmdir -R -f
nssdb</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial size=2>rmdir: invalid
option -- 'R'</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial size=2>Try
`rmdir --help' for more information.</FONT></SPAN> <BR><SPAN lang=en-us><FONT
face=Arial size=2>[root@huge-fw ipsec.d]#</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>[root@huge-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN lang=en-us><FONT face=Arial size=2>[root@huge-fw
ipsec.d]#</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial
size=2>[root@huge-fw ipsec.d]# rm -R -f nssdb</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>[root@huge-fw ipsec.d]# mkdir
nssdb</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial size=2>[root@huge-fw
ipsec.d]# certutil -N -d sql:/etc/ipsec.d/nssdb</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>Enter a password which will be used to
encrypt your keys.</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial
size=2>The password should be at least 8 characters long,</FONT></SPAN>
<BR><SPAN lang=en-us><FONT face=Arial size=2>and should contain at least one
non-alphabetic character.</FONT></SPAN> </P>
<P><SPAN lang=en-us><FONT face=Arial size=2>Enter new password:</FONT></SPAN>
<BR><SPAN lang=en-us><FONT face=Arial size=2>Re-enter password:</FONT></SPAN>
<BR><SPAN lang=en-us><FONT face=Arial size=2>[root@huge-fw ipsec.d]# modutil
-fips true -dbdir
sql:/etc/ipsec.d/nssdb
</FONT></SPAN><BR><SPAN lang=en-us><FONT face=Arial size=2>WARNING: Performing
this operation while the browser is running could cause</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>corruption of your security databases. If the
browser is currently running,</FONT></SPAN> <BR><SPAN lang=en-us><FONT
face=Arial size=2>you should exit browser before continuing this operation.
Type</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial size=2>'q
&lt;enter&gt;' to abort, or &lt;enter&gt; to continue:</FONT></SPAN> </P>
<P><SPAN lang=en-us><FONT face=Arial size=2>FIPS mode enabled.</FONT></SPAN>
<BR><SPAN lang=en-us><FONT face=Arial size=2>[root@huge-fw ipsec.d]# ipsec
newhostkey --configdir /etc/ipsec.d/nssdb --password ZSE45tgb --output
/etc/ipsec.d/hostkey.secrets</FONT></SPAN></P>
<P><SPAN lang=en-us><FONT face=Arial size=2>[root@huge-fw ipsec.d]#
date</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial size=2>Wed Jul 8
13:48:41 CDT 2009</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial
size=2>[root@huge-fw ipsec.d]# ls -al hostkey.secrets</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>-rw-------. 1 root root 94 2009-07-08 13:48
hostkey.secrets</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial
size=2>[root@huge-fw ipsec.d]# more hostkey.secrets</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>: RSA {</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>FIPS integrity verification test
failed.</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial
size=2> }</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2># do not change the indenting of that
"}"</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial size=2>[root@huge-fw
ipsec.d]#</FONT></SPAN> </P></BODY></HTML>