<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7638.1">
<TITLE>RE: [Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial"> </FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">> You need. Once you create the keys in NSS database, you have </FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">> public key in ipsec.secrets file. After that the procedure is </FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">> exactly same as it is without NSS.</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Hmmm....</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">So why do I see this error</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">>> Jul 8 17:37:33 huge-fw pluto[6200]: "Eagan-Everywhere" #4: Can't </FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">>> find the private key from the NSS CERT (err -12285) </FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">using the new version with NSS but the old version - with **identical** conn descriptions - works? (Identical except that the new right side conn description has the new NSS hostkey while the old conn description has the old right side host key.)</FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Well - maybe a thought - After we went after this all day yesterday, these are the commands I used to generate my new right side host key. I will put "#" in front of each command in case the email butchers the lines.</FONT></SPAN></P>
<P><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Arial">#</FONT> <FONT SIZE=2 FACE="Arial">cd /etc/ipsec.d</FONT></SPAN>
<BR><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Arial">#</FONT> <FONT SIZE=2 FACE="Arial">rm -R -f nssdb</FONT></SPAN>
<BR><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Arial">#</FONT> <FONT SIZE=2 FACE="Arial">mkdir nssdb</FONT></SPAN>
<BR><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Arial">#</FONT> <FONT SIZE=2 FACE="Arial">prelink -u -a</FONT></SPAN>
<BR><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Arial">#</FONT> <FONT SIZE=2 FACE="Arial">certutil -N -d sql:/etc/ipsec.d/nssdb</FONT></SPAN>
<BR><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Arial">#</FONT> <FONT SIZE=2 FACE="Arial">modutil -fips true -dbdir sql:/etc/ipsec.d/nssdb</FONT></SPAN>
<BR><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Arial">#</FONT> <FONT SIZE=2 FACE="Arial">ipsec newhostkey --random /dev/urandom --configdir /etc/ipsec.d/nssdb --password mypassword1 --output /etc/ipsec.d/hostkey.secrets</FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">I put my NSS database in /etc/ipsec.d/nssdb but your suggested commands generated the NSS database in /etc/ipsec.d. </FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">I noticed after generating my hostkey that three NSS database files were also created in /etc/ipsec.d, even though I told it the configdir was ./nssdb. Is something hard-coded such that the NSS database must live there? Or maybe the NSS database *must* live in the same directory as the hostkey.secrets file? If so, then my error above was probably because ipsec was looking in the wrong NSS database. </FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">- Greg</FONT></SPAN>
</P>
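<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">The mismatch Greg describes (database files appearing in /etc/ipsec.d although --configdir pointed at /etc/ipsec.d/nssdb) is easy to check for before starting pluto. The script below is an added diagnostic, not part of the thread or of Openswan; it assumes only the standard NSS file names (cert9.db/key4.db for the sql backend, cert8.db/key3.db for the legacy dbm backend) and reports every directory under a root that holds a database, so a stray second database stands out.</FONT></SPAN></P>

```shell
#!/bin/sh
# Added diagnostic (not from the original thread): list every NSS database under a
# root directory and confirm that exactly one exists and that it lives in the
# directory given to "--configdir". Assumes the standard NSS file names.

# Print "<dir> <backend>" for each directory under $1 that contains an NSS database.
find_nss_dbs() {
    root="$1"
    find "$root" -type d 2>/dev/null | while IFS= read -r d; do
        if [ -f "$d/cert9.db" ] && [ -f "$d/key4.db" ]; then
            echo "$d sql"      # sqlite backend, selected by the "sql:" prefix in certutil -d
        elif [ -f "$d/cert8.db" ] && [ -f "$d/key3.db" ]; then
            echo "$d dbm"      # legacy Berkeley DB backend (no prefix)
        fi
    done
}

# Return 0 when exactly one NSS database exists under $1 and it is located in $2
# (the configured directory); otherwise explain the problem and return 1.
check_single_nssdb() {
    root="$1"; expected="$2"
    dbs=$(find_nss_dbs "$root")
    count=$(printf '%s\n' "$dbs" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "no NSS database found under $root"; return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "multiple NSS databases under $root (pluto may open the wrong one):"
        printf '%s\n' "$dbs"; return 1
    fi
    dir=${dbs% *}              # strip the trailing " sql" / " dbm" tag
    if [ "$dir" != "$expected" ]; then
        echo "NSS database is in $dir, not in the configured $expected"; return 1
    fi
    echo "ok: single NSS database in $dir"
}

# Usage for the layout in the thread: check_single_nssdb /etc/ipsec.d /etc/ipsec.d/nssdb
```

The second database that the commands above left directly in /etc/ipsec.d would make the check fail with the "multiple NSS databases" message, which is the situation that produces a key lookup against the wrong database.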
</BODY>
</HTML>