[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure

Greg Scott GregScott at InfraSupportEtc.com
Wed Jul 8 14:32:02 EDT 2009


> Before you get 2.6.21-5, try following:
>
> certutil -N -d sql:/etc/ipsec.d
>
> modutil -fips true  -dbdir  sql:/etc/ipsec.d
>
> Then create RSA keys.
>
> Avesh

No joy:

[root at huge-fw ipsec.d]# certutil -N -d sql:/etc/ipsec.d/nssdb
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
[root at huge-fw ipsec.d]# modutil -fips true  -dbdir sql:/etc/ipsec.d/nssdb

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

FIPS mode enabled.
[root at huge-fw ipsec.d]# ipsec newhostkey --configdir /etc/ipsec.d/nssdb --output /etc/ipsec.d/hostkey.secrets
[root at huge-fw ipsec.d]#

This finished in less than a second, where it took several seconds
before, along with another window doing some activity to generate some
randomness.  So I looked at what it produced:

[root at huge-fw ipsec.d]# more hostkey.secrets
: RSA   {
FIPS integrity verification test failed.
        }
# do not change the indenting of that "}"
[root at huge-fw ipsec.d]#

What in the world does that mean?

- Greg
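Before wiring a freshly generated hostkey.secrets into ipsec.secrets, a quick validity check catches broken output like the file above, where the NSS FIPS self-test error was written in place of the key. This is an added example, not code from the thread or from Openswan; it assumes a usable NSS-backed RSA block carries Modulus, PublicExponent and CKAIDNSS lines, and both sample files are constructed with placeholder hex values.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a hostkey.secrets file
# produced by "ipsec newhostkey" before pointing ipsec.secrets at it.
# Assumed (not stated in the thread): a good NSS-backed RSA block carries
# "Modulus:", "PublicExponent:" and "CKAIDNSS:" lines inside ": RSA {" ... "}".
# check_hostkey_secrets FILE -> 0 if FILE holds a well-formed RSA block, else 1
check_hostkey_secrets() {
    file="$1"
    [ -r "$file" ] || { echo "$file: not readable"; return 1; }

    # The failure from the thread: the tool wrote its error text into the file.
    if grep -qi 'FIPS integrity verification test failed' "$file"; then
        echo "$file: contains a FIPS self-test error instead of a key"
        return 1
    fi

    # Keep only the lines between ": RSA {" and the closing "}".
    block=$(sed -n '/^: RSA[[:space:]]*{/,/^[[:space:]]*}/p' "$file")
    [ -n "$block" ] || { echo "$file: no ': RSA {' block found"; return 1; }

    for kw in Modulus PublicExponent CKAIDNSS; do
        if ! printf '%s\n' "$block" | grep -q "^[[:space:]]*$kw:[[:space:]]*0x[0-9A-Fa-f]"; then
            echo "$file: '$kw' keyword not found where expected in RSA block"
            return 1
        fi
    done
    echo "$file: looks like a usable RSA hostkey"
}

# Constructed samples: the thread's broken output and a placeholder good block.
BAD_SAMPLE=$(mktemp)
cat > "$BAD_SAMPLE" <<'EOF'
: RSA   {
FIPS integrity verification test failed.
        }
# do not change the indenting of that "}"
EOF
GOOD_SAMPLE=$(mktemp)
cat > "$GOOD_SAMPLE" <<'EOF'
: RSA   {
        # RSA 2192 bits   huge-fw   (constructed sample, not real key material)
        Modulus: 0xc3a1f5e7d9b2
        PublicExponent: 0x03
        # everything after this point is secret
        CKAIDNSS: 0x1a2b3c4d5e6f
        }
# do not change the indenting of that "}"
EOF
check_hostkey_secrets "$BAD_SAMPLE" || echo "refusing to install $BAD_SAMPLE"
check_hostkey_secrets "$GOOD_SAMPLE"
```

Run it against the real /etc/ipsec.d/hostkey.secrets after newhostkey; a non-zero exit means pluto would later log the "CKAIDNSS keyword not found" error from the subject line rather than load the key.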