[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure
Greg Scott
GregScott at InfraSupportEtc.com
Wed Jul 8 14:32:02 EDT 2009
>Before you get 2.6.21-5, try following:
>
> certutil -N -d sql:/etc/ipsec.d
>
>modutil -fips true -dbdir sql:/etc/ipsec.d
>
>Then create RSA keys.
>
>Avesh
No joy:
[root at huge-fw ipsec.d]# certutil -N -d sql:/etc/ipsec.d/nssdb
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
[root at huge-fw ipsec.d]# modutil -fips true -dbdir
sql:/etc/ipsec.d/nssdb
WARNING: Performing this operation while the browser is running could
cause
corruption of your security databases. If the browser is currently
running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
FIPS mode enabled.
[root at huge-fw ipsec.d]# ipsec newhostkey --configdir /etc/ipsec.d/nssdb
--output /etc/ipsec.d/hostkey.secrets
[root at huge-fw ipsec.d]#
This finished in less than a second, where it took several seconds
before, along with another window doing some activity to generate some
randomness. So I looked at what it produced:
[root at huge-fw ipsec.d]# more hostkey.secrets
: RSA {
FIPS integrity verification test failed.
}
# do not change the indenting of that "}"
[root at huge-fw ipsec.d]#
What in the world does that mean?
- Greg
More information about the Users
mailing list