[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure
Avesh Agarwal
avagarwa at redhat.com
Wed Jul 8 14:36:08 EDT 2009
Greg Scott wrote:
>> Before you get 2.6.21-5, try following:
>>
>> certutil -N -d sql:/etc/ipsec.d
>>
>> modutil -fips true -dbdir sql:/etc/ipsec.d
>>
>> Then create RSA keys.
>>
>> Avesh
>>
>
> No joy:
>
>
>
>
> [root at huge-fw ipsec.d]# certutil -N -d sql:/etc/ipsec.d/nssdb
> Enter a password which will be used to encrypt your keys.
> The password should be at least 8 characters long,
> and should contain at least one non-alphabetic character.
>
> Enter new password:
> Re-enter password:
> [root at huge-fw ipsec.d]# modutil -fips true -dbdir
> sql:/etc/ipsec.d/nssdb
>
> WARNING: Performing this operation while the browser is running could
> cause
> corruption of your security databases. If the browser is currently
> running,
> you should exit browser before continuing this operation. Type
> 'q <enter>' to abort, or <enter> to continue:
>
> FIPS mode enabled.
> [root at huge-fw ipsec.d]# ipsec newhostkey --configdir /etc/ipsec.d/nssdb
> --output /etc/ipsec.d/hostkey.secrets
> [root at huge-fw ipsec.d]#
>
>
>
> This finished in less than a second, where it took several seconds
> before, along with another window doing some activity to generate some
> randomness. So I looked at what it produced:
>
>
>
>
> [root at huge-fw ipsec.d]# more hostkey.secrets
> : RSA {
> FIPS integrity verification test failed.
> }
> # do not change the indenting of that "}"
> [root at huge-fw ipsec.d]#
>
> What in the world does that mean?
>
> - Greg
>
>
>
Please follow the comments at
https://bugzilla.redhat.com/show_bug.cgi?id=508107
It should solve the problem, or wait for 2.6.21-5
Avesh
More information about the Users
mailing list