[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure

Greg Scott GregScott at InfraSupportEtc.com
Wed Jul 8 14:56:17 EDT 2009


>Please follow the comments at
> https://bugzilla.redhat.com/show_bug.cgi?id=508107
>
>It should solve the problem, or wait for 2.6.21-5
>
>Avesh

I read through that whole bug report top to bottom.  The final thing was,
it **needed** a password at least 8 characters with at least one number.


But no good for me, both without and with FIPS, both times starting with
a clean NSS database.  What is FIPS?

Does the 2.6.22 .tar.gz file get past all this?


[root at huge-fw ipsec.d]# mkdir nssdb
[root at huge-fw ipsec.d]# certutil -N -d sql:/etc/ipsec.d/nssdb
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
[root at huge-fw ipsec.d]#
[root at huge-fw ipsec.d]#
[root at huge-fw ipsec.d]# nano nss-password.txt
[root at huge-fw ipsec.d]# ipsec newhostkey --configdir /etc/ipsec.d/nssdb --password ZSE45tgb --output /etc/ipsec.d/hostkey.secrets
ipsec rsasigkey: key pair generation failed: "-8126"
[root at huge-fw ipsec.d]#
[root at huge-fw ipsec.d]#
[root at huge-fw ipsec.d]#
[root at huge-fw ipsec.d]# rmdir -R -f nssdb
rmdir: invalid option -- 'R'
Try `rmdir --help' for more information.
[root at huge-fw ipsec.d]#
[root at huge-fw ipsec.d]#
[root at huge-fw ipsec.d]#
[root at huge-fw ipsec.d]# rm -R -f nssdb
[root at huge-fw ipsec.d]# mkdir nssdb
[root at huge-fw ipsec.d]# certutil -N -d sql:/etc/ipsec.d/nssdb
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
[root at huge-fw ipsec.d]# modutil -fips true  -dbdir sql:/etc/ipsec.d/nssdb
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

FIPS mode enabled.
[root at huge-fw ipsec.d]# ipsec newhostkey --configdir /etc/ipsec.d/nssdb --password ZSE45tgb --output /etc/ipsec.d/hostkey.secrets
[root at huge-fw ipsec.d]# date
Wed Jul  8 13:48:41 CDT 2009
[root at huge-fw ipsec.d]# ls -al hostkey.secrets
-rw-------. 1 root root 94 2009-07-08 13:48 hostkey.secrets
[root at huge-fw ipsec.d]# more hostkey.secrets
: RSA   {
FIPS integrity verification test failed.
        }
# do not change the indenting of that "}"
[root at huge-fw ipsec.d]#