[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure

Greg Scott GregScott at InfraSupportEtc.com
Wed Jul 8 15:06:27 EDT 2009


It also fails using --random /dev/urandom
 
[root at huge-fw ipsec.d]#
[root at huge-fw ipsec.d]# rm -R -f nssdb
[root at huge-fw ipsec.d]# certutil -N -d sql:/etc/ipsec.d/nssdb
certutil: function failed: security library: bad database.
[root at huge-fw ipsec.d]# mkdir nssdb
[root at huge-fw ipsec.d]# certutil -N -d sql:/etc/ipsec.d/nssdb
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
 
Enter new password:
Re-enter password:
[root at huge-fw ipsec.d]# ipsec newhostkey --random /dev/urandom --configdir /etc/ipsec.d/nssdb --password ZSE45tgb --output /etc/ipsec.d/hostkey.secrets
ipsec rsasigkey: key pair generation failed: "-8126"
[root at huge-fw ipsec.d]#


________________________________

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Greg Scott
Sent: Wednesday, July 08, 2009 1:56 PM
To: Avesh Agarwal
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure



> Please follow the comments at
> https://bugzilla.redhat.com/show_bug.cgi?id=508107
>
> It should solve the problem, or wait for 2.6.21-5
>
> Avesh

I read through that whole bug report top to bottom.  The final thing was,
it **needed** a password at least 8 characters with at least one number.


But no good for me, both without and with FIPS, both times starting with
a clean NSS database.  What is FIPS? 

Does the 2.6.22 .tar.gz file get past all this? 


[root at huge-fw ipsec.d]# mkdir nssdb 
[root at huge-fw ipsec.d]# certutil -N -d sql:/etc/ipsec.d/nssdb 
Enter a password which will be used to encrypt your keys. 
The password should be at least 8 characters long, 
and should contain at least one non-alphabetic character. 

Enter new password: 
Re-enter password: 
[root at huge-fw ipsec.d]# 
[root at huge-fw ipsec.d]# 
[root at huge-fw ipsec.d]# nano nss-password.txt 
[root at huge-fw ipsec.d]# ipsec newhostkey --configdir /etc/ipsec.d/nssdb --password ZSE45tgb --output /etc/ipsec.d/hostkey.secrets

ipsec rsasigkey: key pair generation failed: "-8126" 
[root at huge-fw ipsec.d]# 
[root at huge-fw ipsec.d]# 
[root at huge-fw ipsec.d]# 
[root at huge-fw ipsec.d]# rmdir -R -f nssdb 
rmdir: invalid option -- 'R' 
Try `rmdir --help' for more information. 
[root at huge-fw ipsec.d]# 
[root at huge-fw ipsec.d]# 
[root at huge-fw ipsec.d]# 
[root at huge-fw ipsec.d]# rm -R -f nssdb 
[root at huge-fw ipsec.d]# mkdir nssdb 
[root at huge-fw ipsec.d]# certutil -N -d sql:/etc/ipsec.d/nssdb 
Enter a password which will be used to encrypt your keys. 
The password should be at least 8 characters long, 
and should contain at least one non-alphabetic character. 

Enter new password: 
Re-enter password: 
[root at huge-fw ipsec.d]# modutil -fips true -dbdir sql:/etc/ipsec.d/nssdb
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

FIPS mode enabled. 
[root at huge-fw ipsec.d]# ipsec newhostkey --configdir /etc/ipsec.d/nssdb --password ZSE45tgb --output /etc/ipsec.d/hostkey.secrets

[root at huge-fw ipsec.d]# date 
Wed Jul  8 13:48:41 CDT 2009 
[root at huge-fw ipsec.d]# ls -al hostkey.secrets 
-rw-------. 1 root root 94 2009-07-08 13:48 hostkey.secrets 
[root at huge-fw ipsec.d]# more hostkey.secrets 
: RSA   { 
FIPS integrity verification test failed. 
        } 
# do not change the indenting of that "}" 
[root at huge-fw ipsec.d]# 
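The hostkey.secrets file shown above is not a usable key: the RSA block carries an NSS error string instead of key fields, which is the kind of file that later makes pluto complain about a missing CKAIDNSS keyword. The following checker is an added example, not code from the thread or from Openswan; it assumes a good block consists of `#` comment lines and `Keyword: 0x...` pairs ending with a `CKAIDNSS:` entry, and uses placeholder hex values rather than real key material.

```python
import re

# Constructed samples: the broken file from the post, and a well-formed
# block with placeholder values (assumed layout, not real key material).
BROKEN_SECRETS = """: RSA   {
FIPS integrity verification test failed.
        }
# do not change the indenting of that "}"
"""

GOOD_SECRETS = """: RSA   {
        # RSA 2192 bits   huge-fw   Wed Jul  8 13:48:41 2009
        #pubkey=0sAQPLACEHOLDER
        Modulus: 0xPLACEHOLDER
        PublicExponent: 0x03
        CKAIDNSS: 0xdeadbeef
        }
"""

# ': RSA {' ... '}' block; the closing brace sits alone on its own line.
BLOCK_RE = re.compile(r":\s*RSA\s*\{(.*?)\n\s*\}", re.S)
# Accepted body line: 'Keyword: 0x<hex>' or 'Keyword: 0s<base64>'.
KV_RE = re.compile(r"^\s*([A-Za-z0-9]+):\s*0[xs]\S+\s*$")


def check_hostkey_secrets(text):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    m = BLOCK_RE.search(text)
    if not m:
        return ["no ': RSA { ... }' block found"]
    keywords = set()
    for raw in m.group(1).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments such as the #pubkey= line are fine
        kv = KV_RE.match(line)
        if kv:
            keywords.add(kv.group(1))
        else:
            # A bare message (e.g. an NSS/FIPS error) is not key material.
            problems.append("non key/value line inside RSA block: %r" % line)
    if "CKAIDNSS" not in keywords:
        problems.append("CKAIDNSS keyword missing from RSA block")
    return problems


if __name__ == "__main__":
    print(check_hostkey_secrets(BROKEN_SECRETS))
    print(check_hostkey_secrets(GOOD_SECRETS))
```

Run it against the file `ipsec newhostkey` wrote before pointing pluto at it; any reported problem means key generation did not actually succeed.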
