[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure
Avesh Agarwal
avagarwa at redhat.com
Wed Jul 8 15:06:45 EDT 2009
Greg Scott wrote:
>
> >Please follow the comments at
> > https://bugzilla.redhat.com/show_bug.cgi?id=508107
> >
> >It should solve the problem, or wait for 2.6.21-5
> >
> >Avesh
>
> I read thru that whole bug report top to bottom. The final thing was,
> it **needed** a password at least 8 characters with at least one number.
>
> But no good for me, both without and with FIPS, both times starting
> with a clean NSS database. What is FIPS?
>
> Does the 2.6.22 .tar.gz file get past all this?
>
>
> [root at huge-fw ipsec.d]# mkdir nssdb
> [root at huge-fw ipsec.d]# certutil -N -d sql:/etc/ipsec.d/nssdb
> Enter a password which will be used to encrypt your keys.
> The password should be at least 8 characters long,
> and should contain at least one non-alphabetic character.
>
> Enter new password:
> Re-enter password:
> [root at huge-fw ipsec.d]#
> [root at huge-fw ipsec.d]#
> [root at huge-fw ipsec.d]# nano nss-password.txt
> [root at huge-fw ipsec.d]# ipsec newhostkey --configdir /etc/ipsec.d/nssdb --password ZSE45tgb --output /etc/ipsec.d/hostkey.secrets
>
> ipsec rsasigkey: key pair generation failed: "-8126"
> [root at huge-fw ipsec.d]#
> [root at huge-fw ipsec.d]#
> [root at huge-fw ipsec.d]#
> [root at huge-fw ipsec.d]# rmdir -R -f nssdb
> rmdir: invalid option -- 'R'
> Try `rmdir --help' for more information.
> [root at huge-fw ipsec.d]#
> [root at huge-fw ipsec.d]#
> [root at huge-fw ipsec.d]#
> [root at huge-fw ipsec.d]# rm -R -f nssdb
> [root at huge-fw ipsec.d]# mkdir nssdb
> [root at huge-fw ipsec.d]# certutil -N -d sql:/etc/ipsec.d/nssdb
> Enter a password which will be used to encrypt your keys.
> The password should be at least 8 characters long,
> and should contain at least one non-alphabetic character.
>
> Enter new password:
> Re-enter password:
> [root at huge-fw ipsec.d]# modutil -fips true -dbdir sql:/etc/ipsec.d/nssdb
> WARNING: Performing this operation while the browser is running could cause
> corruption of your security databases. If the browser is currently running,
> you should exit browser before continuing this operation. Type
> 'q <enter>' to abort, or <enter> to continue:
>
> FIPS mode enabled.
> [root at huge-fw ipsec.d]# ipsec newhostkey --configdir /etc/ipsec.d/nssdb --password ZSE45tgb --output /etc/ipsec.d/hostkey.secrets
>
> [root at huge-fw ipsec.d]# date
> Wed Jul 8 13:48:41 CDT 2009
> [root at huge-fw ipsec.d]# ls -al hostkey.secrets
> -rw-------. 1 root root 94 2009-07-08 13:48 hostkey.secrets
> [root at huge-fw ipsec.d]# more hostkey.secrets
> : RSA {
> FIPS integrity verification test failed.
> }
> # do not change the indenting of that "}"
> [root at huge-fw ipsec.d]#
>
It should work. I suspect you did not do "prelink -u -a"; please do
this and try again. All these things need not be done with 2.6.21-5.
Avesh