[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure

Greg Scott GregScott at InfraSupportEtc.com
Thu Jul 9 14:03:25 EDT 2009

OK - so now back to the issue at hand:

> Renamed "nss-password.txt" to "nsspassword" at the HQ site.  Trying to
> bring up a remote site, I see:
>
> Jul  8 17:37:33 huge-fw pluto[6200]: "Eagan-Everywhere" #4: Can't find the private key from the NSS CERT (err -12285)
> Jul  8 17:37:33 huge-fw pluto[6200]: "Eagan-Everywhere" #4: transition from state to state STATE_MAIN_I3

OK, so now it looks like my right side can access its NSS database but
now it can't find the left side's keys in there.  

Do both sides now need a copy of all the other sides' keys in their NSS
databases?  If so, how do I put them in?  And if the keys are in the NSS
database, do we no longer need them in the CONN descriptions?  

- Greg


-----Original Message-----
From: Avesh Agarwal [mailto:avagarwa at redhat.com] 
Sent: Thursday, July 09, 2009 8:26 AM
To: Paul Wouters
Cc: Greg Scott; users at lists.openswan.org
Subject: Re: [Openswan Users] CKAIDNSS keyword not found where expected
in RSAkey in /var/log/secure

Paul Wouters wrote:
> On Wed, 8 Jul 2009, Greg Scott wrote:
>> [root@huge-fw ipsec.d]# ipsec newhostkey --random /dev/urandom --configdir /etc/ipsec.d/nssdb --password ZSE45tgb --output /etc/ipsec.d/hostkey.secrets
>> Generated RSA key pair using the NSS database
> Never use /dev/urandom for long term keys! Openswan knows when it 
> needs to use /dev/random and when it is not safe to use /dev/urandom. 
> Don't second guess it!
> Paul
Hi Paul,

NSS does not change anything in the way /dev/random or /dev/urandom is
