|Applies To||RSA Certificate Manager 6.8, SafeNet Luna SA HSM|
|Issue||Luna based CA unable to sign CRL or certificates, XrcOTHERERROR in trace.log|
The following error shows in Xudad trace.log when certificate signing fails:
2011/01/28 16:17:42 signing 4639 62569360 signerSignCertificate.c:1800 Return code = XrcOTHERERROR (18).
The "Verify CA Key" operation for a Luna-based CA (from admin interface => CA Operations workbench => view Luna-based CA => click 'Verify CA Key') fails with XrcOTHERERROR.
The SafeNet tool 'ckdemo' and the command './vtl verify' seem to work fine.
The steps below were followed to check the sign functionality of the Luna SA through the ckdemo tool:
Steps on how to Sign data in ckdemo:
1. Go to the installation directory of LunaSA
2. Open the ckdemo binary in "/usr/lunasa/bin".
3. Enter choice 1. It will then ask for the user; give '1' as input. This opens the session on the LunaSA.
4. Now select choice 3. It will ask for the user; give '1' (Crypto-Officer) as input.
5. It will then ask for the PIN. Provide the PIN for the corresponding partition.
6. Select choice 42 for the sign operation. It will ask for the mechanism; give '1' as input.
7. It will ask for the data to be signed; give any value (e.g. "Hello").
8. It will then ask for the key to use for the signature. Give 14 as input (this is the handle of the private key object of the failed CA, obtained from the collected trace logs).
9. Check whether the output is <CKR_OK> or an error
Output of the signature for analysis:
Status: C_SignFinal returned error. (CKR_OPERATION_NOT_INITIALIZED)
|Cause||M-of-N was configured on the SafeNet Luna SA, and MofN needed to be activated.|
|Resolution||Run the command "hsm show" at the Lunash prompt on the Luna SA. If the output shows "MofN activation status" as "Deactivated", execute the command "hsm login" (at the Lunash prompt) and insert the blue PED key (for the Security Officer) and then the green PED keys (for MofN) to activate MofN operation. Restart the RSA Certificate Manager services. Certificate or CRL signing (as well as the "Verify CA Key" operation in the admin interface) should now be successful.|
|Legacy Article ID||a55261|
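
To spot the symptom described under Issue before going to the HSM, the following added example (not part of the original article or of the vendor's tooling) summarises signing failures in a trace.log by return code and source location. It assumes every entry follows the layout of the single line quoted above; the function names and all sample lines except the first are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise signing failures in an Xudad trace.log.
# Assumed line layout, inferred from the one line quoted in the article:
#   DATE TIME COMPONENT <num> <num> SOURCE:LINE Return code = NAME (N).

# sign_failures FILE [CODE]   (hypothetical helper, default CODE=XrcOTHERERROR)
# Prints one line per (return code, source location) pair:
#   COUNT CODE SOURCE:LINE FIRST_SEEN LAST_SEEN
# Returns 0 if at least one matching entry was found, 1 otherwise.
sign_failures() {
    awk -v want="${2:-XrcOTHERERROR}" '
        # Only "signing" entries whose message is "Return code = <want> ..."
        $3 == "signing" && $7 == "Return" && $8 == "code" && $10 == want {
            key = $10 " " $6
            ts  = $1 "T" $2
            if (!(key in n)) { first[key] = ts; order[++k] = key }
            n[key]++
            last[key] = ts
        }
        END {
            for (i = 1; i <= k; i++) {
                key = order[i]
                print n[key], key, first[key], last[key]
            }
            exit (k > 0 ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample: the first line is the one quoted in the article; the
# other two are made up for this example (same layout, later timestamps).
sample_trace_log() {
    cat <<'EOF'
2011/01/28 16:17:42 signing 4639 62569360 signerSignCertificate.c:1800 Return code = XrcOTHERERROR (18).
2011/01/28 16:18:05 signing 4639 62569360 constructed.c:1 constructed informational line
2011/01/28 16:21:10 signing 4639 62569360 signerSignCertificate.c:1800 Return code = XrcOTHERERROR (18).
EOF
}

# When run with a file argument, report on that file.
if [ $# -gt 0 ]; then
    sign_failures "$@"
fi
```

If the function reports repeated XrcOTHERERROR entries, check "MofN activation status" in the "hsm show" output as described under Resolution.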