000015179 - Luna based CA unable to sign CRL or certificates  XrcOTHERERROR in trace.log

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000015179
Applies ToRSA Certificate Manager 6.8
SafeNet Luna SA HSM
IssueLuna based CA unable to sign CRL or certificates, XrcOTHERERROR in trace.log
The following error shows in Xudad trace.log when certificate signing fails:

2011/01/28 16:17:42 signing  4639   62569360 signerSignCertificate.c:1800 Return code = XrcOTHERERROR (18).
"Verify CA Key" operation for a Luna based CA (from admin interface => CA Operations workbench => view Luna based CA = click 'Verify CA Key') fails with XrcOTHERERROR
SafeNet tool 'ckdemo' and the command './vtl verify' seem to work fine
Followed the steps below to check Sign functionality of Luna SA through ckdemo tool:

Steps on how to Sign data in ckdemo:
1. Go to the installation directory of LunaSA
2. Open ckdemo binary in "/usr/lunasa/bin"
3. Enter the choice as 1. Next it will ask for user, give the input as '1'. This will open the session in LunaSA.
4. Now select choice 3, it will ask for User. Give the input as '1' (Crypto-Officer [1])
5. Next it will ask for pin. Provide the pin for the corresponding partition
6. Select choice 42 for sign operation. This will ask for mechanism. Give '1' as input.
7. It will ask for data that has to be signed give any value. (Ex: "Hello".)
8. Next it will ask for key used for signature. Give input as 14 (This is handle of private key object of failed CA obatined from the trace logs collected).
9. Check whether the output is <CKR_OK> or an error

Output of the signature for analysis:
Status: C_SignFinal returned error. (CKR_OPERATION_NOT_INITIALIZED)
CauseM-of-N was configured on SafeNet Luna SA and needed to activate MofN
ResolutionRun the command "hsm show" on Lunash prompt on Luna SA. If the output shows "MofN activation status" as "Deactivated", execute the command "hsm login" (on Lunash prompt) and insert the blue PED key (for Security Officer) and then green PED keys (for MofN) to activate MofN operation. Restart RSA Certificate Manager services. Now certificate or CRL signing (as well as "Verify CA Key" operation on admin interface) should be successful.
Legacy Article IDa55261

Attachments

    Outcomes