000021846 - RSA Keon CA certificate approval issues where the signing keys are stored on a Thales WebSentry HSM device

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017

Article Content

Article Number: 000021846
Applies To: Keon Certificate Authority 6.5.1
Thales WebSentry
Hardware Security Module
Issue: RSA Keon CA certificate approval issues where the signing keys are stored on a Thales WebSentry HSM device.
Certificates cannot be approved through the Administration Console.
The CA Key Pass Phrase window appears and requests a PIN for the Signer's Key, with the message "There does not appear to be a smart card in the reader. Please ensure your smart card is in the reader and connect again." The window offers two prompts, Enter PIN and Use PED.
Cause
When CA signing keys are stored on a Thales WebSentry HSM device, RSA Keon CA locates them by two values: a key identifier and the label of the token that holds them. Changing the environment of a WebSentry device, for example moving a single device into a clustered environment, changes the token label. The key identifiers of the signing keys do not change, but the stored Keon CA configuration continues to reference the old token label, so Keon CA can no longer find the keys. The keys only take up the new token label once they are exported, removed, and imported again in the new environment.
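The following check, added here as an illustration and not part of the original article or of RSA Keon CA, shows how a practitioner can tell the three cases apart: the key is present on the expected token, the key is present but the token label has changed (the cause described above), or the key is missing altogether. It assumes that the key identifier corresponds to the PKCS#11 CKA_ID attribute and the token label to the PKCS#11 token label; the inventory data, the module path and the token labels used below are constructed for the example. The live enumeration uses the python-pkcs11 package against the Thales PKCS#11 module.

```python
"""Check whether a CA signing key referenced by (token label, key id) is still
reachable on a PKCS#11 HSM after the device's environment has changed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Diagnosis:
    status: str                   # "ok", "label_changed" or "missing"
    found_on_label: Optional[str]  # token label the key was actually found on


def diagnose(expected_label: str, expected_id: bytes,
             inventory: Dict[str, Set[bytes]]) -> Diagnosis:
    """inventory maps each token label to the set of CKA_ID values of the
    private keys found on that token (assumed mapping of the article's
    'token label' and 'key identifier' onto PKCS#11 attributes)."""
    if expected_id in inventory.get(expected_label, set()):
        return Diagnosis("ok", expected_label)
    # Same key identifier present, but under a different token label:
    # this is the situation the article describes after re-clustering.
    for label, ids in inventory.items():
        if expected_id in ids:
            return Diagnosis("label_changed", label)
    return Diagnosis("missing", None)


def inventory_from_hsm(module_path: str, user_pin: str) -> Dict[str, Set[bytes]]:
    """Build the inventory from a live HSM using python-pkcs11.
    module_path is the vendor PKCS#11 library (path is site-specific)."""
    import pkcs11  # imported here so the offline check works without it
    from pkcs11 import Attribute, ObjectClass

    lib = pkcs11.lib(module_path)
    inventory: Dict[str, Set[bytes]] = {}
    for token in lib.get_tokens():
        ids: Set[bytes] = set()
        with token.open(user_pin=user_pin) as session:
            for obj in session.get_objects({Attribute.CLASS: ObjectClass.PRIVATE_KEY}):
                ids.add(bytes(obj[Attribute.ID]))
        inventory[token.label.rstrip()] = ids
    return inventory


# Constructed sample data: the same two signing keys (same CKA_IDs) as seen
# before and after the device joined a cluster and its token label changed.
SIGNER_ID = b"\x01\x02"
CONSTRUCTED_BEFORE = {"websentry-standalone": {SIGNER_ID, b"\x03"}}
CONSTRUCTED_AFTER = {"websentry-cluster": {SIGNER_ID, b"\x03"}}


if __name__ == "__main__":
    # Keon CA still references the old label after the change.
    print(diagnose("websentry-standalone", SIGNER_ID, CONSTRUCTED_BEFORE))
    print(diagnose("websentry-standalone", SIGNER_ID, CONSTRUCTED_AFTER))
    print(diagnose("websentry-standalone", b"\xff", CONSTRUCTED_AFTER))
```

A "label_changed" result confirms the cause described above: the key material is intact on the HSM and the fix is to re-associate the keys with the new token label rather than to regenerate them. Run `inventory_from_hsm` against the real module only from a host that is authorised to open a user session on the HSM.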
Resolution
RSA Security Customer Support has assisted customers in the past with RSA Keon CA and CA signing keys stored on a Thales WebSentry HSM device. Because the way this problem develops varies between environments, there is no single set solution.

Please contact RSA Security Customer Support for assistance. Note that this may be treated as a chargeable service from RSA Security Professional Services, as the issue is not a fault of RSA Keon CA. Contact telephone numbers for RSA Security Customer Support are available on RSA Security's web site at http://www.rsasecurity.com/node.asp?id=1356.

Alternatively, if you suspect a hardware issue with the WebSentry HSM device, please contact Thales Customer Support.
Workaround: This issue has been seen after either of the following changes to the HSM:
Thales WebSentry device has been reconfigured from a single HSM device so that it belongs to a clustered environment
Thales WebSentry device has been removed from a clustered environment to become a single HSM device
In those cases the public and/or private signing keys for a CA configuration were exported, removed, and imported again using a custom-built program written against the Thales WebSentry PKCS#11 API, so that the keys take up the token label of the new environment.
Legacy Article ID: a25308
