Re: enabling crypto hardware for NSS

Tue, 15 Jul 2008 09:38:41 -0700 

I am trying to setup Apache2, I have enable NSS and software encryption is 
working.
I looked at the doc on modutil but when I tried what I thought might work 
I got this error.
webserver1:/etc/apache2 # modutil -dbdir /etc/apache2/SampleCertDBs/ -add 
IBM_CRYPTO_HDW -libfile /usr/lib64/libopencryptoki.so -mechanisms 
RSA:RC2:RC4:RC5:DES:SHA1:MD5:MD2:SSL:TLS

WARNING: Performing this operation while the browser is running could 
cause
corruption of your security databases. If the browser is currently 
running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Using database directory /etc/apache2/SampleCertDBs...
ERROR: Failed to add module "IBM_CRYPTO_HDW".
webserver1:/etc/apache2 #

webserver1:/etc/apache2 # modutil -list -dbdir /etc/apache2/SampleCertDBs  
                                      Using database directory 
/etc/apache2/SampleCertDBs...

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------
webserver1:/etc/apache2 #

Message is not very informative.

I used this Sun referrence as a model for the above ...
Offloading via NSS

In order for NSS to use the hardware cryptographic accelerators, the 
Solaris cryptographic framework should be added as a provider for NSS. 
This is achieved by modifying the appropriate NSS security databases. As 
an example, the following illustrates how firefox can offload RSA 
operations to the hardware:




/usr/sfw/bin/modutil -dbdir 
/home/sprack/.mozilla/firefox/r5s548iw.default/ -add "Solaris Crypto 
Framework" -libfile /usr/lib/libpkcs11.so -mechanisms RSA

/usr/sfw/bin/modutil -dbdir 
/home/sprack/.mozilla/firefox/r5s548iw.default/ -enable "Solaris Crypto 
Framework"




The use of the mechanism option indicates that the Solaris Cryptographic 
Framework should be the default provider for RSA operations [6].
 

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to