David Sadler wrote: > > I am trying to enable crypto hardware support on an IBM z/Series system > running Linux.
Is this IBM linux? Red Hat Linux? or ? (I ask because I know that Red Hat Linux supports mod_nss in Apache, but I was not aware that it was also being used in any IBM Linux. That would be good to know.) > I run this command .. > strace -o modutil.strace.log modutil -dbdir /etc/apache2/SampleCertDBs/ > -add opencryptoki -libfile /usr/lib64/libopencryptoki.so -mechanisms > RSA:RC2:RC4:RC5:DES:SHA1:MD5:MD2:SSL:TLS > Using database directory /etc/apache2/SampleCertDBs... > ERROR: Failed to add module "opencryptoki". I found the bug that is responsible for the fact that no error message is displayed, and we could fix it, but I think you'd get a lot more info from doing a debug trace on the PKCS#11 module you're trying to add. Instructions on how to do that are found in http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn2.html Even if we fixed the modutil bug, so that modutil did correctly report the error code, we wouldn't know which of the many steps that occurs during module initialization was the one that failed. A debug trace would tell us that, and more. > the strace file had these failures .. strace results may be too low level. We really want to see what's happening at the PKCS#11 API, which is not shown in strace output. However from the results shown below, I'd say it appears that the PKCS#11 module was found and was loaded, and that NSS called one or more of its entry points, but one of those function calls returned a failure indication, and so NSS gave up on it. We see references to pkcsslotd, which is a part of the module's implementation on that platform. Something inside that module was apparently unhappy. We see a shmget (shared memory) call fail in the middle of it. It is likely that ultimately the developers or support people for that module will have to help you to figure out why it was unhappy. A PKCS#11 debug trace would help them (and you) pinpoint the problem much more quickly. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
