PKCS#11 with NSS

Similar Messages

• Java 8 64 bit on Windows with NSS for FIPS 140 compliance

  I have asked this question on Stackoverflow but I am beginning to think that this may be a better forum to ask.
  According to JEP 131, Java 8 should provide a PKCS#11 Crypto provider for 64 bit Windows:  https://blogs.oracle.com/mullan/entry/jep_131_pkcs_11_crypto.
  With that in mind, I downloaded and built both 32 and 64 bit versions of NSS with NSPR using these instructions:  https://developer.mozilla.org/en-US/docs/NSS_Sources_Building_Testing
  I downloaded Java 8 for Windows 64 build b118, configured the java.security file and created a nss.cfg file:
  Excerpt from java.security file:
  security.provider.1=sun.security.provider.Sun
  security.provider.2=sun.security.rsa.SunRsaSign
  security.provider.3=sun.security.ec.SunEC
  security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS
  security.provider.5=com.sun.crypto.provider.SunJCE
  security.provider.6=sun.security.jgss.SunProvider
  security.provider.7=com.sun.security.sasl.Provider
  security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
  security.provider.9=sun.security.smartcardio.SunPCSC
  security.provider.10=sun.security.pkcs11.SunPKCS11 /devel/nss.cfg
  From my nss.cfg file:
  # Use NSS as a FIPS-140 compliant cryptographic token
  # SunPKCS11-NSS
  name = NSS
  #32 bit
  #nssLibraryDirectory = C:\devel\nss\nss-3.15.3.1\dist\WINNT6.1_DBG.OBJ\lib
  #64 bit
  nssLibraryDirectory = C:\devel\nss\nss-3.15.3.1\dist\WINNT6.1_64_DBG.OBJ\lib
  #non FIPS
  #nssDbMode = noDb
  #attributes = compatibility
  #FIPS
  nssSecmodDirectory = c:\devel\fipsdb
  nssModule = fips
  I ran the test suite that comes with NSS and it looks like all of the encryption/decryption tests passed (did have some issues with the tests that required hostname/domainname but that has to do with the Windows environment).
  So here is the problem. I run my test encryption app on Java 7 32 bit with the 32 bit version of NSS and everything works great. When I attempt to run Java 8 64 bit with 64 bit NSS I get the following error:
  java.security.ProviderException: Could not initialize NSS
  at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:212)
  at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
  at java.lang.reflect.Constructor.newInstance(Unknown Source)
  at sun.security.jca.ProviderConfig$2.run(Unknown Source)
  at sun.security.jca.ProviderConfig$2.run(Unknown Source)
  at java.security.AccessController.doPrivileged(Native Method)
  at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
  at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
  at sun.security.jca.ProviderList.getProvider(Unknown Source)
  at sun.security.jca.ProviderList.getIndex(Unknown Source)
  at sun.security.jca.ProviderList.getProviderConfig(Unknown Source)
  at sun.security.jca.ProviderList.getProvider(Unknown Source)
  at java.security.Security.getProvider(Unknown Source)
  at sun.security.ssl.SunJSSE.<init>(Unknown Source)
  at sun.security.ssl.SunJSSE.<init>(Unknown Source)
  at com.sun.net.ssl.internal.ssl.Provider.<init>(Unknown Source)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
  at java.lang.reflect.Constructor.newInstance(Unknown Source)
  at sun.security.jca.ProviderConfig$2.run(Unknown Source)
  at sun.security.jca.ProviderConfig$2.run(Unknown Source)
  at java.security.AccessController.doPrivileged(Native Method)
  at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
  at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
  at sun.security.jca.ProviderList.getProvider(Unknown Source)
  at sun.security.jca.ProviderList$ServiceList.tryGet(Unknown Source)
  at sun.security.jca.ProviderList$ServiceList.access$200(Unknown Source)
  at sun.security.jca.ProviderList$ServiceList$1.hasNext(Unknown Source)
  at javax.crypto.KeyGenerator.nextSpi(KeyGenerator.java:323)
  at javax.crypto.KeyGenerator.<init>(KeyGenerator.java:158)
  at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:208)
  at STSAESEncryption.generateKeyWithGenerator(STSAESEncryption.java:74)
  at Main.main(Main.java:24)
  Caused by: java.io.IOException: %1 is not a valid Win32 application.
  at sun.security.pkcs11.Secmod.nssLoadLibrary(Native Method)
  at sun.security.pkcs11.Secmod.initialize(Secmod.java:210)
  at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:207)
  ... 36 more
  Has JEP 131 been implemented with Windows/Java 64 bit as of b119?  If so has it been verified to work with NSS or should I submit a bug report?  I did download the code and the error is occurring in the following block of code at the line in bold (also with the arrow by it):
  public synchronized void initialize(DbMode dbMode, String configDir,
          String nssLibDir, boolean nssOptimizeSpace) throws IOException {
          if (isInitialized()) {
              throw new IOException("NSS is already initialized");
          if (dbMode == null) {
              throw new NullPointerException();
          if ((dbMode != DbMode.NO_DB) && (configDir == null)) {
              throw new NullPointerException();
          String platformLibName = System.mapLibraryName("nss3");
          String platformPath;
          if (nssLibDir == null) {
              platformPath = platformLibName;
          } else {
              File base = new File(nssLibDir);
              if (base.isDirectory() == false) {
                  throw new IOException("nssLibDir must be a directory:" + nssLibDir);
              File platformFile = new File(base, platformLibName);
              if (platformFile.isFile() == false) {
                  throw new FileNotFoundException(platformFile.getPath());
              platformPath = platformFile.getPath();
          if (configDir != null) {
              File configBase = new File(configDir);
              if (configBase.isDirectory() == false ) {
                  throw new IOException("configDir must be a directory: " + configDir);
              File secmodFile = new File(configBase, "secmod.db");
              if (secmodFile.isFile() == false) {
                  throw new FileNotFoundException(secmodFile.getPath());
          if (DEBUG) System.out.println("lib: " + platformPath);
  --->   nssHandle = nssLoadLibrary(platformPath);
          if (DEBUG) System.out.println("handle: " + nssHandle);
          fetchVersions();
          if (supported == false) {
              throw new IOException
                  ("The specified version of NSS is incompatible, "
                  + "3.7 or later required");
          if (DEBUG) System.out.println("dir: " + configDir);
          boolean initok = nssInitialize(dbMode.functionName, nssHandle,
              configDir, nssOptimizeSpace);
          if (DEBUG) System.out.println("init: " + initok);
          if (initok == false) {
              throw new IOException("NSS initialization failed");
          this.configDir = configDir;
          this.nssLibDir = nssLibDir;
  Any help or advise about filing a bug report would be appreciated.
  Thanks,

  Had a few similar short system freezes, after installing Windows 8 x64 on 13” MacBook Pro Mid-2010 with BootCamp 5.0.5033.
  There is a suggestion that DisableDynamicTick may fix the problem: https://discussions.apple.com/message/21565295#21565295. There were similar topics at Microsoft forums: 1, 2, 3. It was said “that this will likely reduce system battery life, so it should be undone when you update your Windows build or if it doesn't resolve your issue”, and that “this problem is resolved in the release versions of Windows 8”.
  Another possibility is that there is indeed a buggy driver, within BootCamp 5.0.5033, or a 3rd party, like a wireless network driver in the following case http://answers.microsoft.com/en-us/windows/forum/windows_8-performance/system-fr eeze-randomly-after-installing-windows-8/49488183-26cf-4389-af21-a85dc366c99a?pa ge=2#LastReply.
  The problem has been noticeable on my MacBook, but not annoying enough yet to spend time troubleshooting. If you find a robust solution, using the links above or other method, it would be interesting to know.
  HTH

• Error: mozilla-firefox conflicts with nss-nspr

  I get this message when I try:
  #>pacman -S gnome
  i get:
  error:  mozilla-firefox conflicts with nss-nspr
  i tried upgraded all installed packages, and still got this error.  I'm still not used to pacman, so I could have missed a step or something.  The only other packages I had installed besides the base system at this point was hwd and xorg.
  I removed hwd and still got the same message.

  I've got the same problem with one exception - I've got no "nss-nspr" installed on my system :shock:
  [root@localhost evgeny]# pacman -S gnome
  :: group gnome:
  control-center gnome-applets gnome-backgrounds gnome-common gnome-desktop
  gnome-icon-theme gnome-media gnome-mime-data gnome-panel gnome-session
  gnome-themes gnome2-user-docs metacity nautilus vte yelp
  Install whole content? [Y/n] y
  :: gnome-common-2.8.0-9: is up to date. Upgrade anyway? [Y/n] n
  :: gnome-icon-theme-2.10.1-1: is up to date. Upgrade anyway? [Y/n] n
  :: gnome-mime-data-2.4.2-1: is up to date. Upgrade anyway? [Y/n] n
  :: vte-0.11.13-1: is up to date. Upgrade anyway? [Y/n] n
  error: mozilla-firefox conflicts with nss-nspr
  [root@localhost evgeny]# pacman -R nss-nspr
  error: could not find nss-nspr in database
  Did I missed something ?
  Thnks.

• Avahi conflicts with nss-mdns. [solved]

  I'm confused.  Went to update today, and got this message:
  :: avahi conflicts with nss-mdns. Remove nss-mdns? [Y/n]
  I thought 'Fair enough...' but I always check packages like this with -Si to know what's actually happening in my system.  Soo, I run:
  $ pacman -Si avahi
  Repository : extra
  Name : avahi
  Version : 0.6.6-2
  Groups : None
  Provides : howl mdnsresponder
  Depends On : dbus libcap libdaemon nss-mdns
  Conflicts With : howl mdnsresponder
  Replaces : None
  Size (compressed) : 557952
  Description : A multicast/unicast DNS-SD framework
  MD5 Sum : 52ec5424dde107d8099637feb3076925
  Now, this is why I'm confused.  -Si tells me avahi depends on nss-mdns.  When I try to install, it tells me they conflict.
  So.... which is right?
  -=edit=-
  Okay, I've found something else out that may be pertinent.  Currently, the packages I have for avahi and nss-mdns depend on each other.  That is:
  $pacman -Si nss-mdns avahi
  Name : nss-mdns
  Version : 0.7-3
  Depends On : avahi
  Required By : avahi kdelibs
  Name : avahi
  Version : 0.6.5-1
  Depends On : dbus libcap libdaemon nss-mdns
  Required By : nss-mdns
  However there are new packages for both avahi and nss-mdns available in the repos. (0.7-4 and 6.6-2 respectively)
  The thing is, pacman isn't picking up the new nss-mdns package with a -Syu operation, and gives me that conflicts line... I'm going to try updating nss-mdns first then see if that fixes it.
  -=edit again=-
  Geez, I hate it when I post something and moments later figure it out myself.  The newest versions of nss-mdns and avahi break the dependancy cycle I noted above; that is, nss-mdns no longer depends on avahi.  If I manually updated nss-mdns first, pacman now installs avahi with no problem.
  I'm wondering, is this worth a bug report?  I'm not surprised a cyclic dependancy like that would cause wierd behaviour...

  murkus wrote:snip
  $ pacman -Si avahi
  Repository : extra
  Name : avahi
  Version : 0.6.6-2
  Provides : howl mdnsresponder
  Depends On : dbus libcap libdaemon nss-mdns
  Conflicts With : howl mdnsresponder
  You get that error because they DO conflict.  Do you have mdnsresponder installed?
  If so, and you want avahi, then you'll have to remove mdnsresponder and install avahi.

• Sun PKCS#11 NSS Problem with CA Certificates

  There appears to be a problem with the Sun PKCS#11 provider's NSS specific functionality.
  If Firefox 2.x based KeyStore is loaded which contains CA Certificates which have been imported into the the standard "Software Security Device" (and are therefore not in the root store) they are not visible as Certificate Entries when enumerating the KeyStore aliases.
  If a personal key/cert pair is present then the corresponding CA Certs can be obtained via KeyStore.getCertificateChain(alias) but this doesn't help when I have other CA's present that need to be accessed.
  These additional CA Certificates are visible via the FireFox "Certificate Manager" and via the JSS API's - anyone aware of this problem ?

  You need to use the trustanchors nssModule, read the JavaTM PKCS#11 Reference Guide at --
  http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#Config
  For example, you can write your config file like this --
  name=NSS
  nssSecmodDirectory=path_of_your_dbs
  nssLibraryDirectory=path_of_dll_or_so
  nssModule=trustanchors

• Problems with NSS partition mirroring and pool errors.

  OS: NetWare 6.5SP8 latest patches applied
  I have an NSS pool that is made up of two 2TB LUNS on my SAN array.
  I've been trying to move the pool from the LUNs on my SAN array to a pair of 2TB VMWare disks by using the partition mirror method.
  All of the LUNS reside on the same array, but the two original LUNs are attached to an HBA in passthrough mode, so the VMWare infrastructure does not see those LUNS.
  One partition mirrored without issue. The second one shows as synchronized yet remained at 99%.
  A forum search indicated that a pool rebuild was in order.
  I ran a pool verify and rebuild and tried mirroring the "problem child" partition again with the same result.
  Before running the rebuild a second time, I removed both mirrored pairs.
  I ran a pool verify and rebuild and tried mirroring the "problem child" partition again with the same result.
  Last night, I repeated that same process and finally got 100% synchronization.
  In the second and third rebuild processes, I got an error message stating that data would be lost if I continued the rebuild. Since I have backup, I continued the rebuild.
  About 6 hours after that synchronization finished, I started receiving block error messages for the pool:
  NSS-3.00-5002: Pool xxxx/DATA is being deactivated.
  An error (20012(nameTree.c[45])) at block 536784421(file block -536784421)(ZID 6) has compromised volume integrity.
  The pool deactivated itself.
  I reset the server and when it mounted that volume, I continued to receive the errors.
  I deactivated the pool, put it in maintenance mode and started another pool rebuild, this time with the /purge option.
  I did not remove the mirrored pair before the rebuild started, so I have the one partition that gave me no problems un-mirrored and the partition that did give me problems is mirrored.
  I don't know if that will have any affect on the rebuild process or not.
  My questions are:
  1) Will the fact that the pool is only half-mirrored be an issue for the rebuild?
  2) Is there any other option in the rebuild process that I should have added?
  3) Is the fact that I'm mirroring to a VMFS disk an issue? I could create a new pool/volume on those VMWare disks and use the server consolidation utility to copy the data between volumes, but my desire to avoid that was the reason to use the mirror process in the first place.

  The difference between a sledge hammer and a Q-Tip is that you do a lot less damage with a Q-Tip.
  Everything has been messed with to the point where it would be impossible for any other advice than make a new disk, make a new pool, make a new volume, and do your restore. Then, when all the data is restored without error, move the OLD DATA: volume out of the way and put in the NEW DATA: volume.
  Originally Posted by gathagan
  My questions are:
  1) Will the fact that the pool is only half-mirrored be an issue for the rebuild?
  2) Is there any other option in the rebuild process that I should have added?
  3) Is the fact that I'm mirroring to a VMFS disk an issue? I could create a new pool/volume on those VMWare disks and use the server consolidation utility to copy the data between volumes, but my desire to avoid that was the reason to use the mirror process in the first place.
  1. God only knows. It should not.
  2. No. I think its an issue of doing too much, to quickly. It is unlikely a pool rebuild would "fix" a mirroring problem. I would not have gone ahead with a pool rebuild with mirroring broken.
  3. A disk is a disk. Perhaps there is some underlying issue with the VMDK. How is it provisioned? Is it out of space? Buggy edge cases of having an extactly 2TB VMDK? Who knows.
  The mirroring happens at a layer below the pool level. So I have a hard time understanding a how a rebuild would help mirroring unless the pool is really bent to begin with.
  Again, the state of the current DATA: volume would be in question after all that fiddling, even if you can get it to work would you really trust it? I would not. I would recreate DATA: from backup on whatever new partition you want and chalk it up to experience. You can minimize the pain of that by restoring to a differently named volume and then renaming the volumes after you confirm proper operation.
  -- Bob

• CIFS with NSS

  Never done this one before.
  We have an OES 11 box up in our satellite office. They also have a new Xerox 7845 copier that they use to Scan documents from. Currently, its set up to scan via email and then go to their groupwise accounts via the GWIA. I'd like to bypass that and make it faster/more efficient by having the files go to a directory on the OES server (running NSS). From what I can see, the Xerox supports ftp/smb/netware. For "netware" I think it needs IPX enabled, so thats a no go nowadays. My understanding and correct me if I'm wrong, that SMB should work if I set up CIFS on the OES server.
  In my failed attempts, I installed CIFS on the OES server via OES Install/Configure. Logged into iManager and configured a share called "Scan" with a path of VOL4:Scan. Server name is "FSO_W". Its set to eDirectory (local) mode. I've also tried the domain mode (we also have AD that users login to both AD/Edir with novell client).
  What am I doing wrong here? Is it possible to create a CIFS share for a folder on an NSS volume? If I browse to \\fso_w, i get prompted for a login, but nothing I try works.. have tried edir accounts, root, etc. I also tried setting the "Scan" folder with Read rights for Public, still no dice. If I login to the server normally, and browse to FSO or the IP address.. I see my NSS volumes, as always, but no "Scan" share.
  Help? :) Thanks

  Am 09.04.2015 um 06:06 schrieb joebrug:
  >
  > Hey Massimo,
  > hmm no I don't believe I do. That why?
  Yes. Universal Password is an absolute requirement for all users using cifs.
  CU,
  Massimo Rosen
  Novell Knowledge Partner
  No emails please!
  http://www.cfc-it.de

• Backup Exec with NSS 300 series

  We've just got hold of a NSS 324 with two disks
  installed, and need to back it up via Backup Exec 12.5 has
  anyone outhere actually done this ?
  I can map a drive to the share on the NSS box but Backup Exec can't see it
  Server OS Windows Server 2003
  NSS Firmware 1.0.0

  I haven't used backup exc with the NSS324, but I did see the firmware you are currently running on is the initial release and they have been 3 updated releases since then with a updated Samba client included so I would recommend upgrading to the latest firmware.
  Thanks,
  Jason Bryant
  Cisco Network Engineer.

• Does TLS 1.2 work with SunPKCS11-NSS provider in FIPS mode?

  The following exception occurs while processing serverHelloDone during an attempt at TLS1.2 with NSS in FIPS mode (via modutil) .
       java.security.NoSuchAlgorithmException: no such algorithm: SunTls12RsaPremasterSecret for provider SunPKCS11-NSS
  Both the client and the server are running from a unit test using:
  JDK 1.8.0_31-b13
  nss-3.16.2.3-3
  The same test runs fine in FIPS mode using TLS1.1 or TLS1.0.  The same test also runs with TLS1.2 when the keystore is not in FIPS mode.
  I am thinking that it is not supported.  SunPKCS11-NSS provider needs to be updated with the SunTLS12* algorithms before this will work.  The JSSE's ClientKeyExchange expects to be able to obtain a KeyGenerator specific to TLS1.2.  When in FIPS mode, the crypto provider is SunPKCS11-NSS and it does not have the requested algorithm.
  Can anyone confirm or deny this?  Any ideas as to when it will be supported?
  I've been all over the map trying to figure this one out.  I am pretty sure at this point that it is not a problem with the NSS library.

  Startup Items are in System Preferences>Accounts>youraccount>Startup Items. To delete them just highlight one and click the minus sign. To test it without deleting any just create a new administrator account. Call it test and set the password as test also (easy to remember). Make sure there are no Startup Items. Log out of your account (Apple Menu>Log Out) and log into the new one or if you're running in safe mode, restart and log into the test account. See if it runs OK. If it does, you know it's something in your account causing the problem.
  John

• Erroneous duplicate entries appearing in SunPKCS11 NSS KeyStore

  Using the Java PKCS #11 NSS Based KeyStore API (SunPKCS11 provider) in OpenJDK 7, I am managing to get my NSS DB into a bad state:
  certutil from NSS is showing that an alias is getting duplicated again and again on every attempt to overwrite an existing entry with new data:
  Certificate Nickname Trust Attributes
  SSL,S/MIME,JAR/XPI
  sub-ca-node-mgmt u,u,u
  root-ca u,u,u
  sub-ca-endpoints u,u,u
  sub-ca-node-mgmt ,,
  I am only trying to delete the entry using deleteEntry (in this case sub-ca-node-mgmt), then store an updated version of it (you could imagine this as replacing an expired certificate with the updated version) using setKeyEntry. If I add additional code to reload the keyStore after deleting the entry, this does not make any difference in the result. If I rerun the code over again, I can get as many separate copies of sub-ca-node-mgmt as you could imagine. If I comment out the call to setKeyEntry, the problem stops happening.
  Thus I suspect that setKeyEntry is either not working as advertised, or I am misusing the API. Does anyone have a working example of how to delete and overwrite an existing entry in the PKCS11 KeyStore?
  Edited by: 989646 on Feb 21, 2013 6:44 PM

  Found the root cause for this one. The code which generated the RSA key for the cert was not quite right, and mismatched the certs and keys. When this happened it broke the NSS DB, because the association between the keys and certs got damaged, and Java could not access the DB reliably anymore. However, Java is still part of the problem, because it fails to check if the CKA_ID (NSS / PKCS11 Key ID), which is calculated from the RSA modulus inside the public key / cert and the private key, are properly matching or not.

• OES11 SP2 - Linux File System and NSS Pools & Volumes

  Planning to install our first OES11 SP2 server into an existing tree - the
  idea is to run this new OES11 server virtualized on VMware ESXi 5.5
  The existing tree has two physical NW6.5SP8 servers running eDirectory
  Version 8.7.3.10b (NDS Version 10554.64). One of the existing Netware
  servers is used for DHCP/DNS, File Sharing from three NSS volumes and
  Groupwise 7.0.4 whilst the second server is used for FTP services and
  eDirectory redundancy. Ultimately the plan is to have two virtualized OES11
  SP2 server with one for file sharing and the other for making the move from
  GW7 to GW2012. And we're planning to stick with NSS for file sharing on the
  new OES11 SP2 server.
  I've come across a couple of posts for earlier versions of OES which
  recommended not to put the Linux Native OS File System and NSS storage
  pools/volumes on the same hard drive. Apparently the advice was a result of
  needing to allow EVMS to manage the drive which could be problemmatic.
  I've read the OES11 documentation which says that "The Enterprise Volume
  Management System (EVMS) has been deprecated in SLES 11, and is also
  deprecated in OES 11. Novell Linux Volume Manager (NLVM) replaces EVMS for
  managing NetWare partitions under Novell Storage Services (NSS) pools."
  So I'm wondering if there is still a compelling requirement to keep the
  Linux Native File System and NSS pools/volumes on separate hard drives or
  can they both now safely co-exist on the same drive without causing
  headaches or gotchas for the future?
  Neil

  Hi Willem,
  Many thanks for the further reply.
  So we can just use the VMWare setup to "split" the one physical drive into
  two virtual drives (one for the OS and the second for the pools).
  And I've seen posts in other forums about the need for a decent battery
  backed cache module for the P410i controller so I'll make sure we get one
  (probably 512Mb module + battery).
  Can I ask what is the advantage of configuring each VM's virtual disk to run
  on it's own virtual SCSI adapter (by setting disk1 to scsi 0:0, disk2 to
  scsi 1:0, and so on)?
  Cheers,
  Neil
  >>> On 9/5/14 at 12:56, in message
  <[email protected]>,
  magic31<[email protected]> wrote:
  > HI Niel,
  >
  > xyzl;2318555 Wrote: >
  >> The new installation will run on a Proliant ML350 G6 with P410i>
  > controller
  >> so we can use the raid capability to create two different logical drives>
  > as
  >> suggested.
  >
  > As you will be using ESXi 5.5 as host OS, it's not needed to split
  > thehost server storage into two logical drives... unless that's what
  > youwant in perspective for "general performance" or redundancy reasons.
  > Italso depends on the options that P410i controller has.
  >
  > On a side note, I'm not too familiar with the P410i controller... domake
  > sure you have a decent battery backed cache module installed, asthat will
  > greatly help with the disk performance bit.
  > If the controller can handle it and the controller can handle it, go
  > forraid 10 or raid 50. That might be too big a space penalty but will
  > helpwith disk performance.
  >
  > Once you have your VMware server up and running, you can configure
  > thetwo VM's with each two or more drives attached (on for the OS,
  > thesecond or others for your pools).
  > I usually create a virtual disk per pool+volume set (e.g. DATAPOOL
  > &DATAVOLUME on one vm virtual disk, USERPOOL & USER volume on an other
  > vmvirtual disk).
  > With VMware you can than also configure each VM's virtual disk to run
  > onit's own virtual SCSI adapter (bij setting disk1 to scsi 0:0, disk2
  > toscsi 1:0, and so on).
  >
  >
  > xyzl;2318555 Wrote: > Do you have any suggestions for the disk space that
  > should be reserved> or
  >> used for the Linux Native OS File System (/boot, /swap and LVM)?
  >>
  >
  > Here's one thread that might be of interest (there are more
  > throughoutthe SLES/OES
  >
  forums):https://forums.novell.com/showthread...rtitioning-%28
  > moving-from-NW%29
  >
  > I still contently follow the method I choose for back in 2008, justwith
  > a little bigger sizing which now is:
  >
  > On a virtual disk sized 39GB:
  >
  > primary partition 1: 500 MB /boot , fs type ext2
  > primary partition 2: 12GB / (root), fs type ext3
  > primary partition 3: 3 GB swap , type swap
  >
  > primary partition 4: LVM VG-SYSTEM (LVM partition type 8E), takes up
  > therest of the disk **
  > LVM volume (lv_var): 12 GB /var , fs type ext3
  > LVM volume (lv_usr-install): 7GB /usr/install, fs type ext3
  > * there's still a little space left in the LVM VG, in case var needs
  > toquickly be enlarged
  >
  > One thing that's different in here vs what I used to do: I replaced
  > the/tmp mountpoint with /usr/install
  >
  > In /usr/install, I place all relevant install files/IOS's
  > andinstallation specifics (text files) for the server in question. Keeps
  > itall in one neat place imo.
  >
  > Cheers,
  > Willem-- Knowledge Partner (voluntary sysop)
  > ---
  > If you find a post helpful and are logged into the web interface,
  > please show your appreciation and click on the star below it.
  >
  Thanks!---------------------------------------------------------------------
  ---magi
  > c31's Profile: https://forums.novell.com/member.php?userid=2303View this
  > thread: https://forums.novell.com/showthread.php?t=476852

• NSS pool errors during every NSS background check

  We are running a NW 6.5 SP6 server with NSS pools SYS and POOL1.
  POOL1 contains two volumes: VOL1 and MAIL. Both can grow to max. pool size.
  During every NSSbackground check we receive the messages below.
  I checked the novell support site, but can't find anything usefull on this.
  Anyone got an idea what they mean and how to get rit of them?
  Kind regards,
  Mario van Rijt
  systems administrator
  System console
  4-07-2008 16:59:10 : COMN-3.25-178 [nmID=A0020]
  NSS-2.70-5009: Pool MFP02/POOL1 had an error
  (20012(beastTree.c[510])) at block 23579655(file block -23579655)(ZID
  1).
  4-07-2008 16:59:10 : COMN-3.25-180 [nmID=A0022]
  NSS-2.70-5008: Volume MFP02/VOL1 had an error
  (20012(beastTree.c[510])) at block 23579655(file block -23579655)(ZID
  1).
  Logger screen
  4 Jul 2008 16:59:10 NSS<COMN>-3.25-xxxx: comnPool.c[2629]
  Pool POOL1: System data error 20012(beastTree.c[510]). Block
  23579655(file
  block -23579655)(ZID 1)
  4 Jul 2008 16:59:10 NSS<COMN>-3.25-xxxx: comnVol.c[8852]
  Volume VOL1: System data error 20012(beastTree.c[510]). Block
  23579655(fil
  e block -23579655)(ZID 1)

  Originally Posted by Mario vanRijt
  (20012(beastTree.c[510])) at block 23579655(file block -23579655)(ZID
  1).
  Logger screen
  4 Jul 2008 16:59:10 NSS<COMN>-3.25-xxxx: comnPool.c[2629]
  Pool POOL1: System data error 20012(beastTree.c[510]). Block
  23579655(file
  block -23579655)(ZID 1)
  This one zeems to be
  "20012 zERR_MEDIA_CORRUPTED: The media is corrupted."
  This may indicate that it is time to do a pool rebuild, although I don't know enough about what line 510 of beastTree.c is looking for to say much about what the actual problem is.
  /dps
  4 Jul 2008 16:59:10 NSS<COMN>-3.25-xxxx: comnVol.c[8852]
  Volume VOL1: System data error 20012(beastTree.c[510]). Block
  23579655(fil
  e block -23579655)(ZID 1)[/QUOTE]

• Veeam and OES NSS drives and GroupWise

  Can anyone give me some tips and or tricks when it comes to backing up SLES 11 Sp3 / OES 11 Sp2 servers with NSS drives and GroupWise 2014 using Veeam 8.0?
  I am testing Veeam 8.0 for our company and am a little leery about do a restore of files on our production server and really dont want to setup a complete test server if it pretty straight forward.
  Just wondering,
  Ken

  Veeam 8.0 does have a restore using NSS file system option. My concern is when Veeam does a FLR proxie and brings up a duplicate (excluding IP Address) of my main OES 11 System. Will they conflict having the same name/tree structure or wont the original OES tree even know its there?
  I dont really have the equipment to setup a full test environment so I am hoping someone can help me with this.
  Thanks,
  Ken

• NSS and LUN expanding - what you need to know before you migrate

  Thought I'd share, since this isn't in any documentation or TID that I
  can find.
  Before you move to OES2 Linux with NSS or multipathing code or EVMS, you
  may want to consider this limitation (IMO, a major limitation if you're
  running an Enterprise).
  If you SAN allows you to grow/expand a LUN (ie, LUN1 was 50 GB and now
  you grow it to 100 GB), you cannot use the new space until you reboot
  the server itself. If you're running NCS, then you need to reboot every
  node that can host the clustered resource before you can expand the NSS
  pool.
  The issue is a bug in the devmapper portion of SLES. ANYTHING that uses
  devmapper will prevent the further layers (ie, multipathing or EVMS)
  from seeing the additional space until you reboot the server.
  Obviously rebooting servers in the middle of the day to add more space
  affects Enterprise services to your users. As does making them wait
  until off-hours before they can write/save any data to the servers. Not
  to mention rebooting multiple nodes in your NCS cluster.
  Novell won't fix this until SLES 11. Even then (ie, if you implement
  OES2 now and can live with the limitation it won't be truly fixed in
  SLES 11 if you're using NSS/EVMS), as the limitation will still be in
  EVMS in SLES 11. Therefore, you'd have to migrate your data to LVM2 (I
  believe that's what Novell is switching to). Yet another major
  disruption for your users.
  So, if you're thinking about OES2 with NSS/EVMS or multipathing, you may
  want to consider the effect this will have to your userbase (ie, how
  many times do you want to migrate your data?)
  In our case, looks like it's goint to be one migration --- to MS
  Windows.

  Hi,
  General rule, if you think rebooting is NOT an option AND you are not using clustering - you're looking for trouble.
  I know I can increase space to my cluster with out kicking my users offline.
  Worked for NSS.
  Worked for OCFS.
  Limitation noted and ignored.
  -M
  Originally Posted by KittyNoLegs
  Thought I'd share, since this isn't in any documentation or TID that I
  can find.
  Before you move to OES2 Linux with NSS or multipathing code or EVMS, you
  may want to consider this limitation (IMO, a major limitation if you're
  running an Enterprise).
  If you SAN allows you to grow/expand a LUN (ie, LUN1 was 50 GB and now
  you grow it to 100 GB), you cannot use the new space until you reboot
  the server itself. If you're running NCS, then you need to reboot every
  node that can host the clustered resource before you can expand the NSS
  pool.
  The issue is a bug in the devmapper portion of SLES. ANYTHING that uses
  devmapper will prevent the further layers (ie, multipathing or EVMS)
  from seeing the additional space until you reboot the server.
  Obviously rebooting servers in the middle of the day to add more space
  affects Enterprise services to your users. As does making them wait
  until off-hours before they can write/save any data to the servers. Not
  to mention rebooting multiple nodes in your NCS cluster.
  Novell won't fix this until SLES 11. Even then (ie, if you implement
  OES2 now and can live with the limitation it won't be truly fixed in
  SLES 11 if you're using NSS/EVMS), as the limitation will still be in
  EVMS in SLES 11. Therefore, you'd have to migrate your data to LVM2 (I
  believe that's what Novell is switching to). Yet another major
  disruption for your users.
  So, if you're thinking about OES2 with NSS/EVMS or multipathing, you may
  want to consider the effect this will have to your userbase (ie, how
  many times do you want to migrate your data?)
  In our case, looks like it's goint to be one migration --- to MS
  Windows.

• NSS and DRBD

  Hi,
  I have customer with a limited budget, but wanting to use OES and NSS in a cluster. I've used DRBD quite a lot before and have always been very happy with it, so I'd like to combine it with NSS (and possibly other Novell services).
  Has anyone every installed NSS on top of DRBD and Heartbeat?
  In the past I clustered NSS volumes with NCS and remember that shared storage was abolutely needed. Can NSS be clustered with Heartbeat? Can an NSS volume be swapped in between servers by stopping and starting a init.d-script (as is required for Heartbeat)?
  Thank you,
  Bart

  Originally Posted by brunold
  Bart,
  a few things on this ....
  We have a bunch of xen server running where we mirror the xen guests with drbd and control them with heartbeat.
  The problem with nss and heartbeat might be that nss cannot be stopped. The runlevel script supports just the start option and I'm not aware that the nss system supports 'hotplug' for whole disks. Hotplug in case the heartbeat will deactivate the mirror and activate it on the second node. I guess there might be soem wrisk in data loss ....
  Another idea for you could be not to use nss volumes, but to simply use reiser or ext3 filesystems and provide them to the clients via a ncp volume. So you can use drbd to mirror the devices, heartbeat mount / dismount the filesystems and then you would need to create the ncp share.
  Please see "man ncpcon" - section Managing NCP Volumes for more information.
  Rainer
  nss supports activation and deactivation of pools - this can be used "turn off" nss on the shared disk.
  try nss /poolact=POOL1 and nss /pooldeact=POOL1 commands