SunPKCS11 and NSS 3.11.4

Similar Messages

• SunPKCS11 and NSS on Mac OS X 10.5

  Hello there,
  I've been scratching my head the whole day about how to use the SunPKCS11 provider and Mozilla's NSS framework under Mac OS X 10.5 (a.k.a Leopard).
  Let me replay the whole movie for you...
  So here I am, religiously following Sun's guidelines ([Java PKCS11 reference guide|http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#NSS]).
  I have of course compiled and installed [Mozilla's NSS and NSP|http://www.mozilla.org/projects/security/pki/nss/].
  So far, so good. Now, I followed Sun's instruction and wrote a configuration file for the SunPKCS11 provider. It looks like this:
  name = NSS
  nssLibraryDirectory = /Users/<path_to_lib_dir>/lib
  nssDbMode = noDb
  attributes = compatibilitywhere <path_to_lib_dir> refers of course to the real path on my Leopard machine.
  To test my setup, I use a trivial program that I've found in this very forum if I remember correctly. Here is the error I (violently!) get when trying to run it:
  $ java6 -cp /Users/<path_to_my_classes>/*:. MySmallProgram
  java.security.ProviderException: Could not initialize NSS
       at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:183)
       at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:86)
       at MySmallProgram.test_nss_with_sunpkcs(MySmallProgram.java:214)
       at MySmallProgram.main(MySmallProgram.java:255)
  Caused by: java.io.FileNotFoundException: /Users/<path_to_lib_dir>/lib/libnss3.jnilib
       at sun.security.pkcs11.Secmod.initialize(Secmod.java:169)
       at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:179)
       ... 3 moreOf course, I checked the content of the /Users/<path_to_lib_dir>/lib/ directory and... I got a whole bunch of NSS libraries but not the one SunPKCS11 is looking for. I got a libnss3.dylib library (the equivalent to libnss3.so on a "regular" Unix machine) but no jnilib library. And indeed, why should I have a JNI library? I thought that the purpose of SunPKCS11 was to provide the JNI stuff required to bridge the gap between Java and native libraries.
  After that, I tried to install [Mozilla's JSS|http://www.mozilla.org/projects/security/pki/jss/] but all I get is a libjss4.jnilib library and nothing like a libnss3.jnilib.
  So, any guess about what's going on? Should I really have a JNI library instead of a pure, standard C library?
  Any help will be reaaally appreciated.
  Regards,
  Ctrl-x-53

  You shouldn't be calling System.loadLibrary...The SunPKCS11 provider loads all that up for you. You don't need to explicitly load ANY native libraries to use this.
  Code-wise, all I do is:
  Provider nss = new sun.security.pkcs11.SunPKCS11("c:/nss/nss.cfg");
  Security.insertProviderAt(nss, 1);the contents of c:/nss/nss.cfg:
  name = nss
  nssLibraryDirectory = /nss
  nssSecmodDirectory = /nss
  nssModule = keystoreIn /nss I have all the NSS and NSPR libraries (and .chk files) and I created a new db with certutil.
  At that point you can either pass the provider object around or I think it names them all "PKCS11-<name>" so in my case "PKCS11-nss". You can have several different SunPKCS11 providers installed and active at one time.
  Oh and it shouldn't be any problem that you compiled NSS/NSPR as 64-bit libraries as long as everything else (like the JVM) is 64 bit. You will run into problems trying to mix and match but it should work fine all 64-bit.
  Edited by: dstutz on Jul 15, 2008 7:25 AM
  And now reading stuff again...you say it all works fine on linux. Maybe it's just something about how you've compiled it? I don't have any experience with OS-X. I would recommend posting to the mozilla.dev.tech.crypto newsgroup or join the mailing list at [https://lists.mozilla.org/listinfo/dev-tech-crypto|https://lists.mozilla.org/listinfo/dev-tech-crypto] and asking the NSS developers directly.
  Edited by: dstutz on Jul 15, 2008 7:26 AM

• OES11 SP2 - Linux File System and NSS Pools & Volumes

  Planning to install our first OES11 SP2 server into an existing tree - the
  idea is to run this new OES11 server virtualized on VMware ESXi 5.5
  The existing tree has two physical NW6.5SP8 servers running eDirectory
  Version 8.7.3.10b (NDS Version 10554.64). One of the existing Netware
  servers is used for DHCP/DNS, File Sharing from three NSS volumes and
  Groupwise 7.0.4 whilst the second server is used for FTP services and
  eDirectory redundancy. Ultimately the plan is to have two virtualized OES11
  SP2 server with one for file sharing and the other for making the move from
  GW7 to GW2012. And we're planning to stick with NSS for file sharing on the
  new OES11 SP2 server.
  I've come across a couple of posts for earlier versions of OES which
  recommended not to put the Linux Native OS File System and NSS storage
  pools/volumes on the same hard drive. Apparently the advice was a result of
  needing to allow EVMS to manage the drive which could be problemmatic.
  I've read the OES11 documentation which says that "The Enterprise Volume
  Management System (EVMS) has been deprecated in SLES 11, and is also
  deprecated in OES 11. Novell Linux Volume Manager (NLVM) replaces EVMS for
  managing NetWare partitions under Novell Storage Services (NSS) pools."
  So I'm wondering if there is still a compelling requirement to keep the
  Linux Native File System and NSS pools/volumes on separate hard drives or
  can they both now safely co-exist on the same drive without causing
  headaches or gotchas for the future?
  Neil

  Hi Willem,
  Many thanks for the further reply.
  So we can just use the VMWare setup to "split" the one physical drive into
  two virtual drives (one for the OS and the second for the pools).
  And I've seen posts in other forums about the need for a decent battery
  backed cache module for the P410i controller so I'll make sure we get one
  (probably 512Mb module + battery).
  Can I ask what is the advantage of configuring each VM's virtual disk to run
  on it's own virtual SCSI adapter (by setting disk1 to scsi 0:0, disk2 to
  scsi 1:0, and so on)?
  Cheers,
  Neil
  >>> On 9/5/14 at 12:56, in message
  <[email protected]>,
  magic31<[email protected]> wrote:
  > HI Niel,
  >
  > xyzl;2318555 Wrote: >
  >> The new installation will run on a Proliant ML350 G6 with P410i>
  > controller
  >> so we can use the raid capability to create two different logical drives>
  > as
  >> suggested.
  >
  > As you will be using ESXi 5.5 as host OS, it's not needed to split
  > thehost server storage into two logical drives... unless that's what
  > youwant in perspective for "general performance" or redundancy reasons.
  > Italso depends on the options that P410i controller has.
  >
  > On a side note, I'm not too familiar with the P410i controller... domake
  > sure you have a decent battery backed cache module installed, asthat will
  > greatly help with the disk performance bit.
  > If the controller can handle it and the controller can handle it, go
  > forraid 10 or raid 50. That might be too big a space penalty but will
  > helpwith disk performance.
  >
  > Once you have your VMware server up and running, you can configure
  > thetwo VM's with each two or more drives attached (on for the OS,
  > thesecond or others for your pools).
  > I usually create a virtual disk per pool+volume set (e.g. DATAPOOL
  > &DATAVOLUME on one vm virtual disk, USERPOOL & USER volume on an other
  > vmvirtual disk).
  > With VMware you can than also configure each VM's virtual disk to run
  > onit's own virtual SCSI adapter (bij setting disk1 to scsi 0:0, disk2
  > toscsi 1:0, and so on).
  >
  >
  > xyzl;2318555 Wrote: > Do you have any suggestions for the disk space that
  > should be reserved> or
  >> used for the Linux Native OS File System (/boot, /swap and LVM)?
  >>
  >
  > Here's one thread that might be of interest (there are more
  > throughoutthe SLES/OES
  >
  forums):https://forums.novell.com/showthread...rtitioning-%28
  > moving-from-NW%29
  >
  > I still contently follow the method I choose for back in 2008, justwith
  > a little bigger sizing which now is:
  >
  > On a virtual disk sized 39GB:
  >
  > primary partition 1: 500 MB /boot , fs type ext2
  > primary partition 2: 12GB / (root), fs type ext3
  > primary partition 3: 3 GB swap , type swap
  >
  > primary partition 4: LVM VG-SYSTEM (LVM partition type 8E), takes up
  > therest of the disk **
  > LVM volume (lv_var): 12 GB /var , fs type ext3
  > LVM volume (lv_usr-install): 7GB /usr/install, fs type ext3
  > * there's still a little space left in the LVM VG, in case var needs
  > toquickly be enlarged
  >
  > One thing that's different in here vs what I used to do: I replaced
  > the/tmp mountpoint with /usr/install
  >
  > In /usr/install, I place all relevant install files/IOS's
  > andinstallation specifics (text files) for the server in question. Keeps
  > itall in one neat place imo.
  >
  > Cheers,
  > Willem-- Knowledge Partner (voluntary sysop)
  > ---
  > If you find a post helpful and are logged into the web interface,
  > please show your appreciation and click on the star below it.
  >
  Thanks!---------------------------------------------------------------------
  ---magi
  > c31's Profile: https://forums.novell.com/member.php?userid=2303View this
  > thread: https://forums.novell.com/showthread.php?t=476852

• Error with SUNPKCS11 and Terminal Server

  I've found a problem when trying to create a SUNPKCS11 Provider through a Terminal Server session. My code is as simple as this:
  Provider pkcs11Provider = new sun.security.pkcs11.SunPKCS11(pkcs11ConfigPath);I see that it works fine in my local system, but when I run it through a Terminal Sever session, I get the ProviderException CKR_TOKEN_NOT_RECOGNIZED. The amazing thing is that if I try to do it several times, at last it works. I mean, doing that...
  Provider pkcs11Provider = null;
  while (pkcs11Provider == null) {
     try {
        pkcs11Provider = new sun.security.pkcs11.SunPKCS11(pkcs11ConfigPath);
     } catch (ProviderException e) {
        Throwable cause = e.getCause();
        if (!(cause instanceof PKCS11Exception && ((PKCS11Exception) cause).getErrorCode() == PKCS11Constants.CKR_TOKEN_NOT_RECOGNIZED)) {
           throw new TokenInicializationException(e);
  }...it finally works. It needs much more times to get it with JRE 1.6 (about 1500) than with 1.5 (about 10).
  I'm completely lost and I haven't found anything around about this. Can someone help me to avoid using this loop?

  When using NT Terminal Server, attempting to boot or shutdown Tuxedo can
  fail for semaphore errors.
  This is because NT Terminal Server performs "object decoration" for
  kernel objects that are created while in a remote session. For example,
  if you create a semaphore named foo locally, it will be called foo. But
  if you create a semaphore called foo while logged in remotely with
  session id 1, the semaphore name will be foo:1
  To be able to work with Tuxedo within a remote login window, "object
  decoration" needs to be turned off.
  SOLUTION:
  First make sure the tuxipc service is not running.
  Change directory into %TUXDIR%\bin
  Run Register
  Register libgp.dll /SYSTEM
  Run Register on all other dll's in %TUXDIR%\bin, it need be only run once.
  This will turn off "object decoration" for these dll's and remote admin
  of Tuxedo should no longer fail.
  Ray Castro Junior wrote:
  Hi,
  I have the product Bea Tuxedo v7.1 for Windows 2000 server.
  Machine: Compaq ProLiant.
  If I to install in the same machine the Terminal Server the tuxedo stops all the
  function.
  What it can be this?
  Thanks in advance.
  Ray

• OS X Lion and NSS 326

  I've got a Cisco NSS 326 NAS and have recently run into a problem with OS X Lion Developer Preview and authentication to the NAS. When connecting to the NAS over AFP as guest I can access the NAS just fine. However, when I try and authenticate I get an error that reads:
  "The version of the server you are trying to connect to is not supported. Please contact your system administrator to resolve the problem."
  I've read on another site (http://trick77.com/2011/02/25/afp-broken-linux-based-nas-mac-os-x-lion-10-7) that this has to do with the version of AFP that is running on the NAS compared to the new version that OS X Lion is using AFP 2.
  Does anyone have a solution to enable the NAS to support AFP 2 or are there any plans to support this from Cisco any time soon?

  Hi all NSS32x owners,
  Like you all, I bought a Storage Solution from Cisco, personally hoping that Cisco would be better in supporting us than the OEM they bougth the NSS32x line from.
  Until now I have been disapointed over and over.
  They opened a discussion about what should be implemented in the Cisco versions of the NAS'ses but so far no real addition of any value.
  Now we are facing the problem with OS X Lion's TimeMachine incompatability, which could have been solved for months ago, when the first developer releases were issued.
  No response from Ciso however.
  This is really bad.
  Other companies already have solutions for their products in order to be compatible with Lion.
  Ok, I agree, this might not be a problem caused by Cisco, but a problem that was caused by Apple when releasing Lion. But hey all companies have to update their software so Cisco as well as Apple.
  However, companies of major size (Apple, Cisco, and many others) should be more cooperative when releasing new software.
  I work in IT for over 30 years now and I have always seen that when Cisco bought a company, their "boxes" were painted gray and the Cisco "bridge" logo was aplied and then all over sudden it became a REAL Cisco product.
  And I mean it really became a Cisco product. You might have some minor problems but those were always solved.
  I would have expected the same from Cisco with respect to these NAS'ses.
  And believe me, I have seen quit some NAS'ses from the competitors but the NSS32x series does not come with the support you get from other competing NAS vendors.
  That is what bothers me and I regret that there is no solution today for the issue(s) we have with OS X Lion, but what bothers me even more is that Cisco is not informing us at all about whatever solution there will be within whatever time frame.
  I still have the NSS326 and I had to pay quit a premium over other vendors, but accepted it, supposing that the NAS would have the support I am familiar with from Cisco, but as you can read above I am disapointed.
  So Cisco, what are you going to do to improve support and be more open and informative about coming software releases for the NSS32x series NAS'ses?
  Regards,
  Klaas de Jong

• LVM and NSS in OES11

  I am building out a replacement server which will be the target for a server migration. The server will host an NSS volume. In the past I have always created an array-level logical drive for my NSS partiton/volume. Rather than doing this, I would rather just have one logical drive and partition the space using LVM (except for /boot and swap). Once I create the LVM and add /, /home, /var, /tmp to it, I will have a lot of extra space which I want to use for the NSS volume.
  So, is it possible to use the unused space in LVM for NSS? Or should I stick which a separate logical partition for NSS?
  Chris

  Originally Posted by cmosentine
  I am building out a replacement server which will be the target for a server migration. The server will host an NSS volume. In the past I have always created an array-level logical drive for my NSS partiton/volume. Rather than doing this, I would rather just have one logical drive and partition the space using LVM (except for /boot and swap). Once I create the LVM and add /, /home, /var, /tmp to it, I will have a lot of extra space which I want to use for the NSS volume.
  So, is it possible to use the unused space in LVM for NSS? Or should I stick which a separate logical partition for NSS?
  Chris
  With OES11 it's possible and quite easy to use the left free space on the system disk for NSS.
  It also does not have the potential for havoc as was the case with OES2 (as with OES2 this was also possible, it just meant using EVMS on the system disk device, which could lead to issues booting after patching of updating due to needed missing kernel modules for EVMS within initrd).
  Still, even with it being possible and supported to do so, if you can house the OS bits and data (be it on NSS and other filesystems) on different disk devices.. that would always be what I'd opt for. It makes certain maintenance/recovery and update tasks easier/more flexible/reliable as OS and data partitions are not within one and the same "container".
  Cheers,
  Willem

• SBS and NSS Volumes

  Hi,
  I am fairly new to Novell, but I have recently been looking at Open
  Enterprise Server and Linux Small Business Suite.
  I really thought that Novell was making the best server solution yet for
  small businesses, and thought that I could walk away from Windows SBS.
  Open Enterprise Server does a great job, NSS volumes are easily added in
  imanager, and iprint really does a great job at printing. However, it's
  too expensive for a small business, and it doesn't come with groupwise as
  standard.
  I thought thats Linux Small Business Suite 9 would be perfect. I have just
  installed it, and groupwise works well. Also creating users is easy.
  But :- Why cant i simply add NSS volumes through imanager like I did on
  OES? I thought that the ability to use Novell Volumes was one of the most
  important things for a small business?
  I am fairly new to this, so forgive me if it's just me! Any help is
  appriciated. I have been looking at the feasibility of using Novell SBS
  for small businesses that need; EMail/Printing/Volumes/Backups. Thought it
  would be as easy to setup volumes as OES, and be simple to backup using
  Tar or rsync.
  Regards,
  Luke.

  > I appreciate what you have said. I think I have to keep with Novell SBS.
  Thanks for the comments.
  >
  > I just assumed that Linux SBS would be a replacement of that, and as OES
  > is based on Suse and offers NSS I just guessed it would be very easy for
  > Novell to have included this in Linux SBS.
  I did early on as well -- but my own read is that the Novell Small
  Business team felt they really needed to do *something* to go with the
  Linux flow at Novell -- not a bad thing. It is just that the timing
  was such that an OES iteration wasn't something they could do. (Part of
  what drives the Small Business team timing is Brainshare in Utah every
  March).
  At a guess, the next time round, we'll see an OES Small Business
  product -- now that won't include BorderManager as that seems to be
  only for the NetWare world, and folks can configure Linux based
  firewalls, but it will include GroupWise.
  >
  > I have installed Microsoft SBS for clients, but find Novell's products
  > more reliable, and I'm looking to offer these products.
  >
  Me too - I have three clients who pretty much must run Microsoft
  servers, but for the rest, Novell is a much better fit.
  As the world gets more 'fatigued' with Microsoft licensing and pricing
  (both for applications and the OS), the market for Linux based
  alternatives (both for applications and the OS -- including the server
  OS) will be increasingly attractive -- and Novell is rather well
  positioned for that.
  I think one thing which might really drive the change will be solid
  migration paths at the OS and application level. The current iteration
  of Novell's Linux suite doesn't yet provide that (and really isn't
  targeted there at this point). When it does, and folks can migrate
  from NetWare or Microsoft Server, and from Win98/2k/xp to SuSE on the
  desktop, and from Office to Open Office, AND from applications like
  Quicken, Quickbooks, Act to Linux equivalents, I believe we'll see some
  real movement in the small business marketplace. I honestly believe
  that time will come -- and I for one very much need to get much more
  Linux smart in preparation for that time.
  Barry Schnur
  Novell Support Connection Volunteer Sysop

• SSLv2Hello support with SunPKCS11/NSS in FIPS mode

  Does anyone know if there is a way to enable support for SSLv2Hello when the JRE is configured to use a FIPS crypto module?
  I have an NSS database running in FIPS mode, plugged into my JRE via the following lines in my java.security file:
  security.provider.1=sun.security.pkcs11.SunPKCS11 C:/nss-pkcs11-test/nss-pkcs11.cfg
  security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSSFIPS
  nss-pkcs11.cfg:
  name=NSSFIPS
  nssLibraryDirectory=C:\nss-3.11.4\lib
  nssSecmodDirectory=C:\nss-pkcs11-test
  nssDbMode=readOnly
  nssModule=fipsand keystore/truststore config in the SSL connector in Tomcat's server.xml:
      <!-- TEST NSS PKCS11 MODULE -->
      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150" scheme="https" secure="true"
               keystoreFile=""
               keystoreType="PKCS11"
               keystoreProvider="SunPKCS11-NSSFIPS"
               keystorePass="nsspassword"
               truststoreFile=""
               truststoreType="PKCS11"
               truststoreProvider="SunPKCS11-NSSFIPS"
               truststorePass="nsspassword"
                 clientAuth="true" sslProtocol="TLS" />I've tried setting -Dhttps.protocols=TLSv1,SSLv2Hello, but that doesn't seem to make any difference. Currently the only way I can get things working is to disable SSLv2 in the browser, which is less than ideal in terms of user base support. Without SSLv2 disabled in the browser, I see the following error in my logs and am unable to establish the SSL connection with the server:
  http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
  I understand that SSLv2 is not (and should not be) supported in FIPS mode, but it seems like when you have a browser client that supports TLS but sends an SSLv2Hello by default, the server (in my case, Tomcat 6 using the aforementioned JRE) should be smart enough to renegotiate the connection to TLS.
  Any thoughts would be appreciated!

  The browser should have disabled SSLv2Hello by default in the latest releases, because SSLv2 is prohibited now. "TLS clients MUST NOT send the SSL version 2.0 compatible CLIENT-HELLO message format." [RFC6176]

• NSS issues and can't do any administration

  Hello all,
  I hope this is not a re post, I have searched on the forum and Google and can not find anything and am in dire need of some help! I have a SLES 10 SP4, with OES 2 installed on it. It also runs Groupwise 2012. I have NSS setup and configured and it has been running great for the past 2 years. The other day a colleague of mine restarted the server cause it 'was acting funny'. Now that the server has been restarted, we can not access the groupwise nss volume. If I access the server from a windows machine(\\servername) all i get is the sys volume listing. I have gone on the console of the server and try to restart nss, it looks as if it starts up, but I can not access my NSS volume through windows using the server name or with the novell client. If I try to use imanager to check the pools and volumes, It says that the version file can not be read, and NSS may not be running on the server. If I use nsscon, and try to run any nss commands, /pools and /volumes shows everything as active. As I looked through log files I did find that ncp2nss is reporting can not open /_admin/Manage_NSS/manage.cmd the says ncp2nss halted(0). I have removed NDS and re added NDS, I have refreshed the NSS and NCP through Yast-OES Install, and I have verified that LDAP, and nam are running. If i go to the server console, I can navigate to the /media/nss/GROUPWISE volume and see all the files, and Groupwise is still working fine. I can not administer Groupwise and add users from Console one, and my backup uses the unc path to backup databases, which is not accessible. Any help or thoughts would be much appreciated!!
  Thanks in advance

  Originally Posted by magic31
  With your other post, I'm not sure what's causing the problem as you mention LDAP and namcd are running and your volumes and eDir services seem to have loaded ok. To make sure not to over jump things, have you checked to make sure the server's certificates are still valid? (as you mention 2 years)
  Can you give some more detail on the server itself... is it running physical or virtual? Have there been changes to the disk configuration (adding/removing/expanding) or other while keeping the server online?
  Also, does your colleague have a little more description to what was acting funny? Or was it just slow at times?
  -Willem
  No there have been no changes to the disks or server at all. It is a physical server, not virtual. As for certificates, when I removed edirectory, I deleted everything in the OU dealing with the server, and assume that when edir was added back it created new certs. I did however go through iManager and repair default certs there, telling it to overwrite all certs. The only other Certs I have not touched is the CA for the tree, however I have other servers running NSS volumes and they are fine. Also noticed that the pools and volumes for this server are NOT in edir, and with out iManager, or nssmu, I am not sure of how to update edir with volume information, and not sure if that is the problem. and Last, unfortunately, no my colleague has given me very little information on what was going on.
  Thanks for the help.

• NSS and DRBD

  Hi,
  I have customer with a limited budget, but wanting to use OES and NSS in a cluster. I've used DRBD quite a lot before and have always been very happy with it, so I'd like to combine it with NSS (and possibly other Novell services).
  Has anyone every installed NSS on top of DRBD and Heartbeat?
  In the past I clustered NSS volumes with NCS and remember that shared storage was abolutely needed. Can NSS be clustered with Heartbeat? Can an NSS volume be swapped in between servers by stopping and starting a init.d-script (as is required for Heartbeat)?
  Thank you,
  Bart

  Originally Posted by brunold
  Bart,
  a few things on this ....
  We have a bunch of xen server running where we mirror the xen guests with drbd and control them with heartbeat.
  The problem with nss and heartbeat might be that nss cannot be stopped. The runlevel script supports just the start option and I'm not aware that the nss system supports 'hotplug' for whole disks. Hotplug in case the heartbeat will deactivate the mirror and activate it on the second node. I guess there might be soem wrisk in data loss ....
  Another idea for you could be not to use nss volumes, but to simply use reiser or ext3 filesystems and provide them to the clients via a ncp volume. So you can use drbd to mirror the devices, heartbeat mount / dismount the filesystems and then you would need to create the ncp share.
  Please see "man ncpcon" - section Managing NCP Volumes for more information.
  Rainer
  nss supports activation and deactivation of pools - this can be used "turn off" nss on the shared disk.
  try nss /poolact=POOL1 and nss /pooldeact=POOL1 commands

• Java 8 64 bit on Windows with NSS for FIPS 140 compliance

  I have asked this question on Stackoverflow but I am beginning to think that this may be a better forum to ask.
  According to JEP 131, Java 8 should provide a PKCS#11 Crypto provider for 64 bit Windows:  https://blogs.oracle.com/mullan/entry/jep_131_pkcs_11_crypto.
  With that in mind, I downloaded and built both 32 and 64 bit versions of NSS with NSPR using these instructions:  https://developer.mozilla.org/en-US/docs/NSS_Sources_Building_Testing
  I downloaded Java 8 for Windows 64 build b118, configured the java.security file and created a nss.cfg file:
  Excerpt from java.security file:
  security.provider.1=sun.security.provider.Sun
  security.provider.2=sun.security.rsa.SunRsaSign
  security.provider.3=sun.security.ec.SunEC
  security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS
  security.provider.5=com.sun.crypto.provider.SunJCE
  security.provider.6=sun.security.jgss.SunProvider
  security.provider.7=com.sun.security.sasl.Provider
  security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
  security.provider.9=sun.security.smartcardio.SunPCSC
  security.provider.10=sun.security.pkcs11.SunPKCS11 /devel/nss.cfg
  From my nss.cfg file:
  # Use NSS as a FIPS-140 compliant cryptographic token
  # SunPKCS11-NSS
  name = NSS
  #32 bit
  #nssLibraryDirectory = C:\devel\nss\nss-3.15.3.1\dist\WINNT6.1_DBG.OBJ\lib
  #64 bit
  nssLibraryDirectory = C:\devel\nss\nss-3.15.3.1\dist\WINNT6.1_64_DBG.OBJ\lib
  #non FIPS
  #nssDbMode = noDb
  #attributes = compatibility
  #FIPS
  nssSecmodDirectory = c:\devel\fipsdb
  nssModule = fips
  I ran the test suite that comes with NSS and it looks like all of the encryption/decryption tests passed (did have some issues with the tests that required hostname/domainname but that has to do with the Windows environment).
  So here is the problem. I run my test encryption app on Java 7 32 bit with the 32 bit version of NSS and everything works great. When I attempt to run Java 8 64 bit with 64 bit NSS I get the following error:
  java.security.ProviderException: Could not initialize NSS
  at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:212)
  at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
  at java.lang.reflect.Constructor.newInstance(Unknown Source)
  at sun.security.jca.ProviderConfig$2.run(Unknown Source)
  at sun.security.jca.ProviderConfig$2.run(Unknown Source)
  at java.security.AccessController.doPrivileged(Native Method)
  at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
  at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
  at sun.security.jca.ProviderList.getProvider(Unknown Source)
  at sun.security.jca.ProviderList.getIndex(Unknown Source)
  at sun.security.jca.ProviderList.getProviderConfig(Unknown Source)
  at sun.security.jca.ProviderList.getProvider(Unknown Source)
  at java.security.Security.getProvider(Unknown Source)
  at sun.security.ssl.SunJSSE.<init>(Unknown Source)
  at sun.security.ssl.SunJSSE.<init>(Unknown Source)
  at com.sun.net.ssl.internal.ssl.Provider.<init>(Unknown Source)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
  at java.lang.reflect.Constructor.newInstance(Unknown Source)
  at sun.security.jca.ProviderConfig$2.run(Unknown Source)
  at sun.security.jca.ProviderConfig$2.run(Unknown Source)
  at java.security.AccessController.doPrivileged(Native Method)
  at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
  at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
  at sun.security.jca.ProviderList.getProvider(Unknown Source)
  at sun.security.jca.ProviderList$ServiceList.tryGet(Unknown Source)
  at sun.security.jca.ProviderList$ServiceList.access$200(Unknown Source)
  at sun.security.jca.ProviderList$ServiceList$1.hasNext(Unknown Source)
  at javax.crypto.KeyGenerator.nextSpi(KeyGenerator.java:323)
  at javax.crypto.KeyGenerator.<init>(KeyGenerator.java:158)
  at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:208)
  at STSAESEncryption.generateKeyWithGenerator(STSAESEncryption.java:74)
  at Main.main(Main.java:24)
  Caused by: java.io.IOException: %1 is not a valid Win32 application.
  at sun.security.pkcs11.Secmod.nssLoadLibrary(Native Method)
  at sun.security.pkcs11.Secmod.initialize(Secmod.java:210)
  at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:207)
  ... 36 more
  Has JEP 131 been implemented with Windows/Java 64 bit as of b119?  If so has it been verified to work with NSS or should I submit a bug report?  I did download the code and the error is occurring in the following block of code at the line in bold (also with the arrow by it):
  public synchronized void initialize(DbMode dbMode, String configDir,
          String nssLibDir, boolean nssOptimizeSpace) throws IOException {
          if (isInitialized()) {
              throw new IOException("NSS is already initialized");
          if (dbMode == null) {
              throw new NullPointerException();
          if ((dbMode != DbMode.NO_DB) && (configDir == null)) {
              throw new NullPointerException();
          String platformLibName = System.mapLibraryName("nss3");
          String platformPath;
          if (nssLibDir == null) {
              platformPath = platformLibName;
          } else {
              File base = new File(nssLibDir);
              if (base.isDirectory() == false) {
                  throw new IOException("nssLibDir must be a directory:" + nssLibDir);
              File platformFile = new File(base, platformLibName);
              if (platformFile.isFile() == false) {
                  throw new FileNotFoundException(platformFile.getPath());
              platformPath = platformFile.getPath();
          if (configDir != null) {
              File configBase = new File(configDir);
              if (configBase.isDirectory() == false ) {
                  throw new IOException("configDir must be a directory: " + configDir);
              File secmodFile = new File(configBase, "secmod.db");
              if (secmodFile.isFile() == false) {
                  throw new FileNotFoundException(secmodFile.getPath());
          if (DEBUG) System.out.println("lib: " + platformPath);
  --->   nssHandle = nssLoadLibrary(platformPath);
          if (DEBUG) System.out.println("handle: " + nssHandle);
          fetchVersions();
          if (supported == false) {
              throw new IOException
                  ("The specified version of NSS is incompatible, "
                  + "3.7 or later required");
          if (DEBUG) System.out.println("dir: " + configDir);
          boolean initok = nssInitialize(dbMode.functionName, nssHandle,
              configDir, nssOptimizeSpace);
          if (DEBUG) System.out.println("init: " + initok);
          if (initok == false) {
              throw new IOException("NSS initialization failed");
          this.configDir = configDir;
          this.nssLibDir = nssLibDir;
  Any help or advise about filing a bug report would be appreciated.
  Thanks,

  Had a few similar short system freezes, after installing Windows 8 x64 on 13” MacBook Pro Mid-2010 with BootCamp 5.0.5033.
  There is a suggestion that DisableDynamicTick may fix the problem: https://discussions.apple.com/message/21565295#21565295. There were similar topics at Microsoft forums: 1, 2, 3. It was said “that this will likely reduce system battery life, so it should be undone when you update your Windows build or if it doesn't resolve your issue”, and that “this problem is resolved in the release versions of Windows 8”.
  Another possibility is that there is indeed a buggy driver, within BootCamp 5.0.5033, or a 3rd party, like a wireless network driver in the following case http://answers.microsoft.com/en-us/windows/forum/windows_8-performance/system-fr eeze-randomly-after-installing-windows-8/49488183-26cf-4389-af21-a85dc366c99a?pa ge=2#LastReply.
  The problem has been noticeable on my MacBook, but not annoying enough yet to spend time troubleshooting. If you find a robust solution, using the links above or other method, it would be interesting to know.
  HTH

• Problems using NSS library as PKCS#11 provider with JAVA 6

  Hi,
  I�m trying to configure JAVA 6 on Solaris 10 SPARC to use Mozilla NSS library as PKCS#11 provider (to achieve FIPS-140 certification for my application). I�m following the guidelines from http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#NSS but unfortunately something doesn�t work for me as expected...
  Let me describe the exact steps that I followed (because devil may be in the small details :-)
  I downloaded NSS 3.11.4 and NSPR 4.6.4 binaries from mozilla.org (32 bit �debug� versions for Solaris 9, because these were the only �binary� versions for SPARC available on Mozilla site and as far as I understand these are the exact versions that passed FIPS-140 certification), unpacked them under the /opt directory and copied both of them into a single /opt/nss tree as follows:
  mkdir /opt/nss
  cp �r /opt/nss-3.11.4/* /opt/nss
  cp �r /opt/nspr-4.6.4/* /opt/nss
  I created a PKCS#11 configuration file /opt/nss/pkcs11.cfg as per JAVA 6 security guide:
  name = NSScrypto
  nssLibraryDirectory = /opt/nss/lib
  nssDbMode = noDb
  attributes = compatibility
  (I know that this configuration is not for FIPS mode � but I thought that I�d better start with a simple NSS configuration)
  Then I modified /usr/jdk/jdk1.6.0_03/jre/lib/security/java.security file and replaced 1st provider with:
  security.provider.1=sun.security.pkcs11.SunPKCS11 /opt/nss/pkcs11.cfg
  Now everything should be in place � so I created a small JAVA program and ran it:
  import javax.crypto.SecretKeyFactory;
  import javax.crypto.spec.DESedeKeySpec;
  import javax.crypto.SecretKey;
  import javax.crypto.Cipher;
  import java.security.*;
  public class Test
  public static void main(String[] args)
  try
  SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DESede");
  DESedeKeySpec keySpec = null;
  keySpec = new DESedeKeySpec(new String("laKuf1Tcc6sOhsdPf49=m4es").getBytes());
  System.out.println("keyFactory provider: " + keyFactory.getProvider().getName());
  SecretKey key = keyFactory.generateSecret(keySpec);
  Cipher decryptCipher = Cipher.getInstance("DESede");
  decryptCipher.init(Cipher.DECRYPT_MODE, key);
  System.out.println("decryptCipher provider: " + decryptCipher.getProvider().getName());
  catch (Exception ex)
  ex.printStackTrace();
  Unfortunately it produced the following output:
  EMS-Server42# java test
  keyFactory provider: SunPKCS11-NSScrypto
  decryptCipher provider: SunJCE
  And when I comment out SunJCE provider in java.security file I get the following exception:
  java.security.NoSuchAlgorithmException: Cannot find any provider supporting DESede
  at javax.crypto.Cipher.getInstance(DashoA13*..)
  at test.main(test.java:38)
  So it looks like something is wrong with my NSS configuration. Because AFAIK DESede (3DES) is supported by the NSS library, but for some reason JAVA doesn�t see this algorithm implemented in NSS PKCS#11 provider.
  Any suggestions on what am I doing wrong?
  Best regards,
  Alex

  Works for me:
  import java.security.Provider;
  import java.security.SecureRandom;
  import java.security.Security;
  import javax.crypto.Cipher;
  import javax.crypto.SecretKey;
  import javax.crypto.SecretKeyFactory;
  import javax.crypto.spec.DESedeKeySpec;
  import javax.crypto.spec.IvParameterSpec;
  public class Test
    public static void main(String[] args)
      try
        String configFileName = "/nss/nss.cfg";
        Provider nss = new sun.security.pkcs11.SunPKCS11(configFileName);
        Security.addProvider(nss);
        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DESede", nss);
        DESedeKeySpec keySpec = new DESedeKeySpec(new String("laKuf1Tcc6sOhsdPf49=m4es").getBytes("UTF-8"));
        System.out.println("keyFactory provider: " + keyFactory.getProvider().getName());
        SecretKey key = keyFactory.generateSecret(keySpec);
        //iv for CBC mode - note, in practice you don't generate a random iv for decryption :)
        byte[] iv = new byte[8];  //64-bit block size for 3DES
        SecureRandom sr = SecureRandom.getInstance("PKCS11", nss);
        sr.nextBytes(iv);
        IvParameterSpec params = new IvParameterSpec(iv);
        Cipher decryptCipher = Cipher.getInstance("DESede/CBC/NoPadding", nss);
        decryptCipher.init(Cipher.DECRYPT_MODE, key, params);
        System.out.println("decryptCipher provider: " + decryptCipher.getProvider().getName());
      catch (Exception ex)
        ex.printStackTrace();
  }Oh, I wouldn't expect your key loading to work when you switch over to FIPS mode.
  cfg file:
  name = NSScrypto
  nssLibraryDirectory = /nss
  nssSecmodDirectory = /nss
  nssModule = fipsYields the following error:
  java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Could not create key
  because you can't directly handle keying material in FIPS. You'll have to save the secret key in the NSS certDB or generate a random one each time and send it wrapped to the other side.

• Action Object and Active Directory?

  Hi,
  As I understand the documentation, there is no way to use Action Object in Storage Manager for AD.
  Is that correct?
  Is it possible to work around that when having IDM implemented?
  Many of our customers uses provisioning and self-provisioning through the UA-portal, and it seems rather difficult to integrate this to the NTFS in AD using Storage Manager.
  When customers is running OES and NSS it is a lot easier to customize and maintain a useful dynamic file system.
  Does anyone has any ideas or experience that could help us out?
  Thank you in advance
  Martin

  Moldin,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://forums.novell.com/

• VXML Support for ALAW and Nuance ASR

  Hi,
  during a previous upgrade (to CVP8.5) we tried to use alaw codec on. We had issues with ASR and TAC advised that at that time Cisco did not support the use of alaw when ASR is also used i.e. between the VXML gateway and the Nuance ASR server. So it seemed that Nuance supported ALAW and Cisco supported ALAW but not with ASR.
  I have been looking into this again and I found the following document
  http://www.cisco.com/en/US/docs/ios/voice/vxml/developer/guide/refgde1.html#wp1031285
  which states "Cisco IOS Release 15.1(3)T introduces MRCPv1s  command line interface to enhance the supported codec.When communicating  with ASR and TTS server, the MRCPv1s command line interface enables the  G.711(A-law) codec. "
  Has anybody used the MRCPv1s commands? I can't find reference to them anywhere other than this document.
  Thanks
  Michael

  Hi Ram,
  Vocalizer engine logs integrated in NSS logs;  the NSS logging mechanisms now integrate the logs of all the underneath engines including: NR9 and Vocalizer. 
  The same Nuance Session Identifier is used across all NSS components (NR9, Vocalizer,     NSS) involved in a specific MRCP session.  That session identifier can then be used to map all the logs, alarms, call logs of a specific MRCP session.
  NR9, Vocalizer and NSS error logs and diagnostic logs are all saved in the NSS log files.
  NR9, Vocalizer and NSS severe errors are all reported in the same location (i.e. Management Station if available, NSS log files).
  NR9, Vocalizer and NSS event logs are saved in one single call log file per MRCP session.
  Reference:
  ftp://ftp.comptek.ru/pub/Nuance/NSS/NSS-5.1-0-Release-Notes.html
  In order to enable tracing in UCCX for MRCP ASR\TTS, go to UCCX servicability->Tracing->Engine->Subsystems and enable them. You will see these logs under MCVD folder.
  Hope it helps.
  Anand
  Please rate helpful posts by clicking on the stars below the right answers !!

• SunPKCS11 provider - write key on a  SmartCard

  I use provider SunPKCS11 and without any troubles I can read certificates and key from the cryptographic card, but every attempt of writing anything on the card results with an error during setKeyEntry method call:
  -Example------------------------------------------------------------------
  sun.security.pkcs11.SunPKCS11 p =
  new sun.security.pkcs11.SunPKCS11(configFileName);
  Security.addProvider(p);
  KeyStore.PasswordProtection pp = new KeyStore.PasswordProtection(pin);
  KeyStore.Builder builder =
  KeyStore.Builder.newInstance("pkcs11",p ,pp);
  KeyStore store = builder.getKeyStore();
  store.setKeyEntry("pawel", privKey, null, chain); //error
  -error--------------------------------------------------------------------
  Exception in thread "main" java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCOMPLETE
  at sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1067)
  at sun.security.pkcs11.P11KeyStore.engineSetKeyEntry(P11KeyStore.java:443)
  at java.security.KeyStore.setKeyEntry(Unknown Source)
  at hex.pkcs11.Example3.main(Example3.java:88)
  Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCOMPLETE
  at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
  at sun.security.pkcs11.P11KeyStore.storePkey(P11KeyStore.java:1737)
  at sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1063)
  ... 3 more
  I think this error may be caused by improper configuration of the file pkcs11.config, but I can be, of course, mistaken.
  the files which I used to performs test look as follows:
  -file1---------------------------------------------------------------------
  name=CryptoCard
  library=C:\WINNT\system32\CCPkiP11.dll
  -file2---------------------------------------------------------------------
  name=CryptoCard
  library=C:\WINNT\system32\CCPkiP11.dll
  attributes(*,CKO_PRIVATE_KEY,*) = {
  CKA_SENSITIVE=true
  attributes(*,CKO_PRIVATE_KEY,*) = {
  CKA_TOKEN=true
  attributes(*,CKO_PRIVATE_KEY,*) = {
  CKA_SIGN = true
  attributes(*,CKO_PRIVATE_KEY,*) = {
  CKA_PRIVATE=true
  attributes(*,CKO_PRIVATE_KEY,*) = {
  CKA_MODIFIABLE=true
  attributes(*,CKO_PRIVATE_KEY,*) = {
  CKA_DERIVE=false
  attributes(*,CKO_CERTIFICATE,*) = {
  CKA_TRUSTED=true
  attributes(*,CKO_CERTIFICATE,*) = {
  CKA_TOKEN=true
  attributes(*,CKO_CERTIFICATE,*) = {
  CKA_MODIFIABLE=true
  attributes(*,CKO_CERTIFICATE,*) = {
  CKA_PRIVATE=true
  ---------------------------------------------------------------------------

  Hi, i would like to know if you did have a "java.security.ProviderException : Initialization failed" and how you did resolved this problem.
  Or maybe you have an idea to solve this problem.
  My code is :
  1-      String configName = "C:\\pkcs11.cfg";
  2-      Provider provider = new sun.security.pkcs11.SunPKCS11(configName);
  3-      Security.addProvider(provider);
  The exception point out the second line.
  My config file contains :
  name=Java
  ibrary=C:\Program Files\Java\jre1.5.0_01\bin\j2pkcs11.dll
  Thanks a lot to anyone who will help me to solve this problem.
  Regards.