I am using IBM HTTP Server 2.0.47 and nCipher nfast 10.15
I am trying to use the
SSLServerCert ncipher-f3:ihs-internal.ft3.com
SSLPKCSDriver "/opt/nfast/toolkits/pkcs11/libcknfast.so"
SSLStashfile "/usr/IBMIHS/bin/ssl.passwd"
KeyFile "/usr/IBMIHS/bin/key_self_signed.kdb"
According to the url:
http://www-306.ibm.com/software/webservers/httpservers/doc/v2047/manual/ibm/en_US/9aecdssl.htm#ikeysk
With the IBM HTTP Server, you must specify a key file to perform encryption. If you use PKCS11 devices, this key file should hold your signer certificates for your personal certificate, created using PKCS11 device.
So I have imported the signer certificate using iKeyman from the device to a CMS key file.
When starting, HTTP Server shows:
[Sat Jul 08 17:22:38 2006] [debug] mod_ibm_ssl.c(1689): Using PKCS11 device: the driver path for PKCS11 device is /opt/nfast/toolkits/pkcs11/libcknfast.so
[Sat Jul 08 17:22:38 2006] [debug] mod_ibm_ssl.c(1706): Using PKCS11 device: the key label entry for PKCS11 device is ncipher-f3:ihs-internal.ft3.com
[Sat Jul 08 17:22:38 2006] [debug] mod_ibm_ssl.c(1718): Using PKCS11 device: the token label for PKCS11 device is ncipher-f3
..
[Sat Jul 08 17:22:46 2006] [debug] mod_ibm_ssl.c(1706): Using PKCS11 device: the key label entry for PKCS11 device is ncipher-f3
[Sat Jul 08 17:22:46 2006] [debug] mod_ibm_ssl.c(1718): Using PKCS11 device: the token label for PKCS11 device is ncipher-f3
..
[Sat Jul 08 17:23:03 2006] [debug] [client 10.1.42.236] [4d1da8] SSL handshake initiated: 10.1.42.236 -> c3app2d1 443
[Sat Jul 08 17:23:04 2006] [crit] [client 10.1.42.236] [4d1da8] SSL0227E: SSL Handshake Failed, Specified label could not be found in the key file.
[Sat Jul 08 17:23:04 2006] [debug] [client 10.1.42.236] [4d1da8] gsk_secure_close rc [0]
Any ideas why I have got
SSL0227E: SSL Handshake Failed, Specified label could not be found in the key file.
Thank you.
You can see with pkcs11 or ncipher tools that ncipher-f3 is the name of
the token label and a personal certificate exists in your primary KDB
with the full label "ncipher-f3:ihs-internal.ft3.com"?
I see from your SSLTrace that you're running with relatively recent IHS
maintenance, but have you applied any of the GSKit maintenance?
There is a slight chance that your error is issued when the key label
is actually found but GSKit can't build a validation chain for it. Can
the secondary KDB really be used to show the cert on the crypto card is
trusted?
Is there some ncipher environment variable or debug PKCS11 driver that
would generate some trace?
> Hi,
>
> I am using IBM HTTP Server 2.0.47 and nCipher nfast 10.15
>
> I am trying to use the
> SSLServerCert ncipher-f3:ihs-internal.ft3.com
> SSLPKCSDriver "/opt/nfast/toolkits/pkcs11/libcknfast.so"
> SSLStashfile "/usr/IBMIHS/bin/ssl.passwd"
>
> KeyFile "/usr/IBMIHS/bin/key_self_signed.kdb"
>
>
> Any ideas why I have got
> SSL0227E: SSL Handshake Failed, Specified label could not be found in the key file.
>
> Thank you.
>
>
You've specified that the server should use the SSL certificate in
your key database that has the label "ncipher-f3:ihs-internal.ft3.com"
but IHS can't find any certificate with that label.
See: SSLServerCert directive
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.ihs.doc/info/ihs/ihs/dihs_sslservercert.html
--
Dan Poirier <poi...@us.ibm.com>
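
A triage script for the trace lines quoted in this thread, as an added example that is not part of any post and not IBM's or nCipher's code: it pairs each logged "key label entry" with the "token label" IHS derived from it and lists the [crit] SSL errors, so the labels the server actually parsed can be compared with the SSLServerCert value. The function names are the example's own, and the "token:label" form is assumed from the thread.

```python
import re

# Log lines copied from the trace quoted in the thread (subset).
TRACE = """\
[Sat Jul 08 17:22:38 2006] [debug] mod_ibm_ssl.c(1706): Using PKCS11 device: the key label entry for PKCS11 device is ncipher-f3:ihs-internal.ft3.com
[Sat Jul 08 17:22:38 2006] [debug] mod_ibm_ssl.c(1718): Using PKCS11 device: the token label for PKCS11 device is ncipher-f3
[Sat Jul 08 17:22:46 2006] [debug] mod_ibm_ssl.c(1706): Using PKCS11 device: the key label entry for PKCS11 device is ncipher-f3
[Sat Jul 08 17:22:46 2006] [debug] mod_ibm_ssl.c(1718): Using PKCS11 device: the token label for PKCS11 device is ncipher-f3
[Sat Jul 08 17:23:04 2006] [crit] [client 10.1.42.236] [4d1da8] SSL0227E: SSL Handshake Failed, Specified label could not be found in the key file.
"""

FIELD = re.compile(r"the (key label entry|token label) for PKCS11 device is (.+)$")
CRIT = re.compile(r"\[crit\].*\b(SSL\d{4}E): (.+)$")

def label_pairs(text):
    """Pair each logged 'key label entry' with the 'token label' line after it."""
    pairs, pending = [], None
    for line in text.splitlines():
        m = FIELD.search(line)
        if not m:
            continue
        kind, value = m.group(1), m.group(2).strip()
        if kind == "key label entry":
            pending = value
        elif pending is not None:
            pairs.append((pending, value))
            pending = None
    return pairs

def classify(entry, token):
    """Describe how a logged entry relates to the 'token:label' form."""
    tok, sep, cert = entry.partition(":")
    if not sep or not cert:
        return "no certificate label after token"
    if tok != token:
        return "token prefix differs from token label"
    return "token:label form"

def crit_errors(text):
    """Return (code, message) for every [crit] SSLnnnnE line."""
    return [m.groups() for m in map(CRIT.search, text.splitlines()) if m]

def report(text):
    """Collect the classified label pairs and the critical SSL errors."""
    return {"pairs": [(e, t, classify(e, t)) for e, t in label_pairs(text)],
            "errors": crit_errors(text)}

if __name__ == "__main__":
    for key, rows in report(TRACE).items():
        for row in rows:
            print(key, row)
```

The classification only reports what IHS logged; whether a certificate exists under that label on the token still has to be checked with the PKCS11 or nCipher tools, as the first reply asks.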