After configuring n-of-m authentication on my HSM with SmartCard Shell, I am trying to get a root CA working.
For this, I started a self-hosted PKIAAS docker instance. I got an activation code for my personal HSM, authenticated to the portal with it, configured a trustcenter, and registered my CA HSM into it.
Issue
When trying to perform N-of-m authentication with my CA HSM, I got errors like this:
Connection Error (General Error)
Procedure
So, once I’m logged in, I do the following:
stop the Java middleware and plug out my personal token.
plug my CA HSM in, and connect it to the portal with java -jar ocf-cc.jar -s 0 http://localhost:8080/rt/hsm
click Views / Subjects in the navigation bar
click the TrustCenter ID
There I see the following in the “CA Token” section:
/DESRCACC1/DEDINK03/DENK0301364 9BAD22A6F41ACB03… (Default) 39F9E06339E54C53 0 authenticated public key(s) in 2 of 3 scheme
So far so good. Then:
I plug my first authentication token to a free USB port
I launch a second middleware instance with java -jar ocf-cc.jar -v
I reload the page. Still the same error. I interrupt the second middleware instance. Plug out the authentication token. Restart the first CA middleware instance and reload again. And I get back to the following status:
0 authenticated public key(s) in 2 of 3 scheme
Going from there:
I click Authenticate again, and a popup asks if the local client is running
I plug my authentication token
I launch the client
I press OK in the popup, then refresh
The public Key Authentication Wizard shows my CA token. I click Enumerate Keys but the authentication token still doesn’t appear. Please find attached the logs: pkiaas-test_2024-10-02-1632.zip (17.0 KB)
Yes, I have multiple devices plugged in at a time. I did try to specify -s 0 and -s 1, but it didn’t seem to work much. That was before I noticed I may have a faulty USB port though.
I can’t find the -r in the ocf help, but I’ll give it a try tomorrow. Thanks!
It is also important that on Windows, Smart Card Plug & Play is disabled.
Windows seems to inspect all inserted devices when you insert a second token. That breaks the existing secure connection between the first token and the portal.
What makes things easier with the token configuration is to set the URL of the portal on the device that is assigned to the trust center. When you then start the ocf-cc client with the “-a” option, the client will prompt at token insertion whether you want to automatically connect the token to the portal. That reader is then excluded from other interactive portal-to-token communication, e.g. when you do PKA. No need to start a second instance of the client.
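To make the Windows condition described above checkable before plugging in a second token, here is an added PowerShell snippet (not from this thread or from the CardContact tooling). It assumes the “Turn on Smart Card Plug and Play service” group policy is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\ScPnP as the DWORD EnableScPnP, and that the SmartCardReader PnP class lists the attached readers.

```powershell
# Added example: report, and optionally disable, the Windows Smart Card Plug and Play
# policy so that Windows does not probe a newly inserted token and drop the secure
# channel between the first token and the portal.
# Assumption: policy location HKLM\SOFTWARE\Policies\Microsoft\Windows\ScPnP,
# DWORD EnableScPnP (0 = disabled, 1 = enabled, value absent = not configured, default on).
param([switch]$Apply)

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScPnP'
$ValueName  = 'EnableScPnP'

function Get-ScPnPState {
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }        # Windows default: service enabled
    if ([int]$item.$ValueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-ScPnP {
    # Needs an elevated shell; affects devices inserted after the change.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $PolicyPath -Name $ValueName -Type DWord -Value 0
}

# Inventory of currently attached readers (assumed PnP class name: SmartCardReader).
# Friendly names here may differ from the PC/SC names that ocf-cc.jar -r expects.
Get-PnpDevice -Class SmartCardReader -PresentOnly -ErrorAction SilentlyContinue |
    Select-Object FriendlyName, Status | Format-Table -AutoSize

$state = Get-ScPnPState
Write-Host "Smart Card Plug and Play policy: $state"
if ($state -ne 'Disabled') {
    if ($Apply) {
        Disable-ScPnP
        Write-Host 'Policy set to Disabled; re-insert the tokens and restart ocf-cc.jar.'
    } else {
        Write-Host 'Run again with -Apply from an elevated shell to disable it.'
    }
}
```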
I’ll probably set the autoconnect URL during the next token initialization. For now, following saper’s suggestion works well. Now my commands look like:
java -jar ocf-cc.jar -r "Nitrokey Nitrokey HSM 0" -v
java -jar ocf-cc.jar -r "Nitrokey Nitrokey HSM 1" http://localhost:8080/rt/hsm
If you are looking for a more permanent connection of the trust center token with the portal, we have the Remote Application Management over HTTP client written in C. We typically use that as a systemd unit to permanently connect the token to the portal using a Raspberry Pi. That works well with a 10-port USB hub, which contains all tokens with key material we use for licensees of the applet.