Nitrokey HSM - Problem with passthrough to VMware virtual machine

Hi Guys,

I have some issues connecting a Nitrokey HSM to a virtual machine. My setup currently looks this way:
VMware host: Windows 10 with VMware Workstation 12 Player
VMware guest (virtual machine): CentOS 7 (all the latest updates, kernel 3.10.0-514.6.2.el7.x86_64)

USB passthrough works in general; I could verify that with standard USB disks and a USB-based HSM by another vendor, both worked fine. When I connect the Nitrokey HSM to the virtual machine, it is also shown as USB device Clay Logic (see ** ** in the following output):

[root@server ~]# lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
** Bus 002 Device 004: ID 20a0:4230 Clay Logic**
Bus 002 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

But when I try to access the HSM, either with sc-hsm-tool or pkcs11-tool, both tell me that there is no token available.

[root@server ~]# opensc-tool -l
No smart card readers found.

[root@server ~]# pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -I
Cryptoki version 2.20
Manufacturer OpenSC (www.opensc-project.org)
Library Smart card PKCS#11 API (ver 0.0)
No slot with a token was found.

OpenSC is installed in version 0.14.0 (latest available version via yum), sc-hsm driver (I guess this should be the right driver) should be enabled.

[root@server ~]# opensc-tool -i
OpenSC 0.14.0 [gcc 4.8.5 20150623 (Red Hat 4.8.5-11)]
Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)

[root@server ~]# opensc-tool -D
Configured card drivers:
cardos Siemens CardOS
flex Schlumberger Multiflex/Cryptoflex
cyberflex Schlumberger Cyberflex
gpk Gemplus GPK
gemsafeV1 driver for the Gemplus GemSAFE V1 applet
miocos MioCOS 1.1
mcrd MICARDO 2.1 / EstEID 1.0 - 3.0
asepcos Athena ASEPCOS
starcos STARCOS SPK 2.3/2.4
tcos TCOS 3.0
openpgp OpenPGP card
jcop JCOP cards with BlueZ PKCS#15 applet
oberthur Oberthur AuthentIC.v2/CosmopolIC.v4
authentic Oberthur AuthentIC v3.1
iasecc IAS-ECC
belpic Belpic cards
ias IAS
incrypto34 Incard Incripto34
acos5 ACS ACOS5 card
akis TUBITAK UEKAE AKIS
entersafe entersafe
epass2003 epass2003
rutoken Rutoken driver
rutoken_ecp Rutoken ECP driver
westcos WESTCOS compatible cards
myeid MyEID cards with PKCS#15 applet
sc-hsm SmartCard-HSM
dnie DNIe: Spanish eID card
setcos Setec cards
muscle MuscleApplet
atrust-acos A-Trust ACOS cards
piv PIV-II for multiple cards
itacns Italian CNS
default Default driver for unknown cards

Could you give me a hint what the problem could be? Thanks a lot in advance!

Hi Guys,

I found a way around the problem myself. Should have read the available resources and forum posts better. For future reference and for anyone with the same problem.

Afterwards initialization and usage of the Nitrokey HSM is possible.

Basically everything has been said already in the forum post “Nitrokey Pro installation under RHEL7/CentOS7” (thanks to user jwildeboer, can't link to it because I can only put 2 links in my post…), only installation of the udev rules file was missing there. I guess this is done with installing the Nitrokey app (which I don't use with the Nitrokey HSM).

Suggestion: For a better user experience, some official step by step tutorials to get things running would be really nice.

1 Like
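
The symptom in this thread (device listed by lsusb, but "No smart card readers found") can be told apart from a plain passthrough failure with a small check. This is an added example, not part of the original posts: the state names, the `hint` texts and the `--live` switch are made up here, and the pcscd/CCID pointers are general PC/SC assumptions rather than the poster's exact steps; only the udev rules file is named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: find the layer at which the token is lost.
HSM_USB_ID="20a0:4230"   # Nitrokey HSM ID as shown by lsusb in the first post

# Sample input copied from the first post (highlight markers removed).
SAMPLE_LSUSB='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 004: ID 20a0:4230 Clay Logic
Bus 002 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub'
SAMPLE_READERS='No smart card readers found.'

# diagnose LSUSB_OUTPUT OPENSC_TOOL_L_OUTPUT
# prints: usb-missing | reader-missing | reader-ok
diagnose() {
    if ! printf '%s\n' "$1" | grep -qi "ID $HSM_USB_ID"; then
        echo usb-missing
    elif printf '%s\n' "$2" | grep -q 'No smart card readers found'; then
        echo reader-missing
    else
        echo reader-ok
    fi
}

# hint STATE: prints what to look at next for that state
hint() {
    case $1 in
        usb-missing) echo "Guest does not see $HSM_USB_ID: check the hypervisor's USB passthrough." ;;
        reader-missing) echo "USB device present but no PC/SC reader: check pcscd, the CCID driver and the udev rules for $HSM_USB_ID." ;;
        reader-ok) echo "Reader visible: continue with sc-hsm-tool or pkcs11-tool." ;;
        *) echo "unknown state: $1"; return 1 ;;
    esac
}

# --live queries the real tools in the guest; without it the thread's output is used.
if [ "${1:-}" = "--live" ]; then
    command -v opensc-tool >/dev/null || { echo "opensc-tool not installed"; exit 2; }
    state=$(diagnose "$(lsusb 2>/dev/null)" "$(opensc-tool -l 2>&1)")
    # List udev rule files that mention the Nitrokey vendor ID, if any.
    grep -rl 'idVendor.*20a0' /etc/udev/rules.d /usr/lib/udev/rules.d 2>/dev/null \
        || echo "no udev rule mentions vendor 20a0"
else
    state=$(diagnose "$SAMPLE_LSUSB" "$SAMPLE_READERS")
fi
echo "$state"
hint "$state"
```

With the output from the first post this reports `reader-missing`, which matches the missing udev rules file the poster identified.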

This was a great post to get me sorted out. My solution at the end of all the testing done to find a viable process I could repeat was to dump CentOS 7 and grab Ubuntu as my operating system. Then verify that the USB controller on my hypervisor is set to USB 3.0 and the hardware level of my VM was set to ESXI 6.5 (hypervisor was Workstation Pro 14.1.3 build-9474260). After which, all I had to do was grab opensc from the repos as well as xca (both were at the newest version) whereas CentOS repos did not carry newest version of XCA. The rest of the config process went smoothly. For others having challenges, unless there is a great need to use CentOS 7 I’d suggest moving to Ubuntu which has done a better job with the USB 3.0 libraries.

2 Likes