Bug Number
Description
bad. SHA-256 can be used as the signing algorithm instead.
57514
If a TKS master key is generated on a SafeNet LunaSA HSM, server-side key genera-
tion fails with the following error in the TKS debug log:
"can't generate key encryption key"
A similar message also appears in the debug log if server-side key generation is turned
on:
"TokenServlet: key encryption key generation failed
for CUID"
where CUID is the card unique ID.
57526
If a server certificate contains the Authority Information Access extension, the certificate
cannot be imported on an nCipher netHSM hardware token. The default caServerCert
profile has this extension enabled by default. For example, when installing a subsystem
such as the Token Key Service (TKS), the SSL server certificate fails to import if the
certificate is processed through the default caServerCert profile because the caServer-
Cert profile adds the Authority Information Access extension to the SSL server certific-
ate automatically. If a CA server is already installed on the nCipher netHSM token, then
the CA signing certificate is overwritten, as well. To import the server certificate prop-
erly, first remove the Authority Information Access extension from the caServerCert pro-
file, then install the subsystem.
57677
If the DRM response to the TPS exceeds the timeout period, the server can return the
incorrect response message,
200 HTTP/1.1 OK
, signaling that the operation com-
pleted successfully instead of timing out.
57640
If a DRM version 6.1 SP4 is migrated to version 7.2, then the archived keys that were
migrated cannot be recovered because the key splitting schemes are different. To be
able to recover these keys, first obtain a migration patch from Red Hat services. This
patch will recover the PIN needed to access the storage token where the DRM private
key resides, then recover the keys and export them to a PKCS #12 file. However, this
package can potentially expose security issues in the version 6.1 SP 4 DRM, so it
should be used only as necessary.
For information on using these migration scripts, see the README available with the
migration package.
57683
If there are multiple enrollment operations using the
tpsclient
tool when server-side
key generation is enabled in the TPS, then the DRM connection can time out before the
TPS can generate the keys. The tool will then return the error
Failed to generate
key on server. Please check DRM.
To correct this, edit the TPS
CS.cfg
con-
figuration file and add a line increasing the timeout period for the connection to the
DRM:
conn.drm1.timeout=25
Release Notes
12