HP UX Security Products and Features Software CSSM_ModuleAttach, CDSA Start Up Errors when calling, CDSA Start Up Errors when calling CSSM

Trouble Shooting HP CDSA

CDSA Start Up Errors when calling CSSM_ModuleAttachCDSA Start Up Errors when callingCSSM_ModuleAttach

Although CDSA start-up errors can be considered a subset of CDSA API errors, they generally require more effort to understand beyond looking at the error code. These type of errors usually originate as a result of an attempt to call CSSM_ModuleAttach.

One common error CDSA add-in developers may encounter is a failure of the HPUX shared library load function (shl_load) to load a requested add-in. CSSM_ModuleAttach will initiate a series of other function calls, one of which is shl_load. This will result in the error code 10031 being set (see above).

shl_load errors might imply many problems; but for add-in developers it typically implies that there are undeﬁned functions or data in the shared library. Thus, one will not likely encounter this particular error if they are utilizing HP released add-in modules. However, if you are developing/debugging your own or someone else’s add-in module, this error could occur. To ﬁx the problem, you want to make sure your add-in module does not refer to undeﬁned functions or data.

Another error that may be encountered as a result of a CSSM_ModuleAttach occurs with CSP add-in modules only. In this situation, the inability to load is a result of an integrity check failure on the CSP. HP has designed the CDSA framework so that it can output a diagnostic integrity trace that allows the user to discern if integrity check failure is occurring.

Before running a CDSA application that is having trouble attaching, cd to the following directory:

<your_home_directory_path>/.cdsa/<your_user_name>

As an example, if your home directory was in /home/smith, and your user name was smith, you would cd to /home/smith/.cdsa/smith . Next, execute the following command:

touch enableIntegrityTrace

On start-up, CDSA checks for this ﬁle’s existence. If it detects the ﬁle, it outputs a complete trace of its integrity checking activities for start-up of CSSM and attachment to a CSP into the enableIntegrityTrace ﬁle.

If these actions are successful the trace ﬁle will have output identical to that shown below (although if you are trying to load a different CSP than libcsp_wwb.1, the CSP lib name will be different):

isl_InitializeSignedListFromImage: manifest hash confirmed!!!

isl_CreateCertificateChain: cert-chain validated; links = 1

118	Appendix E