Trouble Shooting HP CDSA

CDSA Start Up Errors when calling CSSM_ModuleAttach

CDSA Start Up Errors when calling

CSSM_ModuleAttach

Although CDSA start-up errors can be considered a subset of CDSA API errors, they generally require more effort to understand beyond looking at the error code. These type of errors usually originate as a result of an attempt to call CSSM_ModuleAttach.

One common error CDSA add-in developers may encounter is a failure of the HPUX shared library load function (shl_load) to load a requested add-in. CSSM_ModuleAttach will initiate a series of other function calls, one of which is shl_load. This will result in the error code 10031 being set (see above).

shl_load errors might imply many problems; but for add-in developers it typically implies that there are undefined functions or data in the shared library. Thus, one will not likely encounter this particular error if they are utilizing HP released add-in modules. However, if you are developing/debugging your own or someone else’s add-in module, this error could occur. To fix the problem, you want to make sure your add-in module does not refer to undefined functions or data.

Another error that may be encountered as a result of a CSSM_ModuleAttach occurs with CSP add-in modules only. In this situation, the inability to load is a result of an integrity check failure on the CSP. HP has designed the CDSA framework so that it can output a diagnostic integrity trace that allows the user to discern if integrity check failure is occurring.

Before running a CDSA application that is having trouble attaching, cd to the following directory:

<your_home_directory_path>/.cdsa/<your_user_name>

As an example, if your home directory was in /home/smith, and your user name was smith, you would cd to /home/smith/.cdsa/smith . Next, execute the following command:

touch enableIntegrityTrace

On start-up, CDSA checks for this file’s existence. If it detects the file, it outputs a complete trace of its integrity checking activities for start-up of CSSM and attachment to a CSP into the enableIntegrityTrace file.

If these actions are successful the trace file will have output identical to that shown below (although if you are trying to load a different CSP than libcsp_wwb.1, the CSP lib name will be different):

isl_InitializeSignedListFromImage: manifest hash confirmed!!!

isl_CreateCertificateChain: cert-chain validated; links = 1

118

Appendix E

Page 118
Image 118
HP UX Security Products and Features Software manual Cdsa Start Up Errors when calling CSSMModuleAttach, 118