Topic
  • 8 replies
  • Latest Post - 2013-04-16T15:35:25Z by inestlerode
Nemachtiani
13 Posts

Pinned topic Occasional dp:sign() RSA signing failed

2013-04-15T19:56:02Z

We post multiple requests to a DataPower with firmware "XI52.4.0.2.3" for a particular process.

The process output includes the original input and also a timestamp and a signature.

We've got 506 responses with the same time-stamp (year, month, day, hour, minute and second), but one without a signature.

Instead of a base64 string we got a "*RSA signing failed*" string.

The process uses the dp:sign() extension function with the same Key-Object name and signature method as parameters; the only parameter value that changes is the hash.

Is there something special to configure on DataPower to stop processing at this kind of event? Shouldn't this record something in the log?

As a workaround we decided to check the dp:sign() result value with a regular expression, checking with regexp:test whether the result contains a star character (*).

Any tip is appreciated, best regards.

Updated on 2013-04-16T15:29:20Z by Nemachtiani
  • swlinn
    1395 Posts

    Re: Occasional dp:sign() RSA signing failed

    2013-04-15T20:07:29Z

    Do you have any archived logs that may have some error logs whose timestamps are when the failing response was generated?

    Regards,

    Steve

  • Nemachtiani
    13 Posts

    Re: Occasional dp:sign() RSA signing failed

    2013-04-15T21:01:10Z
    • swlinn
    • 2013-04-15T20:07:29Z

    Do you have any archived logs that may have some error logs whose timestamps are when the failing response was generated?

    Regards,

    Steve

    Hi swlinn

    Yes, we've got logs, but specifically, what should we be looking for?

  • swlinn
    1395 Posts

    Re: Occasional dp:sign() RSA signing failed

    2013-04-15T21:41:54Z

    Hi swlinn

    Yes, we've got logs, but specifically, what should we be looking for?

    Here's an old thread on this forum ... https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014227124  Perhaps it will help.  I'd look for log records for the same transaction id of the message like

    (MPGW_name): Signature generation failed: RSA signing failed
    13:51:57 xsltmsg info 1260496 request <ip.address> 0x8060021a mpgw

    Since you're only seeing this once in a while, I'd rule out the HSM being a factor.  According to this thread, other factors could be the cert/key pair used not matching.

    Regards,

    Steve

  • Nemachtiani
    13 Posts

    Re: Occasional dp:sign() RSA signing failed

    2013-04-15T22:13:01Z
    • swlinn
    • 2013-04-15T21:41:54Z

    Here's an old thread on this forum ... https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014227124  Perhaps it will help.  I'd look for log records for the same transaction id of the message like

    (MPGW_name): Signature generation failed: RSA signing failed
    13:51:57 xsltmsg info 1260496 request <ip.address> 0x8060021a mpgw

    Since you're only seeing this once in a while, I'd rule out the HSM being a factor.  According to this thread, other factors could be the cert/key pair used not matching.

    Regards,

    Steve

    Well, there's an HSM indeed...

    There are no error logs about "*RSA signing failed*". Is it possible for this kind of error not to be logged? (perhaps a misconfiguration). Well, this is not the main point...

    We're using the same cert/key pair for all 506 requests.

    There is no more than one cert/key pair configured, and no "changes" were made during the timestamp when the problem appeared.

    All 506 outputs have the same certificate serial number (not the whole certificate); this is part of the process, just a reference to the certificate needed for signature validation.

    Could it be that the Key Object or the Certificate Object is just "not being loaded/accessed" at runtime? ... (because of the concurrent requests)

    I'll play for a while with the dp:sign(..) params and see if this same error message happens with invalid values.

  • inestlerode
    166 Posts

    Re: Occasional dp:sign() RSA signing failed

    2013-04-16T15:10:26Z

    If it fails all of the time then the problem is probably that you forgot to initialize your HSM.

    If it fails only some of the time then you should open a PMR about this.  This error cannot be caused by a misconfiguration of the key pair or anything like that (about the only user mistake that can cause it is uninitialized HSM).

  • Nemachtiani
    13 Posts

    Re: Occasional dp:sign() RSA signing failed

    2013-04-16T15:18:28Z

    There are no "RSA signing failure" messages in the log.

    We forced the 3rd parameter of dp:sign to a non-existent Key-Name and dp:sign returned "*Unrecognized recipient name*", but there were no similar error messages in the log.

    I guess we have a lack of important log configuration.

    I just remembered we once got a "*RSA verifying [....something else..]*" in our test environment; it was because the HSM module was not properly started. In that event we were just verifying signatures, not generating them, so we don't need (nor use) an HSM-stored private key: the input data contains the signature and the PUBLIC key (as a base64 string)...

    There's no documentation about dp:sign "*RSA signing failed*" messages. What else can we do/check? (besides the workaround of checking that dp:sign returns a base64 string and "trying again")

    Regards

    Updated on 2013-04-16T15:19:26Z by Nemachtiani
  • Nemachtiani
    13 Posts

    Re: Occasional dp:sign() RSA signing failed

    2013-04-16T15:25:48Z

    If it fails all of the time then the problem is probably that you forgot to initialize your HSM.

    If it fails only some of the time then you should open a PMR about this.  This error cannot be caused by a misconfiguration of the key pair or anything like that (about the only user mistake that can cause it is uninitialized HSM).

    Sorry, I was writing a new comment and yours wasn't there yet.

    I'm not familiar with the jargon; what's a PMR?

    This case happens occasionally; we put a regular expression in place to verify that dp:sign returns a base64 string.
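
The check described in this thread (the first post and the reply above), written out as an added example stylesheet; it is not code from the thread, from IBM, or from the DataPower documentation. It assumes a key object named "SigningKey" referenced as 'name:SigningKey', the rsa-sha1 signature method, a SHA-1 digest computed with dp:hash(), and an input document whose root element is the payload to sign; all of those names are assumptions for the example. The point it demonstrates is that dp:sign() reports failure in-band, as a "*...*" string in its return value, so the result must be validated as base64 before it is written into the response, and a failure should be logged with the transaction id (so it can be searched for in the archived logs, as suggested earlier in the thread) and the transaction aborted rather than returned without a signature.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread: call dp:sign() and refuse to emit a
     response when it returns an in-band error string such as *RSA signing failed*.
     Assumed names: key object "SigningKey", SHA-1 digest and RSA-SHA1 signature
     method, and an input document whose root element is the payload to sign. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    xmlns:regexp="http://exslt.org/regular-expressions"
    extension-element-prefixes="dp regexp"
    exclude-result-prefixes="dp regexp">

  <!-- Signature method and key object name are assumptions for this example. -->
  <xsl:variable name="sig-method" select="'http://www.w3.org/2000/09/xmldsig#rsa-sha1'"/>
  <xsl:variable name="key-name"   select="'name:SigningKey'"/>

  <!-- What a successful dp:sign() result looks like: base64 alphabet, optional
       padding, optional line breaks. The failure strings seen in this thread
       ("*RSA signing failed*", "*Unrecognized recipient name*") start with "*"
       and therefore never match. -->
  <xsl:variable name="base64-re" select="'^[A-Za-z0-9+/\s]+={0,2}\s*$'"/>

  <xsl:template match="/">
    <!-- Base64 digest of the payload, then the RSA signature over that digest. -->
    <xsl:variable name="digest" select="dp:hash('http://www.w3.org/2000/09/xmldsig#sha1', string(/*))"/>
    <xsl:variable name="sig"    select="dp:sign($sig-method, $digest, $key-name)"/>

    <xsl:choose>
      <xsl:when test="regexp:test($sig, $base64-re)">
        <!-- Only a validated signature is written into the response. -->
        <Response>
          <Input><xsl:copy-of select="/*"/></Input>
          <Timestamp><xsl:value-of select="dp:time-value()"/></Timestamp>
          <Signature><xsl:value-of select="$sig"/></Signature>
        </Response>
      </xsl:when>
      <xsl:otherwise>
        <!-- Log at error priority, including the transaction id so the record
             can be found in the archived logs, and abort the transaction instead
             of returning a response without a signature. -->
        <xsl:message dp:priority="error" terminate="yes">
          <xsl:text>dp:sign() returned an error instead of a signature [tid=</xsl:text>
          <xsl:value-of select="dp:variable('var://service/transaction-id')"/>
          <xsl:text>]: </xsl:text>
          <xsl:value-of select="$sig"/>
        </xsl:message>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
```

Matching the success shape (base64) rather than searching for a "*" is the safer direction: any future or undocumented error string is rejected too, not only the ones observed so far. Because the failing response is aborted with an error-priority log record, the occasional failure becomes visible in the log at the transaction id where it happened, instead of surfacing only as a malformed signature in the output.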

  • inestlerode
    166 Posts

    Re: Occasional dp:sign() RSA signing failed

    2013-04-16T15:35:25Z

    Sorry, I was writing a new comment and yours wasn't there yet.

    I'm not familiar with the jargon; what's a PMR?

    This case happens occasionally; we put a regular expression in place to verify that dp:sign returns a base64 string.

    A PMR refers to an open case with IBM Support.