[Opendnssec-user] Sun SCA6000 and on-board USB

Ville Mattila vmattila at csc.fi
Fri May 21 14:17:34 UTC 2010


On Tue, 11 May 2010, Antti Ristimäki wrote:

> I know this is not an OpenDNSSEC specific question, but as I know that
> many of you are using Sun SCA6000 HSM, I dare to ask this in this forum.
> The problem is that we haven't managed to make the on-board USB work
> despite trying with different USB sticks with different partition
> tables etc. For some reason the HSM card doesn't seem to recognize the USB
> stick at all. Has anyone else experienced the same problem?

If anyone could leak details on
- the partition table scheme (f.ex. output of 'fdisk -l /dev/sdX'),
- the filesystem type,
- the tools used for partitioning and filesystem formatting (standard
   GNU/Linux fdisk and mkfs or something else?),
- card admin console commands
you've managed to back up the master key to USB stick attached to SCA6000
with, I promise Antti will buy you a pint of beer next time you meet him.

The SCA6000 User Guide only recommends some USB stick models but does
not say anything about how the sticks should be initialized.

We've tried with supposedly all possible combinations of the following
- different USB sticks (one 256MB and two different 2GB models),
- partitioning the stick with one primary partition or no partition
   table (that is, file system created to /dev/sdb1 or directly to main
   device /dev/sdb)
- setting the primary partition active/inactive
- FAT, VFAT, NTFS and ext2 filesystems (NTFS formatted on Windows XP,
   others on Linux RHEL4/5)
- three different SCA6000 cards (all running firmware v1.1 and attached
   to different RHEL5.5 x86_64 hosts)
... And every time the SCA6000 diagnostics fails for the USB part that
the stick cannot be used.  The cards are not in FIPS mode.

Of course we can back up the master key via the host but we'd rather
avoid exposing the master key backup to the host (even though the backup
will be encrypted).


