Hello and thanks for taking the time to read this.
Issue:
I have 4 token devices with the same model and the same name, and I rely on the slot id (and the serial) to identify which one to use. After 5 months working without issue we had to restart the server (scheduled maintenance) and found out the slot id changed:
| Token   | Before | Now    | USB port |
|---------|--------|--------|----------|
| Token 1 | Slot 0 | Slot 1 | 0        |
| Token 2 | Slot 1 | Slot 0 | 1        |
| Token 3 | Slot 2 | Slot 3 | 2        |
| Token 4 | Slot 3 | Slot 2 | 3        |
Steps trying to solve the issue:
Unplugging every device and leaving only "Token 1" plugged in gets it Slot 0, but as soon as I plug in "Token 2" it changes to Slot 1 and leaves "Token 2" as Slot 0 and "Token 1" as Slot 1.
I've been trying to restart the udev system to see if it's something to do with the initialization order, but it doesn't make any difference. Looking on the internet, it looks like just restarting udev doesn't always work with USB issues (https://askubuntu.com/a/178078).
Restarting every single service associated with the token, opensc or USB doesn't make any difference.
What I'm trying to achieve:
I'm using openssl to sign some documents. It changes from token to token depending on the user, so I use:

```
openssl [ARGS] -inkey slot_X-id_XXXXXXXXXXXXXXXX [MORE ARGS]
```

I had to update the slots to reflect each user. This is just a small bump I have no problem dealing with every 6 months (when we do our scheduled maintenance), but I would like to reference the tokens by the serial, or have a consistent way to plug/unplug the devices and get the correct slot order.
I know there is a URI scheme that is allowed into the inkey param (https://www.rfc-editor.org/rfc/rfc7512), but I haven't been able to make it work.
Also any info helping me troubleshoot this issue is welcome.
Extra info: I don't think it's important, but here it is:

**Server:**

OS: Linux (Ubuntu Server 14.06)
**Tokens:**

```
Slot 0 (0x0): AKS ifdh [eToken 5110 SC] 01 00
  token label        : MyDevice
  token manufacturer : SafeNet, Inc.
  token model        : eToken
  token flags        : rng, login required, PIN initialized, token initialized, other flags=0x200
  hardware version   : 12.0
  firmware version   : 12.0
  serial num         : XXXXXXXX
```
**Inside each token:**

```
Using slot 0 with a present token (0x0)
Certificate Object, type = X.509 cert
  label:
Certificate Object, type = X.509 cert
  label:
Certificate Object, type = X.509 cert
  label:      le-XXXXXXXX-XXXX-XXXX-XXXXX-XXXXXXXXXXXX
  ID:         XXXXXXXXXXXXXXXX
```
**OpenSSL engine config**

```
[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/libeTPkcs11.so
```

Relevant post from the libp11 mailing list about how the slot ID is not permanent, to allow hotplug: https://sourceforge.net/p/opensc/mailman/message/31235423/
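An added example in POSIX shell, not code from the original post: it parses (constructed) `pkcs11-tool --list-slots` output to report which slot currently holds a given token serial, and builds the RFC 7512 URI that names the key by serial and CKA_ID so that `-inkey` no longer depends on slot order. The serials and id are constructed placeholders, and it assumes an engine_pkcs11 build that accepts `pkcs11:` URIs with `serial=` and a percent-encoded `id=`.

```shell
#!/bin/sh
# Constructed sample of `pkcs11-tool --module /usr/lib/libeTPkcs11.so --list-slots`
# output (assumed format, matching the listing in the question); the serials
# are placeholders, not real tokens.
SAMPLE_SLOTS='Available slots:
Slot 0 (0x0): AKS ifdh [eToken 5110 SC] 01 00
  token label        : MyDevice
  token manufacturer : SafeNet, Inc.
  token model        : eToken
  serial num         : 0011AABB
Slot 1 (0x1): AKS ifdh [eToken 5110 SC] 00 00
  token label        : MyDevice
  token manufacturer : SafeNet, Inc.
  token model        : eToken
  serial num         : 0022CCDD'

# slot_for_serial SERIAL LISTING
# Prints the slot number that currently holds the token with SERIAL, or
# nothing if that token is not plugged in. Useful after a reboot to confirm
# which physical token landed in which slot.
slot_for_serial() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^Slot [0-9]+/ { slot = $2 }
        /serial num/   { if ($NF == want) { print slot; exit } }'
}

# percent_encode_id HEXID
# RFC 7512 treats "id" as a binary attribute: each byte of the CKA_ID is
# percent-encoded (%01%02...), not written as a bare hex string.
percent_encode_id() {
    printf '%s' "$1" | sed 's/../%&/g'
}

# pkcs11_uri SERIAL HEXID
# Builds a URI that selects the private key by token serial and CKA_ID.
# engine_pkcs11 resolves it at run time, so slot renumbering is harmless.
pkcs11_uri() {
    printf 'pkcs11:serial=%s;id=%s;type=private\n' "$1" "$(percent_encode_id "$2")"
}

# Usage with openssl (assumed invocation, shown as a comment so the script
# runs without hardware):
#   openssl dgst -engine pkcs11 -keyform engine \
#       -inkey "$(pkcs11_uri 0011AABB 0123456789ABCDEF)" -sign -sha256 in.pdf
printf 'token 0011AABB is now in slot %s\n' "$(slot_for_serial 0011AABB "$SAMPLE_SLOTS")"
pkcs11_uri 0011AABB 0123456789ABCDEF
```

Run `pkcs11-tool --module /usr/lib/libeTPkcs11.so --list-slots` and `pkcs11-tool --module ... --list-objects` once to collect each token's real serial and key id, then substitute them for the placeholders.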