Issue with SafeNet 5110 USB eToken on Ubuntu 24.04

Overview

After upgrading to Ubuntu 24.04, some users have reported that the Security Server does not detect the SafeNet 5110 USB eToken — a commonly used HSM token in Estonia. The issue lies in system-level permission handling, not the token itself.

Affected Systems

  • Operating System: Ubuntu 24.04

  • Token: Thales SafeNet 5110 USB eToken

Symptoms

  • The following error occurs in the signer logs:

    • e.r.x.s.t.m.AbstractModuleWorker - Error during module HardwareModuleWorker reload. It will be repeated on next scheduled module refresh.. iaik.pkcs.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR
  • The following is shown in the journal logs:

    • e.r.x.s.t.m.AbstractModuleWorker - Error during module HardwareModuleWorker reload. It will be repeated on next scheduled module refresh.. iaik.pkcs.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR

Root Cause

The pcscd daemon restricts access to the PC/SC interface. The xroad user lacks proper PolicyKit authorization, resulting in failure to retrieve token slots.

Solution

Create a polkit rule that grants the xroad group access to PC/SC.

  1. Ensure you are using an up-to-date version of the Thales SafenetAuthenticationClient v10.9 and libccid v1.5.5-1.

  2. Ensure that the Thales software sees the eToken and that pkcs11-tool is also able to see it:

    pkcs11-tool --module=/lib/libeToken.so -L
  3. Create and open the policy file:

    sudo nano /etc/polkit-1/rules.d/xroad.rules
  4. Add the following content:

    polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
            subject.isInGroup("xroad")) {
            return polkit.Result.YES;
        }
    });
  5. Restart the polkit service:

    sudo systemctl restart polkit
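
The scope of the rule from step 4 can be checked before it is deployed. The following is an added example, not part of the original article and not X-Road or polkit code: a small Node.js harness that loads the rule text into a mock `polkit` object and reports the decision for a few subjects. The mock object, the helpers `loadRules` and `decide`, and the action id `org.example.other-action` are assumptions made for illustration.

```javascript
// Rule text exactly as written to /etc/polkit-1/rules.d/xroad.rules in step 4.
const RULE_SOURCE = `
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.isInGroup("xroad")) {
        return polkit.Result.YES;
    }
});`;

// Load rule text and collect the functions it registers via polkit.addRule.
// Only addRule, Result and (below) isInGroup are mocked; this is a stand-in,
// not the real polkit engine.
function loadRules(source) {
    const rules = [];
    const polkit = {
        Result: { YES: "yes", NO: "no" },
        addRule: (fn) => rules.push(fn),
    };
    new Function("polkit", source)(polkit);
    return rules;
}

// Evaluate the rules in order; the first rule that returns a value decides.
// "not-handled" means no rule decided, so the action's default policy applies.
function decide(source, actionId, groups) {
    const action = { id: actionId };
    const subject = { isInGroup: (g) => groups.includes(g) };
    for (const rule of loadRules(source)) {
        const result = rule(action, subject);
        if (result !== undefined && result !== null) return result;
    }
    return "not-handled";
}

// Constructed test matrix: [action id, groups of the calling subject].
const CASES = [
    ["org.debian.pcsc-lite.access_pcsc", ["xroad"]],  // signer running as xroad
    ["org.debian.pcsc-lite.access_pcsc", ["users"]],  // unrelated local user
    ["org.example.other-action", ["xroad"]],          // constructed action id
];

function runCases() {
    return CASES.map(([id, groups]) => decide(RULE_SOURCE, id, groups));
}

console.log(runCases());
```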