<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
You could normally find more accurate log info, giving more clues,
under &lt;instance dir&gt;/logs/debug, e.g.
/var/lib/pki/pki-tomcat/ca/logs/debug<br>
<br>
Christina<br>
<br>
<div class="moz-cite-prefix">On 01/06/2016 01:54 AM, Lionel Beard
wrote:<br>
</div>
<blockquote
cite="mid:CAEAZrEbtRq1P8hz-zCJRyRZjTBprOfYK8r-oOOVsRJTAeELRaw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="color:rgb(0,0,0);font-size:12.8px">Hi,</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">I'm trying to
create a CA with an Atos/Bull HSM backend.</div>
<div style="color:rgb(0,0,0);font-size:12.8px">I have created a
configuration file default_hsm.cfg with hsm options enabled
and configured, and I have set HSM token and password.</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">When I run the
command:</div>
<div style="color:rgb(0,0,0);font-size:12.8px"># pkispawn -s CA
-f /etc/pki/default_hsm.cfg -vvv</div>
<div style="color:rgb(0,0,0);font-size:12.8px">I get the error:</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">
<div><font face="times new roman, serif">pkispawn : DEBUG
........... &lt;?xml version="1.0" encoding="UTF-8"
standalone="no"?&gt;&lt;XMLResponse&gt;&lt;State&gt;0&lt;/State&gt;&lt;Type&gt;CA&lt;/Type&gt;&lt;Status&gt;running&lt;/Status&gt;&lt;Version&gt;10.2.6-13.fc23&lt;/Version&gt;&lt;/XMLResponse&gt;</font></div>
<div><font face="times new roman, serif">pkispawn : INFO
....... constructing PKI configuration data.</font></div>
<div><font face="times new roman, serif">pkispawn : INFO
....... executing 'certutil -R -d
/root/.dogtag/pki-tomcat/ca/alias -s cn=PKI
Administrator,e=caadmin@cls.fr,o=cls.fr Security Domain -k rsa -g
2048 -z /root/.dogtag/pki-tomcat/ca/alias/noise -f
/root/.dogtag/pki-tomcat/ca/password.conf -o
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'</font></div>
<div><font face="times new roman, serif">pkispawn : INFO
....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise</font></div>
<div><font face="times new roman, serif">pkispawn : INFO
....... BtoA
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc</font></div>
<div><font face="times new roman, serif">pkispawn : INFO
....... configuring PKI configuration data.</font></div>
<div><font face="times new roman, serif">pkispawn : ERROR
....... Exception from Java Configuration Servlet: 400
Client Error: Bad Request for url: <a
moz-do-not-send="true"
href="https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure"
target="_blank">https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure</a></font></div>
<div><font face="times new roman, serif">pkispawn : ERROR
....... ParseError: not well-formed (invalid token): line
1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"<b>Invalid
Token provided. No such token</b>."} </font></div>
<div><font face="times new roman, serif">pkispawn : DEBUG
....... Error Type: ParseError</font></div>
<div><font face="times new roman, serif">pkispawn : DEBUG
....... Error Message: not well-formed (invalid token):
line 1, column 0</font></div>
<div><font face="times new roman, serif">pkispawn : DEBUG
....... File "/usr/sbin/pkispawn", line 597, in main</font></div>
<div><font face="times new roman, serif"> rv =
instance.spawn(deployer)</font></div>
<div><font face="times new roman, serif"> File
"/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 116, in spawn</font></div>
<div><font face="times new roman, serif"> json.dumps(data,
cls=pki.encoder.CustomTypeEncoder))</font></div>
<div><font face="times new roman, serif"> File
"/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py",
line 3872, in configure_pki_data</font></div>
<div><font face="times new roman, serif"> root =
ET.fromstring(e.response.text)</font></div>
<div><font face="times new roman, serif"> File
"/usr/lib64/python2.7/xml/etree/ElementTree.py", line
1300, in XML</font></div>
<div><font face="times new roman, serif"> parser.feed(text)</font></div>
<div><font face="times new roman, serif"> File
"/usr/lib64/python2.7/xml/etree/ElementTree.py", line
1642, in feed</font></div>
<div><font face="times new roman, serif">
self._raiseerror(v)</font></div>
<div><font face="times new roman, serif"> File
"/usr/lib64/python2.7/xml/etree/ElementTree.py", line
1506, in _raiseerror</font></div>
<div><font face="times new roman, serif"> raise err</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif">Installation failed.</font></div>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">Just after pki
service restart.</div>
<div style="color:rgb(0,0,0);font-size:12.8px">I don't know
which "Token" it is talking about; I'm not sure it is the HSM token.</div>
<div style="color:rgb(0,0,0);font-size:12.8px">The HSM is working
fine because it was previously added to the database with modutil:</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">
<div><font face="times new roman, serif"># modutil -list
-dbdir /etc/pki/pki-tomcat/alias -nocertdb</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif">Bull TrustWay
Proteccio NetHSM 2.4</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif">Configuration read
from /etc/proteccio//proteccio.rc</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif">Listing of PKCS #11
Modules</font></div>
<div><font face="times new roman, serif">-----------------------------------------------------------</font></div>
<div><font face="times new roman, serif"> 1. NSS Internal
PKCS #11 Module</font></div>
<div><font face="times new roman, serif"> slots: 2
slots attached</font></div>
<div><font face="times new roman, serif"> status:
loaded</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot: NSS
Internal Cryptographic Services</font></div>
<div><font face="times new roman, serif"> token: NSS
Generic Crypto Services</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot: NSS
User Private Key and Certificate Services</font></div>
<div><font face="times new roman, serif"> token: NSS
Certificate DB</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> 2. nethsm</font></div>
<div><font face="times new roman, serif"> library name:
/usr/lib64/libnethsm.so</font></div>
<div><font face="times new roman, serif"> slots: 8
slots attached</font></div>
<div><font face="times new roman, serif"> status:
loaded</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot:
Trustway Crypto Engine Slot</font></div>
<div><font face="times new roman, serif"> token:
nethsm1_V1</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot:
Trustway Crypto Engine Slot</font></div>
<div><font face="times new roman, serif"> token: </font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot:
Trustway Crypto Engine Slot</font></div>
<div><font face="times new roman, serif"> token: </font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot:
Trustway Crypto Engine Slot</font></div>
<div><font face="times new roman, serif"> token: </font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot:
Trustway Crypto Engine Slot</font></div>
<div><font face="times new roman, serif"> token: </font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot:
Trustway Crypto Engine Slot</font></div>
<div><font face="times new roman, serif"> token: </font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot:
Trustway Crypto Engine Slot</font></div>
<div><font face="times new roman, serif"> token: </font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot:
Trustway Crypto Engine Slot</font></div>
<div><font face="times new roman, serif"> token: </font></div>
<div><font face="times new roman, serif">-----------------------------------------------------------</font></div>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">Of course, I have
updated the default_hsm.cfg file according to the Red Hat documentation
to enable HSM and put the HSM token name and password:</div>
<div style="color:rgb(0,0,0);font-size:12.8px">
<div><font face="times new roman, serif"># grep hsm
/etc/pki/default_hsm.cfg </font></div>
<div><font face="times new roman, serif">pki_audit_signing_token=nethsm1_V1</font></div>
<div><font face="times new roman, serif">pki_hsm_enable=True</font></div>
<div><font face="times new roman, serif">pki_hsm_libfile=/usr/lib64/libnethsm.so</font></div>
<div><font face="times new roman, serif">pki_hsm_modulename=nethsm</font></div>
<div><font face="times new roman, serif">pki_ssl_server_token=nethsm1_V1</font></div>
<div><font face="times new roman, serif">pki_subsystem_token=nethsm1_V1</font></div>
<div><font face="times new roman, serif">pki_token_name=nethsm1_V1</font></div>
<div><font face="times new roman, serif">pki_storage_token=nethsm1_V1</font></div>
<div><font face="times new roman, serif">pki_transport_token=nethsm1_V1</font></div>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">I have tried with
interactive installation (so with no HSM), and it is working
fine.</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">Can anyone
help me?</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">Thanks!</div>
</div>
<br>
<pre wrap="">_______________________________________________
Pki-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</blockquote>
<br>
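Added example, not part of the original thread and not Dogtag code: the traceback above shows the servlet's JSON error body being fed to an XML parser, so this sketch recovers the server's actual message and cross-checks the token options in the deployment file against the labels that modutil lists. The function names are hypothetical, and the sample inputs are constructed and abridged from the output quoted in the message.<br>
<br>

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed samples, abridged from the output quoted in the thread.
ERROR_BODY = ('{"Attributes":{"Attribute":[]},"ClassName":'
              '"com.netscape.certsrv.base.BadRequestException",'
              '"Code":400,"Message":"Invalid Token provided. No such token."}')
MODUTIL_LIST = """\
  1. NSS Internal PKCS #11 Module
         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
  2. nethsm
         slot: Trustway Crypto Engine Slot
        token: nethsm1_V1
         slot: Trustway Crypto Engine Slot
        token:
"""
CFG = "pki_hsm_enable=True\npki_token_name=nethsm1_V1\npki_ssl_server_token=nethsm1_V1\n"


def server_message(body):
    """Return (JSON Message field, error an XML parser gives for the same body)."""
    try:
        ET.fromstring(body)
        xml_error = None
    except ET.ParseError as err:
        xml_error = str(err)  # what hides the real message in the traceback
    try:
        message = json.loads(body).get("Message")
    except ValueError:
        message = None
    return message, xml_error


def listed_tokens(listing):
    """Return the set of non-empty token labels in `modutil -list` output."""
    return set(re.findall(r"^\s*token:[ \t]*(\S.*?)\s*$", listing, re.MULTILINE))


def unknown_tokens(cfg_text, listing):
    """Return {option: value} for token options naming a label modutil does not list."""
    known = listed_tokens(listing)
    bad = {}
    for line in cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and "token" in key and value.strip() not in known:
            bad[key.strip()] = value.strip()
    return bad
```

On the values quoted in the message, unknown_tokens returns an empty dict: the configured label matches what modutil lists, so the next place to look is the debug log named in the reply.<br>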
</body>
</html>