<div dir="ltr">Hi,<div><br></div><div>Sorry for being soooo long to respond, but I have to switch to another project meanwhile.</div><div>I'm trying again to use dogtag with a HSM (with SoftHSM v2.1 this time, because I don't have hardware HSM anymore), and with a fresh new installation (server + dogtag), I still have the same issue during pkispawn - s CA:</div><div><br></div><div><div><font face="monospace, monospace">pkispawn : INFO ....... configuring PKI configuration data.</font></div><div><font face="monospace, monospace">pkispawn : ERROR ....... Exception from Java Configuration Servlet: 400 Client Error: Bad Request for url: <a href="https://dogtag-ca.qt.cls.fr:8443/ca/rest/installer/configure">https://dogtag-ca.qt.cls.fr:8443/ca/rest/installer/configure</a></font></div><div><font face="monospace, monospace">pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Invalid Token provided. No such token."}</font></div></div><div><br></div><div>My CA config file looks like that:</div><div><br></div><div><div><font face="monospace, monospace">[DEFAULT]</font></div><div><font face="monospace, monospace">pki_admin_password=Secret123</font></div><div><font face="monospace, monospace">pki_client_pkcs12_password=Secret123</font></div><div><font face="monospace, monospace">pki_ds_password=Secret123</font></div><div><font face="monospace, monospace"># Optionally keep client databases</font></div><div><font face="monospace, monospace">pki_client_database_purge=False</font></div><div><font face="monospace, monospace"># Provide HSM parameters</font></div><div><font face="monospace, monospace">pki_hsm_enable=True</font></div><div><font face="monospace, monospace">pki_hsm_libfile=/usr/local/lib/softhsm/libsofthsm2.so</font></div><div><font face="monospace, monospace">pki_hsm_modulename=softhsm</font></div><div><font face="monospace, monospace">pki_token_name=dogtag1</font></div><div><font face="monospace, monospace">pki_token_password=hsm_passwd</font></div><div><font face="monospace, monospace"># Provide PKI-specific HSM token names</font></div><div><font face="monospace, monospace">pki_audit_signing_token=dogtag1</font></div><div><font face="monospace, monospace">pki_ssl_server_token=dogtag1</font></div><div><font face="monospace, monospace">pki_subsystem_token=dogtag1</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">[CA]</font></div><div><font face="monospace, monospace"># Provide CA-specific HSM token names</font></div><div><span style="font-family:monospace,monospace">pki_ca_signing_token=dogtag1</span><br></div><div><font face="monospace, monospace">pki_ocsp_signing_token=dogtag1</font></div></div><div><br></div><div><br></div><div><span style="color:rgb(0,0,0);font-size:12.8px">/var/lib/pki/pki-tomcat/ca/logs/debug:</span><br></div><div><div style=""><div><font face="monospace, monospace">[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: SystemConfigService: configure()</font></div><div><font face="monospace, monospace">[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: SystemConfigService: request: ConfigurationRequest [pin=XXXX, token=dogtag1, tokenPassword=XXXX, securityDomainType=newdomain, securityDomainUri=null, securityDomainName=<a href="http://qt.cls.fr">qt.cls.fr</a> Security Domain, securityDomainUser=null, securityDomainPassword=XXXX, isClone=false, cloneUri=null, subsystemName=CA <a href="http://dogtag-ca.qt.cls.fr">dogtag-ca.qt.cls.fr</a> 8443, p12File=null, p12Password=XXXX, hierarchy=root, dsHost=<a href="http://dogtag-ca.qt.cls.fr">dogtag-ca.qt.cls.fr</a>, dsPort=389, baseDN=o=pki-CLS-CA, bindDN=cn=Directory Manager, bindpwd=XXXX, database=pki-CLS-CA, secureConn=false, removeData=true, replicateSchema=null, masterReplicationPort=null, cloneReplicationPort=null, replicationSecurity=null, systemCertsImported=false, systemCerts=[com.netscape.certsrv.system.SystemCertData@60c8305a, com.netscape.certsrv.system.SystemCertData@7774cd87, com.netscape.certsrv.system.SystemCertData@6f41ab06, com.netscape.certsrv.system.SystemCertData@99112a8, com.netscape.certsrv.system.SystemCertData@28fab920], issuingCA=null, backupKeys=false, backupPassword=, adminCertRequestType=pkcs10, adminSubjectDN=cn=PKI Administrator,e=<a href="mailto:caadmin@qt.cls.fr">caadmin@qt.cls.fr</a>,o=<a href="http://qt.cls.fr">qt.cls.fr</a> Security Domain, adminName=caadmin, adminProfileID=caAdminCert, adminCert=null, importAdminCert=false, generateServerCert=true, external=false, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null, generateSubsystemCert=true, sharedDB=false, sharedDBUserDN=null, createNewDB=true, setupReplication=null, subordinateSecurityDomainName=null, reindexData=null]</font></div><div><font face="monospace, monospace">[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: === Token Authentication ===</font></div><div><font face="monospace, monospace">[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: Invalid Token provided. No such token.</font></div><div><br></div></div><div style="color:rgb(0,0,0);font-size:12.8px"><br></div></div><div style="color:rgb(0,0,0);font-size:12.8px">Versions:</div><div style="color:rgb(0,0,0);font-size:12.8px">Fedroa 24</div><div style="color:rgb(0,0,0);font-size:12.8px">Dogtag 10.3.3 (also tested with 10.3.3.3 from git repo)</div><div style="color:rgb(0,0,0);font-size:12.8px"><br></div><div style="color:rgb(0,0,0);font-size:12.8px">Does anyone have an idea?</div><div style="color:rgb(0,0,0);font-size:12.8px"><br></div><div style="color:rgb(0,0,0);font-size:12.8px">Thanks!</div><div style="color:rgb(0,0,0);font-size:12.8px">Regards</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-01-07 18:23 GMT+01:00 Christina Fu <span dir="ltr"><<a href="mailto:cfu@redhat.com" target="_blank">cfu@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div text="#000000" bgcolor="#FFFFFF"> you could normally find more accurate log info giving out more clue under <instance dir>/logs/debug, e.g. /var/lib/ pki/pki-tomcat/ca/logs/debug<br> <br> Christina<div><div class="h5"><br> <br> <div>On 01/06/2016 01:54 AM, Lionel Beard wrote:<br> </div> </div></div><blockquote type="cite"><div><div class="h5"> <div dir="ltr"> <div style="color:rgb(0,0,0);font-size:12.8px">Hi,</div> <div style="color:rgb(0,0,0);font-size:12.8px"><br> </div> <div style="color:rgb(0,0,0);font-size:12.8px">I'm trying to create a CA with a Atos/Bull HSM backend.</div> <div style="color:rgb(0,0,0);font-size:12.8px">I have created a configuration file default_hsm.cfg with hsm options enabled and configured, and I have set HSM token and password.</div> <div style="color:rgb(0,0,0);font-size:12.8px"><br> </div> <div style="color:rgb(0,0,0);font-size:12.8px">When I run the command:</div> <div style="color:rgb(0,0,0);font-size:12.8px"># pkispawn -s CA -f /etc/pki/default_hsm.cfg -vvv</div> <div style="color:rgb(0,0,0);font-size:12.8px">I get the error:</div> <div style="color:rgb(0,0,0);font-size:12.8px"><br> </div> <div style="color:rgb(0,0,0);font-size:12.8px"> <div><font face="times new roman, serif">pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse></font></div> <div><font face="times new roman, serif">pkispawn : INFO ....... constructing PKI configuration data.</font></div> <div><font face="times new roman, serif">pkispawn : INFO ....... executing 'certutil -R -d /root/.dogtag/pki-tomcat/ca/alias -s cn=PKI Administrator,e=<a href="mailto:caadmin@cls.fr" target="_blank">caadmin@cls.fr</a>,o=<a href="http://cls.fr/" target="_blank">cls.fr</a> Security Domain -k rsa -g 2048 -z /root/.dogtag/pki-tomcat/ca/alias/noise -f /root/.dogtag/pki-tomcat/ca/password.conf -o /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'</font></div> <div><font face="times new roman, serif">pkispawn : INFO ....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise</font></div> <div><font face="times new roman, serif">pkispawn : INFO ....... BtoA /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc</font></div> <div><font face="times new roman, serif">pkispawn : INFO ....... configuring PKI configuration data.</font></div> <div><font face="times new roman, serif">pkispawn : ERROR ....... Exception from Java Configuration Servlet: 400 Client Error: Bad Request for url: <a href="https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure" target="_blank"></a><a href="https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure" target="_blank">https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure</a></font></div> <div><font face="times new roman, serif">pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"<b>Invalid Token provided. No such token</b>."} </font></div> <div><font face="times new roman, serif">pkispawn : DEBUG ....... Error Type: ParseError</font></div> <div><font face="times new roman, serif">pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0</font></div> <div><font face="times new roman, serif">pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in main</font></div> <div><font face="times new roman, serif"> rv = instance.spawn(deployer)</font></div> <div><font face="times new roman, serif"> File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn</font></div> <div><font face="times new roman, serif"> json.dumps(data, cls=pki.encoder.CustomTypeEncoder))</font></div> <div><font face="times new roman, serif"> File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data</font></div> <div><font face="times new roman, serif"> root = ET.fromstring(e.response.text)</font></div> <div><font face="times new roman, serif"> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML</font></div> <div><font face="times new roman, serif"> parser.feed(text)</font></div> <div><font face="times new roman, serif"> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed</font></div> <div><font face="times new roman, serif"> self._raiseerror(v)</font></div> <div><font face="times new roman, serif"> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror</font></div> <div><font face="times new roman, serif"> raise err</font></div> <div><font face="times new roman, serif"><br> </font></div> <div><font face="times new roman, serif"><br> </font></div> <div><font face="times new roman, serif">Installation failed.</font></div> </div> <div style="color:rgb(0,0,0);font-size:12.8px"><br> </div> <div style="color:rgb(0,0,0);font-size:12.8px">Just after pki service restart.</div> <div style="color:rgb(0,0,0);font-size:12.8px">I don't know which "Token" is it talking about, not sure it is HSM token.</div> <div style="color:rgb(0,0,0);font-size:12.8px">HSM is working fine because it is previously added to database with modutil:</div> <div style="color:rgb(0,0,0);font-size:12.8px"><br> </div> <div style="color:rgb(0,0,0);font-size:12.8px"> <div><font face="times new roman, serif"># modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb</font></div> <div><font face="times new roman, serif"><br> </font></div> <div><font face="times new roman, serif">Bull TrustWay Proteccio NetHSM 2.4</font></div> <div><font face="times new roman, serif"><br> </font></div> <div><font face="times new roman, serif">Configuration read from /etc/proteccio//proteccio.rc</font></div> <div><font face="times new roman, serif"><br> </font></div> <div><font face="times new roman, serif">Listing of PKCS #11 Modules</font></div> <div><font face="times new roman, serif">-----------------------------------------------------------</font></div> <div><font face="times new roman, serif"> 1. NSS Internal PKCS #11 Module</font></div> <div><font face="times new roman, serif"> slots: 2 slots attached</font></div> <div><font face="times new roman, serif"> status: loaded</font></div> <div><font face="times new roman, serif"><br> </font></div> <div><font face="times new roman, serif"> slot: NSS Internal Cryptographic Services</font></div> <div><font face="times new roman, serif"> token: NSS Generic Crypto Services</font></div> <div><font face="times new roman, serif"><br> </font></div> <div><font face="times new roman, serif"> slot: NSS User Private Key and Certificate Services</font></div> <div><font face="times new roman, serif"> token: NSS Certificate DB</font></div> <div><font face="times new roman, serif"><br> </font></div> <div><font face="times new roman, serif"> 2. nethsm</font></div> <div><font face="times new roman, serif"> library name: /usr/lib64/libnethsm.so</font></div> <div><font face="times new roman, serif"> slots: 8 slots attached</font></div> <div><font face="times new roman, serif"> status: loaded</font></div> <div><font face="times new roman, serif"><br> </font></div> <div><font face="times new roman, serif"> slot: Trustway Crypto Engine Slot</font></div> <div><font face="times new roman, serif"> token: nethsm1_V1</font></div> <div><font face="times new roman, serif"><br> </font></div> <div><font face="times new roman, serif"> slot: Trustway Crypto Engine Slot</font></div> <div><font face="times new roman, serif"> token: </font></div> <div><font face="times new roman, serif"><br> </font></div> <div><font face="times new roman, serif"> slot: Trustway Crypto Engine Slot</font></div> <div><font face="times new roman, serif"> token: </font></div> <div><font face="times new roman, serif"><br> </font></div> <div><font face="times new roman, serif"> slot: Trustway Crypto Engine Slot</font></div> <div><font face="times new roman, serif"> token: </font></div> <div><font face="times new roman, serif"><br> </font></div> <div><font face="times new roman, serif"> slot: Trustway Crypto Engine Slot</font></div> <div><font face="times new roman, serif"> token: </font></div> <div><font face="times new roman, serif"><br> </font></div> <div><font face="times new roman, serif"> slot: Trustway Crypto Engine Slot</font></div> <div><font face="times new roman, serif"> token: </font></div> <div><font face="times new roman, serif"><br> </font></div> <div><font face="times new roman, serif"> slot: Trustway Crypto Engine Slot</font></div> <div><font face="times new roman, serif"> token: </font></div> <div><font face="times new roman, serif"><br> </font></div> <div><font face="times new roman, serif"> slot: Trustway Crypto Engine Slot</font></div> <div><font face="times new roman, serif"> token: </font></div> <div><font face="times new roman, serif">-----------------------------------------------------------</font></div> </div> <div style="color:rgb(0,0,0);font-size:12.8px"><br> </div> <div style="color:rgb(0,0,0);font-size:12.8px">Of course, I have updated default_hsm.cfg file according to Redhat documentation to enable HSM et put HSM token name and password:</div> <div style="color:rgb(0,0,0);font-size:12.8px"> <div><font face="times new roman, serif"># grep hsm /etc/pki/default_hsm.cfg </font></div> <div><font face="times new roman, serif">pki_audit_signing_token=nethsm1_V1</font></div> <div><font face="times new roman, serif">pki_hsm_enable=True</font></div> <div><font face="times new roman, serif">pki_hsm_libfile=/usr/lib64/libnethsm.so</font></div> <div><font face="times new roman, serif">pki_hsm_modulename=nethsm</font></div> <div><font face="times new roman, serif">pki_ssl_server_token=nethsm1_V1</font></div> <div><font face="times new roman, serif">pki_subsystem_token=nethsm1_V1</font></div> <div><font face="times new roman, serif">pki_token_name=nethsm1_V1</font></div> <div><font face="times new roman, serif">pki_storage_token=nethsm1_V1</font></div> <div><font face="times new roman, serif">pki_transport_token=nethsm1_V1</font></div> </div> <div style="color:rgb(0,0,0);font-size:12.8px"><br> </div> <div style="color:rgb(0,0,0);font-size:12.8px">I have tried with interactive installation (so with no HSM), and it is working fine.</div> <div style="color:rgb(0,0,0);font-size:12.8px"><br> </div> <div style="color:rgb(0,0,0);font-size:12.8px">Does anyone can help me?</div> <div style="color:rgb(0,0,0);font-size:12.8px"><br> </div> <div style="color:rgb(0,0,0);font-size:12.8px">Thanks!</div> </div> <br> <fieldset></fieldset> <br> </div></div><pre>_______________________________________________ Pki-users mailing list <a href="mailto:Pki-users@redhat.com" target="_blank">Pki-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/pki-users" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a></pre> </blockquote> <br> </div> <br>_______________________________________________<br> Pki-users mailing list<br> <a href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/pki-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a><br></blockquote></div><br></div>