<div dir="ltr">Hi,<div><br></div><div>Sorry for being soooo long to respond, but I have to switch to another project meanwhile.</div><div>I'm trying again to use dogtag with a HSM (with SoftHSM v2.1 this time, because I don't have hardware HSM anymore), and with a fresh new installation (server + dogtag), I still have the same issue during pkispawn - s CA:</div><div><br></div><div><div><font face="monospace, monospace">pkispawn : INFO ....... configuring PKI configuration data.</font></div><div><font face="monospace, monospace">pkispawn : ERROR ....... Exception from Java Configuration Servlet: 400 Client Error: Bad Request for url: <a href="https://dogtag-ca.qt.cls.fr:8443/ca/rest/installer/configure">https://dogtag-ca.qt.cls.fr:8443/ca/rest/installer/configure</a></font></div><div><font face="monospace, monospace">pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Invalid Token provided. No such token."}</font></div></div><div><br></div><div>My CA config file looks like that:</div><div><br></div><div><div><font face="monospace, monospace">[DEFAULT]</font></div><div><font face="monospace, monospace">pki_admin_password=Secret123</font></div><div><font face="monospace, monospace">pki_client_pkcs12_password=Secret123</font></div><div><font face="monospace, monospace">pki_ds_password=Secret123</font></div><div><font face="monospace, monospace"># Optionally keep client databases</font></div><div><font face="monospace, monospace">pki_client_database_purge=False</font></div><div><font face="monospace, monospace"># Provide HSM parameters</font></div><div><font face="monospace, monospace">pki_hsm_enable=True</font></div><div><font face="monospace, monospace">pki_hsm_libfile=/usr/local/lib/softhsm/libsofthsm2.so</font></div><div><font face="monospace, monospace">pki_hsm_modulename=softhsm</font></div><div><font face="monospace, monospace">pki_token_name=dogtag1</font></div><div><font face="monospace, monospace">pki_token_password=hsm_passwd</font></div><div><font face="monospace, monospace"># Provide PKI-specific HSM token names</font></div><div><font face="monospace, monospace">pki_audit_signing_token=dogtag1</font></div><div><font face="monospace, monospace">pki_ssl_server_token=dogtag1</font></div><div><font face="monospace, monospace">pki_subsystem_token=dogtag1</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">[CA]</font></div><div><font face="monospace, monospace"># Provide CA-specific HSM token names</font></div><div><span style="font-family:monospace,monospace">pki_ca_signing_token=dogtag1</span><br></div><div><font face="monospace, monospace">pki_ocsp_signing_token=dogtag1</font></div></div><div><br></div><div><br></div><div><span style="color:rgb(0,0,0);font-size:12.8px">/var/lib/pki/pki-tomcat/ca/logs/debug:</span><br></div><div><div style=""><div><font face="monospace, monospace">[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: SystemConfigService: configure()</font></div><div><font face="monospace, monospace">[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: SystemConfigService: request: ConfigurationRequest [pin=XXXX, token=dogtag1, tokenPassword=XXXX, securityDomainType=newdomain, securityDomainUri=null, securityDomainName=<a href="http://qt.cls.fr">qt.cls.fr</a> Security Domain, securityDomainUser=null, securityDomainPassword=XXXX, isClone=false, cloneUri=null, subsystemName=CA <a href="http://dogtag-ca.qt.cls.fr">dogtag-ca.qt.cls.fr</a> 8443, p12File=null, p12Password=XXXX, hierarchy=root, dsHost=<a href="http://dogtag-ca.qt.cls.fr">dogtag-ca.qt.cls.fr</a>, dsPort=389, baseDN=o=pki-CLS-CA, bindDN=cn=Directory Manager, bindpwd=XXXX, database=pki-CLS-CA, secureConn=false, removeData=true, replicateSchema=null, masterReplicationPort=null, cloneReplicationPort=null, replicationSecurity=null, systemCertsImported=false, systemCerts=[com.netscape.certsrv.system.SystemCertData@60c8305a, com.netscape.certsrv.system.SystemCertData@7774cd87, com.netscape.certsrv.system.SystemCertData@6f41ab06, com.netscape.certsrv.system.SystemCertData@99112a8, com.netscape.certsrv.system.SystemCertData@28fab920], issuingCA=null, backupKeys=false, backupPassword=, adminCertRequestType=pkcs10, adminSubjectDN=cn=PKI Administrator,e=<a href="mailto:caadmin@qt.cls.fr">caadmin@qt.cls.fr</a>,o=<a href="http://qt.cls.fr">qt.cls.fr</a> Security Domain, adminName=caadmin, adminProfileID=caAdminCert, adminCert=null, importAdminCert=false, generateServerCert=true, external=false, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null, generateSubsystemCert=true, sharedDB=false, sharedDBUserDN=null, createNewDB=true, setupReplication=null, subordinateSecurityDomainName=null, reindexData=null]</font></div><div><font face="monospace, monospace">[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: === Token Authentication ===</font></div><div><font face="monospace, monospace">[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: Invalid Token provided. No such token.</font></div><div><br></div></div><div style="color:rgb(0,0,0);font-size:12.8px"><br></div></div><div style="color:rgb(0,0,0);font-size:12.8px">Versions:</div><div style="color:rgb(0,0,0);font-size:12.8px">Fedroa 24</div><div style="color:rgb(0,0,0);font-size:12.8px">Dogtag 10.3.3 (also tested with 10.3.3.3 from git repo)</div><div style="color:rgb(0,0,0);font-size:12.8px"><br></div><div style="color:rgb(0,0,0);font-size:12.8px">Does anyone have an idea?</div><div style="color:rgb(0,0,0);font-size:12.8px"><br></div><div style="color:rgb(0,0,0);font-size:12.8px">Thanks!</div><div style="color:rgb(0,0,0);font-size:12.8px">Regards</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-01-07 18:23 GMT+01:00 Christina Fu <span dir="ltr"><<a href="mailto:cfu@redhat.com" target="_blank">cfu@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
you could normally find more accurate log info giving out more clue
under <instance dir>/logs/debug, e.g. /var/lib/
pki/pki-tomcat/ca/logs/debug<br>
<br>
Christina<div><div class="h5"><br>
<br>
<div>On 01/06/2016 01:54 AM, Lionel Beard
wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">
<div style="color:rgb(0,0,0);font-size:12.8px">Hi,</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">I'm trying to
create a CA with a Atos/Bull HSM backend.</div>
<div style="color:rgb(0,0,0);font-size:12.8px">I have created a
configuration file default_hsm.cfg with hsm options enabled
and configured, and I have set HSM token and password.</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">When I run the
command:</div>
<div style="color:rgb(0,0,0);font-size:12.8px"># pkispawn -s CA
-f /etc/pki/default_hsm.cfg -vvv</div>
<div style="color:rgb(0,0,0);font-size:12.8px">I get the error:</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">
<div><font face="times new roman, serif">pkispawn : DEBUG
........... <?xml version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse></font></div>
<div><font face="times new roman, serif">pkispawn : INFO
....... constructing PKI configuration data.</font></div>
<div><font face="times new roman, serif">pkispawn : INFO
....... executing 'certutil -R -d
/root/.dogtag/pki-tomcat/ca/alias -s cn=PKI
Administrator,e=<a href="mailto:caadmin@cls.fr" target="_blank">caadmin@cls.fr</a>,o=<a href="http://cls.fr/" target="_blank">cls.fr</a> Security Domain -k rsa -g
2048 -z /root/.dogtag/pki-tomcat/ca/alias/noise -f
/root/.dogtag/pki-tomcat/ca/password.conf -o
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'</font></div>
<div><font face="times new roman, serif">pkispawn : INFO
....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise</font></div>
<div><font face="times new roman, serif">pkispawn : INFO
....... BtoA
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc</font></div>
<div><font face="times new roman, serif">pkispawn : INFO
....... configuring PKI configuration data.</font></div>
<div><font face="times new roman, serif">pkispawn : ERROR
....... Exception from Java Configuration Servlet: 400
Client Error: Bad Request for url: <a href="https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure" target="_blank"></a><a href="https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure" target="_blank">https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure</a></font></div>
<div><font face="times new roman, serif">pkispawn : ERROR
....... ParseError: not well-formed (invalid token): line
1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"<b>Invalid
Token provided. No such token</b>."} </font></div>
<div><font face="times new roman, serif">pkispawn : DEBUG
....... Error Type: ParseError</font></div>
<div><font face="times new roman, serif">pkispawn : DEBUG
....... Error Message: not well-formed (invalid token):
line 1, column 0</font></div>
<div><font face="times new roman, serif">pkispawn : DEBUG
....... File "/usr/sbin/pkispawn", line 597, in main</font></div>
<div><font face="times new roman, serif"> rv =
instance.spawn(deployer)</font></div>
<div><font face="times new roman, serif"> File
"/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 116, in spawn</font></div>
<div><font face="times new roman, serif"> json.dumps(data,
cls=pki.encoder.CustomTypeEncoder))</font></div>
<div><font face="times new roman, serif"> File
"/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py",
line 3872, in configure_pki_data</font></div>
<div><font face="times new roman, serif"> root =
ET.fromstring(e.response.text)</font></div>
<div><font face="times new roman, serif"> File
"/usr/lib64/python2.7/xml/etree/ElementTree.py", line
1300, in XML</font></div>
<div><font face="times new roman, serif"> parser.feed(text)</font></div>
<div><font face="times new roman, serif"> File
"/usr/lib64/python2.7/xml/etree/ElementTree.py", line
1642, in feed</font></div>
<div><font face="times new roman, serif">
self._raiseerror(v)</font></div>
<div><font face="times new roman, serif"> File
"/usr/lib64/python2.7/xml/etree/ElementTree.py", line
1506, in _raiseerror</font></div>
<div><font face="times new roman, serif"> raise err</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif">Installation failed.</font></div>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">Just after pki
service restart.</div>
<div style="color:rgb(0,0,0);font-size:12.8px">I don't know
which "Token" is it talking about, not sure it is HSM token.</div>
<div style="color:rgb(0,0,0);font-size:12.8px">HSM is working
fine because it is previously added to database with modutil:</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">
<div><font face="times new roman, serif"># modutil -list
-dbdir /etc/pki/pki-tomcat/alias -nocertdb</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif">Bull TrustWay
Proteccio NetHSM 2.4</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif">Configuration read
from /etc/proteccio//proteccio.rc</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif">Listing of PKCS #11
Modules</font></div>
<div><font face="times new roman, serif">-----------------------------------------------------------</font></div>
<div><font face="times new roman, serif"> 1. NSS Internal
PKCS #11 Module</font></div>
<div><font face="times new roman, serif"> slots: 2
slots attached</font></div>
<div><font face="times new roman, serif"> status:
loaded</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot: NSS
Internal Cryptographic Services</font></div>
<div><font face="times new roman, serif"> token: NSS
Generic Crypto Services</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot: NSS
User Private Key and Certificate Services</font></div>
<div><font face="times new roman, serif"> token: NSS
Certificate DB</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> 2. nethsm</font></div>
<div><font face="times new roman, serif"> library name:
/usr/lib64/libnethsm.so</font></div>
<div><font face="times new roman, serif"> slots: 8
slots attached</font></div>
<div><font face="times new roman, serif"> status:
loaded</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot:
Trustway Crypto Engine Slot</font></div>
<div><font face="times new roman, serif"> token:
nethsm1_V1</font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot:
Trustway Crypto Engine Slot</font></div>
<div><font face="times new roman, serif"> token: </font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot:
Trustway Crypto Engine Slot</font></div>
<div><font face="times new roman, serif"> token: </font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot:
Trustway Crypto Engine Slot</font></div>
<div><font face="times new roman, serif"> token: </font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot:
Trustway Crypto Engine Slot</font></div>
<div><font face="times new roman, serif"> token: </font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot:
Trustway Crypto Engine Slot</font></div>
<div><font face="times new roman, serif"> token: </font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot:
Trustway Crypto Engine Slot</font></div>
<div><font face="times new roman, serif"> token: </font></div>
<div><font face="times new roman, serif"><br>
</font></div>
<div><font face="times new roman, serif"> slot:
Trustway Crypto Engine Slot</font></div>
<div><font face="times new roman, serif"> token: </font></div>
<div><font face="times new roman, serif">-----------------------------------------------------------</font></div>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">Of course, I have
updated default_hsm.cfg file according to Redhat documentation
to enable HSM et put HSM token name and password:</div>
<div style="color:rgb(0,0,0);font-size:12.8px">
<div><font face="times new roman, serif"># grep hsm
/etc/pki/default_hsm.cfg </font></div>
<div><font face="times new roman, serif">pki_audit_signing_token=nethsm1_V1</font></div>
<div><font face="times new roman, serif">pki_hsm_enable=True</font></div>
<div><font face="times new roman, serif">pki_hsm_libfile=/usr/lib64/libnethsm.so</font></div>
<div><font face="times new roman, serif">pki_hsm_modulename=nethsm</font></div>
<div><font face="times new roman, serif">pki_ssl_server_token=nethsm1_V1</font></div>
<div><font face="times new roman, serif">pki_subsystem_token=nethsm1_V1</font></div>
<div><font face="times new roman, serif">pki_token_name=nethsm1_V1</font></div>
<div><font face="times new roman, serif">pki_storage_token=nethsm1_V1</font></div>
<div><font face="times new roman, serif">pki_transport_token=nethsm1_V1</font></div>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">I have tried with
interactive installation (so with no HSM), and it is working
fine.</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">Does anyone can
help me?</div>
<div style="color:rgb(0,0,0);font-size:12.8px"><br>
</div>
<div style="color:rgb(0,0,0);font-size:12.8px">Thanks!</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div></div><pre>_______________________________________________
Pki-users mailing list
<a href="mailto:Pki-users@redhat.com" target="_blank">Pki-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/pki-users" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</blockquote>
<br>
</div>
<br>_______________________________________________<br>
Pki-users mailing list<br>
<a href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/pki-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a><br></blockquote></div><br></div>