<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> <meta name="Generator" content="Microsoft Word 15 (filtered medium)"> <style></style> </head> <body lang="EN-GB" link="#0563C1" vlink="#954F72"> <div class="WordSection1"> Hi All,<o:p></o:p> <o:p> </o:p> I’m doing a basic CA installation of Dogtag 10.6 on RHEL 8 using an NCipher Connect HSM.<o:p></o:p> Installed Packages<o:p></o:p> Name : pki-ca<o:p></o:p> Version : 10.6.9<o:p></o:p> Release : 2.module+el8+2728+a4ad6bba<o:p></o:p> Arch : noarch<o:p></o:p> Size : 2.3 M<o:p></o:p> Source : pki-core-10.6.9-2.module+el8+2728+a4ad6bba.src.rpm<o:p></o:p> <o:p> </o:p> The installation runs through fine generating the private keys and public certs.<o:p></o:p> I’m using:<o:p></o:p> pkispawn -f ca.cfg -s CA -vv<o:p></o:p> <o:p> </o:p> But when it comes to near the end where it tries to fireup the final instance it fails.<o:p></o:p> <o:p> </o:p> From what I gather from the logs is that it’s having trouble understanding which private key is associated with the certificate.<o:p></o:p> <o:p> </o:p> I’ve had a look in the nssdb and I can see the public and private certs<o:p></o:p> [root@ ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias -h accelerator -P accelerator<o:p></o:p> <o:p> </o:p> Certificate Nickname Trust Attributes<o:p></o:p> SSL,S/MIME,JAR/XPI<o:p></o:p> <o:p> </o:p> accelerator:ca_signing u,u,u<o:p></o:p> accelerator:ca_ocsp_signing u,u,u<o:p></o:p> accelerator:subsystem u,u,u<o:p></o:p> accelerator:ca_audit_signing u,u,u<o:p></o:p> accelerator:sslserver u,u,u<o:p></o:p> <o:p> </o:p> <o:p> </o:p> [root@ ~]# certutil -K -d /var/lib/pki/pki-tomcat/alias -h accelerator -P accelerator<o:p></o:p> certutil: Checking token "accelerator" in slot "XXXX-XXXX-XXXX Rt1"<o:p></o:p> < 0> rsa 53d1f55d8615a5bba2f65e24e506a51cc1830803 ca_signing<o:p></o:p> < 1> rsa 90d57df4f4fd65f3d54c6ee4461c141af59d9ead ca_ocsp_signing<o:p></o:p> < 2> rsa 3a9abb6b503489a6ebc4601bd4e3358626502325 accelerator:sslserver<o:p></o:p> < 3> rsa c707ad2ca6ab592c5f2658e92808a2d1952cd2eb subsystem<o:p></o:p> < 4> rsa 105f918fe93883fcba4a14319b8511b24bee9f7d ca_audit_signing<o:p></o:p> <o:p> </o:p> Debug console output from pkispawn:<o:p></o:p> configuration : INFO Removing temp SSL server cert from internal token: sslserver<o:p></o:p> pki.nssdb : DEBUG Command: certutil -F -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmppzqg2r_k/password.txt -n sslserver<o:p></o:p> configuration : INFO Importing permanent SSL server cert into accelerator token: sslserver<o:p></o:p> pki.nssdb : DEBUG Command: certutil -A -d /var/lib/pki/pki-tomcat/alias -h accelerator -P accelerator -f /tmp/tmpbt1mgtq4/password.txt -n sslserver -a -i /tmp/tmp6nd6b9ne/sslserver.crt -t<o:p></o:p> certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN: The operation failed because the PKCS#11 token is not logged in.<o:p></o:p> pki.nssdb : WARNING certutil returned non-zero exit code (bug #1393668)<o:p></o:p> pkihelper : INFO Starting pki-tomcat instance<o:p></o:p> pkihelper : DEBUG Command: systemctl daemon-reload<o:p></o:p> pkihelper : DEBUG Command: systemctl start <a href="mailto:pki-tomcatd@pki-tomcat.service">pki-tomcatd@pki-tomcat.service</a><o:p></o:p> pkihelper : INFO FIPS mode is enabled on this operating system.<o:p></o:p> pkispawn : INFO Checking server at <a href="http://sc.test.com:8080/ca">http://sc.test.com:8080/ca</a><o:p></o:p> pkispawn : INFO Waiting for server to start (1s)<o:p></o:p> pkispawn : INFO Waiting for server to start (2s)<o:p></o:p> pkispawn : INFO Waiting for server to start (3s)<o:p></o:p> pkispawn : INFO Waiting for server to start (4s)<o:p></o:p> <o:p> </o:p> Installation failed:<o:p></o:p> <!doctype html><html lang="en"><head><title>HTTP Status 500 – Internal Server Error</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 – Internal Server Error</h1><hr class="line" />Type Exception ReportMessage Subsystem unavailableDescription The server encountered an unexpected condition that prevented it from fulfilling the request.Exception<pre>javax.ws.rs.ServiceUnavailableException: Subsystem unavailable<o:p></o:p> com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:150)<o:p></o:p> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)<o:p></o:p> com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)<o:p></o:p> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)<o:p></o:p> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)<o:p></o:p> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)<o:p></o:p> org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:414)<o:p></o:p> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)<o:p></o:p> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:754)<o:p></o:p> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1376)<o:p></o:p> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)<o:p></o:p> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)<o:p></o:p> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)<o:p></o:p> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)<o:p></o:p> java.lang.Thread.run(Thread.java:748)<o:p></o:p> </pre>Note The full stack trace of the root cause is available in the server logs.<hr class="line" /><h3>Apache Tomcat/9.0.7.redhat-10</h3></body></html><o:p></o:p> <o:p> </o:p> Debug output from /var/log/pki/pki-tomcat/ca/debug.log<o:p></o:p> 2019-07-01 14:00:57 [main] FINE: CertificateAuthority: size: 977 bytes<o:p></o:p> 2019-07-01 14:00:57 [main] FINE: CertificateAuthority: subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=sc.test.com<o:p></o:p> 2019-07-01 14:00:57 [main] FINE: CertificateAuthority: issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=sc.test.com<o:p></o:p> 2019-07-01 14:00:57 [main] FINE: CA SigningUnit.init(ca, ca.signing, null)<o:p></o:p> 2019-07-01 14:00:57 [main] FINE: Setting ca.signing.newNickname=accelerator:ca_signing<o:p></o:p> 2019-07-01 14:00:57 [main] FINE: SigningUnit: Loading certificate accelerator:ca_signing<o:p></o:p> 2019-07-01 14:00:57 [main] FINE: SigningUnit: certificate serial number: 1<o:p></o:p> 2019-07-01 14:00:57 [main] FINE: SigningUnit: Loading private key<o:p></o:p> 2019-07-01 14:00:57 [main] FINE: SigningUnit: private key ID: 53d1f55d8615a5bba2f65e24e506a51cc1830803<o:p></o:p> 2019-07-01 14:00:57 [main] SEVERE: Exception: Algorithm SHA256withRSA is not supported for the signing token and key<o:p></o:p> Algorithm SHA256withRSA is not supported for the signing token and key<o:p></o:p> at com.netscape.ca.SigningUnit.checkSigningAlgorithmFromName(SigningUnit.java:249)<o:p></o:p> at com.netscape.ca.SigningUnit.init(SigningUnit.java:186)<o:p></o:p> at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1722)<o:p></o:p> at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:547)<o:p></o:p> at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:975)<o:p></o:p> at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:833)<o:p></o:p> at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:826)<o:p></o:p> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:491)<o:p></o:p> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:149)<o:p></o:p> at javax.servlet.GenericServlet.init(GenericServlet.java:158)<o:p></o:p> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<o:p></o:p> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)<o:p></o:p> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<o:p></o:p> at java.lang.reflect.Method.invoke(Method.java:498)<o:p></o:p> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)<o:p></o:p> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)<o:p></o:p> at java.security.AccessController.doPrivileged(Native Method)<o:p></o:p> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)<o:p></o:p> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)<o:p></o:p> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)<o:p></o:p> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)<o:p></o:p> at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1112)<o:p></o:p> at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1079)<o:p></o:p> at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:971)<o:p></o:p> at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4788)<o:p></o:p> at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5100)<o:p></o:p> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)<o:p></o:p> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:742)<o:p></o:p> at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:130)<o:p></o:p> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:151)<o:p></o:p> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:141)<o:p></o:p> at java.security.AccessController.doPrivileged(Native Method)<o:p></o:p> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:716)<o:p></o:p> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:703)<o:p></o:p> at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:630)<o:p></o:p> at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1839)<o:p></o:p> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)<o:p></o:p> at java.util.concurrent.FutureTask.run(FutureTask.java:266)<o:p></o:p> at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)<o:p></o:p> at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)<o:p></o:p> at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:525)<o:p></o:p> at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:424)<o:p></o:p> at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1585)<o:p></o:p> at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:308)<o:p></o:p> at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)<o:p></o:p> at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:424)<o:p></o:p> at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:367)<o:p></o:p> at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:966)<o:p></o:p> at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:839)<o:p></o:p> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)<o:p></o:p> at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1427)<o:p></o:p> at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1417)<o:p></o:p> at java.util.concurrent.FutureTask.run(FutureTask.java:266)<o:p></o:p> at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)<o:p></o:p> at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)<o:p></o:p> at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:943)<o:p></o:p> at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:258)<o:p></o:p> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)<o:p></o:p> at org.apache.catalina.core.StandardService.startInternal(StandardService.java:422)<o:p></o:p> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)<o:p></o:p> at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:770)<o:p></o:p> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)<o:p></o:p> at org.apache.catalina.startup.Catalina.start(Catalina.java:682)<o:p></o:p> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<o:p></o:p> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)<o:p></o:p> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<o:p></o:p> at java.lang.reflect.Method.invoke(Method.java:498)<o:p></o:p> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:350)<o:p></o:p> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)<o:p></o:p> Caused by: java.security.InvalidKeyException: org.mozilla.jss.crypto.NoSuchItemOnTokenException: Key is not present on this token<o:p></o:p> at org.mozilla.jss.pkcs11.PK11Signature.engineInitSign(PK11Signature.java:78)<o:p></o:p> at org.mozilla.jss.crypto.Signature.initSign(Signature.java:55)<o:p></o:p> at com.netscape.ca.SigningUnit.checkSigningAlgorithmFromName(SigningUnit.java:235)<o:p></o:p> ... 68 more<o:p></o:p> <o:p> </o:p> I noticed the entry <o:p></o:p> pki.nssdb : DEBUG Command: certutil -A -d /var/lib/pki/pki-tomcat/alias -h accelerator -P accelerator -f /tmp/tmpbt1mgtq4/password.txt -n sslserver -a -i /tmp/tmp6nd6b9ne/sslserver.crt -t<o:p></o:p> certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN: The operation failed because the PKCS#11 token is not logged in.<o:p></o:p> pki.nssdb : WARNING certutil returned non-zero exit code (bug #1393668)<o:p></o:p> <o:p> </o:p> However I believe this relates to an old bug as it indicates using nss with pkcs11 interfaces will fail but when I look in the nssdb the cert is present.<o:p></o:p> <o:p> </o:p> The issue I think is around the system getting access to the private key for the ca_signing cert<o:p></o:p> Caused by: java.security.InvalidKeyException: org.mozilla.jss.crypto.NoSuchItemOnTokenException: Key is not present on this token<o:p></o:p> <o:p> </o:p> Could it be as simple as it’s looking in the local store instead of the HSM backed location as this does have certificates present for some reason.<o:p></o:p> [root@ ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias<o:p></o:p> <o:p> </o:p> Certificate Nickname Trust Attributes<o:p></o:p> SSL,S/MIME,JAR/XPI<o:p></o:p> <o:p> </o:p> ca_signing CT,C,C<o:p></o:p> ca_audit_signing ,,P<o:p></o:p> <o:p> </o:p> [root@ ~]# certutil -K -d /var/lib/pki/pki-tomcat/alias<o:p></o:p> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"<o:p></o:p> Enter Password or Pin for "NSS Certificate DB":<o:p></o:p> certutil: no keys found<o:p></o:p> <o:p> </o:p> As expected the local nssdb does not have the keys present.<o:p></o:p> <o:p> </o:p> Any ideas or pointers would be greatly appreciated.<o:p></o:p> Oh just to add this works on RHEL 7.6 with dogtag 10.5.9<o:p></o:p> <o:p> </o:p> Also not sure why it thinks I’m running in FIPS mode. When I check it seems to suggest not.<o:p></o:p> [root@ ~]# sysctl crypto.fips_enabled<o:p></o:p> crypto.fips_enabled = 0<o:p></o:p> <o:p> </o:p> Thanks<o:p></o:p> Dave Etchen<o:p></o:p> <o:p> </o:p> </div> <hr> <table width="100%"> <tbody> <tr style="font: 12px arial, sans-serif"> <td>David Etchen Senior Systems Engineer NCC Group XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester, M3 3AQ Telephone: <a href="tel:+44 7703 501 120">+44 7703 501 120</a> Mobile: <a href="tel:+44 7703 501 120">+44 7703 501 120</a> Website: <a href="http://www.nccgroup.trust">www.nccgroup.trust</a> Twitter: <a href="https://twitter.com/NCCGroupplc">@NCCGroupplc</a> </td> <td><a href="http://www.nccgroup.trust/"><img src="https://www.nccgroup.trust/static/img/emaillogo/ncc-group-logo.png" border="0"> </a></td> </tr> </tbody> </table> <hr> This email is sent for and on behalf of NCC Group. NCC Group is the trading name of NCC Services Limited (Registered in England CRN: 2802141). The ultimate holding company is NCC Group plc (Registered in England CRN: 4627044). This email may be confidential and/or legally privileged. </body> </html>