[Pki-users] Unable to spawn CA when using HSM

Lionel Beard beard.lionel at gmail.com
Wed Jan 6 09:54:00 UTC 2016


Hi,

I'm trying to create a CA with an Atos/Bull HSM backend.
I have created a configuration file default_hsm.cfg with hsm options
enabled and configured, and I have set HSM token and password.

When I run the command:
# pkispawn -s CA -f /etc/pki/default_hsm.cfg -vvv
I get the error:

pkispawn    : DEBUG    ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse>
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... executing 'certutil -R -d /root/.dogtag/pki-tomcat/ca/alias -s cn=PKI Administrator,e=caadmin@cls.fr,o=cls.fr Security Domain -k rsa -g 2048 -z /root/.dogtag/pki-tomcat/ca/alias/noise -f /root/.dogtag/pki-tomcat/ca/password.conf -o /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'
pkispawn    : INFO     ....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise
pkispawn    : INFO     ....... BtoA /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 400 Client Error: Bad Request for url: https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Invalid Token provided. No such token."}
pkispawn    : DEBUG    ....... Error Type: ParseError
pkispawn    : DEBUG    ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err


Installation failed.

This happens just after the pki service restart.
I don't know which "Token" it is talking about; I'm not sure it is the HSM token.
The HSM is working fine, because it was previously added to the database with modutil:

# modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb

Bull TrustWay Proteccio NetHSM 2.4

Configuration read from /etc/proteccio//proteccio.rc

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. nethsm
        library name: /usr/lib64/libnethsm.so
         slots: 8 slots attached
        status: loaded

         slot: Trustway Crypto Engine Slot
        token: nethsm1_V1

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:
-----------------------------------------------------------

Of course, I have updated the default_hsm.cfg file according to the Red Hat
documentation to enable the HSM and put in the HSM token name and password:
# grep hsm /etc/pki/default_hsm.cfg
pki_audit_signing_token=nethsm1_V1
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/libnethsm.so
pki_hsm_modulename=nethsm
pki_ssl_server_token=nethsm1_V1
pki_subsystem_token=nethsm1_V1
pki_token_name=nethsm1_V1
pki_storage_token=nethsm1_V1
pki_transport_token=nethsm1_V1

I have tried an interactive installation (so with no HSM), and that works fine.

Can anyone help me?

Thanks!
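Two things a reader of this post will want to check before going further: that every token label named in default_hsm.cfg is one that NSS actually exposes for the instance database (the listing above is what `modutil -list` sees; PKCS#11 token labels are compared case-sensitively), and what the installer servlet really said, since the traceback shows pkihelper calling `ET.fromstring()` on a response body that is JSON, which is why the useful message ("Invalid Token provided. No such token.") is buried under a ParseError. The script below is an added example written for this thread, not code from the poster or from Dogtag/pkispawn. It assumes the `modutil -list` and cfg formats shown in the post; the sample texts are constructed from that post, with one cfg value (`pki_storage_token=nethsm1_v1`) deliberately altered so the check has something to report.

```python
"""Diagnostics for a pkispawn HSM install failing with 'No such token'.

Added example, not code from the original post or from Dogtag/pkispawn.
Assumes the 'modutil -list' and pkispawn cfg formats shown in the thread.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copy of the 'modutil -list' output from the post.
MODUTIL_LIST = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. nethsm
        library name: /usr/lib64/libnethsm.so
         slots: 8 slots attached
        status: loaded

         slot: Trustway Crypto Engine Slot
        token: nethsm1_V1

         slot: Trustway Crypto Engine Slot
        token:
-----------------------------------------------------------
"""

# Constructed sample: the HSM keys from the post's cfg, with
# pki_storage_token deliberately misspelt (lower-case v) for demonstration.
HSM_CFG = """\
pki_audit_signing_token=nethsm1_V1
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/libnethsm.so
pki_hsm_modulename=nethsm
pki_ssl_server_token=nethsm1_V1
pki_subsystem_token=nethsm1_V1
pki_token_name=nethsm1_V1
pki_storage_token=nethsm1_v1
pki_transport_token=nethsm1_V1
"""


def parse_modutil_tokens(text):
    """Map module name -> set of non-empty token labels from 'modutil -list'."""
    tokens = {}
    module = None
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\.\s+(.+?)\s*$", line)   # "  2. nethsm"
        if m:
            module = m.group(1)
            tokens[module] = set()
            continue
        m = re.match(r"^\s*token:\s*(.*?)\s*$", line)  # "token: nethsm1_V1"
        if m and module is not None and m.group(1):     # skip empty slots
            tokens[module].add(m.group(1))
    return tokens


def parse_cfg(text):
    """key=value lines of a pkispawn cfg; blanks and '#' comments ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        cfg[k.strip()] = v.strip()
    return cfg


def check_token_names(cfg, tokens):
    """Return {cfg_key: value} for each *_token / pki_token_name entry that
    no loaded module exposes.  Labels are case-sensitive in NSS/PKCS#11."""
    known = set().union(*tokens.values()) if tokens else set()
    return {k: v for k, v in cfg.items()
            if (k.endswith("_token") or k == "pki_token_name")
            and v and v not in known}


def module_loaded(cfg, tokens):
    """pki_hsm_modulename must be a module name that modutil lists."""
    return cfg.get("pki_hsm_modulename") in tokens


def installer_error_message(body):
    """Pull 'Message' out of an installer error body whether the server sent
    JSON (as in the post) or XML; pkihelper only tries XML, hence ParseError."""
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if isinstance(data, dict):
        return data.get("Message")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find("Message")
    return node.text if node is not None else None


if __name__ == "__main__":
    toks = parse_modutil_tokens(MODUTIL_LIST)
    cfg = parse_cfg(HSM_CFG)
    print("HSM module loaded:", module_loaded(cfg, toks))
    for key, val in sorted(check_token_names(cfg, toks).items()):
        print("%s=%s: no such token in 'modutil -list'" % (key, val))
    body = ('{"Attributes":{"Attribute":[]},"ClassName":'
            '"com.netscape.certsrv.base.BadRequestException","Code":400,'
            '"Message":"Invalid Token provided. No such token."}')
    print("server said:", installer_error_message(body))
```

Run it against the real files by replacing the two sample strings with the output of `modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb` and the contents of /etc/pki/default_hsm.cfg. A clean result from the name check does not prove the server-side cause; it only rules out the most common one.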