[Pki-users] Unable to spawn CA when using HSM

Christina Fu cfu at redhat.com
Thu Jan 7 17:23:53 UTC 2016


You can normally find more accurate log info, giving more clues, 
under <instance dir>/logs/debug, e.g. /var/lib/pki/pki-tomcat/ca/logs/debug

Christina

On 01/06/2016 01:54 AM, Lionel Beard wrote:
> Hi,
>
> I'm trying to create a CA with an Atos/Bull HSM backend.
> I have created a configuration file default_hsm.cfg with hsm options 
> enabled and configured, and I have set HSM token and password.
>
> When I run the command:
> # pkispawn -s CA -f /etc/pki/default_hsm.cfg -vvv
> I get the error:
>
> pkispawn    : DEBUG  ........... <?xml version="1.0" encoding="UTF-8" 
> standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse>
> pkispawn    : INFO   ....... constructing PKI configuration data.
> pkispawn    : INFO   ....... executing 'certutil -R -d 
> /root/.dogtag/pki-tomcat/ca/alias -s cn=PKI 
> Administrator,e=caadmin at cls.fr,o=cls.fr 
> Security Domain -k rsa -g 2048 -z 
> /root/.dogtag/pki-tomcat/ca/alias/noise -f 
> /root/.dogtag/pki-tomcat/ca/password.conf -o 
> /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'
> pkispawn    : INFO   ....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise
> pkispawn    : INFO   ....... BtoA 
> /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin 
> /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
> pkispawn    : INFO   ....... configuring PKI configuration data.
> pkispawn    : ERROR  ....... Exception from Java Configuration 
> Servlet: 400 Client Error: Bad Request for url: 
> https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure
> pkispawn    : ERROR  ....... ParseError: not well-formed (invalid 
> token): line 1, column 0: 
> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Invalid 
> Token provided. No such token."}
> pkispawn    : DEBUG  ....... Error Type: ParseError
> pkispawn    : DEBUG  ....... Error Message: not well-formed (invalid 
> token): line 1, column 0
> pkispawn    : DEBUG  .......   File "/usr/sbin/pkispawn", line 597, in 
> main
>     rv = instance.spawn(deployer)
>   File 
> "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", 
> line 116, in spawn
>     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>   File 
> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", 
> line 3872, in configure_pki_data
>     root = ET.fromstring(e.response.text)
>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
>     parser.feed(text)
>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
> self._raiseerror(v)
>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in 
> _raiseerror
>     raise err
>
>
> Installation failed.
>
> Just after pki service restart.
> I don't know which "Token" it is talking about; I'm not sure it is the HSM token.
> The HSM is working fine because it was previously added to the database with 
> modutil:
>
> # modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb
>
> Bull TrustWay Proteccio NetHSM 2.4
>
> Configuration read from /etc/proteccio//proteccio.rc
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>          slots: 2 slots attached
>         status: loaded
>
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
>
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
>
>   2. nethsm
>         library name: /usr/lib64/libnethsm.so
>          slots: 8 slots attached
>         status: loaded
>
>          slot: Trustway Crypto Engine Slot
>         token: nethsm1_V1
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
> -----------------------------------------------------------
>
> Of course, I have updated the default_hsm.cfg file according to the Red Hat 
> documentation to enable the HSM and put in the HSM token name and password:
> # grep hsm /etc/pki/default_hsm.cfg
> pki_audit_signing_token=nethsm1_V1
> pki_hsm_enable=True
> pki_hsm_libfile=/usr/lib64/libnethsm.so
> pki_hsm_modulename=nethsm
> pki_ssl_server_token=nethsm1_V1
> pki_subsystem_token=nethsm1_V1
> pki_token_name=nethsm1_V1
> pki_storage_token=nethsm1_V1
> pki_transport_token=nethsm1_V1
>
> I have tried with interactive installation (so with no HSM), and it is 
> working fine.
>
> Can anyone help me?
>
> Thanks!
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
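The "Invalid Token provided. No such token" error above is raised when a token name in the pkispawn .cfg does not match a token that NSS can actually see. The following diagnostic script is an added example for this thread, not code from the Dogtag/pki project or from either poster: it parses the plain-text `modutil -list` output and the `key=value` .cfg layout shown above and reports any `pki_*_token` value (or `pki_hsm_libfile`) that does not correspond to a loaded module. The sample texts are constructed from the thread so the script runs offline; the assumption that the value `internal` always refers to the NSS software token, and is therefore not checked, is the author's, not the project's.

```python
"""Cross-check pkispawn HSM token settings against the tokens NSS reports.

Added diagnostic example (not part of the thread or of the pki project).
Assumes the text layout of `modutil -list` and of a pkispawn .cfg file as
shown in the thread. On a real system, read the output of
`modutil -list -dbdir <alias dir> -nocertdb` and the .cfg file instead of
the constructed samples below.
"""
import re

# Constructed sample: abridged shape of the `modutil -list` output in the thread.
SAMPLE_MODUTIL = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. nethsm
        library name: /usr/lib64/libnethsm.so
         slots: 8 slots attached
        status: loaded

         slot: Trustway Crypto Engine Slot
        token: nethsm1_V1

         slot: Trustway Crypto Engine Slot
        token:
-----------------------------------------------------------
"""

# Constructed sample .cfg: the thread's settings plus one deliberate typo
# in pki_storage_token so the check has something to report.
SAMPLE_CFG = """\
pki_audit_signing_token=nethsm1_V1
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/libnethsm.so
pki_hsm_modulename=nethsm
pki_ssl_server_token=nethsm1_V1
pki_subsystem_token=nethsm1_V1
pki_token_name=nethsm1_V1
pki_storage_token=nethsm1-V1
pki_transport_token=nethsm1_V1
"""

MODULE_RE = re.compile(r"^\s*\d+\.\s+(.+?)\s*$")  # e.g. "  2. nethsm"


def parse_modutil(text):
    """Return {module: {"library": path or None, "tokens": set of names}}.

    A `token:` line with nothing after the colon is an empty slot and is
    skipped, so only tokens NSS can address by name are returned.
    """
    modules, current = {}, None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            current = m.group(1)
            modules[current] = {"library": None, "tokens": set()}
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("library name:"):
            modules[current]["library"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("token:"):
            name = stripped.split(":", 1)[1].strip()
            if name:
                modules[current]["tokens"].add(name)
    return modules


def parse_cfg(text):
    """Parse `key=value` lines; blank lines and `#` comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def check_hsm_config(cfg, modules):
    """Return a list of problem strings; an empty list means every token
    setting names a token that the configured HSM module really exposes."""
    problems = []
    if cfg.get("pki_hsm_enable", "False").lower() != "true":
        return problems  # software tokens only: nothing to cross-check
    modname = cfg.get("pki_hsm_modulename")
    if modname not in modules:
        problems.append("pki_hsm_modulename=%r is not a loaded PKCS #11 module" % modname)
        return problems
    mod = modules[modname]
    libfile = cfg.get("pki_hsm_libfile")
    if mod["library"] and libfile != mod["library"]:
        problems.append("pki_hsm_libfile=%r differs from module library %r" % (libfile, mod["library"]))
    for key, value in sorted(cfg.items()):
        if key != "pki_token_name" and not key.endswith("_token"):
            continue
        if value.lower() == "internal":  # assumption: NSS software token, skip
            continue
        if value not in mod["tokens"]:
            problems.append("%s=%r: no such token on module %r (available: %s)"
                            % (key, value, modname, sorted(mod["tokens"])))
    return problems


if __name__ == "__main__":
    for p in check_hsm_config(parse_cfg(SAMPLE_CFG), parse_modutil(SAMPLE_MODUTIL)):
        print("PROBLEM:", p)
```

Run against the samples, it flags only the mistyped `pki_storage_token`; with the thread's real settings, where every value is `nethsm1_V1` and that token is listed under `nethsm`, it reports nothing, which is why the debug log Christina points to is the next place to look rather than the .cfg itself.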
