Unable to spawn CA when using HSM
by Lionel Beard
Hi,
I'm trying to create a CA with a Atos/Bull HSM backend.
I have created a configuration file default_hsm.cfg with hsm options
enabled and configured, and I have set HSM token and password.
When I run the command:
# pkispawn -s CA -f /etc/pki/default_hsm.cfg -vvv
I get the error:
pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse>
pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : INFO ....... executing 'certutil -R -d
/root/.dogtag/pki-tomcat/ca/alias -s cn=PKI Administrator,e=caadmin(a)cls.fr
,o=cls.fr Security Domain -k rsa -g 2048 -z
/root/.dogtag/pki-tomcat/ca/alias/noise -f
/root/.dogtag/pki-tomcat/ca/password.conf -o
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'
pkispawn : INFO ....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise
pkispawn : INFO ....... BtoA
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : ERROR ....... Exception from Java Configuration Servlet:
400 Client Error: Bad Request for url:
https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure
pkispawn : ERROR ....... ParseError: not well-formed (invalid token):
line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"*Invalid
Token provided. No such token*."}
pkispawn : DEBUG ....... Error Type: ParseError
pkispawn : DEBUG ....... Error Message: not well-formed (invalid
token): line 1, column 0
pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in
main
rv = instance.spawn(deployer)
File
"/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 116, in spawn
json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
File
"/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line
3872, in configure_pki_data
root = ET.fromstring(e.response.text)
File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
parser.feed(text)
File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
self._raiseerror(v)
File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in
_raiseerror
raise err
Installation failed.
Just after pki service restart.
I don't know which "Token" is it talking about, not sure it is HSM token.
HSM is working fine because it is previously added to database with modutil:
# modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb
Bull TrustWay Proteccio NetHSM 2.4
Configuration read from /etc/proteccio//proteccio.rc
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. nethsm
library name: /usr/lib64/libnethsm.so
slots: 8 slots attached
status: loaded
slot: Trustway Crypto Engine Slot
token: nethsm1_V1
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
-----------------------------------------------------------
Of course, I have updated default_hsm.cfg file according to Redhat
documentation to enable HSM et put HSM token name and password:
# grep hsm /etc/pki/default_hsm.cfg
pki_audit_signing_token=nethsm1_V1
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/libnethsm.so
pki_hsm_modulename=nethsm
pki_ssl_server_token=nethsm1_V1
pki_subsystem_token=nethsm1_V1
pki_token_name=nethsm1_V1
pki_storage_token=nethsm1_V1
pki_transport_token=nethsm1_V1
I have tried with interactive installation (so with no HSM), and it is
working fine.
Does anyone can help me?
Thanks!
8 years, 4 months
Renew expired OCSP system certificates
by pki tech
Hi all,
Good day to you all.
What is the process to renew all the four system certificates
(SubsystemCert, ServerCert, ocspSigningCert and AuditsigningCert) when
those existing certificates are currently expired. I cant access the
pkiconsole also as the system is not up and running.
I have used the certutil to generate the certificate requests and get it
signed by the CA. But it didn't work as expected. I believe the procedure
that i have followed to request generation or the signing profiles used for
the generation, may have some issues.
Cheers.
Regards,
Mark
8 years, 4 months
base64 CMC Request format
by Elliott William C OSS sIT
Hi all,
Can Dogtag (in this case v. 9.0.3-30.el6 ) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming?
We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
Thanks and best regards,
William Elliott
s IT Solutions
Open System Services
8 years, 4 months
Rewrite of Subject in profile
by Supper Florian OSS sIT
Hi and good morning.
I get some request from mobile devices which are very poor.
Subject: CN=B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\x00
With this subject name, it is not possible to enroll a certificate, because of the " \x00" at the end..
So i'm compelled to rewrite the Subject name. In the first way I only want to remove the "\x00" characters from CN.
I've tried some pattern and configs, but it doesn't work.
Does one of you knows how this could work?
policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
policyset.cmcUserCertSet.1.constraint.params.accept=true
policyset.cmcUserCertSet.1.constraint.params.pattern=.*
policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.cmcUserCertSet.1.default.name=Subject Name Default
policyset.cmcUserCertSet.1.default.params.name=.*CN=...................................
In the second way, i want to set the whole subject like this below. But I want to use the CN which comes in the csr.
Subject: C=AT, ST=Vienna, L=Vienna, O=My Company GmbH, OU=MYORGUNIT, CN=mycn.example.com /emailAddress=pki-AT-example.com
Thanks for your help.
BR
Florian
8 years, 8 months