Dogtag Installation 10.6 on RHEL 8 Failing against NCipher HSM
by David Etchen
Hi All,
I'm doing a basic CA installation of Dogtag 10.6 on RHEL 8 using an NCipher Connect HSM.
Installed Packages
Name : pki-ca
Version : 10.6.9
Release : 2.module+el8+2728+a4ad6bba
Arch : noarch
Size : 2.3 M
Source : pki-core-10.6.9-2.module+el8+2728+a4ad6bba.src.rpm
The installation runs through fine generating the private keys and public certs.
I'm using:
pkispawn -f ca.cfg -s CA -vv
But when it comes to near the end where it tries to fireup the final instance it fails.
>From what I gather from the logs is that it's having trouble understanding which private key is associated with the certificate.
I've had a look in the nssdb and I can see the public and private certs
[root@ ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias -h accelerator -P accelerator
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
accelerator:ca_signing u,u,u
accelerator:ca_ocsp_signing u,u,u
accelerator:subsystem u,u,u
accelerator:ca_audit_signing u,u,u
accelerator:sslserver u,u,u
[root@ ~]# certutil -K -d /var/lib/pki/pki-tomcat/alias -h accelerator -P accelerator
certutil: Checking token "accelerator" in slot "XXXX-XXXX-XXXX Rt1"
< 0> rsa 53d1f55d8615a5bba2f65e24e506a51cc1830803 ca_signing
< 1> rsa 90d57df4f4fd65f3d54c6ee4461c141af59d9ead ca_ocsp_signing
< 2> rsa 3a9abb6b503489a6ebc4601bd4e3358626502325 accelerator:sslserver
< 3> rsa c707ad2ca6ab592c5f2658e92808a2d1952cd2eb subsystem
< 4> rsa 105f918fe93883fcba4a14319b8511b24bee9f7d ca_audit_signing
Debug console output from pkispawn:
configuration : INFO Removing temp SSL server cert from internal token: sslserver
pki.nssdb : DEBUG Command: certutil -F -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmppzqg2r_k/password.txt -n sslserver
configuration : INFO Importing permanent SSL server cert into accelerator token: sslserver
pki.nssdb : DEBUG Command: certutil -A -d /var/lib/pki/pki-tomcat/alias -h accelerator -P accelerator -f /tmp/tmpbt1mgtq4/password.txt -n sslserver -a -i /tmp/tmp6nd6b9ne/sslserver.crt -t
certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN: The operation failed because the PKCS#11 token is not logged in.
pki.nssdb : WARNING certutil returned non-zero exit code (bug #1393668)
pkihelper : INFO Starting pki-tomcat instance
pkihelper : DEBUG Command: systemctl daemon-reload
pkihelper : DEBUG Command: systemctl start pki-tomcatd(a)pki-tomcat.service<mailto:pki-tomcatd@pki-tomcat.service>
pkihelper : INFO FIPS mode is enabled on this operating system.
pkispawn : INFO Checking server at http://sc.test.com:8080/ca
pkispawn : INFO Waiting for server to start (1s)
pkispawn : INFO Waiting for server to start (2s)
pkispawn : INFO Waiting for server to start (3s)
pkispawn : INFO Waiting for server to start (4s)
Installation failed:
<!doctype html><html lang="en"><head><title>HTTP Status 500 - Internal Server Error</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 - Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Subsystem unavailable</p><p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:150)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)
com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:414)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:754)
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1376)
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Thread.java:748)
</pre><p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p><hr class="line" /><h3>Apache Tomcat/9.0.7.redhat-10</h3></body></html>
Debug output from /var/log/pki/pki-tomcat/ca/debug.log
2019-07-01 14:00:57 [main] FINE: CertificateAuthority: size: 977 bytes
2019-07-01 14:00:57 [main] FINE: CertificateAuthority: subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=sc.test.com
2019-07-01 14:00:57 [main] FINE: CertificateAuthority: issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=sc.test.com
2019-07-01 14:00:57 [main] FINE: CA SigningUnit.init(ca, ca.signing, null)
2019-07-01 14:00:57 [main] FINE: Setting ca.signing.newNickname=accelerator:ca_signing
2019-07-01 14:00:57 [main] FINE: SigningUnit: Loading certificate accelerator:ca_signing
2019-07-01 14:00:57 [main] FINE: SigningUnit: certificate serial number: 1
2019-07-01 14:00:57 [main] FINE: SigningUnit: Loading private key
2019-07-01 14:00:57 [main] FINE: SigningUnit: private key ID: 53d1f55d8615a5bba2f65e24e506a51cc1830803
2019-07-01 14:00:57 [main] SEVERE: Exception: Algorithm SHA256withRSA is not supported for the signing token and key
Algorithm SHA256withRSA is not supported for the signing token and key
at com.netscape.ca.SigningUnit.checkSigningAlgorithmFromName(SigningUnit.java:249)
at com.netscape.ca.SigningUnit.init(SigningUnit.java:186)
at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1722)
at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:547)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:975)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:833)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:826)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:491)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:149)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1112)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1079)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:971)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4788)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5100)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:742)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:130)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:151)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:141)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:716)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:703)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:630)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1839)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:525)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:424)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1585)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:308)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:424)
at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:367)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:966)
at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:839)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1427)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1417)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:943)
at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:258)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardService.startInternal(StandardService.java:422)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:770)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.startup.Catalina.start(Catalina.java:682)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:350)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: java.security.InvalidKeyException: org.mozilla.jss.crypto.NoSuchItemOnTokenException: Key is not present on this token
at org.mozilla.jss.pkcs11.PK11Signature.engineInitSign(PK11Signature.java:78)
at org.mozilla.jss.crypto.Signature.initSign(Signature.java:55)
at com.netscape.ca.SigningUnit.checkSigningAlgorithmFromName(SigningUnit.java:235)
... 68 more
I noticed the entry
pki.nssdb : DEBUG Command: certutil -A -d /var/lib/pki/pki-tomcat/alias -h accelerator -P accelerator -f /tmp/tmpbt1mgtq4/password.txt -n sslserver -a -i /tmp/tmp6nd6b9ne/sslserver.crt -t
certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN: The operation failed because the PKCS#11 token is not logged in.
pki.nssdb : WARNING certutil returned non-zero exit code (bug #1393668)
However I believe this relates to an old bug as it indicates using nss with pkcs11 interfaces will fail but when I look in the nssdb the cert is present.
The issue I think is around the system getting access to the private key for the ca_signing cert
Caused by: java.security.InvalidKeyException: org.mozilla.jss.crypto.NoSuchItemOnTokenException: Key is not present on this token
Could it be as simple as it's looking in the local store instead of the HSM backed location as this does have certificates present for some reason.
[root@ ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
ca_signing CT,C,C
ca_audit_signing ,,P
[root@ ~]# certutil -K -d /var/lib/pki/pki-tomcat/alias
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
certutil: no keys found
As expected the local nssdb does not have the keys present.
Any ideas or pointers would be greatly appreciated.
Oh just to add this works on RHEL 7.6 with dogtag 10.5.9
Also not sure why it thinks I'm running in FIPS mode. When I check it seems to suggest not.
[root@ ~]# sysctl crypto.fips_enabled
crypto.fips_enabled = 0
Thanks
Dave Etchen
________________________________
David Etchen
Senior Systems Engineer
NCC Group
XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester, M3 3AQ
Telephone: +44 7703 501 120<tel:+44%207703%20501%20120>
Mobile: +44 7703 501 120<tel:+44%207703%20501%20120>
Website: www.nccgroup.trust<http://www.nccgroup.trust>
Twitter: @NCCGroupplc<https://twitter.com/NCCGroupplc>
[https://www.nccgroup.trust/static/img/emaillogo/ncc-group-logo.png] <http://www.nccgroup.trust/>
________________________________
This email is sent for and on behalf of NCC Group. NCC Group is the trading name of NCC Services Limited (Registered in England CRN: 2802141). The ultimate holding company is NCC Group plc (Registered in England CRN: 4627044). This email may be confidential and/or legally privileged.
5 years, 3 months