10:47 a.m.
Hi,
Sorry for being soooo long to respond, but I have to switch to another
project meanwhile.
I'm trying again to use dogtag with a HSM (with SoftHSM v2.1 this time,
because I don't have hardware HSM anymore), and with a fresh new
installation (server + dogtag), I still have the same issue during pkispawn
- s CA:
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : ERROR ....... Exception from Java Configuration Servlet:
400 Client Error: Bad Request for url:
https://dogtag-ca.qt.cls.fr:8443/ca/rest/installer/configure
pkispawn : ERROR ....... ParseError: not well-formed (invalid token):
line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Invalid
Token provided. No such token."}
My CA config file looks like that:
[DEFAULT]
pki_admin_password=Secret123
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123
# Optionally keep client databases
pki_client_database_purge=False
# Provide HSM parameters
pki_hsm_enable=True
pki_hsm_libfile=/usr/local/lib/softhsm/libsofthsm2.so
pki_hsm_modulename=softhsm
pki_token_name=dogtag1
pki_token_password=hsm_passwd
# Provide PKI-specific HSM token names
pki_audit_signing_token=dogtag1
pki_ssl_server_token=dogtag1
pki_subsystem_token=dogtag1
[CA]
# Provide CA-specific HSM token names
pki_ca_signing_token=dogtag1
pki_ocsp_signing_token=dogtag1
/var/lib/pki/pki-tomcat/ca/logs/debug:
[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: SystemConfigService:
configure()
[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: SystemConfigService: request:
ConfigurationRequest [pin=XXXX, token=dogtag1, tokenPassword=XXXX,
securityDomainType=newdomain, securityDomainUri=null, securityDomainName=
qt.cls.fr Security Domain, securityDomainUser=null,
securityDomainPassword=XXXX, isClone=false, cloneUri=null, subsystemName=CA
dogtag-ca.qt.cls.fr 8443, p12File=null, p12Password=XXXX, hierarchy=root,
dsHost=dogtag-ca.qt.cls.fr, dsPort=389, baseDN=o=pki-CLS-CA,
bindDN=cn=Directory Manager, bindpwd=XXXX, database=pki-CLS-CA,
secureConn=false, removeData=true, replicateSchema=null,
masterReplicationPort=null, cloneReplicationPort=null,
replicationSecurity=null, systemCertsImported=false,
systemCerts=[com.netscape.certsrv.system.SystemCertData@60c8305a,
com.netscape.certsrv.system.SystemCertData@7774cd87,
com.netscape.certsrv.system.SystemCertData@6f41ab06,
com.netscape.certsrv.system.SystemCertData@99112a8,
com.netscape.certsrv.system.SystemCertData@28fab920], issuingCA=null,
backupKeys=false, backupPassword=, adminCertRequestType=pkcs10,
adminSubjectDN=cn=PKI Administrator,e=caadmin(a)qt.cls.fr,o=qt.cls.fr
Security Domain, adminName=caadmin, adminProfileID=caAdminCert,
adminCert=null, importAdminCert=false, generateServerCert=true,
external=false, standAlone=false, stepTwo=false, authdbBaseDN=null,
authdbHost=null, authdbPort=null, authdbSecureConn=null, caUri=null,
kraUri=null, tksUri=null, enableServerSideKeyGen=null,
importSharedSecret=null, generateSubsystemCert=true, sharedDB=false,
sharedDBUserDN=null, createNewDB=true, setupReplication=null,
subordinateSecurityDomainName=null, reindexData=null]
[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: === Token Authentication ===
[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: Invalid Token provided. No
such token.
Versions:
Fedroa 24
Dogtag 10.3.3 (also tested with 10.3.3.3 from git repo)
Does anyone have an idea?
Thanks!
Regards
2016-01-07 18:23 GMT+01:00 Christina Fu <cfu(a)redhat.com>:
you could normally find more accurate log info giving out more clue
under
<instance dir>/logs/debug, e.g. /var/lib/ pki/pki-tomcat/ca/logs/debug
Christina
On 01/06/2016 01:54 AM, Lionel Beard wrote:
Hi,
I'm trying to create a CA with a Atos/Bull HSM backend.
I have created a configuration file default_hsm.cfg with hsm options
enabled and configured, and I have set HSM token and password.
When I run the command:
# pkispawn -s CA -f /etc/pki/default_hsm.cfg -vvv
I get the error:
pkispawn : DEBUG ........... <?xml version="1.0"
encoding="UTF-8"
standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse>
pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : INFO ....... executing 'certutil -R -d
/root/.dogtag/pki-tomcat/ca/alias -s cn=PKI Administrator,e=caadmin(a)cls.fr
,o=cls.fr Security Domain -k rsa -g 2048 -z
/root/.dogtag/pki-tomcat/ca/alias/noise -f
/root/.dogtag/pki-tomcat/ca/password.conf -o
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'
pkispawn : INFO ....... rm -f
/root/.dogtag/pki-tomcat/ca/alias/noise
pkispawn : INFO ....... BtoA
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin
/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : ERROR ....... Exception from Java Configuration Servlet:
400 Client Error: Bad Request for url:
<https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure>
https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure
pkispawn : ERROR ....... ParseError: not well-formed (invalid
token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"*Invalid
Token provided. No such token*."}
pkispawn : DEBUG ....... Error Type: ParseError
pkispawn : DEBUG ....... Error Message: not well-formed (invalid
token): line 1, column 0
pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in
main
rv = instance.spawn(deployer)
File
"/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 116, in spawn
json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
File
"/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line
3872, in configure_pki_data
root = ET.fromstring(e.response.text)
File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
parser.feed(text)
File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
self._raiseerror(v)
File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in
_raiseerror
raise err
Installation failed.
Just after pki service restart.
I don't know which "Token" is it talking about, not sure it is HSM token.
HSM is working fine because it is previously added to database with
modutil:
# modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb
Bull TrustWay Proteccio NetHSM 2.4
Configuration read from /etc/proteccio//proteccio.rc
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. nethsm
library name: /usr/lib64/libnethsm.so
slots: 8 slots attached
status: loaded
slot: Trustway Crypto Engine Slot
token: nethsm1_V1
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
slot: Trustway Crypto Engine Slot
token:
-----------------------------------------------------------
Of course, I have updated default_hsm.cfg file according to Redhat
documentation to enable HSM et put HSM token name and password:
# grep hsm /etc/pki/default_hsm.cfg
pki_audit_signing_token=nethsm1_V1
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/libnethsm.so
pki_hsm_modulename=nethsm
pki_ssl_server_token=nethsm1_V1
pki_subsystem_token=nethsm1_V1
pki_token_name=nethsm1_V1
pki_storage_token=nethsm1_V1
pki_transport_token=nethsm1_V1
I have tried with interactive installation (so with no HSM), and it is
working fine.
Does anyone can help me?
Thanks!
_______________________________________________
Pki-users mailing
listPki-users@redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users