Hi,

Sorry for being soooo long to respond, but I have to switch to another project meanwhile.

I'm trying again to use dogtag with a HSM (with SoftHSM v2.1 this time, because I don't have hardware HSM anymore), and with a fresh new installation (server + dogtag), I still have the same issue during pkispawn - s CA:

pkispawn : INFO ....... configuring PKI configuration data.

pkispawn : ERROR ....... Exception from Java Configuration Servlet: 400 Client Error: Bad Request for url: https://dogtag-ca.qt.cls.fr:8443/ca/rest/installer/configure

pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Invalid Token provided. No such token."}

My CA config file looks like that:

[DEFAULT]

pki_admin_password=Secret123

pki_client_pkcs12_password=Secret123

pki_ds_password=Secret123

# Optionally keep client databases

pki_client_database_purge=False

# Provide HSM parameters

pki_hsm_enable=True

pki_hsm_libfile=/usr/local/lib/softhsm/libsofthsm2.so

pki_hsm_modulename=softhsm

pki_token_name=dogtag1

pki_token_password=hsm_passwd

# Provide PKI-specific HSM token names

pki_audit_signing_token=dogtag1

pki_ssl_server_token=dogtag1

pki_subsystem_token=dogtag1

[CA]

# Provide CA-specific HSM token names

pki_ca_signing_token=dogtag1

pki_ocsp_signing_token=dogtag1

/var/lib/pki/pki-tomcat/ca/logs/debug:

[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: SystemConfigService: configure()

[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: SystemConfigService: request: ConfigurationRequest [pin=XXXX, token=dogtag1, tokenPassword=XXXX, securityDomainType=newdomain, securityDomainUri=null, securityDomainName=qt.cls.fr Security Domain, securityDomainUser=null, securityDomainPassword=XXXX, isClone=false, cloneUri=null, subsystemName=CA dogtag-ca.qt.cls.fr 8443, p12File=null, p12Password=XXXX, hierarchy=root, dsHost=dogtag-ca.qt.cls.fr, dsPort=389, baseDN=o=pki-CLS-CA, bindDN=cn=Directory Manager, bindpwd=XXXX, database=pki-CLS-CA, secureConn=false, removeData=true, replicateSchema=null, masterReplicationPort=null, cloneReplicationPort=null, replicationSecurity=null, systemCertsImported=false, systemCerts=[com.netscape.certsrv.system.SystemCertData@60c8305a, com.netscape.certsrv.system.SystemCertData@7774cd87, com.netscape.certsrv.system.SystemCertData@6f41ab06, com.netscape.certsrv.system.SystemCertData@99112a8, com.netscape.certsrv.system.SystemCertData@28fab920], issuingCA=null, backupKeys=false, backupPassword=, adminCertRequestType=pkcs10, adminSubjectDN=cn=PKI Administrator,e=caadmin@qt.cls.fr,o=qt.cls.fr Security Domain, adminName=caadmin, adminProfileID=caAdminCert, adminCert=null, importAdminCert=false, generateServerCert=true, external=false, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null, generateSubsystemCert=true, sharedDB=false, sharedDBUserDN=null, createNewDB=true, setupReplication=null, subordinateSecurityDomainName=null, reindexData=null]

[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: === Token Authentication ===

[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: Invalid Token provided. No such token.

Versions:

Fedroa 24

Dogtag 10.3.3 (also tested with 10.3.3.3 from git repo)

Does anyone have an idea?

Thanks!

Regards

2016-01-07 18:23 GMT+01:00 Christina Fu <cfu@redhat.com>:

you could normally find more accurate log info giving out more clue under <instance dir>/logs/debug, e.g. /var/lib/ pki/pki-tomcat/ca/logs/debug

Christina

On 01/06/2016 01:54 AM, Lionel Beard wrote:
Hi,

I'm trying to create a CA with a Atos/Bull HSM backend.

I have created a configuration file default_hsm.cfg with hsm options enabled and configured, and I have set HSM token and password.

When I run the command:

# pkispawn -s CA -f /etc/pki/default_hsm.cfg -vvv

I get the error:

pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse>

pkispawn : INFO ....... constructing PKI configuration data.

pkispawn : INFO ....... executing 'certutil -R -d /root/.dogtag/pki-tomcat/ca/alias -s cn=PKI Administrator,e=caadmin@cls.fr,o=cls.fr Security Domain -k rsa -g 2048 -z /root/.dogtag/pki-tomcat/ca/alias/noise -f /root/.dogtag/pki-tomcat/ca/password.conf -o /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'

pkispawn : INFO ....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise

pkispawn : INFO ....... BtoA /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc

pkispawn : INFO ....... configuring PKI configuration data.

pkispawn : ERROR ....... Exception from Java Configuration Servlet: 400 Client Error: Bad Request for url: https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure

pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Invalid Token provided. No such token."}

pkispawn : DEBUG ....... Error Type: ParseError

pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0

pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in main

rv = instance.spawn(deployer)

File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn

json.dumps(data, cls=pki.encoder.CustomTypeEncoder))

File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data

root = ET.fromstring(e.response.text)

File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML

parser.feed(text)

File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed

self._raiseerror(v)

File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror

raise err

Installation failed.

Just after pki service restart.

I don't know which "Token" is it talking about, not sure it is HSM token.

HSM is working fine because it is previously added to database with modutil:

# modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb

Bull TrustWay Proteccio NetHSM 2.4

Configuration read from /etc/proteccio//proteccio.rc

Listing of PKCS #11 Modules

-----------------------------------------------------------

1. NSS Internal PKCS #11 Module

slots: 2 slots attached

status: loaded

slot: NSS Internal Cryptographic Services

token: NSS Generic Crypto Services

slot: NSS User Private Key and Certificate Services

token: NSS Certificate DB

2. nethsm

library name: /usr/lib64/libnethsm.so

slots: 8 slots attached

status: loaded

slot: Trustway Crypto Engine Slot

token: nethsm1_V1

slot: Trustway Crypto Engine Slot

token:

slot: Trustway Crypto Engine Slot

token:

slot: Trustway Crypto Engine Slot

token:

slot: Trustway Crypto Engine Slot

token:

slot: Trustway Crypto Engine Slot

token:

slot: Trustway Crypto Engine Slot

token:

slot: Trustway Crypto Engine Slot

token:

-----------------------------------------------------------

Of course, I have updated default_hsm.cfg file according to Redhat documentation to enable HSM et put HSM token name and password:

# grep hsm /etc/pki/default_hsm.cfg

pki_audit_signing_token=nethsm1_V1

pki_hsm_enable=True

pki_hsm_libfile=/usr/lib64/libnethsm.so

pki_hsm_modulename=nethsm

pki_ssl_server_token=nethsm1_V1

pki_subsystem_token=nethsm1_V1

pki_token_name=nethsm1_V1

pki_storage_token=nethsm1_V1

pki_transport_token=nethsm1_V1

I have tried with interactive installation (so with no HSM), and it is working fine.

Does anyone can help me?

Thanks!
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users