The module loaded fine as reported by output from modutil; however, I had to restart the service in order for the Wizard to pick it up. Keys are now on the HSM.
-----------------------------------------------------------
Dennis Gnatowski
dgnatowski@yahoo.com
From: Christina Fu <cfu@redhat.com>
To: pki-users@redhat.com
Sent: Wednesday, November 5, 2014 9:10 PM
Subject: Re: [Pki-users] CA integration and installation with HSM
You might want to check the basics first.

If you cd into your <dogtag instance directory>/alias and perform

modutil -dbdir . -list

What do you see?

If you don't see the module, that means your HSM has not been loaded correctly. If loaded correctly you should see info on the library name, slots and status: loaded.

The library doesn't have to be in a specific location, but when you use modutil to add you need to specify the libfile so it knows where to go. Normally it is at /usr/lunasa/lib/ though.

I'll let someone who has knowledge about the pkispawn issue answer the rest of the question. Until then, you can try the above just to see if your HSM has been loaded correctly.
Christina
On 11/05/2014 02:28 PM, Dennis Gnatowski wrote:

I'm using Dogtag 10.1.1 with SafeNet Luna SA HSM. I changed the flags in the default.cfg file, performed the install, then added the PKCS#11 library to secmod. However, either using the Wizard to do the configuration or modifying the default.cfg file again and using pkispawn failed to get CA keys generated on the HSM. The Wizard doesn't see the SafeNet library (does it have to be in a specific directory?) and pkispawn throws an error "pkispawn : ERROR ....... KeyError: 'pki_uid'!"

I noticed this was reported in ticket #905.
-----------------------------------------------------------
Dennis Gnatowski
dgnatowski@yahoo.com
What are the steps to integrate DogTag (Root) CA with an HSM? Does this have to occur during installation?

I've successfully performed a general installation with CA keys in software. I was then able to modify secmod.db to add the HSM library and restart the system. I can both use command line utilities (certutil) and GUI (pkiconsole) to create keys on the HSM. Re-keying the caSigning certificate works, but the CA certificate is issued (issuer) by the original software-based issuer (therefore NOT a self-signed CA cert!). So I assume this has to be done during initial installation (custom install). But how do I get the HSM PKCS#11 library added/included with the custom install?
-----------------------------------------------------------
Dennis Gnatowski dgnatowski@yahoo.com
Adding the PKCS #11 module to secmod.db should happen after the pkicreate and just before running the silent install or the web based configuration wizard.

In Dogtag 10, when using pkispawn, you can split the install and config steps in two using the flags pki_skip_configuration and pki_skip_installation.
M.
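The `modutil -dbdir . -list` check Christina describes above, turned into a scripted pre-flight test that can gate the configuration step. This is an added example, not code from the thread or from Dogtag: the listing it parses is a constructed sample of `modutil -list` output, and the module name "lunasa" and the library file name under /usr/lunasa/lib/ are assumptions.

```shell
#!/bin/sh
# Constructed sample of `modutil -dbdir <instance>/alias -list` output (not captured
# from a real instance). Module 2 stands in for a SafeNet Luna module added under
# the assumed name "lunasa"; the library file name is likewise assumed.
SAMPLE_LISTING='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

  2. lunasa
    library name: /usr/lunasa/lib/libCryptoki2_64.so
     slots: 1 slot attached
    status: loaded

     slot: LunaNet Slot
    token: dogtag-ca
-----------------------------------------------------------'

# module_status LISTING MODULE
# Prints "library=<path> status=<status>" for MODULE, or "missing" if it is absent.
module_status() {
  printf '%s\n' "$1" | awk -v want="$2" '
    # A module header looks like "  N. <module name>"; remember which module we are in.
    /^ *[0-9]+\. / { sub(/^ *[0-9]+\. /, ""); name = $0; next }
    name == want && /^[ \t]*library name:/ { sub(/^[ \t]*library name:[ \t]*/, ""); lib = $0 }
    name == want && /^[ \t]*status:/       { sub(/^[ \t]*status:[ \t]*/, ""); st = $0 }
    END {
      if (st == "") print "missing"
      else printf "library=%s status=%s\n", (lib == "" ? "(none)" : lib), st
    }'
}

# hsm_loaded LISTING MODULE: succeed only if MODULE is listed with "status: loaded",
# i.e. the library path was accepted and NSS could actually open it.
hsm_loaded() {
  case "$(module_status "$1" "$2")" in
    *"status=loaded") return 0 ;;
    *) return 1 ;;
  esac
}

# Against a live instance (path and module name are placeholders):
#   hsm_loaded "$(modutil -dbdir /var/lib/pki/<instance>/alias -list)" lunasa || exit 1
```

Running the check before the silent install or the configuration wizard, as M. suggests for the ordering, catches a module that was added but never actually loaded before any CA key generation is attempted.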