Hi,

I'm trying to create a CA with an Atos/Bull HSM backend. I have created a configuration file default_hsm.cfg with the HSM options enabled and configured, and I have set the HSM token and password.

When I run the command:

# pkispawn -s CA -f /etc/pki/default_hsm.cfg -vvv

I get the error:
pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse>
pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : INFO ....... executing 'certutil -R -d /root/.dogtag/pki-tomcat/ca/alias -s cn=PKI Administrator,e=caadmin@cls.fr,o=cls.fr Security Domain -k rsa -g 2048 -z /root/.dogtag/pki-tomcat/ca/alias/noise -f /root/.dogtag/pki-tomcat/ca/password.conf -o /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'
pkispawn : INFO ....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise
pkispawn : INFO ....... BtoA /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Invalid Token provided. No such token."}
pkispawn : DEBUG ....... Error Type: ParseError
pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn : DEBUG .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err

Installation failed.
This happens just after the pki service restart.

I don't know which "Token" it is talking about; I'm not sure it is the HSM token.

The HSM is working fine, because it was previously added to the database with modutil:
# modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb
Bull TrustWay Proteccio NetHSM 2.4
Configuration read from /etc/proteccio//proteccio.rc

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. nethsm
        library name: /usr/lib64/libnethsm.so
         slots: 8 slots attached
        status: loaded

         slot: Trustway Crypto Engine Slot
        token: nethsm1_V1

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:
-----------------------------------------------------------
Of course, I have updated the default_hsm.cfg file according to the Red Hat documentation to enable the HSM and set the HSM token name and password:

# grep hsm /etc/pki/default_hsm.cfg
pki_audit_signing_token=nethsm1_V1
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/libnethsm.so
pki_hsm_modulename=nethsm
pki_ssl_server_token=nethsm1_V1
pki_subsystem_token=nethsm1_V1
pki_token_name=nethsm1_V1
pki_storage_token=nethsm1_V1
pki_transport_token=nethsm1_V1
I have tried an interactive installation (so with no HSM), and it works fine.

Can anyone help me?

Thanks!
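A cross-check a practitioner would run before re-running pkispawn, added here as an example that is not part of the original post and not Dogtag/pki-server code: the 400 body quoted in the trace is a JSON response from the CA ("Invalid Token provided. No such token."), which pkispawn then fails to parse as XML, so the message to chase is the server's token lookup. The script below parses the text that `modutil -list` prints (the sample is constructed from the post's output, with the empty HSM slots trimmed to two) and the key=value lines of a pkispawn config, then reports every `*_token`/`pki_token_name` value that is not the label of an attached token, plus any `pki_hsm_modulename`/`pki_hsm_libfile` mismatch. The `INTERNAL_ALIASES` set (labels pkispawn accepts for the NSS software token) and the mis-cased `BAD_CFG` variant are assumptions/constructed inputs for the demonstration.

```python
"""Cross-check pkispawn HSM token settings against `modutil -list` output.

Added example, not from the original post or from Dogtag. Run it against the
NSS database the CA itself uses (/etc/pki/pki-tomcat/alias in the post): a
matching label in some other database proves nothing about what the server sees.
"""
import re

# Constructed from the post's `modutil -list` output (empty HSM slots trimmed to two).
MODUTIL_OUTPUT = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. nethsm
        library name: /usr/lib64/libnethsm.so
         slots: 8 slots attached
        status: loaded

         slot: Trustway Crypto Engine Slot
        token: nethsm1_V1

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:
-----------------------------------------------------------
"""

# The `grep hsm` lines from the post's default_hsm.cfg.
HSM_CFG = """\
pki_audit_signing_token=nethsm1_V1
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/libnethsm.so
pki_hsm_modulename=nethsm
pki_ssl_server_token=nethsm1_V1
pki_subsystem_token=nethsm1_V1
pki_token_name=nethsm1_V1
pki_storage_token=nethsm1_V1
pki_transport_token=nethsm1_V1
"""

# Constructed variant: one label mis-cased, which PKCS#11 treats as a different token.
BAD_CFG = HSM_CFG.replace("pki_storage_token=nethsm1_V1", "pki_storage_token=nethsm1_v1")

# Labels pkispawn accepts for the NSS software token (assumption, per pkispawn defaults).
INTERNAL_ALIASES = {"internal", "Internal Key Storage Token"}


def parse_modutil(text):
    """Return {module_name: {"library": path|None, "tokens": [labels], "empty_slots": n}}."""
    modules, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\.\s+(.+?)\s*$", line)   # "  2. nethsm"
        if m:
            current = {"library": None, "tokens": [], "empty_slots": 0}
            modules[m.group(1)] = current
            continue
        if current is None:
            continue
        m = re.match(r"^\s*library name:\s*(\S+)", line)
        if m:
            current["library"] = m.group(1)
            continue
        m = re.match(r"^\s*token:(.*)$", line)        # blank label = uninitialised slot
        if m:
            label = m.group(1).strip()
            if label:
                current["tokens"].append(label)
            else:
                current["empty_slots"] += 1
    return modules


def parse_cfg(text):
    """Flatten pkispawn's INI-style config into a dict (sections and comments skipped)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def check_tokens(cfg, modules):
    """Return a list of human-readable problems; empty means every label resolves."""
    problems = []
    labels = {t for mod in modules.values() for t in mod["tokens"]}
    if cfg.get("pki_hsm_enable", "").lower() == "true":
        name = cfg.get("pki_hsm_modulename", "")
        mod = modules.get(name)
        if mod is None:
            problems.append("pki_hsm_modulename=%s: module not listed by modutil" % name)
        elif mod["library"] != cfg.get("pki_hsm_libfile"):
            problems.append("pki_hsm_libfile=%s: modutil shows %s"
                            % (cfg.get("pki_hsm_libfile"), mod["library"]))
    for key, value in sorted(cfg.items()):
        if key == "pki_token_name" or key.endswith("_token"):
            if value not in labels and value not in INTERNAL_ALIASES:
                problems.append("%s=%s: no attached token has this label (known: %s)"
                                % (key, value, ", ".join(sorted(labels))))
    return problems


if __name__ == "__main__":
    mods = parse_modutil(MODUTIL_OUTPUT)
    for title, cfg_text in (("post's config", HSM_CFG), ("mis-cased config", BAD_CFG)):
        found = check_tokens(parse_cfg(cfg_text), mods)
        print("%s: %s" % (title, "OK" if not found else "; ".join(found)))
```

On a live system, feed `parse_modutil` the real `modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb` output and `parse_cfg` the full default_hsm.cfg. A clean result only rules out a label or module-name mismatch in the config; it does not exercise the PKCS#11 login itself, so a token that resolves here can still be rejected by the server if its PIN or module configuration is wrong.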