Hi Amaury,
I have not had a chance to play with Thales Luna Cloud HSM.
From your modutil listing above, I think "partition" is the value you want
to assign to the following pkispawn parameters:
pki_token_name=partition
pki_<all the cert ids that you wish to go on the hsm token>_token=partition
Was that what you did?
Christina
On Fri, Nov 5, 2021 at 7:15 AM <amaury.siharath(a)gmail.com> wrote:
Hi team.
I'm trying to pkispawn a CA subsystem with HSM on Demand using Thales Luna
Cloud HSM.
The following error appears:
============================================================
Installing CA into /var/lib/pki/pki-tomcat.
Notice: Trust flag u is set automatically if the private key is present.
AVERTISSEMENT: TomcatJSS: token for hardware-partition not found
AVERTISSEMENT: TomcatJSS: token for hardware-partition not found
AVERTISSEMENT: TomcatJSS: token for hardware-partition not found
ERROR: ValueError: Unable to load certificate. See
https://cryptography.io/en/latest/faq.html#why-can-t-i-import-my-pem-file
for more details.
File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line
575, in main
scriptlet.spawn(deployer)
File
"/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 989, in spawn
sslserver = subsystem.get_subsystem_cert('sslserver')
File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line
163, in get_subsystem_cert
cert_info = self.get_nssdb_cert_info(cert_id)
File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line
198, in get_nssdb_cert_info
return nssdb.get_cert_info(nickname, token=token)
File "/usr/lib/python3.9/site-packages/pki/nssdb.py", line 1334, in
get_cert_info
cert_obj = x509.load_pem_x509_certificate(
File "/usr/lib64/python3.9/site-packages/cryptography/x509/base.py",
line 399, in load_pem_x509_certificate
return backend.load_pem_x509_certificate(data)
File
"/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/backend.py",
line 1344, in load_pem_x509_certificate
raise ValueError(
Installation failed: Unable to load certificate. See
https://cryptography.io/en/latest/faq.html#why-can-t-i-import-my-pem-file
for more details.
============================================================
I don't know if I'm missing something. When the installation fails, running
modutil -dbdir . -list in the /var/lib/pki/pki-tomcat/alias directory gives
the following result:
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
uri:
pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.71
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
uri:
pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri:
pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
2. lunasa
library name: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
uri:
pkcs11:library-manufacturer=SafeNet%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20;library-description=Chrystoki%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20;library-version=10.3
slots: 4 slots attached
status: loaded
slot: Luna G7 Slot
token:
uri: pkcs11:
slot: Luna G7 Slot
token:
uri: pkcs11:
slot: Luna G7 Slot
token:
uri: pkcs11:
slot: Net Token Slot
token: partition
uri:
pkcs11:token=partition;manufacturer=SafeNet;serial=1431305167971;model=Cryptovisor7
-----------------------------------------------------------
Instructions seem to be a bit scarce about it. Slot and partition were set
following the instructions in this documentation:
https://thalesdocs.com/dpod/services/luna_cloud_hsm/client/configure/inde...
And I don't know if this sample configuration is enough:
https://thalesdocs.com/dpod/services/integrations/linux/redhat_certificat...
Did anyone have any issue with this?
Cheers,
A.
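As an added example (not code from this thread or from the Dogtag project), here is a small Python check that covers both points raised above: it parses the output of modutil -list into the token labels each PKCS #11 module actually exposes, then verifies that every token parameter in a pkispawn deployment config (pki_token_name plus the per-certificate pki_<cert_id>_token entries Christina mentions) names one of those labels. The modutil listing is a trimmed, constructed copy of the one in the thread; the config values are constructed, and the "hardware-partition" value is used only to reproduce the mismatch behind the TomcatJSS "token for hardware-partition not found" warning. The parameter names pki_hsm_enable, pki_hsm_libfile, pki_hsm_modulename, pki_token_name, pki_ca_signing_token and pki_sslserver_token are real pkispawn parameters; everything else is the example's own.

```python
"""Cross-check pkispawn token parameters against `modutil -list` output.

Added example (not Dogtag code): a TomcatJSS warning such as "token for
hardware-partition not found" means the token label in the deployment
config matches no label the PKCS #11 modules report. This check catches
that before pkispawn is run.
"""
import configparser
import re

# Constructed sample: a trimmed copy of the modutil listing from the thread.
MODUTIL_OUTPUT = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. lunasa
        library name: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
         slots: 4 slots attached
        status: loaded

         slot: Luna G7 Slot
        token:

         slot: Net Token Slot
        token: partition
-----------------------------------------------------------
"""

# Constructed sample config (hypothetical values) reproducing the mismatch:
# the token parameters say "hardware-partition", but the Luna module only
# exposes a token labelled "partition".
PKISPAWN_CFG = """\
[DEFAULT]
pki_hsm_enable=True
pki_hsm_libfile=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
pki_hsm_modulename=lunasa
pki_token_name=hardware-partition

[CA]
pki_ca_signing_token=hardware-partition
pki_sslserver_token=hardware-partition
"""

MODULE_RE = re.compile(r"^\s*\d+\.\s+(.+?)\s*$")
TOKEN_RE = re.compile(r"^\s*token:\s*(.*?)\s*$")
# pki_token_name plus every per-certificate pki_<cert_id>_token parameter
TOKEN_PARAM = re.compile(r"^pki_(?:token_name|[a-z_]+_token)$")


def parse_tokens(listing):
    """Map each PKCS #11 module name to the non-empty token labels it exposes.

    Empty "token:" lines are slots with nothing present (the Luna G7 slots
    in the thread) and are skipped.
    """
    modules = {}
    current = None
    for line in listing.splitlines():
        m = MODULE_RE.match(line)
        if m:
            current = m.group(1)
            modules[current] = []
            continue
        m = TOKEN_RE.match(line)
        if m and current is not None and m.group(1):
            modules[current].append(m.group(1))
    return modules


def check_token_params(cfg_text, listing, section="CA"):
    """Return ({param: bad_value}, [available labels]) for one pkispawn section.

    Keys in [DEFAULT] are inherited by the section, so pki_token_name is
    checked alongside the per-cert pki_*_token entries.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    available = {t for toks in parse_tokens(listing).values() for t in toks}
    problems = {k: v for k, v in cfg.items(section)
                if TOKEN_PARAM.match(k) and v not in available}
    return problems, sorted(available)


def set_token_params(cfg_text, token):
    """Point every token parameter in the config text at `token`."""
    out = []
    for line in cfg_text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and TOKEN_PARAM.match(key.strip()):
            out.append(f"{key.strip()}={token}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    bad, labels = check_token_params(PKISPAWN_CFG, MODUTIL_OUTPUT)
    for param, value in bad.items():
        print(f"{param}={value}: no such token; available: {labels}")
    fixed = set_token_params(PKISPAWN_CFG, "partition")
    print("fixed config passes:", check_token_params(fixed, MODUTIL_OUTPUT)[0] == {})
```

Run against a live system, replace MODUTIL_OUTPUT with the captured output of modutil -dbdir /var/lib/pki/pki-tomcat/alias -list and PKISPAWN_CFG with the deployment file passed to pkispawn -f; the check reports every token parameter whose value is not an exposed label, and set_token_params shows the config with all of them pointed at the label the HSM module actually reports.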
_______________________________________________
Pki-users mailing list -- users(a)lists.dogtagpki.org
To unsubscribe send an email to users-leave(a)lists.dogtagpki.org