#201 nCipher HSM cannot be configured via redhat-idm-console
Closed: wontfix None Opened 9 years ago by rmeggins.


batch update moving tickets to future

set default ticket origin to Community

Added initial screened field value.

Console is working as expected; you cannot use an absolute/relative path to a file because of CGI security issues. The library must be located in /etc/dirsrv/slapd-INSTANCE. Then you simply specify the library file name in the console.

There is a bug in how the modutil command is generated in the admin server code.

The fix looks good.

Now I wonder where this type of knowledge about the installation/configuration is available... Since it's not our "product", what we could do is just have a pointer to the right contents, I guess...

Fix Description: First new modules must be located in the server instance
security directory (symlinks work best).

Replying to [comment:15 nhosoi]:

The fix looks good.

Now I wonder where this type of knowledge about the installation/configuration is available... Since it's not our "product", what we could do is just have a pointer to the right contents, I guess...

Fix Description: First new modules must be located in the server instance
security directory (symlinks work best).

There is documentation about the HSM security module here:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/mgng-tokens.html#installing-pkcs11-mods-cmd

In the documentation it even states that it's best to use modutil to add modules, and not the console :-)

Due to CGI security issues, the console only allows you to specify the library name, and not the absolute path to the library. It expects to find the library in the instance security directory: /etc/dirsrv/slapd-INSTANCE.

The reason I mentioned the symlink is that if you use a symlink in the security directory to the actual library, then you don't have to worry about SELinux.

/etc/dirsrv/slapd-INSTANCE/libcknfast.so -> /opt/nfast/toolkit/pkcs11/libcknfast.so

If you directly copy the library to /etc/dirsrv/slapd-INSTANCE then you must update SELinux for the library.

I will be writing up a wiki page on this as well.

To ssh://git.fedorahosted.org/git/389/admin.git
c9b6de5..5af4170 master -> master

commit 5af417033e9cf532856a105a6113825a4d20bbfa
Author: Mark Reynolds mreynolds@redhat.com
Date: Tue Oct 14 14:11:23 2014 -0400
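
The placement rule from the comment above (a bare library name, looked up in the instance security directory, preferably as a symlink), as an added shell example that is not part of the ticket or of the admin server code. The function names are hypothetical, and the demo uses a constructed temporary directory in place of the real /opt/nfast and /etc/dirsrv paths.

```shell
#!/bin/sh
# Added example (not from the ticket): pre-flight check for a PKCS#11 library
# before its name is entered in the console. Function names are hypothetical.

# The console accepts only a bare file name, never a path.
is_bare_library_name() {
    case "$1" in
        ''|.|..|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Report how NAME is installed in SECDIR (the instance security directory).
# Prints one of: rejected, missing, dangling, copy, symlink:<resolved target>
check_module() {
    cm_secdir=$1
    cm_name=$2
    is_bare_library_name "$cm_name" || { echo "rejected"; return 2; }
    cm_path="$cm_secdir/$cm_name"
    if [ -L "$cm_path" ]; then
        # -e follows the link, so it fails when the target is gone.
        [ -e "$cm_path" ] || { echo "dangling"; return 3; }
        echo "symlink:$(readlink -f "$cm_path")"
    elif [ -f "$cm_path" ]; then
        # A direct copy works only after its SELinux label is updated.
        echo "copy"
    else
        echo "missing"
        return 4
    fi
}

# Constructed layout in a temp dir standing in for /opt/nfast/... and
# /etc/dirsrv/slapd-INSTANCE; nothing on the real system is touched.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/opt/nfast/toolkit/pkcs11" "$d/etc/dirsrv/slapd-INSTANCE"
    : > "$d/opt/nfast/toolkit/pkcs11/libcknfast.so"
    ln -s "$d/opt/nfast/toolkit/pkcs11/libcknfast.so" \
        "$d/etc/dirsrv/slapd-INSTANCE/libcknfast.so"
    check_module "$d/etc/dirsrv/slapd-INSTANCE" libcknfast.so
    check_module "$d/etc/dirsrv/slapd-INSTANCE" /opt/nfast/toolkit/pkcs11/libcknfast.so
    rm -rf "$d"
}
demo
```

A result of `copy` means the library was placed directly in the security directory, which is the case where the SELinux label has to be updated by hand.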

Thank you soooo much for the details, Mark!!

Metadata Update from @nhosoi:
- Issue assigned to mreynolds
- Issue set to the milestone: 389-admin,console 1.1.36

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/201

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

a year ago
