Unable to create ECC KRA Instance when kra admin key type is ECC, pkispawn fails with below error:
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.io.IOException: Request Rejected - {0}"}
pkispawn : DEBUG ....... Error Type: ParseError
pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err
Steps to Reproduce:
1. Setup ECC CA using below config

[DEFAULT]
pki_instance_name=example-ecc-ca1
pki_https_port=8443
pki_http_port=8080
#NSS DB Token Password
pki_token_password=Secret123
#Admin Password
pki_admin_password=Secret123
pki_admin_keysize=nistp256
pki_admin_key_type=ecc
pki_admin_password=Secret123
#Security Domain
pki_hostname=pki2.example.org
pki_security_domain_name=Example Org
pki_security_domain_password=Secret123
#client Dir
pki_client_dir=/opt/example-ecc-ca1
pki_client_pkcs12_password=Secret123
#Backup
pki_backup_keys=True
pki_backup_password=Secret123

[Tomcat]
pki_ajp_port=8009
pki_tomcat_server_port=8005

[CA]
pki_import_admin_cert=False
pki_ca_signing_key_type=ecc
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_algorithm=SHA256withEC
pki_ca_signing_signing_algorithm=SHA256withEC
pki_ca_signing_subject_dn=cn=CA Signing Certificate3,o=%(pki_security_domain_name)s
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_key_size=nistp256
pki_ocsp_signing_key_algorithm=SHA256withEC
pki_ocsp_signing_signing_algorithm=SHA256withEC
pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate3,o=%(pki_security_domain_name)s
pki_audit_signing_key_type=rsa
pki_audit_signing_key_size=2048
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_signing_algorithm=SHA256withRSA
pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate3,o=%(pki_security_domain_name)s
pki_ssl_server_key_type=ecc
pki_ssl_server_key_size=nistp256
pki_ssl_server_key_algorithm=SHA256withEC
pki_ssl_server_signing_algorithm=SHA256withEC
pki_ssl_server_nickname=Server-Cert cert-pki-Foobar1-ca3
pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp256
pki_subsystem_key_algorithm=SHA256withEC
pki_subsystem_signing_algorithm=SHA256withEC
pki_subsystem_subject_dn=cn=Subsystem Certificate3,o=%(pki_security_domain_name)s
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
pki_ds_hostname=localhost
pki_ds_ldap_port=389
pki_ds_password=Secret123

2. Setup KRA instance using below config

[DEFAULT]
pki_instance_name=example-ecc-kra1
pki_https_port=12443
pki_http_port=12080
#NSS DB Token Password
pki_token_password=Secret123
#KRA Admin password
pki_admin_password=Secret123
pki_admin_keysize=nistp256
pki_admin_key_type=ecc
pki_admin_password=Secret123
#Security Domain
pki_security_domain_hostname=pki2.example.org
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
pki_security_domain_password=Secret123
#Client Dir
pki_client_dir=/opt/example-ecc-kra1
pki_client_pkcs12_password=Secret123
pki_client_database_password=Secret123
#Backup
pki_backup_keys=True
pki_backup_password=Secret123

[Tomcat]
pki_ajp_port=12009
pki_tomcat_server_port=12005

[KRA]
pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp256
pki_subsystem_key_algorithm=SHA256withEC
pki_storage_key_type=rsa
pki_storage_key_size=2048
pki_storage_key_algorithm=SHA256withRSA
pki_storage_signing_algorithm=SHA256withRSA
pki_transport_key_type=rsa
pki_transport_key_size=2048
pki_transport_key_algorithm=SHA256withRSA
pki_transport_signing_algorithm=SHA256withRSA
pki_audit_signing_key_type=rsa
pki_audit_signing_key_size=2048
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_signing_algorithm=SHA256withRSA
pki_ssl_server_key_type=ecc
pki_ssl_server_key_size=nistp256
pki_ssl_server_key_algorithm=SHA256withEC
pki_ssl_server_signing_algorithm=SHA256withEC
pki_import_admin_cert=False
pki_ds_hostname=localhost
pki_ds_ldap_port=1389
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=Secret123
pki_ds_secure_connection=False

3. pkispawn -s KRA -f kra_inst.inf -vv

pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown: [Errno 111] Connection refused
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown: [Errno 111] Connection refused
pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>KRA</Type><Status>running</Status><Version>10.2.6-4.el7pki</Version></XMLResponse>
pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : INFO ....... executing 'certutil -R -d /opt/example-ecc-kra1/kra/alias -s cn=PKI Administrator,e=kraadmin@example.org,o=Example Org -k ec -q nistp256 -z /opt/example-ecc-kra1/kra/alias/noise -f /opt/example-ecc-kra1/kra/password.conf -o /opt/example-ecc-kra1/kra/alias/admin_pkcs10.bin'
pkispawn : INFO ....... rm -f /opt/example-ecc-kra1/kra/alias/noise
pkispawn : INFO ....... BtoA /opt/example-ecc-kra1/kra/alias/admin_pkcs10.bin /opt/example-ecc-kra1/kra/alias/admin_pkcs10.bin.asc
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.io.IOException: Request Rejected - {0}"}
pkispawn : DEBUG ....... Error Type: ParseError
pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err
Actual results:
KRA instance creation fails
Expected results:
KRA instance should succeed
Additional info:
I suspect it fails because the caAdminCert profile doesn't support ECC; the CA debug logs show these:

[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: EnrollProfile: auth token is not null
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: SignedAuditEventFactory: create() message=[AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=12][ProfileID=caAdminCert][CertSubject=CN=PKI Administrator,E=kraadmin@example.org,O=Example Org] certificate request made with certificate profiles
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: BasicProfile: validate start on setId=adminCertSet
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: SubjectNameConstraint: validate start
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: SubjectNameConstraint: validate start
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: SubjectNameConstraint: validate cert subject =CN=PKI Administrator,E=kraadmin@example.org,O=Example Org
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: SubjectNameConstraint: validate() - sn500 dname = CN=PKI Administrator,E=kraadmin@example.org,O=Example Org
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: SubjectNameConstraint: validate end
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: ValidityConstraint: validate start
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: ValidityConstraint: not before: Tue Aug 04 22:09:27 IST 2015
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: ValidityConstraint: not after: Wed Aug 03 22:09:27 IST 2016
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: ValidityConstraint: range: 365
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: ValidityConstraint: range unit: day
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: ValidityConstraint: limit: Wed Aug 03 22:09:27 IST 2016
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: ValidityConstraint: validate end
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: KeyConstraint: validate start
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: CertRequestSubmitter: submit Key Type RSA Not Matched
[04/Aug/2015:22:09:28][http-bio-8443-exec-23]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Failure][ReqID=12][InfoName=rejectReason][InfoValue=Request Rejected - Key Type RSA Not Matched] certificate request processed
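A pre-flight check for the mismatch described in this report, added here as an example and not part of pkispawn or the ticket: it reads the admin key type pkispawn will generate from the KRA .inf and compares it with the KeyConstraint of the CA's admin enrollment profile. The profile property names (policyset.<set>.<n>.constraint.params.keyType, with "-" meaning any key type) and both input excerpts are assumptions constructed for this example.

```python
import configparser
import io
import re

# Constructed excerpt of the KRA .inf from step 2 of the report.
KRA_INF = """[DEFAULT]
pki_instance_name=example-ecc-kra1
pki_admin_password=Secret123
pki_admin_keysize=nistp256
pki_admin_key_type=ecc
pki_admin_password=Secret123
[KRA]
pki_subsystem_key_type=ecc
"""

# Constructed (assumed) excerpt of a caAdminCert profile whose KeyConstraint
# only accepts RSA keys, which is what the "Key Type RSA Not Matched" log shows.
CA_ADMIN_PROFILE_RSA_ONLY = """policyset.adminCertSet.1.constraint.class_id=keyConstraintImpl
policyset.adminCertSet.1.constraint.params.keyType=RSA
"""

KEYTYPE_RX = re.compile(r"^policyset\.([\w-]+)\.(\d+)\.constraint\.params\.keyType=(.*)$")

def load_inf(text):
    # The .inf repeats pki_admin_password, which strict configparser rejects,
    # and uses %(name)s references, so disable strictness and interpolation.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_file(io.StringIO(text))
    return cp

def admin_key_type(cp):
    # pkispawn spells the value 'rsa' or 'ecc'; map it to the profile vocabulary.
    value = cp.get("DEFAULT", "pki_admin_key_type", fallback="rsa").lower()
    return {"rsa": "RSA", "ecc": "EC"}.get(value, value.upper())

def profile_key_types(profile_text):
    # Collect keyType constraints per policy set; "-" or empty means any type.
    types = {}
    for line in profile_text.splitlines():
        m = KEYTYPE_RX.match(line.strip())
        if m:
            types.setdefault(m.group(1), set()).add(m.group(3).strip())
    return types

def check_admin_key(inf_text, profile_text):
    # Returns (ok, message); ok is False when the profile cannot accept the key.
    wanted = admin_key_type(load_inf(inf_text))
    for policy_set, allowed in profile_key_types(profile_text).items():
        if wanted not in allowed and not allowed & {"-", ""}:
            return False, "%s KeyConstraint allows %s, admin key type is %s" % (
                policy_set, ",".join(sorted(allowed)), wanted)
    return True, "admin key type %s is accepted" % wanted
```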
Per CS/DS Meeting of 08/10/2015 - 10.2.7
commit 017f4f9d4b3c6051f082b8c2b49d5143fd8450e9
Author: Christina Fu cfu@redhat.com
Date: Mon Aug 10 15:38:06 2015 -0700

Ticket 1539 Unable to create ECC KRA Instance when kra admin key type is ECC

This patch changes the relevant CA enrollment admin profiles so that they accept requests for EC certs. The issue actually not just affected KRA, it also affected other non-CA subsystems.
Metadata Update from @mrniranjan:
- Issue assigned to cfu
- Issue set to the milestone: 10.2.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2098
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.