#2513 TPS token enrollment fails to setupSecureChannel when TPS and TKS security db is on fips mode.
Closed: Fixed None Opened 7 years ago by aakkiang.

TPS token enrollment fails to setupSecureChannel when TPS and TKS security db is on fips mode.

Steps to Reproduce:

1. pkispawn CA, KRA, TKS and TPS instances and enable FIPS mode as described in document CA
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/TMS_CA_Configuration.html
2. modutil -dbdir /var/lib/pki/pki-rootTKS-aakkiang/alias -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal FIPS PKCS #11 Module
         slots: 1 slot attached
        status: loaded

         slot: NSS FIPS 140-2 User Private Key Services
        token: NSS FIPS 140-2 Certificate DB

  2. nfast
        library name: /opt/nfast/toolkits/pkcs11/libcknfast.so
         slots: 3 slots attached
        status: loaded

         slot:
        token: loadshared accelerator

         slot: NHSM6000-OCS
        token: NHSM6000-OCS

         slot: NHSM-AAKKIANG-SOFTCARD
        token: NHSM-AAKKIANG-SOFTCARD
-----------------------------------------------------------

3. Enroll a token using tpsclient.

Actual results:

Token enrollment fails.
TPS debug log shows org.mozilla.jss.NoSuchTokenException for shared secret key:

[07/Oct/2016:16:25:06][http-bio-32344-exec-1]: TPSProcessor.getSharedSecretTransportKeyName: calculated key name: sharedSecret
[07/Oct/2016:16:25:06][http-bio-32344-exec-1]: SecureChannelProtocol.getSharedSecretKeyName: Entering...
org.mozilla.jss.NoSuchTokenException
        at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:622)
        at com.netscape.cms.servlet.tks.SecureChannelProtocol.returnTokenByName(SecureChannelProtocol.java:697)
        at org.dogtagpki.server.tps.processor.TPSProcessor.generateSecureChannel(TPSProcessor.java:653)
        at org.dogtagpki.server.tps.processor.TPSProcessor.setupSecureChannel(TPSProcessor.java:571)
        at org.dogtagpki.server.tps.processor.TPSProcessor.upgradeApplet(TPSProcessor.java:950)
        at org.dogtagpki.server.tps.processor.TPSProcessor.format(TPSProcessor.java:2153)
        at org.dogtagpki.server.tps.processor.TPSProcessor.process(TPSProcessor.java:2852)
        at org.dogtagpki.server.tps.TPSSession.process(TPSSession.java:119)
        at org.dogtagpki.server.tps.TPSServlet.service(TPSServlet.java:60)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
[07/Oct/2016:16:25:06][http-bio-32344-exec-1]: TPSSession.process: Message processing failed: TPSProcessor.setupSecureChannel: Can't set up secure channel: TPSProcessor.generateSecureChannel: Can't get shared secret key!: org.mozilla.jss.NoSuchTokenException
[07/Oct/2016:16:25:06][http-bio-32344-exec-1]: TPSConnection.write: Writing: s=43&msg_type=13&operation=5&result=1&message=17
[07/Oct/2016:16:25:06][http-bio-32344-exec-1]: TPSSession.process: leaving: result: 1 status: STATUS_ERROR_SECURE_CHANNEL

Expected results:

Token enrollment should succeed.

Additional info:

jmagne took a look at this issue. It has to do with the name of the internal token no longer being something that can be counted upon in FIPS mode. Similar to this other problem: https://fedorahosted.org/pki/ticket/2500 - Hard coded token name in SigningUnit.java causes Dogtag install to fail in FIPS mode
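Added example (not code from the ticket or from the Dogtag fix commit): a FIPS-tolerant token lookup in JSS that avoids the hard-coded internal token name the log above shows failing in getTokenByName. The alias list and the empty-name convention are assumptions; the NSS database path is the one from step 2 and serves only as a default for the diagnostic main.

```java
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.NoSuchTokenException;
import org.mozilla.jss.crypto.CryptoToken;

/*
 * In FIPS mode the NSS internal token reports itself as
 * "NSS FIPS 140-2 Certificate DB" (see the modutil listing above), so
 * cm.getTokenByName("Internal Key Storage Token") throws NoSuchTokenException,
 * exactly as in the TPS debug log. Resolving the internal token through
 * getInternalKeyStorageToken() works in both modes.
 */
public final class FipsSafeTokenLookup {

    // Assumed aliases under which a TPS/TKS config may refer to the internal token.
    private static final String[] INTERNAL_ALIASES = {
        "internal",
        "Internal Key Storage Token",
        "NSS Certificate DB",
        "NSS FIPS 140-2 Certificate DB"
    };

    public static boolean isInternalTokenName(String name) {
        if (name == null || name.trim().isEmpty()) {
            return true; // assumption: an empty setting means the internal token
        }
        for (String alias : INTERNAL_ALIASES) {
            if (alias.equalsIgnoreCase(name.trim())) {
                return true;
            }
        }
        return false;
    }

    public static CryptoToken resolve(CryptoManager cm, String name) throws NoSuchTokenException {
        if (isInternalTokenName(name)) {
            // JSS hands back the internal key-storage slot for the current NSS mode.
            return cm.getInternalKeyStorageToken();
        }
        // External tokens (e.g. the nfast "NHSM6000-OCS" slot) are still looked up by name.
        return cm.getTokenByName(name);
    }

    // Diagnostic: show the name NSS actually gives the internal token on this host.
    public static void main(String[] args) throws Exception {
        CryptoManager.initialize(args.length > 0 ? args[0] : "/var/lib/pki/pki-rootTKS-aakkiang/alias");
        CryptoManager cm = CryptoManager.getInstance();
        System.out.println("FIPS enabled: " + CryptoManager.FIPSEnabled());
        System.out.println("internal token name: " + cm.getInternalKeyStorageToken().getName());
    }
}
```

Running the diagnostic against a FIPS-enabled database before and after the switch makes the name change visible, which is the quickest way to confirm whether a by-name lookup elsewhere in a configuration will hit the same exception.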

Per discussions between cfu and jmagne on 10/07/2016: 10.4.0

commit cb2cc3c7fd93e1a0519a0b530cbc2edbab7741cc
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Thu Oct 20 15:18:12 2016 -0700

TPS token enrollment fails to setupSecureChannel when TPS and TKS security db is on fips mode.

Ticket #2513.

Simple fix allows the TPS and TKS the ability to obtain the proper internal token, even in FIPS mode.

Closing

Metadata Update from @aakkiang:
- Issue assigned to jmagne
- Issue set to the milestone: 10.3.8

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2633

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
