CA installation with both Thales and lunaSA HSM fails.
Steps to Reproduce:
0. Set up the system as an HSM client.
1. Create an LDAP server instance CC-NonTMS-LDAP running at port 389.
2. CA configuration for installation with lunaSA is as follows:

    # cat ca_hsm.inf
    [DEFAULT]
    pki_instance_name=rhcs92-CA-aakkiang
    pki_https_port=28443
    pki_http_port=28080
    pki_hsm_enable=True
    pki_hsm_libfile=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
    pki_hsm_modulename=<lunasa_module_name>
    pki_token_name=<lunasa_module_name>
    pki_token_password=<lunasa_password>
    pki_ssl_server_token=<lunasa_module_name>
    pki_subsystem_token=<lunasa_module_name>
    pki_audit_signing_token=<lunasa_module_name>
    [Tomcat]
    pki_ajp_port=28009
    pki_tomcat_server_port=28005
    [CA]
    pki_ca_signing_token=<lunasa_module_name>
    pki_ocsp_signing_token=<lunasa_module_name>
    pki_admin_email=caadmin@example.com
    pki_admin_name=caadmin
    pki_admin_nickname=caadmin
    pki_admin_password=Secret.123
    pki_admin_uid=caadmin
    pki_client_database_password=Secret.123
    pki_client_database_purge=False
    pki_client_pkcs12_password=Secret.123
    pki_ds_password=SECret.123
    pki_ds_secure_connection=False
    pki_ds_remove_data=True
    pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
    pki_ds_database=CC-NonTMS-LDAP
    pki_security_domain_name=EXAMPLE
    pki_security_domain_https_port=28443

3. Run the installer:

    # pkispawn -s CA -f ca_hsm.inf -vvv
Actual results:
Installation failed: com.netscape.certsrv.base.BadRequestException: Invalid Token provided. No such token.
Debug log has this:

    [25/Apr/2017:16:20:45][http-bio-28443-exec-4]: === Token Authentication ===
    [25/Apr/2017:16:20:45][http-bio-28443-exec-4]: Invalid Token provided. No such token.
    [25/Apr/2017:16:20:45][http-bio-28443-exec-4]: SignedAuditEventFactory:create() message created for eventType=ACCESS_SESSION_TERMINATED
Expected results:
Installation should be successful using both Thales and LunaSA HSMs.
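Added example, not code from the Dogtag PKI project: a pre-flight check for a ca_hsm.inf like the one above that catches the configuration-side causes of "Invalid Token provided. No such token." (template placeholders left unfilled, *_token fields that disagree with pki_hsm_modulename, a PKCS#11 library that is not on the client) before pkispawn is run. The sample .inf, the "lunasa" module name and its password are constructed values; an .inf that passes this check and still fails points elsewhere, as on this issue, which was closed by raising the selinux-policy-targeted requirement.

```python
import configparser
import os

# The token-related keys pkispawn reads from the ca_hsm.inf in the report.
TOKEN_KEYS = ("pki_token_name", "pki_token_password", "pki_ssl_server_token",
              "pki_subsystem_token", "pki_audit_signing_token",
              "pki_ca_signing_token", "pki_ocsp_signing_token")

def unfilled(value):
    # Empty, or still a template placeholder such as <lunasa_module_name>.
    return not value or (value.startswith("<") and value.endswith(">"))

def check_hsm_inf(text, libfile_exists=os.path.exists):
    # Returns the list of problems found; an empty list means the file looks sane.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    ca = cfg["CA"] if cfg.has_section("CA") else cfg.defaults()  # [DEFAULT] shows through [CA]
    if ca.get("pki_hsm_enable", "False").lower() != "true":
        return ["pki_hsm_enable is not True; HSM token checks do not apply"]
    problems = []
    module = ca.get("pki_hsm_modulename", "")
    if unfilled(module):
        problems.append("pki_hsm_modulename is unset or still a <placeholder>")
    # A token field naming a token the module does not expose is what the server
    # rejects with "Invalid Token provided. No such token." at token authentication.
    for key in TOKEN_KEYS:
        value = ca.get(key, "")
        if unfilled(value):
            problems.append(f"{key} is unset or still a <placeholder>")
        elif key != "pki_token_password" and value != module:
            problems.append(f"{key}={value} does not match pki_hsm_modulename={module}")
    libfile = ca.get("pki_hsm_libfile", "")
    if not libfile or not libfile_exists(libfile):
        problems.append(f"pki_hsm_libfile {libfile!r} is unset or not found on this client")
    return problems

# Constructed sample after the report's ca_hsm.inf; "lunasa" and the password are assumed values.
SAMPLE_INF = """[DEFAULT]
pki_hsm_enable=True
pki_hsm_libfile=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
pki_hsm_modulename=lunasa
pki_token_name=lunasa
pki_token_password=Secret.123
pki_ssl_server_token=lunasa
pki_subsystem_token=lunasa
pki_audit_signing_token=lunasa
[CA]
pki_ca_signing_token=lunasa
pki_ocsp_signing_token=lunasa
"""
```

Pass `libfile_exists=lambda _p: True` to check an .inf on a machine that is not the HSM client itself.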
Metadata Update from @mharmsen: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1445519
Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue priority set to: blocker
- Issue set to the milestone: 10.4
Metadata Update from @mharmsen: - Issue assigned to edewata
This is an HSM-specific issue. Non-HSM installation works fine. Someone else more familiar with HSM installation should investigate this.
Metadata Update from @edewata: - Assignee reset
Metadata Update from @mharmsen: - Issue assigned to mharmsen
commit 5e5eb07b90340eb0e46ab4a1ac76a5f77646f134
Author: Matthew Harmsen <mharmsen@redhat.com>
Date:   Tue May 30 09:23:55 2017 -0600

    Updated minimum selinux-policy-targeted runtime requirement.

    - Bugzilla Bug #1445519 - CA Server installation with HSM fails
Metadata Update from @mharmsen:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.4.6 (was: 10.4)
- Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue assigned to jmagne (was: mharmsen)
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.4.7-1.fc27
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2780
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.