SubCA installation failure with 2 step installation in fips enabled mode
This is needed when we want to enable/disable ciphers in the server.xml file.
Steps to Reproduce:
1. Install a RootCA with HSM & FIPS enabled mode.
2. Install a SubCA using the 2-step installation process, where in the first step we just do configuration. Enable ciphers in server.xml, and in step 2 proceed with the installation.
Actual results:
Installation failure with logs:
[22/May/2017:14:27:33][http-bio-32443-exec-3]: ca.signing Signing Unit nickname NHSM-GKAPOOR-SOFTCARD:caSigningCert cert-SubCA0 CA
[22/May/2017:14:27:33][http-bio-32443-exec-3]: Got token NHSM-GKAPOOR-SOFTCARD by name
[22/May/2017:14:27:33][http-bio-32443-exec-3]: Found cert by nickname: 'NHSM-GKAPOOR-SOFTCARD:caSigningCert cert-SubCA0 CA' with serial number: 17
[22/May/2017:14:27:33][http-bio-32443-exec-3]: converted to x509CertImpl
[22/May/2017:14:27:33][http-bio-32443-exec-3]: Got private key from cert
[22/May/2017:14:27:33][http-bio-32443-exec-3]: Got public key from cert
[22/May/2017:14:27:33][http-bio-32443-exec-3]: got signing algorithm RSASignatureWithSHA512Digest
[22/May/2017:14:27:33][http-bio-32443-exec-3]: CA signing unit inited
[22/May/2017:14:27:33][http-bio-32443-exec-3]: cachainNum= 0
[22/May/2017:14:27:33][http-bio-32443-exec-3]: in init - got CA chain from JSS.
[22/May/2017:14:27:33][http-bio-32443-exec-3]: ca.ocsp_signing Signing Unit nickname NHSM-GKAPOOR-SOFTCARD:ocspSigningCert cert-SubCA0 CA
[22/May/2017:14:27:33][http-bio-32443-exec-3]: Got token NHSM-GKAPOOR-SOFTCARD by name
[22/May/2017:14:27:33][http-bio-32443-exec-3]: Unable to find certificate NHSM-GKAPOOR-SOFTCARD:ocspSigningCert cert-SubCA0 CA
[22/May/2017:14:27:33][http-bio-32443-exec-3]: SigningUnit: Certificate object not found
Certificate object not found
	at com.netscape.ca.SigningUnit.init(SigningUnit.java:173)
	at com.netscape.ca.SigningUnit.init(SigningUnit.java:131)
	at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1724)
	at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:528)
	at com.netscape.cmscore.apps.CMSEngine.reinit(CMSEngine.java:1350)
	at com.netscape.certsrv.apps.CMS.reinit(CMS.java:192)
	at com.netscape.cms.servlet.csadmin.ConfigurationUtils.handleCerts(ConfigurationUtils.java:3307)
	at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:189)
	at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:110)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
Caused by: org.mozilla.jss.crypto.ObjectNotFoundException
	at org.mozilla.jss.CryptoManager.findCertByNicknameNative(Native Method)
	at org.mozilla.jss.CryptoManager.findCertByNickname(CryptoManager.java:1307)
	at com.netscape.ca.SigningUnit.init(SigningUnit.java:169)
	... 70 more
Expected results:
2-step installation should work for a SubCA.
Additional info:
This could be a blocker for IPA as well.
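The failure above is easy to miss in a long CA debug log because the ca.signing unit initialises fine and only the second signing unit (ca.ocsp_signing) fails with "Unable to find certificate". The following triage helper is an added example, not code from the Dogtag PKI project: it walks debug log lines in the format shown in the ticket, pairs each "Signing Unit nickname" line with the subsequent "Found cert by nickname" or "Unable to find certificate" result, and reports which signing unit's certificate was missing on which token. The sample log lines are copied from the ticket; the function and class names are assumptions for illustration.

```python
"""Triage helper for Dogtag CA debug logs: report which signing unit failed
to initialise because its certificate was not found on the token.

Added example, not Dogtag project code. Log line format and sample lines
are taken from the ticket; all helper names are illustrative assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "[timestamp][thread]: message" as written by the CA debug log
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
# "<unit> Signing Unit nickname <token>:<cert nickname>"
UNIT_RE = re.compile(r"^(?P<unit>[\w.]+) Signing Unit nickname (?P<nick>.+)$")
FOUND_RE = re.compile(
    r"^Found cert by nickname: '(?P<nick>.+)' with serial number: (?P<serial>\d+)$")
MISSING_RE = re.compile(r"^Unable to find certificate (?P<nick>.+)$")


@dataclass
class SigningUnitStatus:
    unit: str                     # e.g. ca.signing, ca.ocsp_signing
    token: Optional[str]          # HSM token prefix, None for the internal token
    cert_name: str                # nickname without the token prefix
    found: Optional[bool] = None  # None if the log ended before a result
    serial: Optional[int] = None


def split_nickname(nick: str) -> Tuple[Optional[str], str]:
    """Dogtag nicknames are '<token>:<cert nickname>'; no colon means internal DB."""
    token, sep, name = nick.partition(":")
    return (token, name) if sep else (None, nick)


def parse_signing_units(lines: List[str]) -> Dict[str, SigningUnitStatus]:
    """Return the init outcome of every signing unit mentioned in the log."""
    units: Dict[str, SigningUnitStatus] = {}
    current: Optional[SigningUnitStatus] = None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # stack-trace lines and anything not in log format
        msg = m.group("msg")
        u = UNIT_RE.match(msg)
        if u:
            token, name = split_nickname(u.group("nick"))
            current = SigningUnitStatus(u.group("unit"), token, name)
            units[current.unit] = current
            continue
        if current is None or current.found is not None:
            continue  # no open lookup, or this unit already has a result
        f = FOUND_RE.match(msg)
        if f:
            current.found = True
            current.serial = int(f.group("serial"))
        elif MISSING_RE.match(msg):
            current.found = False
    return units


def missing_units(lines: List[str]) -> List[SigningUnitStatus]:
    """Signing units whose certificate lookup explicitly failed."""
    return [s for s in parse_signing_units(lines).values() if s.found is False]


# Constructed sample: the relevant lines from the ticket's failure log
SAMPLE_LOG = [
    "[22/May/2017:14:27:33][http-bio-32443-exec-3]: ca.signing Signing Unit nickname NHSM-GKAPOOR-SOFTCARD:caSigningCert cert-SubCA0 CA",
    "[22/May/2017:14:27:33][http-bio-32443-exec-3]: Got token NHSM-GKAPOOR-SOFTCARD by name",
    "[22/May/2017:14:27:33][http-bio-32443-exec-3]: Found cert by nickname: 'NHSM-GKAPOOR-SOFTCARD:caSigningCert cert-SubCA0 CA' with serial number: 17",
    "[22/May/2017:14:27:33][http-bio-32443-exec-3]: got signing algorithm RSASignatureWithSHA512Digest",
    "[22/May/2017:14:27:33][http-bio-32443-exec-3]: CA signing unit inited",
    "[22/May/2017:14:27:33][http-bio-32443-exec-3]: ca.ocsp_signing Signing Unit nickname NHSM-GKAPOOR-SOFTCARD:ocspSigningCert cert-SubCA0 CA",
    "[22/May/2017:14:27:33][http-bio-32443-exec-3]: Got token NHSM-GKAPOOR-SOFTCARD by name",
    "[22/May/2017:14:27:33][http-bio-32443-exec-3]: Unable to find certificate NHSM-GKAPOOR-SOFTCARD:ocspSigningCert cert-SubCA0 CA",
    "[22/May/2017:14:27:33][http-bio-32443-exec-3]: SigningUnit: Certificate object not found",
    "Certificate object not found",
    "\tat com.netscape.ca.SigningUnit.init(SigningUnit.java:173)",
]

if __name__ == "__main__":
    for s in missing_units(SAMPLE_LOG):
        print(f"{s.unit}: certificate '{s.cert_name}' not found on token {s.token}")
```

Run against a real debug log with `parse_signing_units(open(path).read().splitlines())`; a unit whose `found` is `None` means the log ended mid-initialisation rather than with a lookup failure, which is worth distinguishing when deciding whether the missing certificate or an earlier abort is the root cause.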
Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1454450
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
Metadata Update from @mharmsen: - Custom field origin adjusted to QE (was: Community)
Per PKI Bug Council of May 25, 2017: 10.4 - critical
Metadata Update from @mharmsen:
- Issue priority set to: critical
- Issue set to the milestone: 10.4 (was: 0.0 NEEDS_TRIAGE)
Patches:
Fixed in master:
Metadata Update from @edewata:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.4.7 (was: 10.4)
- Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue assigned to edewata
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.4.7-1.fc27
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2827
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.