#2707 SubCA installation failure with 2 step installation in fips enabled mode
Closed: fixed 6 years ago Opened 6 years ago by mharmsen.

This is needed when we want to enable/disable ciphers in the server.xml file.

Steps to Reproduce:

1. Install a RootCA with HSM & FIPS enabled mode.
2. Install a subCA using the 2-step installation process, where in the first step we just
do configuration. Enable ciphers in server.xml, and in step 2 proceed with
installation.

Actual results:

Installation failure with logs:

[22/May/2017:14:27:33][http-bio-32443-exec-3]: ca.signing Signing Unit nickname
NHSM-GKAPOOR-SOFTCARD:caSigningCert cert-SubCA0 CA
[22/May/2017:14:27:33][http-bio-32443-exec-3]: Got token NHSM-GKAPOOR-SOFTCARD
by name
[22/May/2017:14:27:33][http-bio-32443-exec-3]: Found cert by nickname:
'NHSM-GKAPOOR-SOFTCARD:caSigningCert cert-SubCA0 CA' with serial number: 17
[22/May/2017:14:27:33][http-bio-32443-exec-3]: converted to x509CertImpl
[22/May/2017:14:27:33][http-bio-32443-exec-3]: Got private key from cert
[22/May/2017:14:27:33][http-bio-32443-exec-3]: Got public key from cert
[22/May/2017:14:27:33][http-bio-32443-exec-3]: got signing algorithm
RSASignatureWithSHA512Digest
[22/May/2017:14:27:33][http-bio-32443-exec-3]: CA signing unit inited
[22/May/2017:14:27:33][http-bio-32443-exec-3]: cachainNum= 0
[22/May/2017:14:27:33][http-bio-32443-exec-3]: in init - got CA chain from JSS.
[22/May/2017:14:27:33][http-bio-32443-exec-3]: ca.ocsp_signing Signing Unit
nickname NHSM-GKAPOOR-SOFTCARD:ocspSigningCert cert-SubCA0 CA
[22/May/2017:14:27:33][http-bio-32443-exec-3]: Got token NHSM-GKAPOOR-SOFTCARD
by name
[22/May/2017:14:27:33][http-bio-32443-exec-3]: Unable to find certificate
NHSM-GKAPOOR-SOFTCARD:ocspSigningCert cert-SubCA0 CA
[22/May/2017:14:27:33][http-bio-32443-exec-3]: SigningUnit: Certificate object
not found
Certificate object not found
        at com.netscape.ca.SigningUnit.init(SigningUnit.java:173)
        at com.netscape.ca.SigningUnit.init(SigningUnit.java:131)
        at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1724)
        at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:528)
        at com.netscape.cmscore.apps.CMSEngine.reinit(CMSEngine.java:1350)
        at com.netscape.certsrv.apps.CMS.reinit(CMS.java:192)
        at com.netscape.cms.servlet.csadmin.ConfigurationUtils.handleCerts(ConfigurationUtils.java:3307)
        at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:189)
        at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:110)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
Caused by: org.mozilla.jss.crypto.ObjectNotFoundException
        at org.mozilla.jss.CryptoManager.findCertByNicknameNative(NativeMethod)
        at org.mozilla.jss.CryptoManager.findCertByNickname(CryptoManager.java:1307)
        at com.netscape.ca.SigningUnit.init(SigningUnit.java:169)
        ... 70 more

Expected results:

2-step installation should work for subCA.

Additional info:

This could be a blocker for IPA as well.
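As an added example (not part of this issue or of the Dogtag code), a small triage script that parses the CA debug log format quoted above and attributes each "Got token" / "Found cert" / "Unable to find certificate" line to the signing unit that announced it, which is how one confirms that ca.signing loaded its certificate (serial 17) while ca.ocsp_signing could not find its nickname on the same token. The sample log is constructed from the excerpt with its wrapped lines re-joined.

```python
import re

# Constructed sample reproducing the issue's excerpt, with the wrapped
# lines re-joined so every debug record sits on a single line.
SAMPLE_LOG = """\
[22/May/2017:14:27:33][http-bio-32443-exec-3]: ca.signing Signing Unit nickname NHSM-GKAPOOR-SOFTCARD:caSigningCert cert-SubCA0 CA
[22/May/2017:14:27:33][http-bio-32443-exec-3]: Got token NHSM-GKAPOOR-SOFTCARD by name
[22/May/2017:14:27:33][http-bio-32443-exec-3]: Found cert by nickname: 'NHSM-GKAPOOR-SOFTCARD:caSigningCert cert-SubCA0 CA' with serial number: 17
[22/May/2017:14:27:33][http-bio-32443-exec-3]: ca.ocsp_signing Signing Unit nickname NHSM-GKAPOOR-SOFTCARD:ocspSigningCert cert-SubCA0 CA
[22/May/2017:14:27:33][http-bio-32443-exec-3]: Got token NHSM-GKAPOOR-SOFTCARD by name
[22/May/2017:14:27:33][http-bio-32443-exec-3]: Unable to find certificate NHSM-GKAPOOR-SOFTCARD:ocspSigningCert cert-SubCA0 CA
[22/May/2017:14:27:33][http-bio-32443-exec-3]: SigningUnit: Certificate object not found
"""

# One debug record looks like: [timestamp][thread]: message
LINE_RE = re.compile(r"^\[[^\]]+\]\[[^\]]+\]: (?P<msg>.*)$")
UNIT_RE = re.compile(r"^(?P<unit>\S+) Signing Unit nickname (?P<nick>.+)$")
TOKEN_RE = re.compile(r"^Got token (?P<token>.+) by name$")
FOUND_RE = re.compile(r"^Found cert by nickname: '.+' with serial number: (?P<serial>\d+)$")
MISSING_RE = re.compile(r"^Unable to find certificate (?P<nick>.+)$")


def triage(log_text: str) -> dict[str, dict]:
    """Walk the log once, attributing token/found/missing lines to the most
    recently announced signing unit. Unprefixed stack-trace lines are skipped."""
    units: dict[str, dict] = {}
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if u := UNIT_RE.match(msg):
            current = {"nickname": u.group("nick"), "token": None,
                       "serial": None, "missing": False}
            units[u.group("unit")] = current
        elif current is None:
            continue
        elif t := TOKEN_RE.match(msg):
            current["token"] = t.group("token")
        elif f := FOUND_RE.match(msg):
            current["serial"] = int(f.group("serial"))
        elif MISSING_RE.match(msg):
            current["missing"] = True
    return units


def failed_units(log_text: str) -> list[str]:
    """Signing units whose configured certificate was not found on the token."""
    return [name for name, u in triage(log_text).items() if u["missing"]]
```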

Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1454450
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

6 years ago

Metadata Update from @mharmsen:
- Custom field origin adjusted to QE (was: Community)

6 years ago

Per PKI Bug Council of May 25, 2017: 10.4 - critical

Metadata Update from @mharmsen:
- Issue priority set to: critical
- Issue set to the milestone: 10.4 (was: 0.0 NEEDS_TRIAGE)

6 years ago

Fixed in master:

  • 14e44691ef0b61220d390afb745496b7d62945ee
  • 9af1746463bec2e62c990279d857635f693cfac7

Metadata Update from @edewata:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.4.7 (was: 10.4)
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @mharmsen:
- Issue assigned to edewata

6 years ago

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.4.7-1.fc27

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2827

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
