#7677 HSM: ipa ca-add fails with error in ipa-pki-retrieve-key
Closed: fixed 8 months ago by rcritten. Opened 6 years ago by cheimes.

Issue

The ipa-pki-retrieve-key helper does not yet know how to handle a Dogtag installation with HSM.

Steps to Reproduce

  1. Install Dogtag with NitroHSM integration (requires additional patches and configuration)
  2. ipa ca-add

Actual behavior

Command fails:

# ipa ca-add --subject="CN=testca1" testca1
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500

Dogtag debug logs:

2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CertificateAuthority: size: 911 bytes
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CertificateAuthority: subject DN: CN=Certificate Authority,O=HSM.EXAMPLE
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CertificateAuthority: issuer DN: CN=Certificate Authority,O=HSM.EXAMPLE
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CA SigningUnit.init(ca, ca.signing, UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a)
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: Setting ca.signing.newNickname=UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: SigningUnit: Loading certificate UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: SigningUnit: Unable to find certificate UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] WARNING: CA signing key and cert not (yet) present in NSSDB
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: Starting KeyRetrieverRunner thread
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CertificateAuthority init: initRequestQueue
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: In LdapBoundConnFactory::getConn()
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: masterConn is connected: true
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: getConn: conn is connected true
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: getConn: mNumConns now 1
2018-08-22 11:51:37 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Running ExternalProcessKeyRetriever
2018-08-22 11:51:37 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a, master.hsm.example]
...
2018-08-22 11:51:41 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Failed to retrieve key from any host.
2018-08-22 11:51:41 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] WARNING: KeyRetriever did not return a result.
2018-08-22 11:51:41 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Retrying in 10 seconds
2018-08-22 11:51:51 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Running ExternalProcessKeyRetriever
2018-08-22 11:51:51 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a, master.hsm.example]
2018-08-22 11:51:55 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Failed to retrieve key from any host.
2018-08-22 11:51:55 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] WARNING: KeyRetriever did not return a result.
2018-08-22 11:51:55 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Retrying in 15 seconds

master:

  • 17c2e31 Don't move keys when key backup is disabled

ipa-4-8:

  • f6c2a9d Don't move keys when key backup is disabled

Metadata Update from @rcritten:
- Issue tagged with: hsm

2 years ago

I think a lot has changed in the interim. The ca-add is successful but does not store the subca onto the HSM device. The NSS naming suggests that it may have tried to do the right thing. From the certutil output:

NSS Certificate DB:softhsm_token:caSigningCert cert-pki-ca c2c8a21b-21d7-4919-8ba2-9316b6ca61a5 u,u,u

The HSM (softhsm2) has no orphaned keys.

Based on the pki log I think that the token is being added to the nickname:

2022-08-29 19:27:08 [KeyRetrieverRunner-c2c8a21b-21d7-4919-8ba2-9316b6ca61a5] INFO: ExternalProcessKeyRetriever: Retrieving softhsm_token:caSigningCert cert-pki-ca c2c8a21b-21d7-4919-8ba2-9316b6ca61a5 ke
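The doubled token prefix in the Dogtag log from the original report and the certutil nickname quoted in this comment are both the NSS "token:nickname" convention going wrong. As an added illustration (not FreeIPA or Dogtag code), the Python below parses such names, reports chained token prefixes, and qualifies a nickname for a token without doubling it; the sample names are constructed from the ticket's log lines with shortened UUIDs, and INTERNAL_TOKENS is an assumption about the softoken's names.

```python
# Added example (not FreeIPA or Dogtag code): a small model of the NSS
# "token:nickname" convention, used to spot the mis-qualified nicknames
# that appear in the ticket's Dogtag log and certutil output.

# Assumed names of the NSS internal (software) token; certs stored there
# need no token prefix.
INTERNAL_TOKENS = {"NSS Certificate DB", "NSS FIPS 140-2 Certificate DB"}


def split_nickname(full):
    """Split 'token:nick' into (token, nick) on the first ':'.
    A bare nickname (no colon) lives in the internal token -> (None, nick)."""
    token, sep, nick = full.partition(":")
    return (token, nick) if sep else (None, full)


def prefixes(full):
    """Return every token prefix chained in front of the bare nickname.
    A correctly qualified HSM nickname yields exactly one entry; the
    ticket's 'newNickname' log line yields two, i.e. the token name was
    prepended to a name that already carried it."""
    found = []
    token, nick = split_nickname(full)
    while token is not None:
        found.append(token)
        token, nick = split_nickname(nick)
    return found


def qualify(token, nick):
    """Build the lookup name for `nick` on `token` without double-prefixing.
    An already qualified `nick` is returned unchanged when its prefix is
    `token` and rejected when it names a different token."""
    existing = prefixes(nick)
    if existing:
        if existing != [token]:
            raise ValueError(f"{nick!r} is not a plain nickname for token {token!r}")
        return nick
    if token is None or token in INTERNAL_TOKENS:
        return nick
    return f"{token}:{nick}"


# Constructed samples modelled on the ticket's log lines (UUIDs shortened).
DOUBLED = "UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd"
CERTUTIL = "NSS Certificate DB:softhsm_token:caSigningCert cert-pki-ca c2c8a21b"

if __name__ == "__main__":
    print(prefixes(DOUBLED))   # the HSM token name appears twice
    print(prefixes(CERTUTIL))  # HSM token name nested under the internal DB name
    print(qualify("softhsm_token", "caSigningCert cert-pki-ca c2c8a21b"))
```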

master:

  • cba3094 Support the certmonger nss-user option
  • e6078c6 Don't generate a cafile on HSM installations
  • 34f28f0 Add token support to installer certificate handling
  • 73d52a6 Only generate kracert.p12 when not installing with HSM
  • e323470 Don't move KRA keys when key backup is disabled
  • f658a26 doc: Add token-password-file to HSM design, set new OID
  • d9efa72 Add LDAP attribute ipaCaHSMConfiguration to store HSM state
  • 82c0b19 Add HSM configuration options to installer scripts
  • a99091a Add attribute ipacahsmconfiguration to the "Read CAs" ACI
  • 7ad3b48 Update SELinux policy to allow certmonger to PKI config files
  • 9362200 Add token support to the renew_ca_cert certmonger helper
  • d0c489e If HSM is configured add the token name to config-show output
  • 0708f60 renew_ca_cert: skip removing non-CA certs, fix nickname
  • b89aa91 renew_ca_cert: set peer trust on the KRA audit certificate
  • 06a8791 tests: helper to copy files from one host to another
  • 36dbc6b ipatests: test software HSM installation with server & replica
  • 6b894f2 After installing a KRA, copy the updated token to other machines
  • 31d66ba Validate the HSM token library path and name during installation
  • c6dd21f Remove caSigningCert from list of certs to renew
  • 87ecca0 Add SELinux subpackage for nCipher nfast HSM support
  • f8798b3 Add SELinux subpackage for Thales Luna HSM support
  • 1ec875c ipatests: test software HSM installation with server & replica
  • b63103c tests: Fix failing test test_testconfig.py with missing token variables
  • c6f2d02 dogtag-ipa-ca-renew-agent-submit: expect certs to be on HSMs
  • 31fda79 Prompt for token password if not provided in replica/ipa-ca-install
  • b9ec2fb KRA: force OAEP for some HSM-based installations
  • ea0bf40 After an HSM replica install ensure all certs are visible
  • bcd8d2d Require certmonger 0.79.17+ for required HSM changes
  • 879a937 Include the HSM tests in the nightlies
  • 6b6c187 Call hsm_validator on KRA installs and validate the HSM password
  • c861ce5 Add SELinux module checking to hsm_validator
  • 6af8577 docs: Add a section on SELinux modules to the HSM design

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

8 months ago
