#9626 ipa-replica/server-install with softhsm needs to check permission/ownership of /var/lib/softhsm/tokens to avoid install failure.
Closed: fixed 6 months ago by rcritten. Opened 6 months ago by sumenon.

Issue

ipa-replica-install with softhsm should check permission/ownership of /var/lib/softhsm/tokens to avoid install failure.

Steps to Reproduce

  1. Install IPA server
  2. Copy the token from IPA server to Replica
  3. Install replica using the token.

Actual behavior

Currently we are adding pkiuser to group ods; if that is missing on the replica/server, the installation fails.
strace shows the error below:
/var/lib/softhsm/tokens", 0x7fff117d7a00, 0) = -1 EACCES (Permission denied), which is caused by pkiuser not being a member of the ods group.

org.mozilla.jss.NoSuchTokenException: No such token: ipa_token
at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:198)
at com.netscape.cmsutil.crypto.CryptoUtil.getKeyStorageToken(CryptoUtil.java:404)
at com.netscape.cmstools.cli.MainCLI.init(MainCLI.java:549)
at com.netscape.cmstools.nss.NSSCertImportCLI.execute(NSSCertImportCLI.java:69)
at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
at org.dogtagpki.cli.CLI.execute(CLI.java:353)
at org.dogtagpki.cli.CLI.execute(CLI.java:353)
at org.dogtagpki.cli.CLI.execute(CLI.java:353)
at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:659)
at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)
DEBUG: NSSDatabase.import_cert_chain(caSigningCert External CA) ends

Expected behavior

Try to check permission to avoid this issue.

Version/Release/Distribution

freeipa-server-4.12.1-1.fc41.x86_64
389-ds-base-3.1.0-10.fc41.x86_64
dogtag-pki-ca-11.5.0-3.fc41.1.noarch
krb5-server-1.21.2-5.fc40.x86_64
softhsm-2.6.1-9.fc40.x86_64
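An added example, not FreeIPA's own code, of the pre-flight check this report asks for: given a token directory, a service user's uid and its group list, it applies the same owner/group/other rule as access(2) and explains a denial (for instance, that the user is not in the directory's group, as with pkiuser and ods above). The directory, uid and gid values in selfcheck() are constructed inputs.

```python
import os
import stat
import tempfile
from typing import NamedTuple, Set


class TokenDirCheck(NamedTuple):
    ok: bool
    reason: str


def check_token_dir_access(path: str, uid: int, gids: Set[int]) -> TokenDirCheck:
    """Decide whether a user with this uid and group set could list and
    traverse `path` (r+x on the directory), using the owner/group/other
    selection the kernel uses for access(2). Intended for a softhsm token
    directory such as /var/lib/softhsm/tokens, checked for the PKI service
    user before the HSM validation step runs."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return TokenDirCheck(False, f"{path} does not exist")
    if not stat.S_ISDIR(st.st_mode):
        return TokenDirCheck(False, f"{path} is not a directory")
    if uid == 0:
        return TokenDirCheck(True, "uid 0 bypasses DAC permission bits")
    mode = stat.S_IMODE(st.st_mode)
    # Exactly one class of bits applies: owner, else group, else other.
    if uid == st.st_uid:
        bits, who = (mode >> 6) & 0o7, "owner"
    elif st.st_gid in gids:
        bits, who = (mode >> 3) & 0o7, "group"
    else:
        bits, who = mode & 0o7, "other"
    need = 0o5  # read (list) + execute (traverse)
    if bits & need == need:
        return TokenDirCheck(True, f"granted via {who} bits of {oct(mode)}")
    hint = ""
    if who == "other" and (mode >> 3) & need == need:
        hint = f"; uid {uid} is not in gid {st.st_gid}, whose bits would grant it"
    return TokenDirCheck(False, f"{who} bits of {oct(mode)} on {path} lack r+x{hint}")


def selfcheck():
    """Constructed scenario: a 0770 token dir, probed as its owner, as a
    non-owner in its group, and as a non-owner outside the group."""
    d = tempfile.mkdtemp(prefix="tokens-")
    os.chmod(d, 0o770)
    st = os.stat(d)
    other_uid = st.st_uid + 1  # some non-root uid that is not the owner
    return (check_token_dir_access(d, st.st_uid, set()),
            check_token_dir_access(d, other_uid, {st.st_gid}),
            check_token_dir_access(d, other_uid, set()))
```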


Metadata Update from @rcritten:
- Issue assigned to rcritten

6 months ago

master:

  • 202de16 Run HSM validation as pkiuser to verify token permissions
6 months ago

ipa-4-12:

  • 38b83c2 Run HSM validation as pkiuser to verify token permissions

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 months ago

master:

  • 58c1fdd ipatests: Replace 'usermod -r' command with 'gpasswd -d' in test_hsm.py

ipa-4-12:

  • ed813fe ipatests: Replace 'usermod -r' command with 'gpasswd -d' in test_hsm.py
