Bug
Resolution: Done
Critical
certsys-10.6
Description of problem:
CA installation fails with a systemd start timeout when the keys are on a LunaSA HSM
Version-Release number of selected component (if applicable):
RHCS 10.6 on RHEL 8.8 - LunaSA
Name : redhat-pki
Stream : 10 [d][e][a]
Version : 8080020240227223936
Context : 4125a91d
Architecture : x86_64
Profiles : common [d] [i]
Default profiles : common
Available HSMs:
Slot Id -> 0
HSM Label -> thalesLunaQE
HSM Serial Number -> 100084041
HSM Model -> LunaSA 7.11.0
HSM Firmware Version -> 7.11.1
HSM Configuration -> Luna Network HSM Slot (PW) Signing With Cloning Mode
HSM Status -> OK
How reproducible:
Always
Steps to Reproduce:
1. Install a CA on the LunaSA token with the following pkispawn config:
[DEFAULT]
pki_instance_name = topology-02-CA_prisingh
pki_https_port = 20443
pki_http_port = 20080
pki_token_password=********
pki_hsm_enable=True
pki_hsm_libfile=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
pki_hsm_modulename=nfast
pki_token_name=thalesLunaQE
pki_admin_password = SECret.123
pki_admin_key_type=rsa
pki_admin_key_size=2048
pki_admin_key_algorithm=SHA512withRSA
pki_hostname = pki1.example.com
pki_security_domain_name = topology-02_Foobarmaster.org
pki_security_domain_password = SECret.123
pki_client_dir = /opt/topology-02-CA-new
pki_client_pkcs12_password = SECret.123
pki_ds_password = SECret.123
pki_ds_ldap_port = 3389
pki_sslserver_key_algorithm=SHA512withRSA
pki_sslserver_key_size=2048
pki_sslserver_key_type=rsa
pki_subsystem_key_type=rsa
pki_subsystem_key_size=2048
pki_subsystem_key_algorithm=SHA512withRSA
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_key_size=2048
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA512withRSA
pki_sslserver_token=thalesLunaQE
pki_subsystem_token=thalesLunaQE
pki_audit_signing_token=thalesLunaQE
[Tomcat]
pki_ajp_port = 20009
pki_tomcat_server_port = 20005
[CA]
pki_import_admin_cert = False
pki_ds_hostname = pki1.example.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA
pki_ca_signing_token=thalesLunaQE
pki_ocsp_signing_token=thalesLunaQE
Actual results:
pkispawn failed with the following error:
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/topology-02-CA_prisingh/topology-02-CA_prisingh
DEBUG: - user: pkiuser
DEBUG: - group: pkiuser
DEBUG: Command: systemctl enable pki-tomcatd@topology-02-CA_prisingh.service
INFO: Starting PKI server
DEBUG: Command: systemctl start pki-tomcatd@topology-02-CA_prisingh.service
Job for pki-tomcatd@topology-02-CA_prisingh.service failed because a timeout was exceeded.
See "systemctl status pki-tomcatd@topology-02-CA_prisingh.service" and "journalctl -xe" for details.
ERROR: CalledProcessError: Command '['systemctl', 'start', 'pki-tomcatd@topology-02-CA_prisingh.service']' returned non-zero exit status 1.
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 568, in main
    deployer.spawn()
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 4990, in spawn
    scriptlet.spawn(self)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/finalization.py", line 79, in spawn
    timeout=deployer.request_timeout)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 421, in start
    subprocess.check_call(cmd)
  File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
    raise CalledProcessError(retcode, cmd)
Installation failed: Command failed: systemctl start pki-tomcatd@topology-02-CA_prisingh.service
Expected results:
The CA installation should complete and pki-tomcatd@topology-02-CA_prisingh.service should start within the systemd start timeout.
Additional info:
journalctl -xe output:
Apr 03 09:49:55 pki1.example.com pcscd[1480]: 00000149 winscard_svc.c:335:ContextThread() Rejected unauthorized>
Apr 03 09:49:55 pki1.example.com pcscd[1480]: 00207505 auth.c:139:IsClientAuthorized() Process 4852 (user: 17) >
Apr 03 09:49:55 pki1.example.com pcscd[1480]: 00000184 winscard_svc.c:335:ContextThread() Rejected unauthorized>
Apr 03 09:50:02 pki1.example.com pki-server[4889]: NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/jav>
Apr 03 09:50:02 pki1.example.com systemd[1]: pki-tomcatd@topology-02-CA_prisingh.service: Failed with result 't>
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The unit pki-tomcatd@topology-02-CA_prisingh.service has entered the 'failed' state with result 'timeout'.
Apr 03 09:50:02 pki1.example.com systemd[1]: Failed to start PKI Tomcat Server topology-02-CA_prisingh.
-- Subject: Unit pki-tomcatd@topology-02-CA_prisingh.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit pki-tomcatd@topology-02-CA_prisingh.service has failed.
--
-- The result is failed.
Apr 03 09:50:56 pki1.example.com systemd[1]: pcscd.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The unit pcscd.service has successfully entered the 'dead' state.
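Two checks worth running against a report like this, as an added example that is not code from the bug report or from the pki-server project: a preflight over the pkispawn config that catches the HSM settings most likely to break a CA install (pki_hsm_enable not True, pki_hsm_libfile missing or absent on disk, a *_token key in any section that does not name pki_token_name, which would silently place that key pair in a different token such as the NSS software database), and a triage pass over journal text that pulls out the systemd failure result per unit and any pcscd authorization rejections logged beside it. SAMPLE_CONFIG and SAMPLE_JOURNAL are constructed from the excerpts above (journal lines truncated the way journalctl truncated them); the pcscd entries are surfaced because they precede the timeout in this report, not because the page establishes them as its cause.

```python
"""Preflight and triage helpers for a pkispawn HSM install (added example,
not from the bug report or the pki-server project). The config keys are the
real pkispawn keys used above; the sample config and journal are constructed."""
import configparser
import os
import re

# Constructed: the HSM-relevant subset of the [DEFAULT]/[CA] config above.
SAMPLE_CONFIG = """\
[DEFAULT]
pki_instance_name = topology-02-CA_prisingh
pki_hsm_enable=True
pki_hsm_libfile=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
pki_hsm_modulename=nfast
pki_token_name=thalesLunaQE
pki_sslserver_token=thalesLunaQE
pki_subsystem_token=thalesLunaQE
pki_audit_signing_token=thalesLunaQE
[CA]
pki_ca_signing_token=thalesLunaQE
pki_ocsp_signing_token=thalesLunaQE
"""

# Constructed: journal lines in the shape of the report's journalctl excerpt.
SAMPLE_JOURNAL = """\
Apr 03 09:49:55 pki1.example.com pcscd[1480]: 00207505 auth.c:139:IsClientAuthorized() Process 4852 (user: 17) >
Apr 03 09:50:02 pki1.example.com pki-server[4889]: NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/jav>
Apr 03 09:50:02 pki1.example.com systemd[1]: pki-tomcatd@topology-02-CA_prisingh.service: Failed with result 'timeout'.
Apr 03 09:50:02 pki1.example.com systemd[1]: Failed to start PKI Tomcat Server topology-02-CA_prisingh.
"""


def check_hsm_config(text, libfile_exists=None):
    """Return a list of findings about the HSM settings; empty means consistent.
    libfile_exists overrides the on-disk check so this runs without the Luna client."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    defaults = cp["DEFAULT"]
    findings = []

    if defaults.get("pki_hsm_enable", "False").strip().lower() != "true":
        findings.append("pki_hsm_enable is not True")

    libfile = defaults.get("pki_hsm_libfile", "").strip()
    if not libfile:
        findings.append("pki_hsm_libfile is missing")
    else:
        present = os.path.isfile(libfile) if libfile_exists is None else libfile_exists
        if not present:
            findings.append("pki_hsm_libfile not found: " + libfile)

    token = defaults.get("pki_token_name", "").strip()
    if not token:
        findings.append("pki_token_name is missing")

    # Every *_token key, in [DEFAULT] or any subsystem section, must name the
    # same token. items() merges [DEFAULT] into each section, so collect the
    # mismatches by key to report each one once.
    mismatched = {}
    for section in ["DEFAULT"] + cp.sections():
        for key, value in cp.items(section, raw=True):
            if key.endswith("_token") and value.strip() != token:
                mismatched.setdefault(key, value.strip())
    for key, value in mismatched.items():
        findings.append(f"{key}={value} does not match pki_token_name={token}")
    return findings


SYSTEMD_RESULT_RE = re.compile(
    r"systemd\[\d+\]: (?P<unit>\S+\.service): Failed with result '(?P<result>[^']+)'")
PCSCD_REJECT_RE = re.compile(
    r"pcscd\[\d+\]: .*IsClientAuthorized\(\) Process (?P<pid>\d+) \(user: (?P<uid>\d+)\)")


def triage_journal(text):
    """Map each failed unit to its systemd result and list (pid, uid) pairs
    that pcscd refused to authorize, so both appear side by side."""
    failed_units = {}
    pcscd_rejected = []
    for line in text.splitlines():
        m = SYSTEMD_RESULT_RE.search(line)
        if m:
            failed_units[m.group("unit")] = m.group("result")
        m = PCSCD_REJECT_RE.search(line)
        if m:
            pcscd_rejected.append((int(m.group("pid")), int(m.group("uid"))))
    return {"failed_units": failed_units, "pcscd_rejected": pcscd_rejected}


if __name__ == "__main__":
    for finding in check_hsm_config(SAMPLE_CONFIG) or ["HSM config consistent"]:
        print(finding)
    print(triage_journal(SAMPLE_JOURNAL))
```

Run the config check before pkispawn; run the triage over `journalctl -u pki-tomcatd@<instance>.service` output once the start has timed out. `systemctl show -p TimeoutStartUSec pki-tomcatd@<instance>.service` shows the limit systemd applied, and the instance's Tomcat logs under /var/log/pki/<instance>/ show what the server was doing when that limit expired.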