Dogtag PKI / DOGTAG-584

Two-step KRA installation fails on HSM configured system


      Description of problem:
      KRA two-step installation fails on HSM configured system

      Version-Release number of selected component (if applicable):
      pki-server-10.11.0-0.3.alpha3.module+el8.5.0+11413+57da3eb7.noarch
      pki-kra-10.11.0-0.3.alpha3.module+el8.5.0+11413+57da3eb7.noarch
      pki-base-10.11.0-0.3.alpha3.module+el8.5.0+11413+57da3eb7.noarch
      pki-ca-10.11.0-0.3.alpha3.module+el8.5.0+11413+57da3eb7.noarch

      How reproducible:
      Always

      Steps to Reproduce:
      1. Install RHEL 8.5, enable FIPS and configure HSM
      2. Install DS and CA (HSM-enabled)
      3. Perform HSM configured two-step install of KRA

      # cat /tmp/test_dir/kra.cfg

      [DEFAULT]
      pki_instance_name = topology-cc-KRA
      pki_https_port = 21443
      pki_http_port = 21080
      pki_token_password=SECret.579
      pki_hsm_enable=True
      pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
      pki_hsm_modulename=nfast
      pki_token_name=NHSM6000-OCS
      pki_admin_password = SECret.123
      pki_admin_key_type=rsa
      pki_admin_key_size=2048
      pki_admin_key_algorithm=SHA512withRSA
      pki_hostname = pki1.example.com
      pki_security_domain_hostname = pki1.example.com
      pki_security_domain_https_port = 20443
      pki_security_domain_name = topology-cc_Foobarmaster.org
      pki_security_domain_password = SECret.123
      pki_client_dir = /opt/topology-cc-KRA
      pki_client_pkcs12_password = SECret.123
      pki_client_database_password = SECret.123
      pki_ds_password = SECret.123
      pki_ds_ldap_port = 3389
      pki_ds_remove_data = True
      pki_ds_bind_dn = CN=Directory Manager
      pki_ds_secure_connection = True
      pki_ds_secure_connection_ca_pem_file = /tmp/rootCA.pem
      pki_ds_ldaps_port = 2636
      pki_sslserver_key_algorithm=SHA512withRSA
      pki_sslserver_key_size=2048
      pki_sslserver_key_type=rsa
      pki_subsystem_key_algorithm=SHA512withRSA
      pki_subsystem_key_size=2048
      pki_subsystem_key_type=rsa
      pki_audit_signing_key_algorithm=SHA512withRSA
      pki_audit_signing_key_size=2048
      pki_audit_signing_key_type=rsa
      pki_audit_signing_signing_algorithm=SHA512withRSA
      pki_cert_chain_path=/tmp/rootCA.pem
      pki_sslserver_token=NHSM6000-OCS
      pki_subsystem_token=NHSM6000-OCS
      pki_audit_signing_token=NHSM6000-OCS

      [Tomcat]
      pki_ajp_port = 21009
      pki_tomcat_server_port = 21005

      [KRA]
      pki_import_admin_cert = False
      pki_admin_nickname = PKI KRA Administrator for Example.Org
      pki_ds_hostname = pki1.example.com
      pki_storage_key_algorithm=SHA512withRSA
      pki_storage_key_size=2048
      pki_storage_key_type=rsa
      pki_storage_signing_algorithm=SHA512withRSA
      pki_transport_key_algorithm=SHA512withRSA
      pki_transport_key_size=2048
      pki_transport_key_type=rsa
      pki_transport_signing_algorithm=SHA512withRSA
      pki_ca_signing_cert_path = /tmp/rootCA.pem
      pki_ca_signing_nickname = caSigningCert cert-topology-cc-CA CA
      pki_admin_cert_path = /opt/pki/certdb/kra-admin.crt
      pki_audit_signing_cert_path = /opt/pki/certdb/kra-audit-signing.crt
      pki_sslserver_cert_path = /opt/pki/certdb/kra-sslserver.crt
      pki_subsystem_cert_path = /opt/pki/certdb/kra-subsystem.crt
      pki_transport_cert_path = /opt/pki/certdb/kra-transport.crt
      pki_storage_cert_path = /opt/pki/certdb/kra-storage.crt
      pki_admin_csr_path = /opt/pki/certdb/kra-admin.csr
      pki_audit_signing_csr_path = /opt/pki/certdb/kra-audit-signing.csr
      pki_sslserver_csr_path = /opt/pki/certdb/kra-sslserver.csr
      pki_subsystem_csr_path = /opt/pki/certdb/kra-subsystem.csr
      pki_transport_csr_path = /opt/pki/certdb/kra-transport.csr
      pki_storage_csr_path = /opt/pki/certdb/kra-storage.csr
      pki_external_step_two = True
      pki_external = True
      pki_storage_token=NHSM6000-OCS
      pki_transport_token=NHSM6000-OCS

      Actual results:
      KRA installation fails in second step with error:
      INFO: Starting PKI server
      DEBUG: Command: systemctl start pki-tomcatd@topology-cc-KRA.service
      Job for pki-tomcatd@topology-cc-KRA.service failed because the control process exited with error code.
      See "systemctl status pki-tomcatd@topology-cc-KRA.service" and "journalctl -xe" for details.
      CalledProcessError: Command '['systemctl', 'start', 'pki-tomcatd@topology-cc-KRA.service']' returned non-zero exit status 1.
      File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
      scriptlet.spawn(deployer)
      File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 702, in spawn
      timeout=deployer.request_timeout)
      File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 335, in start
      subprocess.check_call(cmd)
      File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
      raise CalledProcessError(retcode, cmd)

      Installation failed: Command failed: systemctl start pki-tomcatd@topology-cc-KRA.service

      Please check pkispawn logs in /var/log/pki/pki-kra-spawn.20210712122139.log

      <messages log>:
      Jul 12 12:29:37 pki1 systemd[1]: Starting PKI Tomcat Server topology-cc-KRA...
      Jul 12 12:29:37 pki1 pki-server[61767]: ERROR: [Errno 13] Permission denied: '/etc/pki/topology-cc-KRA/alias/NHSM6000-OCScert9.db'
      Jul 12 12:29:37 pki1 pki-server[61767]: Traceback (most recent call last):
      Jul 12 12:29:37 pki1 pki-server[61767]: File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 41, in <module>
      Jul 12 12:29:37 pki1 pki-server[61767]: cli.execute(sys.argv)
      Jul 12 12:29:37 pki1 pki-server[61767]: File "/usr/lib/python3.6/site-packages/pki/server/cli/__init__.py", line 145, in execute
      Jul 12 12:29:37 pki1 pki-server[61767]: super(PKIServerCLI, self).execute(args)
      Jul 12 12:29:37 pki1 pki-server[61767]: File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 217, in execute
      Jul 12 12:29:37 pki1 pki-server[61767]: module.execute(module_args)
      Jul 12 12:29:37 pki1 pki-server[61767]: File "/usr/lib/python3.6/site-packages/pki/server/cli/upgrade.py", line 151, in execute
      Jul 12 12:29:37 pki1 pki-server[61767]: tracker_version)
      Jul 12 12:29:37 pki1 pki-server[61767]: File "/usr/lib/python3.6/site-packages/pki/server/cli/upgrade.py", line 178, in upgrade
      Jul 12 12:29:37 pki1 pki-server[61767]: upgrader.upgrade()
      Jul 12 12:29:37 pki1 pki-server[61767]: File "/usr/lib/python3.6/site-packages/pki/upgrade.py", line 484, in upgrade
      Jul 12 12:29:37 pki1 pki-server[61767]: self.upgrade_version(version)
      Jul 12 12:29:37 pki1 pki-server[61767]: File "/usr/lib/python3.6/site-packages/pki/upgrade.py", line 459, in upgrade_version
      Jul 12 12:29:37 pki1 pki-server[61767]: self.run_scriptlet(scriptlet)
      Jul 12 12:29:37 pki1 pki-server[61767]: File "/usr/lib/python3.6/site-packages/pki/server/upgrade.py", line 108, in run_scriptlet
      Jul 12 12:29:37 pki1 pki-server[61767]: scriptlet.upgrade_instance(self.instance)
      Jul 12 12:29:37 pki1 pki-server[61767]: File "/usr/share/pki/server/upgrade/10.11.0/03-ConvertNSSDatabase.py", line 24, in upgrade_instance
      Jul 12 12:29:37 pki1 pki-server[61767]: self.backup(instance.nssdb_dir)
      Jul 12 12:29:37 pki1 pki-server[61767]: File "/usr/lib/python3.6/site-packages/pki/upgrade.py", line 197, in backup
      Jul 12 12:29:37 pki1 pki-server[61767]: self.upgrader.backup(self, path)
      Jul 12 12:29:37 pki1 pki-server[61767]: File "/usr/lib/python3.6/site-packages/pki/upgrade.py", line 441, in backup
      Jul 12 12:29:37 pki1 pki-server[61767]: self.copyfile(sourcefile, targetfile)
      Jul 12 12:29:37 pki1 pki-server[61767]: File "/usr/lib/python3.6/site-packages/pki/server/upgrade.py", line 90, in copyfile
      Jul 12 12:29:37 pki1 pki-server[61767]: self.instance.copyfile(source, dest, force=force)
      Jul 12 12:29:37 pki1 pki-server[61767]: File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 582, in copyfile
      Jul 12 12:29:37 pki1 pki-server[61767]: force=force)
      Jul 12 12:29:37 pki1 pki-server[61767]: File "/usr/lib/python3.6/site-packages/pki/util.py", line 213, in copyfile
      Jul 12 12:29:37 pki1 pki-server[61767]: shutil.copyfile(source, dest)
      Jul 12 12:29:37 pki1 pki-server[61767]: File "/usr/lib64/python3.6/shutil.py", line 120, in copyfile
      Jul 12 12:29:37 pki1 pki-server[61767]: with open(src, 'rb') as fsrc:
      Jul 12 12:29:37 pki1 pki-server[61767]: PermissionError: [Errno 13] Permission denied: '/etc/pki/topology-cc-KRA/alias/NHSM6000-OCScert9.db'
      Jul 12 12:29:37 pki1 systemd[1]: pki-tomcatd@topology-cc-KRA.service: Control process exited, code=exited status=1
      Jul 12 12:29:37 pki1 systemd[1]: pki-tomcatd@topology-cc-KRA.service: Failed with result 'exit-code'.
      Jul 12 12:29:37 pki1 systemd[1]: Failed to start PKI Tomcat Server topology-cc-KRA.
      Jul 12 12:29:44 pki1 systemd[1]: session-4.scope: Succeeded.
      Jul 12 12:29:44 pki1 systemd-logind[1340]: Session 4 logged out. Waiting for processes to exit.
      Jul 12 12:29:44 pki1 systemd-logind[1340]: Removed session 4.

      # ll /etc/pki/topology-cc-KRA/alias/
        total 144
        -rw-rw----. 1 pkiuser pkiuser  2860 Jul 12 10:57 ca.crt
        -rw-------. 1 pkiuser pkiuser 36864 Jul 12 12:28 cert9.db
        -rw-------. 1 pkiuser pkiuser 45056 Jul 12 12:28 key4.db
        -rw-------. 1 root    root    28672 Jul 12 12:22 NHSM6000-OCScert9.db
        -rw-------. 1 root    root    28672 Jul 12 12:22 NHSM6000-OCSkey4.db
        -rw-------. 1 pkiuser pkiuser   513 Jul 12 12:02 pkcs11.txt

      Expected results:
      KRA two-step installation should succeed on HSM configured system

      Additional info:
      Same procedure works on RHEL 8.4 bits: https://gitlab.cee.redhat.com/cpinjani/pki-pytest-ansible/-/jobs/4015289
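The traceback and the directory listing above point at one cause: the HSM-token-prefixed NSS databases (NHSM6000-OCScert9.db, NHSM6000-OCSkey4.db) are owned by root with mode 0600, and the 10.11.0 upgrade scriptlet that backs up the alias directory runs as the instance user, so the first unreadable file aborts startup. The following pre-flight check is an added example, not Dogtag PKI code and not part of this report. It assumes the instance user is pkiuser and the NSS database directory is /etc/pki/<instance>/alias, as in the report; the listing embedded in the code is constructed to mirror the `ll` output above.

```shell
#!/bin/sh
# Added example, not Dogtag PKI project code. Two small checks for the failure
# in the report: a root-owned 0600 file inside the instance NSS database
# directory that the upgrade scriptlet (running as the instance user) cannot
# read when pki-tomcatd starts.

# check_alias_dir DIR UID
#   Live check: print every regular file directly under DIR that is not owned
#   by UID (numeric, e.g. "$(id -u pkiuser)"). Returns 1 if any were found.
#   A numeric uid is used so the check also runs on a machine where the
#   instance user does not exist.
check_alias_dir() {
    dir=$1
    uid=$2
    bad=$(find "$dir" -maxdepth 1 -type f ! -uid "$uid" | sort)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# foreign_owned_from_listing USER
#   Offline triage: read an `ls -l` listing on stdin (as pasted into a bug
#   report) and print the names of files whose owner column is not USER.
#   Assumes file names without spaces, as in the listing above.
foreign_owned_from_listing() {
    awk -v user="$1" 'NF >= 9 && $3 != user { print $9 }'
}

# Constructed listing modelled on the `ll` output in the report (same owners
# and modes); the two HSM-token-prefixed databases are the ones that break
# startup.
SAMPLE_LISTING='total 144
-rw-rw----. 1 pkiuser pkiuser  2860 Jul 12 10:57 ca.crt
-rw-------. 1 pkiuser pkiuser 36864 Jul 12 12:28 cert9.db
-rw-------. 1 pkiuser pkiuser 45056 Jul 12 12:28 key4.db
-rw-------. 1 root    root    28672 Jul 12 12:22 NHSM6000-OCScert9.db
-rw-------. 1 root    root    28672 Jul 12 12:22 NHSM6000-OCSkey4.db
-rw-------. 1 pkiuser pkiuser   513 Jul 12 12:02 pkcs11.txt'

# Demo over the constructed listing; prints the two root-owned databases.
printf '%s\n' "$SAMPLE_LISTING" | foreign_owned_from_listing pkiuser
```

On the affected host the live form is `check_alias_dir /etc/pki/topology-cc-KRA/alias "$(id -u pkiuser)"` run before `systemctl start pki-tomcatd@topology-cc-KRA.service`; a non-zero exit names the files the instance user cannot read, so step two of the install can be retried once their ownership matches the rest of the alias directory instead of failing inside the upgrade scriptlet.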

              cfu@redhat.com Christina Fu
              cpinjani@redhat.com Chandan Pinjani (Inactive)