Interactive pkispawn of CA with HSM fails
Steps to Reproduce:
# pkispawn
Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]:
Tomcat:
  Instance [pki-tomcat]:
  HTTP port [8080]:
  Secure HTTP port [8443]:
  AJP port [8009]:
  Management port [8005]:
Administrator:
  Username [caadmin]:
  Password:
  Verify password:
  Import certificate (Yes/No) [N]?
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:
Using hardware security module (HSM) (Yes/No) [N]? Y
HSM Module Name (e. g. - nethsm): nethsm
HSM Lib File (e. g. - /opt/nfast/toolkits/pkcs11/libcknfast.so): /opt/nfast/toolkits/pkcs11/libcknfast.so
Directory Server:
  Hostname [sigma.lab.eng.rdu.redhat.com]:
  Use a secure LDAPS connection (Yes/No/Quit) [N]?
  LDAP Port [389]:
  Bind DN [cn=Directory Manager]:
  Password:
  Base DN [o=pki-tomcat-CA]: dc=pki-ca
Security Domain:
  Name [lab.eng.rdu.redhat.com Security Domain]:
Begin installation (Yes/No/Quit)? yes
Installing CA into /var/lib/pki/pki-tomcat.
pkispawn    : ERROR    ....... Since Hardware Security Modules (HSMs) do not allow their private keys to be extracted to PKCS #12 files, the 'pki_backup_keys' and 'pki_backup_password' variables may not be utilized with HSMs. Please contact the HSM vendor regarding their specific backup mechanism.
Installation failed.
Actual results:
Installation fails. Did not see a prompt for HSM token name and password.
Expected results:
Installation should be successful.
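The error above comes from a constraint pkispawn enforces on its deployment configuration: when an HSM is in use, the private keys live on the token and cannot be exported to a PKCS #12 file, so pki_backup_keys and pki_backup_password must not be set. The following is an added example, not code from the Dogtag PKI project, that applies the same consistency check to a pkispawn-style config file before an install is attempted. Only pki_backup_keys and pki_backup_password appear on this page; the other key names (pki_hsm_enable, pki_hsm_modulename, pki_hsm_libfile, pki_token_name, pki_token_password) are assumed here to match pkispawn's deployment config names, and the two sample configs, including the token name and password values, are constructed for illustration.

```python
import configparser

# Values pkispawn-style configs use for booleans (assumed; case-insensitive).
TRUE_VALUES = {"true", "yes", "on", "1"}


def to_bool(value):
    """Interpret a config string as a boolean."""
    return str(value).strip().lower() in TRUE_VALUES


def check_hsm_backup_conflict(cfg_text, section="CA"):
    """Return a list of problems with an HSM deployment config.

    An empty list means the config is consistent with the rule from the
    pkispawn error message: with an HSM, keys cannot be backed up to PKCS #12,
    so pki_backup_keys must be off and pki_backup_password must be unset.
    Keys named here other than pki_backup_* are assumed pkispawn key names.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    # Subsystem section inherits from [DEFAULT]; fall back to DEFAULT if absent.
    sec = parser[section] if parser.has_section(section) else parser["DEFAULT"]

    problems = []
    if not to_bool(sec.get("pki_hsm_enable", "False")):
        # Software token: PKCS #12 key backup is allowed, nothing to check.
        return problems

    if to_bool(sec.get("pki_backup_keys", "False")):
        problems.append(
            "pki_backup_keys=True is not allowed with an HSM: "
            "private keys cannot be extracted to PKCS #12 files"
        )
    if sec.get("pki_backup_password", "").strip():
        problems.append(
            "pki_backup_password is set but cannot be used with an HSM; remove it"
        )
    # An HSM install also needs the module, library and token identified.
    for key in ("pki_hsm_libfile", "pki_hsm_modulename", "pki_token_name"):
        if not sec.get(key, "").strip():
            problems.append(f"{key} must be set when pki_hsm_enable=True")
    return problems


# Constructed config mirroring the interactive wizard's answers on this page:
# HSM selected, backup of keys still enabled, no token name ever prompted for.
WIZARD_CONFIG = """
[DEFAULT]
pki_instance_name=pki-tomcat
pki_hsm_enable=True
pki_hsm_modulename=nethsm
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_token_name=
pki_backup_keys=True
pki_backup_password=constructed-backup-password

[CA]
pki_admin_uid=caadmin
"""

# Constructed corrected config: backup disabled, token identified.
CORRECTED_CONFIG = """
[DEFAULT]
pki_instance_name=pki-tomcat
pki_hsm_enable=True
pki_hsm_modulename=nethsm
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_token_name=placeholder-token-name
pki_token_password=placeholder-token-password
pki_backup_keys=False

[CA]
pki_admin_uid=caadmin
"""

if __name__ == "__main__":
    for name, cfg in (("wizard", WIZARD_CONFIG), ("corrected", CORRECTED_CONFIG)):
        found = check_hsm_backup_conflict(cfg)
        print(f"{name}: {'OK' if not found else 'FAIL'}")
        for p in found:
            print(f"  - {p}")
```

Run against the wizard-style config the check reports the backup conflict (and the missing token name) before pkispawn would, which is the kind of pre-flight validation a non-interactive deployment pipeline can apply to the config file it feeds to pkispawn -f.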
Per CS/DS meeting of 06/15/2015: 10.2.5
For the purposes of 10.2.5, it was decided that we would most likely merely 'suppress' interactive HSM installation, and re-visit this in a later version of the product.
If this is the route taken, this will need to be documented in the product.
Suppress interactive HSM installation 20150615-Suppress-interactive-HSM-installation.patch
On 06/16/15 12:24, John Magne wrote:
This patch is reasonable based upon the wishes of cfu in the last meeting for this issue. The decision was made to disable the feature by throwing up a message when the user tries to use an HSM module during the interactive method of pkispawn. This method also allows a self-documenting feature where the user is informed that this does not yet work without wading through a bunch of confusing resulting errors. Having the code commented out seems fine since one of the goals of this fix was to be able to re-establish the code when we get the time to fix it. ACK
Checked into 'master':
Metadata Update from @mharmsen:
- Issue assigned to mharmsen
- Issue set to the milestone: 10.2.5
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1978
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.