pkispawn of KRA on HSM fails on both shared and nonshared tomcat instances
Steps to Reproduce:
Shared tomcat instance:

[root@sigma ~]# pkispawn -s KRA -f /tmp/kra_hsm_instance.inf
Loading deployment configuration from /tmp/kra_hsm_instance.inf.
Installing KRA into /var/lib/pki/pki-new-master.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-new-master/kra/deployment.cfg.
ERROR: Failed to add module "nfast". Probable cause : "The certificate/key database is in an old, unsupported format.".
pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['modutil', '-dbdir', '/etc/pki/pki-new-master/alias', '-nocertdb', '-add', 'nfast', '-libfile', '/opt/nfast/toolkits/pkcs11/libcknfast.so', '-force']' returned non-zero exit status 22!
Installation failed.

It is trying to add the HSM module to /etc/pki/<pki-tomcat>/alias where it was already added during CA installation.
Non-shared instance:

[root@sigma alias]# pkispawn -s KRA -f /tmp/kra_hsm_instance_nonshared.inf
Loading deployment configuration from /tmp/kra_hsm_instance_nonshared.inf.
Installing KRA into /var/lib/pki/rootkra.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/rootkra/kra/deployment.cfg.
Module "nfast" added to database.
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed to import certificate chain from security domain master: java.io.IOException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938) Encountered end of file."}
Installation failed.

KRA debug log has the following messages:

[16/Jun/2015:14:06:57][http-bio-31242-exec-3]: === Security Domain Panel ===
[16/Jun/2015:14:06:57][http-bio-31242-exec-3]: Joining existing security domain
[16/Jun/2015:14:06:57][http-bio-31242-exec-3]: Resolving security domain URLhttps://sigma.lab.eng.rdu.redhat.com:30042
[16/Jun/2015:14:06:57][http-bio-31242-exec-3]: Getting security domain cert chain
[16/Jun/2015:14:06:58][http-bio-31242-exec-3]: getHttpResponse: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938) Encountered end of file.
com.netscape.certsrv.base.PKIException: Failed to import certificate chain from security domain master: java.io.IOException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938) Encountered end of file.
    at org.dogtagpki.server.rest.SystemConfigService.getCertChainFromSecurityDomain(SystemConfigService.java:952)
    at org.dogtagpki.server.rest.SystemConfigService.logIntoSecurityDomain(SystemConfigService.java:927)
    at org.dogtagpki.server.rest.SystemConfigService.configureSecurityDomain(SystemConfigService.java:886)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:149)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:117)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Actual results:
pkispawn fails on both shared and nonshared tomcat instances
Expected results:
pkispawn should succeed on both shared and nonshared tomcat instances
Additional info:
Attaching config files used for both
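The shared-instance failure above is what happens when pkispawn runs modutil -add against an alias directory that already carries the nfast module from the CA installation. As an added illustration (this is not pkispawn's own code and not the checked-in fix), the following Python parses the output of modutil -list and only builds the -add command when the module is absent. The listing embedded below is constructed, modelled on modutil's "N. <name>" / "library name:" layout, and the argv mirrors the command quoted in the report; list_modules() is the only part that talks to a real NSS database.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample, modelled on the layout of `modutil -dbdir <dir> -list`:
# each module starts with an indented "N. <name>" line followed by indented
# "key: value" attribute lines. Real output uses tabs; the parser ignores that.
SAMPLE_LISTING = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. nfast
        library name: /opt/nfast/toolkits/pkcs11/libcknfast.so
         slots: 1 slot attached
        status: loaded

         slot: accelerator
        token: accelerator
-----------------------------------------------------------
"""

MODULE_LINE = re.compile(r"^\s*\d+\.\s+(?P<name>.+?)\s*$")
ATTR_LINE = re.compile(r"^\s*(?P<key>[a-z ]+):\s*(?P<value>.*?)\s*$")


def parse_modutil_listing(text: str) -> Dict[str, Dict[str, str]]:
    """Map module name -> its attributes (library name, status, ...)."""
    modules: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = MODULE_LINE.match(line)
        if m:
            current = m.group("name")
            modules[current] = {}
            continue
        a = ATTR_LINE.match(line)
        if a and current is not None:
            # slot/token lines repeat per slot; keep only the first occurrence of a key
            modules[current].setdefault(a.group("key").strip(), a.group("value"))
    return modules


def module_registered(listing: str, name: str, libfile: Optional[str] = None) -> bool:
    """True if a module with this name (and, if given, this library path) is listed."""
    mods = parse_modutil_listing(listing)
    if name not in mods:
        return False
    if libfile is None:
        return True
    return mods[name].get("library name") == libfile


def modutil_add_command(dbdir: str, name: str, libfile: str) -> List[str]:
    """The registration command pkispawn ran in the report, as an argv list."""
    return ["modutil", "-dbdir", dbdir, "-nocertdb",
            "-add", name, "-libfile", libfile, "-force"]


def plan_registration(listing: str, dbdir: str, name: str, libfile: str) -> Optional[List[str]]:
    """Return the argv to run, or None when the module is already registered.

    Deciding from the listing first is what avoids the second `-add` against a
    database that already holds the module (the shared-instance case above).
    """
    if module_registered(listing, name, libfile):
        return None
    return modutil_add_command(dbdir, name, libfile)


def list_modules(dbdir: str) -> str:
    """Fetch the live listing for dbdir (not used by the offline demo above)."""
    return subprocess.run(["modutil", "-dbdir", dbdir, "-list"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    NFAST = "/opt/nfast/toolkits/pkcs11/libcknfast.so"
    print(plan_registration(SAMPLE_LISTING, "/etc/pki/pki-new-master/alias", "nfast", NFAST))
    print(plan_registration(SAMPLE_LISTING, "/etc/pki/rootkra/alias", "otherhsm", "/opt/example/libexample-pkcs11.so"))
```

Against the constructed listing the first call returns None (nfast is already there, so nothing is re-added), while the second, for a hypothetical module that is not registered, yields the full modutil argv.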
Checked-in fix to 'master' to prevent re-registering a security module (shared instance):
Moving to 10.2.6 and marking 'critical'.
The remainder of this ticket will be addressed in the consolidated ticket:
The SSL_ForceHandshake failed issue has a workaround.
The workaround is the following: edit the CA's server.xml and replace the sslRangeCiphers value with the following:

sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
I will provide the actual fix in code in due time.
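To see what the workaround range above actually leaves enabled on the CA's connector before applying it, the following added Python (not Dogtag project code) parses the sslRangeCiphers value quoted in that comment into its ordered +/- entries, round-trips it back to the attribute string, and summarises the result by key-exchange family. The value is copied verbatim from the comment; the rule that the key-exchange part is whatever sits between "TLS_" and "_WITH_" is an assumption based on IANA-style suite names.

```python
from typing import Dict, List, Tuple

# The sslRangeCiphers value from the workaround comment above, copied verbatim
# so the analysis runs offline against the real setting.
WORKAROUND_SSL_RANGE_CIPHERS = (
    "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,"
    "-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,"
    "-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,"
    "-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,"
    "+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,"
    "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
    "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,"
    "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,"
    "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,"
    "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,"
    "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,"
    "+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,"
    "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,"
    "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
    "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,"
    "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
)


def parse_ssl_range_ciphers(value: str) -> List[Tuple[str, str]]:
    """Split an sslRangeCiphers value into ordered (sign, cipher) pairs.

    Every entry must start with '+' (enable) or '-' (disable) and name a
    TLS_ suite; anything else is rejected so a typo is caught before Tomcat
    reads server.xml.
    """
    entries: List[Tuple[str, str]] = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        sign, name = entry[0], entry[1:]
        if sign not in ("+", "-") or not name.startswith("TLS_"):
            raise ValueError(f"malformed sslRangeCiphers entry: {entry!r}")
        entries.append((sign, name))
    return entries


def render_ssl_range_ciphers(entries: List[Tuple[str, str]]) -> str:
    """Inverse of parse_ssl_range_ciphers; round-trips the original value."""
    return ",".join(sign + name for sign, name in entries)


def key_exchange(cipher: str) -> str:
    """'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' -> 'ECDHE_RSA' (assumed naming rule)."""
    if not cipher.startswith("TLS_") or "_WITH_" not in cipher:
        raise ValueError(f"not an IANA-style cipher suite name: {cipher!r}")
    return cipher[len("TLS_"):cipher.index("_WITH_")]


def summarize(value: str) -> Dict[str, object]:
    """What a range actually turns on, grouped the way a reviewer reads it."""
    entries = parse_ssl_range_ciphers(value)
    enabled = [c for s, c in entries if s == "+"]
    disabled = [c for s, c in entries if s == "-"]
    return {
        "enabled": enabled,
        "disabled": disabled,
        "enabled_key_exchange": sorted({key_exchange(c) for c in enabled}),
        "disabled_key_exchange": sorted({key_exchange(c) for c in disabled}),
        # DHE/ECDHE suites give forward secrecy; static RSA key transport does not
        "forward_secrecy": [c for c in enabled
                            if key_exchange(c).split("_")[0] in ("DHE", "ECDHE")],
        "3des": [c for c in enabled if "_3DES_" in c],
        "gcm": [c for c in enabled if "_GCM_" in c],
    }


if __name__ == "__main__":
    report = summarize(WORKAROUND_SSL_RANGE_CIPHERS)
    for key in ("enabled_key_exchange", "disabled_key_exchange", "forward_secrecy", "3des", "gcm"):
        print(f"{key}: {report[key]}")
```

Run on the quoted value, the summary shows that every ECDH and ECDHE suite is disabled and only RSA, DHE_DSS and DHE_RSA key exchange remains (16 suites enabled, 18 disabled), that ten of the enabled suites still provide forward secrecy via DHE, and that three 3DES suites are switched on. That is the trade the workaround makes while the SSL_ForceHandshake failure is open, and it is worth re-checking once the actual fix lands.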
Metadata Update from @mharmsen: - Issue set to the milestone: 10.2.5
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1986
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.