Issue #1427: pkispawn of OCSP on HSM fails on both shared and nonshared tomcat instances - dogtagpki

dogtagpki

#1427 pkispawn of OCSP on HSM fails on both shared and nonshared tomcat instances

Closed: Fixed None Opened 8 years ago by mharmsen.

pkispawn of OCSP on HSM fails on both shared and nonshared tomcat instances

Steps to Reproduce:

Non shared tomcat instance:

[root@sigma ~]# pkispawn -s OCSP -f /tmp/ocsp_hsm_instance_nonshared.inf
Loading deployment configuration from /tmp/ocsp_hsm_instance_nonshared.inf.
Installing OCSP into /var/lib/pki/rootocsp.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/rootocsp/ocsp/deployment.cfg.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500
Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token):
line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.cert
srv.base.PKIException","Code":500,"Message":"Error in setting certificate names
and key sizes: java.io.IOException: java.io.IOException: SSL_ForceHandshake
failed: (-5938) Encountered end of file."}

Installation failed.

Attaching the ocsp debug log

Shared tomcat instance:

[root@sigma ~]# pkispawn -s OCSP -f /tmp/ocsp_hsm_instance_shared.inf
Loading deployment configuration from /tmp/ocsp_hsm_instance_shared.inf.
Installing OCSP into /var/lib/pki/pki-new-master.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-new-master/ocsp/deployment.cfg.
ERROR: Failed to add module "nfast". Probable cause : "The certificate/key
database is in an old, unsupported format.".
pkispawn    : ERROR    ....... subprocess.CalledProcessError:  Command
'['modutil', '-dbdir', '/etc/pki/pki-new-master/alias', '-nocertdb', '-add',
'nfast', '-libfile', '/opt/nfast/toolkits/pkcs11/libcknfast.so', '-force']'
returned non-zero exit status 22!

Installation failed.

Trying to add hsm module nfast when it already exist

Actual results:

pkispawn fails

Expected results:

pkispawn should succeed

mharmsen commented 8 years ago

Checked-in fix to 'master' to prevent re-registering a security module (shared instance):

d54544b7732baebf6a93ee50708e445921478034

mharmsen commented 8 years ago

Moving to 10.2.6 and marking 'critical'.

mharmsen commented 8 years ago

The remainder of this ticket will be addressed in the consolidated ticket:

PKI TRAC Ticket #1438 - pkispawn of non-CA on HSM on both shared and nonshared tomcat instances

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.2.5

7 years ago

dmoluguw commented 3 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1987

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata

Assignee

None

Tags

None

Blocking

None

Depending on

None

Priority

critical

Milestone

10.2.5

lowhangingfruit

None

reporter

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1232948

type

defect

version

None

keywords

None

estimate

None

feature

None

origin

proposedpriority

None

fixedinversion

None

platforms

None

blockedby

None

blocking

None

reviewer

None

component

OCSP

proposedmilestone

None

dogtagpki

Source Code

#1427 pkispawn of OCSP on HSM fails on both shared and nonshared tomcat instances Closed: Fixed None Opened 8 years ago by mharmsen.

Metadata

#1427 pkispawn of OCSP on HSM fails on both shared and nonshared tomcat instances

Closed: Fixed None Opened 8 years ago by mharmsen.