#1429 pkispawn of TKS on HSM fails on both shared and nonshared tomcat instances
Closed: Fixed None Opened 8 years ago by mharmsen.

pkispawn of TKS on HSM fails on both shared and nonshared tomcat instances

Steps to Reproduce:

Shared Tomcat Instance

[root@sigma ~]# pkispawn -s TKS -f /tmp/tks_hsm_instance_shared.inf
Loading deployment configuration from /tmp/kra_hsm_instance_shared.inf.
Installing TKS into /var/lib/pki/pki-new-master.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-new-master/tks/deployment.cfg.
ERROR: Failed to add module "nfast". Probable cause : "The certificate/key database is in an old, unsupported format.".
pkispawn    : ERROR    ....... subprocess.CalledProcessError:  Command '['modutil', '-dbdir', '/etc/pki/pki-new-master/alias', '-nocertdb', '-add', 'nfast', '-libfile', '/opt/nfast/toolkits/pkcs11/libcknfast.so', '-force']' returned non-zero exit status 22!

Installation failed.

It is trying to add the HSM module to /etc/pki/<pki-tomcat>/alias, where it was already added during CA installation.

Non shared tomcat instance

[root@sigma dogtag]# pkispawn -s TKS -f /tmp/tks_hsm_instance_nonshared.inf
Loading deployment configuration from /tmp/tks_hsm_instance_nonshared.inf.
Installing TKS into /var/lib/pki/roottks.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/roottks/tks/deployment.cfg.
Module "nfast" added to database.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed to import certificate chain from security domain master: java.io.IOException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938) Encountered end of file."}

Installation failed.

TKS debug log

[18/Jun/2015:10:21:49][http-bio-31801-exec-3]: === Security Domain Panel ===
[18/Jun/2015:10:21:49][http-bio-31801-exec-3]: Joining existing security domain
[18/Jun/2015:10:21:49][http-bio-31801-exec-3]: Resolving security domain URLhttps://sigma.lab.eng.rdu.redhat.com:30042
[18/Jun/2015:10:21:49][http-bio-31801-exec-3]: Getting security domain cert chain
[18/Jun/2015:10:21:49][http-bio-31801-exec-3]: getHttpResponse: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938) Encountered end of file.
com.netscape.certsrv.base.PKIException: Failed to import certificate chain from security domain master: java.io.IOException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938) Encountered end of file.
        at org.dogtagpki.server.rest.SystemConfigService.getCertChainFromSecurityDomain(SystemConfigService.java:952)
        at org.dogtagpki.server.rest.SystemConfigService.logIntoSecurityDomain(SystemConfigService.java:927)
        at org.dogtagpki.server.rest.SystemConfigService.configureSecurityDomain(SystemConfigService.java:886)
        at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:149)
        at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:117)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
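The shared-instance failure above comes from running `modutil -add` a second time against an alias database in which the CA install already registered the module. As an added example (not pkispawn's or Dogtag's own code), this shell wrapper consults `modutil -list` first and only adds the module when it is absent; the `ensure_module`/`plan_module_add` names and the sample listing are constructed here.

```shell
#!/bin/sh
# Added example, not Dogtag code: idempotent PKCS#11 module registration for
# an NSS database shared by several subsystems (CA, then TKS) in one instance.

# module_registered LISTING NAME
# LISTING is the text printed by `modutil -dbdir DBDIR -list`, which names
# each module on its own line such as "  2. nfast". Returns 0 if NAME is there.
module_registered() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*[0-9]+\. $2[[:space:]]*\$"
}

# plan_module_add LISTING NAME -> prints "skip" when already registered, else "add"
plan_module_add() {
    if module_registered "$1" "$2"; then echo skip; else echo add; fi
}

# ensure_module DBDIR NAME LIBFILE
# Runs modutil only when the module is missing, using the same -nocertdb/-force
# arguments that appear in the failing pkispawn command above.
ensure_module() {
    dbdir="$1"; name="$2"; libfile="$3"
    listing=$(modutil -dbdir "$dbdir" -list 2>/dev/null) || return 1
    case $(plan_module_add "$listing" "$name") in
        skip) echo "module $name already registered in $dbdir" ;;
        add)  modutil -dbdir "$dbdir" -nocertdb -add "$name" \
                      -libfile "$libfile" -force ;;
    esac
}

# Constructed sample listing, shaped like `modutil -list` output after a CA
# install has registered the nfast module in the shared alias directory.
SAMPLE_LISTING='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

  2. nfast
        library name: /opt/nfast/toolkits/pkcs11/libcknfast.so
         slots: 1 slot attached
        status: loaded
-----------------------------------------------------------'
```

On a live system call `ensure_module /etc/pki/pki-new-master/alias nfast /opt/nfast/toolkits/pkcs11/libcknfast.so`; the second subsystem install then reports the module as already registered instead of failing.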

Checked-in fix to 'master' to prevent re-registering a security module (shared instance):

  • d54544b7732baebf6a93ee50708e445921478034

Moving to 10.2.6 and marking 'critical'.

The remainder of this ticket will be addressed in the consolidated ticket:

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.2.5

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1989

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
