#1444 pkispawn: installation aborts when HSM contains empty slots
Closed: Fixed None Opened 8 years ago by cfu.

When I tried to install a KRA on a shared tomcat instance with its CA on HSM, I got the following error:
pkispawn : INFO ....... security module 'lunasa' is not registered.
pkispawn : INFO ....... executing 'modutil -dbdir /etc/pki/pki-cfu2/alias -nocertdb -add lunasa -libfile /usr/safenet/lunaclient/lib/libCryptoki2_64.so -force'
ERROR: Failed to add module "lunasa". Probable cause : "The certificate/key database is in an old, unsupported format.".

Upon close examination of the code in server/python/pki/server/deployment/pkihelper.py : is_security_module_registered, it appears that if modutil returns an error, pkispawn quits out of there, and it thinks the module is unregistered so it attempts to register the module (which is wrong, as the CA already registered the module).

Turns out on the lunasa, I have three empty slots, which would cause modutil to spit out errors for those slots if I try to list them by calling (mimicking pkispawn code):
modutil -dbdir . -nocertdb -list lunasa
...
ERROR: Unable to get information about token "".
...
ERROR: Unable to get information about token "".

We should make pkispawn more forgiving. If lunasa token is registered, it should just report it is registered, regardless of empty slots.
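
The failure mode reported above, as an added example that is not part of the ticket or of Dogtag PKI's code: the registration decision is taken from the module entry in the `modutil -list` output rather than from the exit status, so per-slot errors from empty slots do not trigger a forced re-add. The function names, the sample output, and the assumption that the listing contains a `Name: <module>` line are introduced here for illustration.

```python
import re
import subprocess

# Per-slot error quoted in the ticket; emitted once for each empty HSM slot.
EMPTY_SLOT_ERROR = re.compile(r'^ERROR: Unable to get information about token ".*"\.$')


def classify_module_listing(output, module):
    """Decide from `modutil -list <module>` output whether <module> is registered.

    Returns (registered, empty_slot_errors, other_errors). The exit status is
    deliberately not an input: empty slots make modutil report errors even
    though the module entry exists.
    """
    registered = False
    empty_slot_errors = 0
    other_errors = []
    for raw in output.splitlines():
        line = raw.strip()
        # Assumption: the listing carries a "Name: <module>" header line.
        if line.startswith("Name:") and line[5:].strip() == module:
            registered = True
        elif EMPTY_SLOT_ERROR.match(line):
            empty_slot_errors += 1
        elif line.startswith("ERROR:"):
            other_errors.append(line)  # keep for logging, do not guess
    return registered, empty_slot_errors, other_errors


def module_registered(dbdir, module):
    """Hypothetical wrapper: run the command from the ticket and classify it."""
    proc = subprocess.run(
        ["modutil", "-dbdir", dbdir, "-nocertdb", "-list", module],
        stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True, check=False)
    return classify_module_listing(proc.stdout, module)[0]


# Constructed sample: a registered module with two empty slots (CRLF line ends).
SAMPLE_REGISTERED = (
    "Name: lunasa\r\n"
    "Library file: /usr/safenet/lunaclient/lib/libCryptoki2_64.so\r\n"
    'ERROR: Unable to get information about token "".\r\n'
    'ERROR: Unable to get information about token "".\r\n'
)
# Constructed sample: a failure with no module header at all.
SAMPLE_MISSING = "ERROR: constructed failure line, no module header\r\n"
```
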


Fixed in master: 9b62371172bbf0868e84e7f1d8d9ab48e5a0afff

Metadata Update from @cfu:
- Issue assigned to edewata
- Issue set to the milestone: 10.2.6

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2004

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
