When I tried to install a KRA on a shared tomcat instance with its CA on HSM, I got the following error:

pkispawn : INFO ....... security module 'lunasa' is not registered.
pkispawn : INFO ....... executing 'modutil -dbdir /etc/pki/pki-cfu2/alias -nocertdb -add lunasa -libfile /usr/safenet/lunaclient/lib/libCryptoki2_64.so -force'
ERROR: Failed to add module "lunasa". Probable cause : "The certificate/key database is in an old, unsupported format.".
Upon close examination of the code in server/python/pki/server/deployment/pkihelper.py (is_security_module_registered), it appears that if modutil returns an error, pkispawn quits out of there and thinks the module is unregistered, so it attempts to register the module (which is wrong, as the CA already registered the module).
Turns out on the lunasa, I have three empty slots, which would cause modutil to spit out errors for those slots if I try to list them by calling (mimicking the pkispawn code):

modutil -dbdir . -nocertdb -list lunasa
...
ERROR: Unable to get information about token "".
...
ERROR: Unable to get information about token "".
We should make pkispawn more forgiving. If the lunasa token is registered, it should just report that it is registered, regardless of empty slots.
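A forgiving version of the check described in the report above, written in Python as an added example for this ticket; it is not pkispawn's own code and not the fix in the referenced commit. The modutil output samples are constructed, the layout of the "Name:" line and the "not found in database" wording are assumptions about modutil's output, and the runner hook exists only so the check can be exercised offline without an HSM:

```python
"""Decide whether a PKCS #11 module is registered in an NSS database by parsing
`modutil -list` output instead of trusting its exit status.

Added example for this ticket, not pkispawn's code. Output layouts below are
constructed samples; the `runner` hook is a testing aid, not a modutil feature.
"""
import re
import subprocess

# Constructed sample: `modutil -dbdir /etc/pki/pki-cfu2/alias -nocertdb -list lunasa`
# for a registered Luna client module whose HSM has three empty slots. The header
# lines are an assumed layout; the ERROR lines are the ones quoted in the report.
SAMPLE_LUNASA_OUTPUT = """\
-----------------------------------------------------------
Name: lunasa
Library file: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
Manufacturer: SafeNet Inc.
Description: Chrystoki
PKCS #11 Version 2.20
Library Version: 5.4

ERROR: Unable to get information about token "".
ERROR: Unable to get information about token "".
ERROR: Unable to get information about token "".
-----------------------------------------------------------
"""

# Constructed sample: the module is not in the database at all (assumed wording).
SAMPLE_MISSING_OUTPUT = 'ERROR: Module "lunasa" not found in database.\n'

# Constructed sample: modutil could not read the database (assumed prefix; the
# "Probable cause" text is the one from the report).
SAMPLE_BAD_DB_OUTPUT = ('ERROR: Failed to list modules. Probable cause : '
                        '"The certificate/key database is in an old, unsupported format.".\n')

# Module names appear either as "Name: <module>" (single-module listing) or as a
# numbered "<n>. <module>" entry (full listing). Assumed from modutil's usual layout.
_MODULE_NAME_RE = re.compile(r'^\s*(?:Name:\s*|\d+\.\s+)(?P<name>\S.*?)\s*$', re.MULTILINE)
_SLOT_ERROR_PREFIX = 'ERROR: Unable to get information about token'


def listed_modules(output):
    """Module names mentioned anywhere in modutil -list output."""
    return {m.group('name') for m in _MODULE_NAME_RE.finditer(output)}


def slot_errors(output):
    """Per-slot errors (empty or unreadable slots); they do not mean the module is absent."""
    return [line for line in output.splitlines() if line.startswith(_SLOT_ERROR_PREFIX)]


def is_module_listed(output, module):
    """True if `module` is named in the listing, regardless of per-slot errors."""
    return module in listed_modules(output)


def is_security_module_registered(dbdir, module, runner=subprocess.run):
    """Return True if `module` is registered in the NSS db at `dbdir`.

    A listed module counts as registered even when modutil exits non-zero because of
    empty slots. Only a clean listing without the module, or an explicit "not found"
    error, counts as unregistered; any other failure is raised so the caller does not
    blindly re-run `modutil -add ... -force` against a database it cannot read.
    """
    cmd = ['modutil', '-dbdir', dbdir, '-nocertdb', '-list', module]
    proc = runner(cmd, capture_output=True, text=True)
    output = (proc.stdout or '') + (proc.stderr or '')
    if is_module_listed(output, module):
        return True
    if proc.returncode == 0 or 'not found in database' in output:
        return False
    raise RuntimeError('modutil -list failed for %r (exit %d): %s'
                       % (module, proc.returncode, output.strip()))


def fake_modutil(output, returncode):
    """Stand-in for subprocess.run so the check can be exercised offline."""
    def run(cmd, **kwargs):
        return subprocess.CompletedProcess(cmd, returncode, stdout=output, stderr='')
    return run


if __name__ == '__main__':
    # Luna module listed, three empty slots, non-zero exit: still registered.
    print('lunasa registered:',
          is_security_module_registered('/etc/pki/pki-cfu2/alias', 'lunasa',
                                        runner=fake_modutil(SAMPLE_LUNASA_OUTPUT, 1)))
    print('slot errors ignored:', len(slot_errors(SAMPLE_LUNASA_OUTPUT)))
```

The design choice that matters is the third branch: an unreadable database is neither "registered" nor "unregistered", and treating it as the latter is exactly what led to the `-add ... -force` attempt in the report, so it is surfaced as an error instead.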
Fixed in master: 9b62371172bbf0868e84e7f1d8d9ab48e5a0afff
Metadata Update from @cfu:
- Issue assigned to edewata
- Issue set to the milestone: 10.2.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2004
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.