#2423 pki_ca_signing_token when not specified does not fallback to pki_token_name value
Closed: Fixed None Opened 7 years ago by rpattath.

pki_ca_signing_token when not specified does not fallback to pki_token_name value

Steps to Reproduce:

[root@nocp4 ~]# cat ca-existing.cfg
[DEFAULT]
pki_instance_name=pki-ca-roshni-July22
pki_admin_password=Secret123
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123
pki_ds_ldap_port=389
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM6000
pki_token_password=redhat123

[CA]
pki_existing=True
pki_ca_signing_csr_path=ca_signing.csr
pki_ca_signing_cert_path=ca_signing.crt

[root@nocp4 ~]# pkispawn -s CA -f ca-existing.cfg
Log file: /var/log/pki/pki-ca-spawn.20160721163125.log
Loading deployment configuration from ca-existing.cfg.
Installing CA into /var/lib/pki/pki-ca-roshni-July22.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-ca-roshni-July22/ca/deployment.cfg.
Module "nfast" added to database.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in populating database: java.lang.NullPointerException"}

Installation failed: not well-formed (invalid token): line 1, column 0

Actual results:

Searches for the cert in internaldb and fails

Expected results:

Should search in NHSM6000

Additional info:

Log messages:
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: increasing minimum connections by 3
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: new total available connections 3
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: new number of connections 3
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: registered: false
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: CertificateAuthority init
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: Creating LdapBoundConnFactor(CertificateAuthority)
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: LdapBoundConnFactory: init
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: LdapAuthInfo: init()
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: LdapAuthInfo: init begins
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is internaldb
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting from memory cache
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: LdapAuthInfo: init: got password from memory
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: LdapAuthInfo: init: password found for prompt.
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: LdapAuthInfo: init ends
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host nocp4.idm.lab.eng.rdu2.redhat.com port 389 as cn=Directory Manager
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host nocp4.idm.lab.eng.rdu2.redhat.com port 389, secure connection, false, authentication type 1
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: increasing minimum connections by 3
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: new total available connections 3
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: new number of connections 3
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: Cert Repot inited
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: CRL Repot inited
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: Replica Repot inited
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: CertificateAuthority:initSigUnit: ca cert found
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: CertificateAuthority: initSigUnit 1- setting mIssuerObj and mSubjectObj
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca-roshni-July22 CA
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: Got token Internal Key Storage Token by name
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: Found cert by nickname: 'caSigningCert cert-pki-ca-roshni-July22 CA' with serial number: 1
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: converted to x509CertImpl
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: SigningUnit: Certificate object not found
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: CA signing key and cert not (yet) present in NSSDB
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: Error in populating database: java.lang.NullPointerException

Per CS/DS Meeting of 08/08/2016: 10.3.6 (minor)

NOTE: As this ticket is probably not major, we decided to move it to
10.3.6. If we can get a 'Dogtag 10.3.6: Miscellaneous Enhancements'
bug accepted with an exception flag, this bug would be a candidate
for that. Otherwise, this bug will be moved to 10.4.

Fixed in master (10.4):

  • 389420ad4ea9994fb54132454a14abbb83c2c35d
  • 9f954fda5fdeda229662a466e645561639ac8402

Cherry-picked to DOGTAG_10_3_BRANCH:

commit f4f62162f16da41a74328889bf2e0d17c223d48d
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Sun Aug 28 20:38:48 2016 +0200

    Fixed default token name for system certificates.

    Previously when installing with HSM the token name has to be
    specified for each system certificate in the pki_<cert>_token
    parameters. The deployment tool has been modified such that by
    default it will use the token name specified in pki_token_name.

    https://fedorahosted.org/pki/ticket/2423
    (cherry picked from commit 389420ad4ea9994fb54132454a14abbb83c2c35d)

commit 465bf002c0671e7251738ce9a4e54bba9853780a
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Sat Aug 27 00:07:08 2016 +0200

    Moved subsystem initialization after database initialization.

    Previously issues with system certificates that happen during
    subsystem initialization were reported as database initialization
    error. Database initialization actually does not depend on
    subsystem initialization, so to avoid confusion and to simplify the
    code the reInitSubsystem() in SystemConfigService is now invoked
    after the initializeDatabase() is complete.

    https://fedorahosted.org/pki/ticket/2423
    (cherry picked from commit 9f954fda5fdeda229662a466e645561639ac8402)
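The token fallback described in the commit message above, as an added example that is not the project's own code: it parses a deployment configuration shaped like the one in the report (constructed inline, with pki_ca_signing_token left unset), resolves the token each CA system certificate will be looked up on, and flags the situation that produced the failure above, namely an HSM deployment whose certificates would still be searched on the internal NSS token. Only pki_ca_signing_token and pki_token_name appear in the ticket; the other pki_<cert>_token names, the "internal" token label and the pre/post-fix resolution order are assumptions for illustration.

```python
import configparser
from typing import Dict, List

# Constructed sample: the ticket's deployment config, pki_ca_signing_token
# deliberately absent (passwords omitted). Not the original file verbatim.
SAMPLE_CFG = """\
[DEFAULT]
pki_instance_name=pki-ca-roshni-July22
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM6000

[CA]
pki_existing=True
pki_ca_signing_csr_path=ca_signing.csr
pki_ca_signing_cert_path=ca_signing.crt
"""

# CA system certificates with a pki_<cert>_token parameter. Only ca_signing is
# mentioned in the ticket; the remaining names are assumed for illustration.
CA_SYSTEM_CERTS = ("ca_signing", "ocsp_signing", "audit_signing",
                   "sslserver", "subsystem")

# Label assumed here for the internal NSS software token ("Internal Key
# Storage Token" in the log above).
INTERNAL_TOKEN = "internal"


def load_cfg(text: str) -> configparser.ConfigParser:
    """Parse a pkispawn-style INI file; [DEFAULT] values are inherited by [CA]."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def effective_token(cfg: configparser.ConfigParser, section: str, cert: str,
                    fallback_to_default: bool = True) -> str:
    """Resolve the token a system certificate will be looked up on.

    With fallback_to_default=True (the behaviour the fix establishes):
      1. a non-empty pki_<cert>_token in the subsystem section wins;
      2. otherwise pki_token_name (from [DEFAULT] or the section) is used;
      3. otherwise the internal token.
    With fallback_to_default=False (pre-fix behaviour): an unset
    pki_<cert>_token means the internal token, even when pki_token_name is set.
    """
    specific = cfg.get(section, f"pki_{cert}_token", fallback="").strip()
    if specific:
        return specific
    if fallback_to_default:
        default = cfg.get(section, "pki_token_name", fallback="").strip()
        if default:
            return default
    return INTERNAL_TOKEN


def resolve_all(cfg: configparser.ConfigParser, section: str,
                fallback_to_default: bool = True) -> Dict[str, str]:
    """Effective token for every CA system certificate."""
    return {c: effective_token(cfg, section, c, fallback_to_default)
            for c in CA_SYSTEM_CERTS}


def internal_token_certs_on_hsm(cfg: configparser.ConfigParser, section: str,
                                fallback_to_default: bool = True) -> List[str]:
    """Pre-flight check: certificates that an HSM-enabled deployment would still
    search on the internal token. Any hit reproduces the 'CA signing key and
    cert not (yet) present in NSSDB' condition from the log above."""
    if not cfg.getboolean(section, "pki_hsm_enable", fallback=False):
        return []
    tokens = resolve_all(cfg, section, fallback_to_default)
    return [c for c, t in tokens.items() if t == INTERNAL_TOKEN]


if __name__ == "__main__":
    cfg = load_cfg(SAMPLE_CFG)
    print("pre-fix :", resolve_all(cfg, "CA", fallback_to_default=False))
    print("post-fix:", resolve_all(cfg, "CA"))
    print("would fail on HSM (pre-fix):",
          internal_token_certs_on_hsm(cfg, "CA", fallback_to_default=False))
```

Running the check with fallback_to_default=False against a config written for a pre-fix release shows every certificate landing on the internal token, which is the mismatch to correct by setting each pki_<cert>_token explicitly before invoking pkispawn; with the fallback, the same file resolves everything to NHSM6000 and the check returns an empty list.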

Metadata Update from @rpattath:
- Issue assigned to edewata
- Issue set to the milestone: 10.3.6

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2543

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
