pki_ca_signing_token when not specified does not fallback to pki_token_name value
Steps to Reproduce:
[root@nocp4 ~]# cat ca-existing.cfg
[DEFAULT]
pki_instance_name=pki-ca-roshni-July22
pki_admin_password=Secret123
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123
pki_ds_ldap_port=389
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM6000
pki_token_password=redhat123

[CA]
pki_existing=True
pki_ca_signing_csr_path=ca_signing.csr
pki_ca_signing_cert_path=ca_signing.crt

[root@nocp4 ~]# pkispawn -s CA -f ca-existing.cfg
Log file: /var/log/pki/pki-ca-spawn.20160721163125.log
Loading deployment configuration from ca-existing.cfg.
Installing CA into /var/lib/pki/pki-ca-roshni-July22.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-ca-roshni-July22/ca/deployment.cfg.
Module "nfast" added to database.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in populating database: java.lang.NullPointerException"}
Installation failed: not well-formed (invalid token): line 1, column 0
Actual results:
Searches for the cert in internaldb and fails.
Expected results:
Should search in NHSM6000.
Additional info:
Log messages:
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: increasing minimum connections by 3
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: new total available connections 3
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: new number of connections 3
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: registered: false
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: CertificateAuthority init
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: Creating LdapBoundConnFactor(CertificateAuthority)
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: LdapBoundConnFactory: init
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: LdapAuthInfo: init()
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: LdapAuthInfo: init begins
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is internaldb
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting from memory cache
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: LdapAuthInfo: init: got password from memory
[21/Jul/2016:16:34:05][http-bio-8443-exec-3]: LdapAuthInfo: init: password found for prompt.
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: LdapAuthInfo: init ends
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host nocp4.idm.lab.eng.rdu2.redhat.com port 389 as cn=Directory Manager
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host nocp4.idm.lab.eng.rdu2.redhat.com port 389, secure connection, false, authentication type 1
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: increasing minimum connections by 3
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: new total available connections 3
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: new number of connections 3
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: Cert Repot inited
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: CRL Repot inited
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: Replica Repot inited
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: CertificateAuthority:initSigUnit: ca cert found
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: CertificateAuthority: initSigUnit 1- setting mIssuerObj and mSubjectObj
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca-roshni-July22 CA
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: Got token Internal Key Storage Token by name
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: Found cert by nickname: 'caSigningCert cert-pki-ca-roshni-July22 CA' with serial number: 1
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: converted to x509CertImpl
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: SigningUnit: Certificate object not found
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: CA signing key and cert not (yet) present in NSSDB
[21/Jul/2016:16:34:06][http-bio-8443-exec-3]: Error in populating database: java.lang.NullPointerException
Per CS/DS Meeting of 08/08/2016: 10.3.6 (minor)
NOTE: As this ticket is probably not major, we decided to move it to 10.3.6. If we can get a 'Dogtag 10.3.6: Miscellaneous Enhancements' bug accepted with an exception flag, this bug would be a candidate for that. Otherwise, this bug will be moved to 10.4.
Fixed in master (10.4):
Cherry-picked to DOGTAG_10_3_BRANCH:
commit f4f62162f16da41a74328889bf2e0d17c223d48d
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Sun Aug 28 20:38:48 2016 +0200

    Fixed default token name for system certificates.

    Previously when installing with HSM the token name has to be
    specified for each system certificate in the pki_<cert>_token
    parameters. The deployment tool has been modified such that by
    default it will use the token name specified in pki_token_name.

    https://fedorahosted.org/pki/ticket/2423

    (cherry picked from commit 389420ad4ea9994fb54132454a14abbb83c2c35d)

commit 465bf002c0671e7251738ce9a4e54bba9853780a
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Sat Aug 27 00:07:08 2016 +0200

    Moved subsystem initialization after database initialization.

    Previously issues with system certificates that happen during
    subsystem initialization were reported as database initialization
    error. Database initialization actually does not depend on
    subsystem initialization, so to avoid confusion and to simplify
    the code the reInitSubsystem() in SystemConfigService is now
    invoked after the initializeDatabase() is complete.

    https://fedorahosted.org/pki/ticket/2423

    (cherry picked from commit 9f954fda5fdeda229662a466e645561639ac8402)
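The following is an added example, not code from the Dogtag project or from anyone on this ticket. It models the two behaviours described above over a constructed copy of the reporter's ca-existing.cfg: without the fallback, a CA signing cert whose pki_ca_signing_token is unset resolves to the NSS internal token even though pki_token_name names the HSM slot (which is why the log shows "Got token Internal Key Storage Token by name" and then "Certificate object not found"); with the fallback, it resolves to pki_token_name. It also generates the workaround for a release without the fix, an explicit pki_<cert>_token line per system cert. The list of CA system certs, the treatment of the value "internal", and the internal token's display name are assumptions made for the example, not facts taken from the ticket.

```python
import configparser
from io import StringIO

# Assumed set of CA system certs that accept a pki_<cert>_token parameter.
CA_SYSTEM_CERTS = ["ca_signing", "ocsp_signing", "sslserver", "subsystem", "audit_signing"]

# Assumed name NSS reports for the software (non-HSM) token.
INTERNAL_TOKEN = "Internal Key Storage Token"

# Constructed copy of the ticket's deployment config (passwords replaced with dummies).
REPORTED_CFG = """\
[DEFAULT]
pki_instance_name=pki-ca-hsm
pki_admin_password=changeme
pki_client_pkcs12_password=changeme
pki_ds_password=changeme
pki_ds_ldap_port=389
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM6000
pki_token_password=changeme

[CA]
pki_existing=True
pki_ca_signing_csr_path=ca_signing.csr
pki_ca_signing_cert_path=ca_signing.crt
"""


def _parse(cfg_text):
    # interpolation=None so a literal '%' in a password does not trip the parser
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return parser


def resolve_cert_tokens(cfg_text, fallback_to_token_name=True):
    """Return {cert: token} for every CA system cert.

    fallback_to_token_name=False reproduces the reported behaviour: a missing
    pki_<cert>_token lands on the internal token. True models the fix: the
    global pki_token_name is used unless it is empty or the assumed value
    'internal'. This is an illustrative model, not Dogtag's own logic.
    """
    parser = _parse(cfg_text)
    defaults = parser["DEFAULT"]
    ca = parser["CA"] if parser.has_section("CA") else defaults
    global_token = defaults.get("pki_token_name", "").strip()
    use_global = fallback_to_token_name and global_token and global_token.lower() != "internal"
    tokens = {}
    for cert in CA_SYSTEM_CERTS:
        explicit = ca.get(f"pki_{cert}_token", "").strip()
        if explicit:
            tokens[cert] = explicit
        elif use_global:
            tokens[cert] = global_token
        else:
            tokens[cert] = INTERNAL_TOKEN
    return tokens


def add_explicit_tokens(cfg_text):
    """Workaround for releases without the fix: write an explicit
    pki_<cert>_token=<pki_token_name> under [CA] for every cert lacking one."""
    parser = _parse(cfg_text)
    global_token = parser["DEFAULT"].get("pki_token_name", "").strip()
    if not parser.has_section("CA"):
        parser.add_section("CA")
    for cert in CA_SYSTEM_CERTS:
        key = f"pki_{cert}_token"
        if not parser["CA"].get(key, "").strip():
            parser.set("CA", key, global_token)
    out = StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print("as reported :", resolve_cert_tokens(REPORTED_CFG, fallback_to_token_name=False))
    print("with fix    :", resolve_cert_tokens(REPORTED_CFG))
    print("workaround config:\n" + add_explicit_tokens(REPORTED_CFG))
```

Before feeding a config to an unfixed pkispawn, run the workaround generator (or add the pki_<cert>_token lines by hand) and confirm every system cert resolves to the HSM slot; otherwise the installer imports the signing cert into the software NSS database and the initSigUnit step fails exactly as in the log above.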
Metadata Update from @rpattath: - Issue assigned to edewata - Issue set to the milestone: 10.3.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2543
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.