Hi,

Sorry for taking so long to respond, but I had to switch to another project in the meantime. I'm trying again to use Dogtag with an HSM (with SoftHSM v2.1 this time, because I don't have a hardware HSM anymore), and with a fresh new installation (server + Dogtag), I still have the same issue during pkispawn -s CA:
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 400 Client Error: Bad Request for url: https://dogtag-ca.qt.cls.fr:8443/ca/rest/installer/configure
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Invalid Token provided. No such token."}

My CA config file looks like this:

[DEFAULT]
pki_admin_password=Secret123
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123

# Optionally keep client databases
pki_client_database_purge=False

# Provide HSM parameters
pki_hsm_enable=True
pki_hsm_libfile=/usr/local/lib/softhsm/libsofthsm2.so
pki_hsm_modulename=softhsm
pki_token_name=dogtag1
pki_token_password=hsm_passwd

# Provide PKI-specific HSM token names
pki_audit_signing_token=dogtag1
pki_ssl_server_token=dogtag1
pki_subsystem_token=dogtag1

[CA]
# Provide CA-specific HSM token names
pki_ca_signing_token=dogtag1
pki_ocsp_signing_token=dogtag1

/var/lib/pki/pki-tomcat/ca/logs/debug:

[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: SystemConfigService: configure()
[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: SystemConfigService: request: ConfigurationRequest [pin=XXXX, token=dogtag1, tokenPassword=XXXX, securityDomainType=newdomain, securityDomainUri=null, securityDomainName= qt.cls.fr Security Domain, securityDomainUser=null, securityDomainPassword=XXXX, isClone=false, cloneUri=null, subsystemName=CA dogtag-ca.qt.cls.fr 8443, p12File=null, p12Password=XXXX, hierarchy=root, dsHost=dogtag-ca.qt.cls.fr, dsPort=389, baseDN=o=pki-CLS-CA, bindDN=cn=Directory Manager, bindpwd=XXXX, database=pki-CLS-CA, secureConn=false, removeData=true, replicateSchema=null, masterReplicationPort=null, cloneReplicationPort=null, replicationSecurity=null, systemCertsImported=false, systemCerts=[com.netscape.certsrv.system.SystemCertData@60c8305a, com.netscape.certsrv.system.SystemCertData@7774cd87, com.netscape.certsrv.system.SystemCertData@6f41ab06, com.netscape.certsrv.system.SystemCertData@99112a8, com.netscape.certsrv.system.SystemCertData@28fab920], issuingCA=null, backupKeys=false, backupPassword=, adminCertRequestType=pkcs10, adminSubjectDN=cn=PKI Administrator,[email protected],o=qt.cls.fr Security Domain, adminName=caadmin, adminProfileID=caAdminCert, adminCert=null, importAdminCert=false, generateServerCert=true, external=false, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null, generateSubsystemCert=true, sharedDB=false, sharedDBUserDN=null, createNewDB=true, setupReplication=null, subordinateSecurityDomainName=null, reindexData=null]
[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: === Token Authentication ===
[22/Jul/2016:15:36:12][http-bio-8443-exec-3]: Invalid Token provided. No such token.

Versions:
Fedora 24
Dogtag 10.3.3 (also tested with 10.3.3.3 from the git repo)

Does anyone have an idea?

Thanks!
Regards

2016-01-07 18:23 GMT+01:00 Christina Fu <[email protected]>:
> you could normally find more accurate log info giving out more clue under
> <instance dir>/logs/debug, e.g. /var/lib/pki/pki-tomcat/ca/logs/debug
>
> Christina
>
>
> On 01/06/2016 01:54 AM, Lionel Beard wrote:
>
> Hi,
>
> I'm trying to create a CA with an Atos/Bull HSM backend.
> I have created a configuration file default_hsm.cfg with the hsm options
> enabled and configured, and I have set the HSM token and password.
>
> When I run the command:
> # pkispawn -s CA -f /etc/pki/default_hsm.cfg -vvv
> I get the error:
>
> pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse>
> pkispawn : INFO ....... constructing PKI configuration data.
> pkispawn : INFO ....... executing 'certutil -R -d /root/.dogtag/pki-tomcat/ca/alias -s cn=PKI Administrator,[email protected],o=cls.fr Security Domain -k rsa -g 2048 -z /root/.dogtag/pki-tomcat/ca/alias/noise -f /root/.dogtag/pki-tomcat/ca/password.conf -o /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'
> pkispawn : INFO ....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise
> pkispawn : INFO ....... BtoA /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
> pkispawn : INFO ....... configuring PKI configuration data.
> pkispawn : ERROR ....... Exception from Java Configuration Servlet: 400 Client Error: Bad Request for url: https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure
> pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Invalid Token provided. No such token."}
> pkispawn : DEBUG ....... Error Type: ParseError
> pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0
> pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in main
>     rv = instance.spawn(deployer)
>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
>     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
>     root = ET.fromstring(e.response.text)
>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
>     parser.feed(text)
>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
>     self._raiseerror(v)
>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
>     raise err
>
> Installation failed.
>
> Just after the pki service restart.
> I don't know which "Token" it is talking about; I'm not sure it is the HSM token.
> The HSM is working fine because it was previously added to the database with
> modutil:
>
> # modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb
>
> Bull TrustWay Proteccio NetHSM 2.4
>
> Configuration read from /etc/proteccio//proteccio.rc
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>          slots: 2 slots attached
>         status: loaded
>
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
>
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
>
>   2. nethsm
>         library name: /usr/lib64/libnethsm.so
>          slots: 8 slots attached
>         status: loaded
>
>          slot: Trustway Crypto Engine Slot
>         token: nethsm1_V1
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
> -----------------------------------------------------------
>
> Of course, I have updated the default_hsm.cfg file according to the Red Hat
> documentation to enable the HSM and put the HSM token name and password:
> # grep hsm /etc/pki/default_hsm.cfg
> pki_audit_signing_token=nethsm1_V1
> pki_hsm_enable=True
> pki_hsm_libfile=/usr/lib64/libnethsm.so
> pki_hsm_modulename=nethsm
> pki_ssl_server_token=nethsm1_V1
> pki_subsystem_token=nethsm1_V1
> pki_token_name=nethsm1_V1
> pki_storage_token=nethsm1_V1
> pki_transport_token=nethsm1_V1
>
> I have tried with the interactive installation (so with no HSM), and it is
> working fine.
>
> Can anyone help me?
>
> Thanks!
_______________________________________________ Pki-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/pki-users
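The "Invalid Token provided. No such token." response above is the configuration servlet failing to find a PKCS#11 token whose label matches what the pkispawn config names in pki_token_name and the pki_*_token entries. A quick pre-flight that catches this before pkispawn is run is to list the tokens NSS actually sees for the instance database (modutil -list, as in the first mail) and compare that list against every token name the config refers to. The script below is an added example and is not part of this thread or of the Dogtag project; the modutil listing and the two config files it creates are constructed from the text posted above (the listing is shortened to one empty slot), and the file names under $WORK are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the token names a pkispawn
# config refers to against the tokens that `modutil -list` reports for the
# instance's NSS database. Sample data below is constructed from the thread.

WORK=$(mktemp -d)

# Constructed: the shape of `modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb`
# from the first mail. Uninitialised slots print an empty "token:" line.
cat >"$WORK/modutil.txt" <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. nethsm
        library name: /usr/lib64/libnethsm.so
         slots: 8 slots attached
        status: loaded

         slot: Trustway Crypto Engine Slot
        token: nethsm1_V1

         slot: Trustway Crypto Engine Slot
        token:
-----------------------------------------------------------
EOF

# Constructed config whose token names all match the listing.
cat >"$WORK/good.cfg" <<'EOF'
[DEFAULT]
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/libnethsm.so
pki_hsm_modulename=nethsm
pki_token_name=nethsm1_V1
pki_audit_signing_token=nethsm1_V1
pki_ssl_server_token=nethsm1_V1
pki_subsystem_token=nethsm1_V1
[CA]
pki_ca_signing_token=nethsm1_V1
pki_ocsp_signing_token=nethsm1_V1
EOF

# Constructed config reproducing the second mail's situation: the label
# "dogtag1" is referenced but no listed token carries that name.
cat >"$WORK/bad.cfg" <<'EOF'
[DEFAULT]
pki_hsm_enable=True
pki_hsm_modulename=softhsm
pki_token_name=dogtag1
pki_ssl_server_token=dogtag1
[CA]
pki_ca_signing_token=dogtag1
EOF

# Token names from a modutil listing, one per line; empty "token:" lines are skipped.
list_tokens() {
    sed -n 's/^[[:space:]]*token:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1"
}

# Every token name a pkispawn config refers to (pki_token_name and pki_*_token), deduplicated.
config_tokens() {
    awk -F= '/^[ \t]*pki_(token_name|[a-z_]+_token)[ \t]*=/ {
        v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v
    }' "$1" | sort -u
}

# Return 0 if every configured token is present in the listing; otherwise print
# the names that are not (exact, whole-label match) and return 1.
check_config_tokens() {
    missing=$(config_tokens "$1" | while IFS= read -r t; do
        list_tokens "$2" | grep -qxF -- "$t" || printf '%s\n' "$t"
    done)
    [ -z "$missing" ] && return 0
    printf 'not present in NSS module listing: %s\n' "$missing" >&2
    return 1
}

check_config_tokens "$WORK/good.cfg" "$WORK/modutil.txt" && echo "good.cfg: all tokens present"
check_config_tokens "$WORK/bad.cfg" "$WORK/modutil.txt" || echo "bad.cfg: fix token names before running pkispawn"
```

Against a real instance, capture the listing with modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb > listing.txt and run check_config_tokens /etc/pki/default_hsm.cfg listing.txt. The comparison is deliberately exact (case, spaces, whole label), since that is the safest assumption for how a PKCS#11 token label is looked up; an empty "token:" line is an uninitialised slot and can never satisfy a config entry, so a SoftHSM token that was created but not yet added to this NSS database with modutil will show up as missing here, which is exactly the state worth fixing before pkispawn is run.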
