shared secret key is not imported under TPS instance using HSM when the config file has pki_import_shared_secret=True #2604

Open
pki-bot opened this issue Oct 3, 2020 · 5 comments

@pki-bot

pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #2484. Originally filed by rpattath (@rpattath) on 2016-09-28 00:07:06:

shared secret key is not imported under TPS instance using HSM when the config file has pki_import_shared_secret=True

Steps to Reproduce:

TPS config file

[root@nocp4 rpattath]# cat tps.cfg
[DEFAULT]
pki_instance_name = pki-tps-rpattath-Sep23-2016
pki_https_port = 25443
pki_http_port = 25080
pki_admin_password = Secret123
pki_hostname = nocp4.idm.lab.eng.rdu2.redhat.com
pki_security_domain_hostname = nocp4.idm.lab.eng.rdu2.redhat.com
pki_security_domain_https_port = 8443
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-TPS
pki_client_pkcs12_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 8389
pki_client_database_password = Secret123
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM-RPATTATH-SOFTCARD
pki_token_password=*****

[Tomcat]
pki_ajp_port = 25009
pki_tomcat_server_port = 25005

[TPS]
pki_import_admin_cert = False
pki_ds_hostname = nocp4.idm.lab.eng.rdu2.redhat.com
pki_authdb_basedn = ou=People,dc=pki-tps
pki_authdb_hostname=nocp4.idm.lab.eng.rdu2.redhat.com
pki_authdb_port=8389
pki_ca_uri=https://nocp4.idm.lab.eng.rdu2.redhat.com:8443
pki_tks_uri=https://nocp4.idm.lab.eng.rdu2.redhat.com:23443
pki_kra_uri=https://nocp4.idm.lab.eng.rdu2.redhat.com:21443
pki_admin_nickname=PKI TPS Administrator for Example.Org
pki_enable_server_side_keygen=True
pki_import_shared_secret=True

Actual results:

[root@nocp4 rpattath]# tkstool -L -d /var/lib/pki/pki-tps-rpattath-Sep23-2016/alias/ -h NHSM-RPATTATH-SOFTCARD

 slot:  NHSM-RPATTATH-SOFTCARD
token:  NHSM-RPATTATH-SOFTCARD

Enter Password or Pin for "NHSM-RPATTATH-SOFTCARD":
        tkstool: the specified token is empty
[root@nocp4 rpattath]# tkstool -L -d /var/lib/pki/pki-tps-rpattath-Sep23-2016/alias/

 slot:  NSS User Private Key and Certificate Services
token:  NSS Certificate DB

Enter Password or Pin for "NSS Certificate DB":
Enter Password or Pin for "NSS Certificate DB":
        tkstool: the specified token is empty

Expected results:

pkispawn should fail with an appropriate error message to remove the parameter from the config

Additional info:

log messages

[26/Sep/2016:10:44:19][http-bio-25443-exec-3]: getTransportCert() start
[26/Sep/2016:10:44:19][http-bio-25443-exec-3]: ConfigurationUtils: POST https://nocp4.idm.lab.eng.rdu2.redhat.com:21443/kra/admin/kra/getTransportCert
[26/Sep/2016:10:44:26][http-bio-25443-exec-3]: ConfigurationUtils: POST https://nocp4.idm.lab.eng.rdu2.redhat.com:23443/tks/admin/tks/importTransportCert
[26/Sep/2016:10:44:32][http-bio-25443-exec-3]: exportTransportCert: status=0
[26/Sep/2016:10:44:32][http-bio-25443-exec-3]: exportTransportCert: Successfully added transport cert to https://nocp4.idm.lab.eng.rdu2.redhat.com:23443
[26/Sep/2016:10:44:32][http-bio-25443-exec-3]: finalizeConfiguration: importSharedSecret:true
[26/Sep/2016:10:44:32][http-bio-25443-exec-3]: finalizeConfiguration: importSharedSecret: importSharedSecret is true.
[26/Sep/2016:10:44:32][http-bio-25443-exec-3]: In ConfigurationUtils.getSharedSecret! importKey: true
[26/Sep/2016:10:44:40][http-bio-25443-exec-3]: getSharedSecret: About to attempt to import shared secret key.
[26/Sep/2016:10:44:40][http-bio-25443-exec-3]: getSharedSecret()): WARNING, Failed to automatically import shared secret. Please follow the manual procedure.java.security.InvalidKeyException: Key does not reside on the current token
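The expected result above (pkispawn rejecting the parameter up front instead of logging a warning late in configuration) could be enforced with a pre-check over the pkispawn config like the following. This is an added example written for this page, not pkispawn's own code: the parameter names come from the report, the sample config is constructed with placeholder values, and the rule that pki_import_shared_secret=True is invalid when pki_hsm_enable=True encodes the reporter's expectation rather than an upstream validation rule.

```python
import configparser

# Constructed sample modelled on the TPS config in the report; secrets replaced
# with placeholders and unrelated parameters dropped.
SAMPLE_TPS_CFG = """
[DEFAULT]
pki_instance_name = pki-tps-example
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM-EXAMPLE-SOFTCARD
pki_token_password=REPLACE_ME

[Tomcat]
pki_ajp_port = 25009

[TPS]
pki_import_admin_cert = False
pki_enable_server_side_keygen=True
pki_import_shared_secret=True
"""


def parse_pki_cfg(text):
    """Parse pkispawn-style INI text; [DEFAULT] values are inherited by
    every subsystem section, exactly as configparser treats them."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def check_shared_secret_import(text, subsystem="TPS"):
    """Return a list of human-readable problems; empty means the config is
    consistent. Hypothetical check, not part of pkispawn."""
    cfg = parse_pki_cfg(text)
    if not cfg.has_section(subsystem):
        return [f"missing [{subsystem}] section"]
    problems = []
    hsm = cfg.getboolean(subsystem, "pki_hsm_enable", fallback=False)
    import_secret = cfg.getboolean(subsystem, "pki_import_shared_secret", fallback=False)
    if hsm and import_secret:
        # The report shows the import silently failing on an HSM token
        # ("Key does not reside on the current token"); fail early instead.
        problems.append(
            "pki_import_shared_secret=True is not supported with pki_hsm_enable=True: "
            "remove the parameter and import the shared secret manually")
    if hsm and not cfg.get(subsystem, "pki_token_name", fallback="").strip():
        problems.append("pki_hsm_enable=True requires pki_token_name")
    return problems
```
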
@pki-bot pki-bot added this to the FUTURE milestone Oct 3, 2020
@pki-bot

pki-bot commented Oct 3, 2020

Comment from rpattath (@rpattath) at 2017-02-27 14:06:13

Metadata Update from @rpattath:

  • Issue set to the milestone: UNTRIAGED

@pki-bot

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2017-03-03 20:14:53

Metadata Update from @mharmsen:

  • Custom field feature adjusted to ''
  • Custom field proposedmilestone adjusted to ''
  • Custom field proposedpriority adjusted to ''
  • Custom field reviewer adjusted to ''
  • Custom field version adjusted to ''
  • Issue close_status updated to: None
  • Issue set to the milestone: 10.4 (was: UNTRIAGED)

@pki-bot

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2017-08-09 12:43:41

Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.

@pki-bot

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2017-08-09 12:43:41

Metadata Update from @mharmsen:

  • Issue set to the milestone: FUTURE (was: 10.4)


This issue is stale because it has been open 365 days with no activity. Remove stale label or comment or this will be closed in 30 days.

@github-actions github-actions bot added the Stale label Mar 11, 2025