Hello FreeIPA Community,

I am working on setting up a FreeIPA server on RHEL 9.5 (Tech Preview) with integration to a Luna HSM (SafeNet). However, I am encountering issues where the FreeIPA installation does not correctly recognize the HSM tokens during the ipa-server-install process.

Environment Details:
- OS: RHEL 9
- FreeIPA Version:
- HSM: SafeNet Luna HSM 7.7
- PKCS#11 Library: /usr/safenet/lunaclient/lib/libCryptoki2_64.so

Problem Description:
During the ipa-server-install process, the setup fails with the error:

    ScriptError: Token named 'a-hsm001-op-lipa-infra' was not found. Check permissions

I have verified that the HSM client is correctly configured and can see the tokens using pkcs11-tool. However, FreeIPA does not seem to utilize the Luna HSM as expected and instead interacts with unrelated PKCS#11 modules like p11-kit-proxy.

Debugging Steps Performed:

1. Verified HSM Setup:
   Running pkcs11-tool --module /usr/safenet/lunaclient/lib/libCryptoki2_64.so --list-slots shows the tokens:

       Slot 0: Net Token Slot
       Token Label: a-hsm001-op-lipa-infra
       Token Manufacturer: SafeNet, Inc.
       Token Model: LunaSA 7.7.0
       ...

   The library /usr/safenet/lunaclient/lib/libCryptoki2_64.so is correctly linked and accessible.

2. Modified NSSDB Modules:
   Added the Luna HSM library to the NSSDB:

       modutil -add "LunaHSM" -libfile /usr/safenet/lunaclient/lib/libCryptoki2_64.so -dbdir /etc/pki/nssdb

   Verified that the LunaHSM module is loaded:

       modutil -list -dbdir /etc/pki/nssdb

3. Disabled p11-kit:
   Removed p11-kit-proxy from the NSSDB to ensure it does not interfere.

4. Verified Permissions:
   Ensured the library and related files have correct permissions:

       chmod +x /usr/safenet/lunaclient/lib/libCryptoki2_64.so

5. Tried Running ipa-server-install:
   Command used:

       ipa-server-install -r LINUX.OT.LOCAL \
         --random-serial-numbers \
         --ds-password=zHLi1cZAjId0HAaIdEF17ZPpg14rHMFJ \
         --admin-password=382PZA3i2Kz5g99KDuoO \
         --token-name="a-hsm001-op-lipa-infra" \
         --token-password="E9J7-Pb9F-9R3N-F9qW" \
         --token-library-path="/usr/safenet/lunaclient/lib/libSoftToken.so" \
         --setup-kra --verbose

   Result:

       ScriptError: Token named 'a-hsm001-op-lipa-infra' was not found. Check permissions.

Logs and Output:
Here is some relevant output from my logs and debug commands:

modutil Output:

    2. LunaHSM
       library name: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
       slots: 8 slots attached
       status: loaded

Error from ipa-server-install:

    ERROR: Failed to add module "LunaHSM". Probable cause: "Failure to load dynamic library".

Systemctl Logs for pki-tomcat:

    Job for pki-tomcat@pki-tomcat.service failed because the control process exited with error code.

Questions:
- How can I ensure that FreeIPA uses the Luna HSM for token management during the ipa-server-install process?
- Is there a way to completely disable p11-kit and ensure FreeIPA interacts directly with the Luna HSM library?
- Are there any specific FreeIPA or NSSDB configuration tweaks required for HSM integration?

I appreciate any insights or guidance you can provide. Please let me know if you need additional logs or debugging information.

Thank you in advance!

Best regards,
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
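A pre-flight check for the two options the installer is given, --token-library-path and --token-name, as an added example that is not part of the original post and not code from the FreeIPA project. It queries the exact .so you intend to hand to the installer and looks for the token label in that module's slot listing, so a listing taken through one library and an install run against another cannot silently disagree. It assumes pkcs11-tool from OpenSC is installed; the slot listing embedded at the bottom is constructed to mirror pkcs11-tool's --list-slots output format and is only there so the parser can be exercised offline.

```shell
#!/bin/sh
# Pre-flight for ipa-server-install --token-library-path / --token-name.
# Added example; not from the original post or the FreeIPA project.
# Assumes pkcs11-tool (OpenSC) is installed; SAMPLE_LISTING below is a
# constructed imitation of `pkcs11-tool --list-slots` output.

# Read `pkcs11-tool --list-slots` output on stdin and print the slot number(s)
# whose token label equals $1 exactly (field name matched case-insensitively,
# value compared exactly).  Exit status 1 when no slot carries that label.
slots_for_label() {
    awk -v want="$1" '
        /^Slot [0-9]+/ { slot = $2; sub(/:$/, "", slot) }
        tolower($0) ~ /^[[:space:]]*token label[[:space:]]*:/ {
            val = $0
            sub(/^[^:]*:[[:space:]]*/, "", val)
            sub(/[[:space:]]+$/, "", val)
            if (val == want) { print slot; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Query the very library you will pass to --token-library-path, so the token
# seen in a slot listing and the token the installer will look for are checked
# through the same PKCS#11 module.  Run it as the account that will open the
# module (e.g. the PKI service user) if the readability check is to mean
# anything for that account.
preflight_token() {
    lib=$1
    token=$2
    if [ ! -r "$lib" ]; then
        echo "library not readable by $(id -un): $lib" >&2
        return 2
    fi
    if ! pkcs11-tool --module "$lib" --list-slots 2>/dev/null | slots_for_label "$token"; then
        echo "token '$token' not exposed by $lib" >&2
        return 1
    fi
}

# Constructed sample listing (two partitions) for the offline demo only.
SAMPLE_LISTING='Available slots:
Slot 0 (0x0): Net Token Slot
  token label        : a-hsm001-op-lipa-infra
  token manufacturer : SafeNet, Inc.
  token model        : LunaSA 7.7.0
Slot 1 (0x1): Net Token Slot
  token label        : a-hsm001-op-other
  token manufacturer : SafeNet, Inc.
  token model        : LunaSA 7.7.0'

# Offline demo: resolve a label against the constructed listing.
demo_slot_for() {
    printf '%s\n' "$SAMPLE_LISTING" | slots_for_label "$1"
}

# Usage: sh preflight.sh /usr/safenet/lunaclient/lib/libCryptoki2_64.so TOKEN_LABEL
if [ "$#" -eq 2 ]; then
    preflight_token "$1" "$2"
else
    demo_slot_for a-hsm001-op-lipa-infra
fi
```

With two arguments the script does the real check against the HSM client library; with none it only parses the constructed listing and prints the slot number for the sample label. A non-zero exit from the real check means the installer's own lookup will fail for the same reason, so it is worth running before ipa-server-install rather than after.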