Danny Van den Berg via FreeIPA-users wrote:
> Hello FreeIPA Community,
> 
> I am working on setting up a FreeIPA server on RHEL 9.5 (Tech Preview) with 
> integration to a Luna HSM (SafeNet). However, I am encountering issues where 
> the FreeIPA installation does not correctly recognize the HSM tokens during 
> the ipa-server-install process.
> 
> Environment Details:
> OS: RHEL 9
> FreeIPA Version: 
> HSM: SafeNet Luna HSM 7.7
> PKCS#11 Library: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
> 
> Problem Description:
> During the ipa-server-install process, the setup fails with the error:
> ScriptError: Token named 'a-hsm001-op-lipa-infra' was not found. Check 
> permissions
> 
> I have verified that the HSM client is correctly configured and can see the 
> tokens using pkcs11-tool. However, FreeIPA does not seem to utilize the Luna 
> HSM as expected and instead interacts with unrelated PKCS#11 modules like 
> p11-kit-proxy.
> 
> Debugging Steps Performed:
> Verified HSM Setup:
> 
> Running pkcs11-tool --module /usr/safenet/lunaclient/lib/libCryptoki2_64.so 
> --list-slots shows the tokens:
>   Slot 0:
>     Net Token Slot
>     Token Label: a-hsm001-op-lipa-infra
>     Token Manufacturer: SafeNet, Inc.
>     Token Model: LunaSA 7.7.0
>     ...
> The library /usr/safenet/lunaclient/lib/libCryptoki2_64.so is correctly 
> linked and accessible.
> 
> Modified NSSDB Modules:
> 
> Added the Luna HSM library to the NSSDB:
> modutil -add "LunaHSM" -libfile 
> /usr/safenet/lunaclient/lib/libCryptoki2_64.so -dbdir /etc/pki/nssdb
> 
> Verified that the LunaHSM module is loaded:
> modutil -list -dbdir /etc/pki/nssdb
> 
> Disabled p11-kit:
> Removed p11-kit-proxy from the NSSDB to ensure it does not interfere.
> 
> Verified Permissions:
> 
> Ensured the library and related files have correct permissions:
> chmod +x /usr/safenet/lunaclient/lib/libCryptoki2_64.so
> 
> Tried Running ipa-server-install:
> 
> Command used:
> ipa-server-install -r LINUX.OT.LOCAL \
>   --random-serial-numbers \
>   --ds-password=zHLi1cZAjId0HAaIdEF17ZPpg14rHMFJ \
>   --admin-password=382PZA3i2Kz5g99KDuoO \
>   --token-name="a-hsm001-op-lipa-infra" \
>   --token-password="E9J7-Pb9F-9R3N-F9qW" \
>   --token-library-path="/usr/safenet/lunaclient/lib/libSoftToken.so" \
>   --setup-kra --verbose 

Why are you using libSoftToken.so and not libCryptoki2_64.so?

> Result:
> ScriptError: Token named 'a-hsm001-op-lipa-infra' was not found. Check 
> permissions.


> 
> Logs and Output:
> 
> Here is some relevant output from my logs and debug commands:
> 
> modutil Output:
> 
> 2. LunaHSM
>    library name: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
>    slots: 8 slots attached
>    status: loaded
> 
> Error from ipa-server-install:
> ERROR: Failed to add module "LunaHSM". Probable cause: "Failure to load 
> dynamic library".
> 
> Systemctl Logs for pki-tomcat:
> Job for pki-tomcat@pki-tomcat.service failed because the control process 
> exited with error code.
> 
> Questions:
> 
> - How can I ensure that FreeIPA uses the Luna HSM for token management during 
> the ipa-server-install process?

By using the options you are trying.

> - Is there a way to completely disable p11-kit and ensure FreeIPA interacts 
> directly with the Luna HSM library?

You shouldn't need to mess with p11-kit at all. PKI adds the module
using modutil to its NSS database directly and doesn't rely on p11-kit.

> - Are there any specific FreeIPA or NSSDB configuration tweaks required for 
> HSM integration?

It should all be automatic.

> - I appreciate any insights or guidance you can provide. Please let me know 
> if you need additional logs or debugging information.

A bug was found recently related to group permissions in accessing an
HSM when trying to validate the options passed in. You might try
applying these changes to see if it helps.

--- ca.py.orig  2025-01-09 17:05:46.855615587 -0500
+++ /usr/lib/python3.9/site-packages/ipaserver/install/ca.py
2025-01-09 17:19:18.435615587 -0500
@@ -211,11 +211,7 @@
         )
     pkiuser = constants.PKI_USER
     pkigroup = constants.PKI_GROUP
-    if 'libsofthsm' in token_library:
-        import grp
-        group = grp.getgrnam(constants.ODS_GROUP)
-        if str(constants.PKI_USER) in group.gr_mem:
-            pkigroup = constants.ODS_GROUP
+    group_list = os.getgrouplist(pkiuser, pkigroup.gid)
     with certdb.NSSDatabase() as tempnssdb:
         tempnssdb.create_db(user=str(pkiuser), group=str(pkigroup))
         # Try adding the token library to the temporary database in
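Review bot: `os.getgrouplist(pkiuser, pkigroup.gid)` yields a list of numeric gids, whereas the removed branch passed a `Group` object in `[pkigroup]`; the `suplementary_groups=group_list` call sites later in this patch therefore hand ints to `ipautil.run`, so confirm that it accepts gids as well as group names, and that `os` is imported in ca.py, since the `import grp` this hunk deletes was the only local import. The change also deserves a one-line comment: it now collects every group the PKI user belongs to (not just `ODS_GROUP` for softhsm), which is what a vendor HSM client library whose files are readable only by an extra group needs.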
@@ -231,7 +227,7 @@
         # It may fail if p11-kit has already registered the library, that's
         # ok.
         ipautil.run(command, stdin='\n', cwd=tempnssdb.secdir,
-                    runas=pkiuser, suplementary_groups=[pkigroup],
+                    runas=pkiuser, suplementary_groups=group_list,
                     raiseonerr=False)

         command = [
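Review bot: the `-add` step runs with `raiseonerr=False` and its output is discarded, yet the poster's failure is precisely a module-add error (`Failed to add module "LunaHSM". Probable cause: "Failure to load dynamic library"`). Consider logging the command's stderr at debug level when the return code is non-zero, so the benign "already registered by p11-kit" case noted in the comment can be told apart from a library the PKI user cannot load even with `group_list`.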
@@ -242,7 +238,7 @@
         ]
         lines = ipautil.run(
             command, cwd=tempnssdb.secdir, capture_output=True,
-            runas=pkiuser, suplementary_groups=[pkigroup]).output
+            runas=pkiuser, suplementary_groups=group_list).output
         found = False
         token_line = f'token: {token_name}'
         for line in lines.split('\n'):
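Review bot: when no line matches `token_line`, the captured `lines` are dropped, so the eventual "Token named ... was not found. Check permissions" error gives no hint whether the module loaded under a different token label or did not load at all; logging `lines` at debug level before raising would let a reporter such as this one answer that without patching the installer.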
@@ -265,7 +261,7 @@
         ]
         result = ipautil.run(args, cwd=tempnssdb.secdir,
                              runas=pkiuser,
-                             suplementary_groups=[pkigroup],
+                             suplementary_groups=group_list,
                              capture_error=True, raiseonerr=False)
         if result.returncode != 0 and len(result.error_output):
             if 'SEC_ERROR_BAD_PASSWORD' in result.error_output:
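Review bot: `len(result.error_output)` in the unchanged context line can simply be `result.error_output` (an empty string is already false); the `group_list` substitution itself is consistent with the two earlier call sites.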

--- constants.py.orig   2025-01-09 17:17:45.674615587 -0500
+++ /usr/lib/python3.9/site-packages/ipaplatform/base/constants.py
2025-01-09 17:18:31.134615587 -0500
@@ -86,7 +86,10 @@
             try:
                 self._entity = entity = grp.getgrnam(self)
             except KeyError:
-                raise ValueError(f"group '{self!s}' not found") from None
+                try:
+                    self._entity = entity = grp.getgrgid(int(self))
+                except (TypeError, ValueError):
+                    raise ValueError(f"group '{self!s}' not found")
from None
         return entity

     @property
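Review bot: the new fallback `grp.getgrgid(int(self))` raises `KeyError` when the string is numeric but no group has that gid, and `KeyError` is not in the `except (TypeError, ValueError)` tuple, so such a value escapes as a bare `KeyError` instead of the intended `ValueError(f"group '{self!s}' not found")`. Add `KeyError` to the tuple, e.g. `except (KeyError, TypeError, ValueError):`.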



-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
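As an added illustration, not part of this thread and not FreeIPA's own code, the following Python mirrors the token-presence check that the patched ca.py performs: it collects the PKI user's full supplementary group list with os.getgrouplist(), registers a PKCS#11 library with modutil, and then looks for a `token: <label>` line in `modutil -list` output. The parsing and diagnosis functions run offline on a constructed listing modelled on the modutil output quoted above; `check_token()` invokes the real modutil binary and is assumed to run as a user that can read the library. Function names, the `-force` flag usage and the sample listing are assumptions made for this example.

```python
"""Added example (not FreeIPA's code): validate that a PKCS#11 token label is
visible through an NSS database's module listing, the way ipa-server-install
checks --token-name, and explain a failure when it is not."""
import os
import pwd
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `modutil -list -dbdir <dir>` output, modelled on the
# listing format seen in the thread (module, library, slots, status, tokens).
SAMPLE_MODUTIL_LIST = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. LunaHSM
        library name: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
         slots: 8 slots attached
        status: loaded

         slot: Net Token Slot
        token: a-hsm001-op-lipa-infra
-----------------------------------------------------------
"""


def parse_modutil_list(output: str) -> Dict[str, List[str]]:
    """Map each module name in modutil -list output to its token labels."""
    modules: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        head, sep, name = line.partition('. ')  # headers look like "2. LunaHSM"
        if sep and head.isdigit():
            current = name
            modules[current] = []
        elif line.startswith('token:') and current is not None:
            modules[current].append(line[len('token:'):].strip())
    return modules


def token_is_visible(output: str, token_name: str) -> bool:
    """The installer's check: an exact 'token: <name>' line (whitespace stripped)."""
    token_line = f'token: {token_name}'
    return any(line.strip() == token_line for line in output.split('\n'))


def diagnose(output: str, module_name: str, token_name: str) -> str:
    """Explain a 'token not found' result: library never loaded vs. wrong label."""
    modules = parse_modutil_list(output)
    if module_name not in modules:
        return ('module not loaded: check the library path and that the PKI user, '
                'including its supplementary groups, can read it')
    if token_name in modules[module_name]:
        return 'ok'
    return f'module loaded but token label not present; labels seen: {modules[module_name]}'


def supplementary_groups(user: str) -> List[int]:
    """All gids the user belongs to, as the patch computes with os.getgrouplist();
    this is what lets modutil open a vendor library restricted to an extra group."""
    pw = pwd.getpwnam(user)
    return os.getgrouplist(pw.pw_name, pw.pw_gid)


def check_token(nssdb_dir: str, module_name: str, library: str, token_name: str) -> bool:
    """Register `library` in the NSS DB and report whether `token_name` is listed.
    Runs the real modutil binary (assumed on PATH); the add step may fail if the
    library is already registered, so its return code is deliberately ignored."""
    subprocess.run(['modutil', '-force', '-add', module_name, '-libfile', library,
                    '-dbdir', nssdb_dir], input='\n', text=True, check=False)
    listing = subprocess.run(['modutil', '-list', '-dbdir', nssdb_dir],
                             capture_output=True, text=True, check=True).stdout
    return token_is_visible(listing, token_name)


if __name__ == '__main__':
    print(diagnose(SAMPLE_MODUTIL_LIST, 'LunaHSM', 'a-hsm001-op-lipa-infra'))
    print(diagnose(SAMPLE_MODUTIL_LIST, 'LunaHSM', 'wrong-label'))
```

Run against the constructed listing, the first call reports `ok` and the second shows that the module loaded but under a different label; a missing module entry is the signature of the "Failure to load dynamic library" case in the thread, which is where the supplementary-group fix in the patch applies.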
