Hi Rob,

Attached is the log from /var/log/ipa-server-install.log. The command I'm running is:
ipa-server-install --external-ca -r LINUX.OT.LOCAL --random-serial-numbers --ds-password=XXXXXXXXXXXXXXX --admin-password= XXXXXXXXXXXXXXX --token-name="a-hsm001-op-lipa-infra" --token-password="E9J7-Pb9F-XXXX-XXXX" --token-library-path /usr/safenet/lunaclient/lib/libCryptoki2_64.so --setup-kra --verbose -d

If I check with pkcs11-tool:

# pkcs11-tool --module /usr/safenet/lunaclient/lib/libCryptoki2_64.so --login --pin 'E9J7-Pb9F-XXXX-XXXX' --test
Using slot 0 with a present token (0x0)
C_SeedRandom() and C_GenerateRandom(): seems to be OK
Digests: all 4 digest functions seem to work
  SHA-1: OK
  SHA256: OK
  ERR: C_Digest() didn't return CKR_OK for a NULL output buffer, but CKR_OPERATION_NOT_INITIALIZED (0x91)
  ERR: digest operation ended prematurely
Signatures (currently only for RSA)
  testing key 0 () -- non-RSA, skipping
  testing key 1 () -- non-RSA, skipping
  testing key 2 () -- non-RSA, skipping
  testing key 3 () -- non-RSA, skipping
  testing key 4 () -- non-RSA, skipping
  testing key 5 (caSigningCert cert-pki-ca) -- non-RSA, skipping
  testing key 6 () -- non-RSA, skipping
  testing key 7 () -- non-RSA, skipping
  testing key 8 () -- non-RSA, skipping
Signatures: no private key found in this slot
Verify (currently only for RSA)
  testing key 0 () -- non-RSA, skipping
  testing key 1 () with 1 mechanism -- non-RSA, skipping
  testing key 2 () with 1 mechanism -- non-RSA, skipping
  testing key 3 () with 1 mechanism -- non-RSA, skipping
  testing key 4 () with 1 mechanism -- non-RSA, skipping
  testing key 5 (caSigningCert cert-pki-ca) with 1 mechanism -- non-RSA, skipping
  testing key 6 () with 1 mechanism -- non-RSA, skipping
  testing key 7 () with 1 mechanism -- non-RSA, skipping
  testing key 8 () with 1 mechanism -- non-RSA, skipping
Decryption (currently only for RSA)
  testing key 0 () -- non-RSA, skipping
  testing key 1 () -- non-RSA, skipping
  testing key 2 () -- non-RSA, skipping
  testing key 3 () -- non-RSA, skipping
  testing key 4 () -- non-RSA, skipping
  testing key 5 (caSigningCert cert-pki-ca) -- non-RSA, skipping
  testing key 6 () -- non-RSA, skipping
  testing key 7 () -- non-RSA, skipping
  testing key 8 () -- non-RSA, skipping
2 errors

# pkcs11-tool --module /usr/safenet/lunaclient/lib/libCryptoki2_64.so --list-objects
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      caSigningCert cert-pki-ca
  subject:    DN: C=NL, O= XXXXXXXXXXXXXXX, CN= XXXXXXXXXXXXXXX Prod Issuing CA Infra-Linux - G1
  serial:     3C0000000AD05 XXXXXXXXXXXXXXX
  ID:         41d63235732dfe19XXXXXXXXXXXXXXX
Certificate Object; type = X.509 cert
  label:      caSigningCert External CA
  subject:    DN: C=NL, O=XXXXXXXXXXXXXXX, CN= XXXXXXXXXXXXXXX Root CA - G1
  serial:     25E41620F655F2 XXXXXXXXXXXXXXX
  ID:         2905abef0a229ead14a XXXXXXXXXXXXXXX

# pkcs11-tool --module /usr/safenet/lunaclient/lib/libCryptoki2_64.so --list-slots
Available slots:
Slot 0 (0x0): Net Token Slot
  token label        : a-hsm001-op-lipa-infra
  token manufacturer : Safenet, Inc.
  token model        : LunaSA 7.7.0
  token flags        : login required, PIN pad present, rng, token initialized, PIN initialized, other flags=0x20
  hardware version   : 0.0
  firmware version   : 7.7
  serial num         : 1522365206425
  pin min/max        : 7/255
Slot 1 (0x1): Net Token Slot
  token label        : b-hsm001-op-lipa-infra
  token manufacturer : Safenet, Inc.
  token model        : LunaSA 7.7.0
  token flags        : login required, PIN pad present, rng, token initialized, PIN initialized, other flags=0x20
  hardware version   : 0.0
  firmware version   : 7.7
  serial num         : 1522346579977
  pin min/max        : 7/255
Slot 2 (0x2): Luna UHD Slot
  (empty)
Slot 3 (0x3): Luna UHD Slot
  (empty)
Slot 4 (0x4): Luna UHD Slot
  (empty)
Slot 5 (0x5): Luna G7 Slot
  (empty)
Slot 6 (0x6): Luna G7 Slot
  (empty)
Slot 7 (0x7): Luna G7 Slot
  (empty)

Kind regards,
Danny

From: Rob Crittenden <rcrit...@redhat.com>
Date: Tuesday, 14 January 2025 at 21:29
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Dev <d...@grebit.nl>
Subject: Re: [Freeipa-users] Re: FreeIPA Server Installation Issue with Luna HSM Integration

Can you provide the full /var/log/ipaserver-install.log? Privately is ok. I need to see more context on where it is failing.

thanks

rob

Danny Van den Berg via FreeIPA-users wrote:
> Not yet. We have some issues with continuing the installation further. It keeps
> saying an invalid token, while we checked with the vendor that the token should
> be ok. So we need to check what's wrong there.
>
> Press Enter, then enter PIN for "a-hsm001-op-lipa-infra" on external device.
>
> Process finished, return code=255
> stdout=certutil: Checking token "a-hsm001-op-lipa-infra" in slot "Net Token Slot"
>
> stderr=Incorrect password/PIN entered.
> certutil: could not authenticate to token a-hsm001-op-lipa-infra.: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
>
>   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
>     return_value = self.run()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 344, in run
>     return cfgr.run()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 358, in run
>     self.validate()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 368, in validate
>     for _nothing in self._validator():
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 463, in _handle_validate_exception
>
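As an added check (example code, not from the thread or from FreeIPA): a small parser for the pkcs11-tool --list-slots listing above that confirms the label handed to ipa-server-install as --token-name actually sits on a token that is initialized, has its PIN set and requires login. The embedded sample is constructed from the listing in the mail, with serial numbers replaced and one extra slot invented to show a failing check.

```python
import re

# Constructed sample in the pkcs11-tool --list-slots format seen in the mail.
# Slot 0 mirrors the real token; slot 1 is invented (PIN not initialized).
SAMPLE_LIST_SLOTS = """\
Available slots:
Slot 0 (0x0): Net Token Slot
  token label        : a-hsm001-op-lipa-infra
  token manufacturer : Safenet, Inc.
  token model        : LunaSA 7.7.0
  token flags        : login required, PIN pad present, rng, token initialized, PIN initialized, other flags=0x20
  hardware version   : 0.0
  firmware version   : 7.7
  serial num         : 0000000000000
  pin min/max        : 7/255
Slot 1 (0x1): Net Token Slot
  token label        : example-uninitialised-token
  token flags        : login required, token initialized
Slot 2 (0x2): Luna UHD Slot
  (empty)
"""

SLOT_RE = re.compile(r"^Slot (\d+) \(0x[0-9a-fA-F]+\): (.*)$")
REQUIRED_FLAGS = ("token initialized", "PIN initialized", "login required")


def parse_slots(text):
    """Return one dict per slot; 'key : value' lines become entries, '(empty)' slots keep none."""
    slots = []
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slots.append({"slot": int(m.group(1)), "description": m.group(2).strip()})
            continue
        if not slots or line.strip().startswith("("):
            continue  # header line before the first slot, or "(empty)"
        if ":" in line:
            key, _, value = line.strip().partition(":")
            slots[-1][key.strip()] = value.strip()
    return slots


def check_token(text, token_label):
    """Return (slot_number, problems). slot_number is None when no token carries the label."""
    for s in parse_slots(text):
        if s.get("token label") != token_label:
            continue
        flags = {f.strip() for f in s.get("token flags", "").split(",")}
        problems = [f for f in REQUIRED_FLAGS if f not in flags]
        return s["slot"], problems
    return None, ["no slot carries token label %r" % token_label]
```

Feed it real output with `check_token(subprocess.check_output([...,"--list-slots"], text=True), "a-hsm001-op-lipa-infra")`; an empty problem list means the label and flags are not what the installer is tripping on.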
--
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org