Dev wrote:
> Hi Rob,
>
> Hereby attached the logging of the /var/log/ipa-server-install.log. The
> command I’m running is:
>
> ipa-server-install --external-ca -r LINUX.OT.LOCAL --random-serial-numbers
> --ds-password=XXXXXXXXXXXXXXX --admin-password=XXXXXXXXXXXXXXX
> --token-name="a-hsm001-op-lipa-infra" --token-password="E9J7-Pb9F-XXXX-XXXX"
> --token-library-path /usr/safenet/lunaclient/lib/libCryptoki2_64.so
> --setup-kra --verbose -d
>
> If I check with pkcs11-tool:
>
> # pkcs11-tool --module /usr/safenet/lunaclient/lib/libCryptoki2_64.so --login --pin 'E9J7-Pb9F-XXXX-XXXX' --test
> Using slot 0 with a present token (0x0)
> C_SeedRandom() and C_GenerateRandom():
>   seems to be OK
> Digests:
>   all 4 digest functions seem to work
>   SHA-1: OK
>   SHA256: OK
> ERR: C_Digest() didn't return CKR_OK for a NULL output buffer, but CKR_OPERATION_NOT_INITIALIZED (0x91)
> ERR: digest operation ended prematurely
> Signatures (currently only for RSA)
>   testing key 0 () -- non-RSA, skipping
>   testing key 1 () -- non-RSA, skipping
>   testing key 2 () -- non-RSA, skipping
>   testing key 3 () -- non-RSA, skipping
>   testing key 4 () -- non-RSA, skipping
>   testing key 5 (caSigningCert cert-pki-ca) -- non-RSA, skipping
>   testing key 6 () -- non-RSA, skipping
>   testing key 7 () -- non-RSA, skipping
>   testing key 8 () -- non-RSA, skipping
> Signatures: no private key found in this slot
> Verify (currently only for RSA)
>   testing key 0 () -- non-RSA, skipping
>   testing key 1 () with 1 mechanism -- non-RSA, skipping
>   testing key 2 () with 1 mechanism -- non-RSA, skipping
>   testing key 3 () with 1 mechanism -- non-RSA, skipping
>   testing key 4 () with 1 mechanism -- non-RSA, skipping
>   testing key 5 (caSigningCert cert-pki-ca) with 1 mechanism -- non-RSA, skipping
>   testing key 6 () with 1 mechanism -- non-RSA, skipping
>   testing key 7 () with 1 mechanism -- non-RSA, skipping
>   testing key 8 () with 1 mechanism -- non-RSA, skipping
> Decryption (currently only for RSA)
>   testing key 0 () -- non-RSA, skipping
>   testing key 1 () -- non-RSA, skipping
>   testing key 2 () -- non-RSA, skipping
>   testing key 3 () -- non-RSA, skipping
>   testing key 4 () -- non-RSA, skipping
>   testing key 5 (caSigningCert cert-pki-ca) -- non-RSA, skipping
>   testing key 6 () -- non-RSA, skipping
>   testing key 7 () -- non-RSA, skipping
>   testing key 8 () -- non-RSA, skipping
> 2 errors
>
> # pkcs11-tool --module /usr/safenet/lunaclient/lib/libCryptoki2_64.so --list-objects
> Using slot 0 with a present token (0x0)
> Certificate Object; type = X.509 cert
>   label:      caSigningCert cert-pki-ca
>   subject:    DN: C=NL, O=XXXXXXXXXXXXXXX, CN=XXXXXXXXXXXXXXXProd Issuing CA Infra-Linux - G1
>   serial:     3C0000000AD05XXXXXXXXXXXXXXX
>   ID:         41d63235732dfe19XXXXXXXXXXXXXXX
> Certificate Object; type = X.509 cert
>   label:      caSigningCert External CA
>   subject:    DN: C=NL, O=XXXXXXXXXXXXXXX, CN=XXXXXXXXXXXXXXXRoot CA - G1
>   serial:     25E41620F655F2XXXXXXXXXXXXXXX
>   ID:         2905abef0a229ead14aXXXXXXXXXXXXXXX
>
> # pkcs11-tool --module /usr/safenet/lunaclient/lib/libCryptoki2_64.so --list-slots
> Available slots:
> Slot 0 (0x0): Net Token Slot
>   token label        : a-hsm001-op-lipa-infra
>   token manufacturer : Safenet, Inc.
>   token model        : LunaSA 7.7.0
>   token flags        : login required, PIN pad present, rng, token initialized, PIN initialized, other flags=0x20
>   hardware version   : 0.0
>   firmware version   : 7.7
>   serial num         : 1522365206425
>   pin min/max        : 7/255
> Slot 1 (0x1): Net Token Slot
>   token label        : b-hsm001-op-lipa-infra
>   token manufacturer : Safenet, Inc.
>   token model        : LunaSA 7.7.0
>   token flags        : login required, PIN pad present, rng, token initialized, PIN initialized, other flags=0x20
>   hardware version   : 0.0
>   firmware version   : 7.7
>   serial num         : 1522346579977
>   pin min/max        : 7/255
> Slot 2 (0x2): Luna UHD Slot
>   (empty)
> Slot 3 (0x3): Luna UHD Slot
>   (empty)
> Slot 4 (0x4): Luna UHD Slot
>   (empty)
> Slot 5 (0x5): Luna G7 Slot
>   (empty)
> Slot 6 (0x6): Luna G7 Slot
>   (empty)
> Slot 7 (0x7): Luna G7 Slot
>   (empty)
The main difference here is that because PKI relies on NSS for crypto, IPA is
trying to validate the token in a similar way.

You might try manually replicating what IPA (and therefore PKI) is doing.
Perhaps try as root first and if that works, try as pkiuser. Perhaps this is
some additional permission issue.

$ mkdir ~/nssdb
$ certutil -N -d ~/nssdb
$ modutil -d ~/nssdb -nocertdb -add test -libfile /usr/safenet/lunaclient/lib/libCryptoki2_64.so

You'll be prompted to hit ENTER to accept.

Then try reading the keys from the token:

$ certutil -d ~/nssdb -K -h a-hsm001-op-lipa-infra

You'll be prompted for the PIN.

If that simple procedure fails then it may be some incompatibility between
your HSM and NSS (firmware revision, for example). You can see the supported
versions at
https://docs.redhat.com/en/documentation/red_hat_certificate_system/10/html/planning_installation_and_deployment_guide/release_notes-deployment_notes-optional_server_hardware

Do you have FIPS enabled?

rob

>
> Kind regards,
>
> Danny
>
> From: Rob Crittenden <rcrit...@redhat.com>
> Date: Tuesday, 14 January 2025 at 21:29
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Cc: Dev <d...@grebit.nl>
> Subject: Re: [Freeipa-users] Re: FreeIPA Server Installation Issue with Luna HSM Integration
>
> Can you provide the full /var/log/ipaserver-install.log? Privately is
> ok. I need to see more context on where it is failing.
>
> thanks
>
> rob
>
> Danny Van den Berg via FreeIPA-users wrote:
>> Not yet. We have some issues with continuing the installation further. It keeps
>> saying an invalid token while we checked with the vendor that the token
>> should be ok. So need to check what's wrong there..
>>
>> Press Enter, then enter PIN for "a-hsm001-op-lipa-infra" on external device.
>>
>> Process finished, return code=255
>> stdout=certutil: Checking token "a-hsm001-op-lipa-infra" in slot "Net Token Slot"
>>
>> stderr=Incorrect password/PIN entered.
>> certutil: could not authenticate to token a-hsm001-op-lipa-infra.: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
>>
>>   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
>>     return_value = self.run()
>>   File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 344, in run
>>     return cfgr.run()
>>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 358, in run
>>     self.validate()
>>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 368, in validate
>>     for _nothing in self._validator():
>>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
>>     exc_handler(exc_info)
>>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 463, in _handle_validate_exception
>>
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
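The manual certutil/modutil check Rob describes above, scripted so the same probe can be run first as root and then as pkiuser and the two results compared. This is an added example for the thread, not FreeIPA or Dogtag code and not something anyone in the thread posted. It assumes the NSS tools and `runuser` are installed, uses a module name of "hsm-probe", replaces the interactive prompts with `-force`, `--empty-password` and a PIN file, and assumes the `certutil -K` line format that the parser expects; the sample output it parses is constructed, with made-up CKA_ID values.

```python
#!/usr/bin/env python3
"""Non-interactive version of the certutil/modutil token probe from this thread.

Added example, not FreeIPA/Dogtag code. It builds a throwaway NSS database,
loads the Luna PKCS#11 library the way IPA/PKI do through NSS, and lists the
token's keys with certutil -K, optionally running every step as another user
(pkiuser) so a permission problem shows up as a difference between the runs.
"""
import os
import re
import shutil
import subprocess
import tempfile
from typing import Dict, List, Optional, Tuple

# certutil -K prints one key per line as "<idx> type   CKA_ID-hex   nickname"
# (format assumed from certutil's key listing; the sample below is constructed).
KEY_LINE = re.compile(r"^<\s*(\d+)>\s+(\S+)\s+(\S+)\s+(.*)$")

# Constructed sample of a successful listing on the thread's token; CKA_IDs are fake.
SAMPLE_CERTUTIL_K = """certutil: Checking token "a-hsm001-op-lipa-infra" in slot "Net Token Slot"
< 0> ec       0011223344556677   caSigningCert cert-pki-ca
< 1> ec       8899aabbccddeeff   caSigningCert External CA
"""

Key = Tuple[int, str, str, str]  # (index, key type, CKA_ID hex, nickname)


def parse_certutil_keys(output: str) -> List[Key]:
    """Extract (index, type, CKA_ID, nickname) for every key line certutil -K printed."""
    keys: List[Key] = []
    for line in output.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()))
    return keys


def find_key(keys: List[Key], nickname: str) -> Optional[Key]:
    """Return the key IPA would address as token:nickname, or None if it is absent."""
    return next((k for k in keys if k[3] == nickname), None)


def nss_commands(dbdir: str, token: str, lib: str, pinfile: str,
                 module: str = "hsm-probe") -> List[List[str]]:
    """Rob's three steps made scriptable: no DB password, no ENTER prompt, PIN read from a file."""
    return [
        ["certutil", "-N", "-d", dbdir, "--empty-password"],
        ["modutil", "-dbdir", dbdir, "-nocertdb", "-force", "-add", module, "-libfile", lib],
        ["certutil", "-d", dbdir, "-K", "-h", token, "-f", pinfile],
    ]


def run_as(user: Optional[str], cmd: List[str]) -> subprocess.CompletedProcess:
    """Run cmd directly, or under `runuser -u USER --` when probing as pkiuser."""
    if user:
        cmd = ["runuser", "-u", user, "--"] + cmd
    return subprocess.run(cmd, capture_output=True, text=True)


def probe_token(token: str, lib: str, pin: str, user: Optional[str] = None,
                nickname: str = "caSigningCert cert-pki-ca") -> Dict[str, object]:
    """Create a temp NSS DB, add the PKCS#11 module and list keys; stop at the first failing step.

    The PIN is written to a 0600 file instead of being passed on argv, so it is
    not readable by other local users through the process list.
    """
    tmp = tempfile.mkdtemp(prefix="nss-probe-")
    try:
        dbdir = os.path.join(tmp, "nssdb")
        os.mkdir(dbdir, 0o700)
        pinfile = os.path.join(tmp, "pin")
        fd = os.open(pinfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(pin + "\n")
        if user:  # the target user must be able to read the DB directory and PIN file
            for path in (tmp, dbdir, pinfile):
                shutil.chown(path, user=user)
        result: Dict[str, object] = {"user": user or "current", "keys": [], "failed_step": None}
        for cmd in nss_commands(dbdir, token, lib, pinfile):
            cp = run_as(user, cmd)
            if cp.returncode != 0:
                result["failed_step"] = " ".join(cmd[:2])
                result["rc"] = cp.returncode
                result["stderr"] = cp.stderr.strip()
                return result
        result["keys"] = parse_certutil_keys(cp.stdout)
        result["has_ca_key"] = find_key(result["keys"], nickname) is not None
        return result
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    import json
    import sys
    # Usage (as root): HSM_PIN=... ./probe.py TOKEN-LABEL LIBPATH [USER]
    token, lib = sys.argv[1], sys.argv[2]
    user = sys.argv[3] if len(sys.argv) > 3 else None
    print(json.dumps(probe_token(token, lib, os.environ["HSM_PIN"], user), indent=2))
```

Run it once as root and once with `pkiuser` as the third argument, keeping the PIN in the environment rather than on the command line. If the root run lists the keys and the pkiuser run stops at the modutil step or at certutil -K with SEC_ERROR_BAD_PASSWORD, the difference is on the pkiuser side, which is the permission angle Rob suggests checking; if both runs fail the same way, the NSS/HSM compatibility question comes first. Note that `pkcs11-tool --pin` as used earlier in the thread puts the PIN in the process's argument list, where any local user can read it with `ps`, which is why this probe uses a PIN file.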