Hello,
Recently I've been experimenting with an HSM on FreeIPA. I got stuck at the CA generation, but that's a separate issue. I somehow achieved a successful key generation on the HSM with the default key_algorithm/size settings: RSA 3072/2048 keys showed up on the HSM even after a failed CA installation, but that was not the case with ECC keys.
The error was:

```
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp877ip58a'] returned non-zero exit status 1:
pkihelper    : ERROR    Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1056)
configuration: ERROR    Server failed to restart
pkispawn     : ERROR    Exception: server failed to restart
  File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 547, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 670, in spawn
    raise Exception("server failed to restart")
')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
```

and the configuration was:

```
[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp384
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename=nitrohsm
pki_token_name=UserPIN (SmartCard-HSM)
pki_token_password=648219
pki_random_serial_numbers_enable=True
```
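To see what a failed pkispawn run actually left on the token, the following is an added example (my own script, not code from this thread, from FreeIPA or from Dogtag). It lists the token's objects through the same OpenSC module and token label as the posted pkispawn config, reduces the listing to one line per key object with algorithm and size, and carries an openssl probe for the handshake failure pkispawn reports. The PKCS11_PIN / PKCS11_MODULE / PKCS11_TOKEN environment variables, all function names and the sample listing are assumptions of this example; the sample is constructed in pkcs11-tool's output format and includes one EC key pair so that both the RSA and the EC form are shown.

```shell
#!/bin/sh
# Added example, not from the thread: inspect an OpenSC-backed token after a
# failed pkispawn run. Module path and token label match the posted config;
# the user PIN is read from $PKCS11_PIN (an assumption of this example)
# instead of being written into a config file.

MODULE="${PKCS11_MODULE:-/usr/lib64/opensc-pkcs11.so}"
TOKEN_LABEL="${PKCS11_TOKEN:-UserPIN (SmartCard-HSM)}"

# Dump every object on the token. A login is required, otherwise private
# key objects stay hidden and "did the key show up?" cannot be answered.
list_objects() {
    pkcs11-tool --module "$MODULE" --token-label "$TOKEN_LABEL" \
        --login --pin "$PKCS11_PIN" --list-objects
}

# Reduce a pkcs11-tool listing (stdin) to one line per key object:
#   <private|public> <RSA|EC> <bits|-> <label>
# pkcs11-tool prints the bit length only on public key headers, so a private
# key line carries "-" and its size is on the public key with the same label.
summarize_keys() {
    awk '
        function flush() { if (kind != "") print kind, algo, bits, label; kind = "" }
        /^(Private|Public) Key Object;/ {
            flush()
            kind = tolower($1); algo = $4; label = "(no label)"
            bits = match($0, /[0-9]+ bits/) ? substr($0, RSTART, RLENGTH - 5) : "-"
        }
        /^ *label:/ && kind != "" { label = $0; sub(/^ *label: */, "", label) }
        END { flush() }
    '
}

# Count key objects of one kind and algorithm, e.g. "count_keys private EC".
# grep -c exits 1 on zero matches; keep the "0" it printed as the answer.
count_keys() {
    summarize_keys | grep -c "^$1 $2 " || true
}

# Constructed sample in pkcs11-tool's format: the two RSA pairs a CA install
# leaves behind plus one EC pair, so the EC branch of the parser is exercised.
sample_listing() {
    cat <<'EOF'
Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      caSigningCert cert-pki-ca
  ID:         0a
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 3072 bits
  label:      caSigningCert cert-pki-ca
  ID:         0a
  Usage:      encrypt, verify
Private Key Object; RSA
  label:      subsystemCert cert-pki-ca
  ID:         0b
  Usage:      decrypt, sign
Public Key Object; RSA 2048 bits
  label:      subsystemCert cert-pki-ca
  ID:         0b
  Usage:      encrypt, verify
Private Key Object; EC
  label:      test-ec-key
  ID:         0c
  Usage:      sign, derive
Public Key Object; EC  EC_POINT 384 bits
  label:      test-ec-key
  ID:         0c
  Usage:      verify
EOF
}

# Client-side view of the handshake failure pkispawn reports: the alert the
# server sends, or the cipher and signature-digest lines when it does not,
# show what the TLS layer offered with the HSM-backed server certificate.
tls_probe() {   # usage: tls_probe host:port servername
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>&1 |
        grep -E 'alert|Cipher is|Peer signing digest|Server Temp Key|Verify return'
}

# Stand-alone run: use the live token when a PIN is supplied, else the sample.
if [ -n "${PKCS11_PIN:-}" ]; then
    list_objects | summarize_keys
else
    sample_listing | summarize_keys
fi
```

Run it with PKCS11_PIN exported to see the real token; without a PIN it prints the summary of the constructed sample. Comparing `count_keys private RSA` against `count_keys private EC` before and after an install attempt is the quickest way to tell whether the key generation step or the later restart is what failed.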
チョーチュアン via FreeIPA-users wrote:
You're really on the bleeding edge. I don't know that HSM works reliably yet. An ECC CA is not something we're planning on ever doing (keys too small) so you're on your own with that.
rob
On Tue, 28 May 2019, Rob Crittenden via FreeIPA-users wrote:
Yes, to both not supporting ECC CA (following NIST recommendations) and to not have it working yet in Dogtag with HSM.
Do I understand right that for non-ECC CA you have it working apart from a negotiation error? I think Christian saw negotiation error too and there should be a bug opened at Dogtag side for something related.
Thanks for the feed, and yes, I have the RSA CA working apart from a negotiation error.
On Wed, May 29, 2019 at 12:11 AM Alexander Bokovoy abokovoy@redhat.com wrote:
--
Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
On 29/05/2019 03.39, チョーチュアン via FreeIPA-users wrote:
Hi,
fantastic, thanks for trying this! I was able to install FreeIPA with NitroKey HSM support last year using an experimental build (https://gist.github.com/tiran/af7c21882e1732227455a13c3b8ff380).
HSM integration is super experimental. There are currently several known bugs in Dogtag and FreeIPA related to HSM. A bunch of features don't work either, e.g. Sub CAs and replication. We haven't announced the feature yet because it is barely usable.
I'm even puzzled that you were able to complete the installation at all. My last installation attempts completely failed.
Christian
freeipa-users@lists.fedorahosted.org