Hello,
I'm trying to integrate Soft HSM 2 and EJBCA CE under a CentOS 7 environment with Wildfly 18.
I'm trying to create a Crypto Token, but submitting the form returns an "Error when creating Crypto Token" error, along with the ID of the token which isn't created. The libsofthsm2.so file seems to be recognized by the admin web GUI.
Debug-level logs in Wildfly indicate "sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TOKEN_NOT_RECOGNIZED" along with the following errors, to sum them up:
Caused by: java.lang.IllegalStateException: Error constructing pkcs11 provider: null
Caused by: java.lang.reflect.InvocationTargetException
Caused by: java.security.ProviderException: Initialization failed
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TOKEN_NOT_RECOGNIZED
Interacting with softHSM using softhsm2-util is working though, as well as "/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate" and "/ejbcaClientToolBox.sh PKCS11HSMKeyTool test".
Listing usable objects on slot with pkcs11-tool is working as well.
Did anyone run into this issue? Or did I miss something in the documentation?
A.
CKR_TOKEN_NOT_RECOGNIZED is an error returned by the PKCS#11 driver.
Does the UI list token labels if you select the "Slot Token/Label" option?
Hi,
No, it doesn't.
The following logs are returned when switching to the label list in the UI:
2021-11-17 09:43:51,691 DEBUG [org.cesecore.keys.token.p11.Pkcs11SlotLabel] (default task-2) Found number of slots: 1
2021-11-17 09:43:51,691 DEBUG [org.cesecore.keys.token.p11.Pkcs11SlotLabel] (default task-2) 0: Found token label: id=0
There are more slots with proper labels in the soft hsm though.
Perhaps you have multiple softhsm libs installed and EJBCA uses the wrong one? That should also be visible in the log, which library it uses.
I do have several ones, but the right one is configured in web.properties, and the following logs seem to confirm this:
2021-11-17 10:06:05,596 DEBUG [org.cesecore.keys.token.p11.Pkcs11SlotLabel] (default task-1) Using JDK8 SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
2021-11-17 10:06:05,616 DEBUG [org.cesecore.keys.token.p11.Pkcs11SlotLabel] (default task-1) Get dummy sun provider throws an exception for /usr/lib64/libsofthsm2.so. This is OK.: java.lang.reflect.InvocationTargetException
Tested both libraries with ejbcaClientTool and it's working.
How about privileges? Do you run JBoss as another user than you run clientToolBox?
Indeed, Wildfly is run as a service using systemd, and as such I think it has to do with privileges. I usually run clientToolBox as the root user, and as such it's working. BUT trying to run it as the wildfly user isn't working, even after changing ownership to wildfly or adding the wildfly user as a root user (for testing purposes).
Running the toolbox under these conditions raises the same error logs mentioned at the beginning.
That's it. SoftHSM stores the key/slot material as files, which any user trying to use the keys/slots needs to have access to.
Yes! You were and are right!
The solution is to create the token or initialize softHSM as the wildfly user, so that the wildfly / ejbca application can actually access the necessary files. Labels are now displayed in the UI and Crypto Token creation is working.
Thank you very much for your help and reactivity, especially since the issue ultimately wasn't related to EJBCA.
Thanks a lot,
A.
Hi Amaury. May I know how to create the token or init softHSM as the wildfly user? Is it by changing ownership of the clientToolBox directory to the wildfly user?
Hi @Tomas
How do I create and init using the wildfly user?
Key files in softHSM are (by default) stored in /var/lib/softhsm. By default they are accessible by root and the softhsm user group. Anyone who wants to use the slots/keys needs to be part of the softhsm group.
In short, add your wildfly user to the softhsm group in the OS.
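The check below is an added example and not code from the thread or from the EJBCA/SoftHSM projects. It models the failure described above: a service account (here the wildfly user) that is neither the owner of the SoftHSM token directory nor in the softhsm group gets no read/search access and the PKCS#11 provider fails to initialize. The script inspects the directory's owner, group and mode bits the way the kernel would for a non-root user, so it can be run before restarting the service to confirm that the group membership fix actually took effect. Assumptions: GNU coreutils stat (as on CentOS 7) and the default token directory /var/lib/softhsm/tokens mentioned in the thread; the user and group names are parameters.

```shell
#!/bin/sh
# Added example: verify that a service user can reach SoftHSM's token directory.
# Assumes GNU stat. Root is not modelled: root bypasses mode bits, which is why
# clientToolBox "worked" for the poster while the systemd-run Wildfly did not.

# token_dir_access DIR USER [GROUP ...]
# Models a non-root USER with supplementary groups GROUP ... opening DIR: the
# directory must be readable (to enumerate token files) and searchable (to open
# them). Returns 0 if the owner/group/other bits allow that, 1 if not, 2 if DIR
# cannot be inspected.
token_dir_access() {
    dir=$1
    user=$2
    shift 2
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }
    mode=$(stat -c '%a' "$dir")
    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")
    perm=${mode#"${mode%???}"}   # keep the last three octal digits, drop setgid/sticky
    u=${perm%??}                 # owner digit
    g=${perm#?}; g=${g%?}        # group digit
    o=${perm#??}                 # other digit
    if [ "$user" = "$owner" ]; then
        bits=$u; who="owner"
    else
        # POSIX semantics: a group member is judged by the group bits only,
        # never by the "other" bits.
        bits=$o; who="other"
        for grp in "$@"; do
            if [ "$grp" = "$group" ]; then
                bits=$g; who="group $group"
                break
            fi
        done
    fi
    if [ $((bits & 5)) -eq 5 ]; then
        echo "ok: $user reaches $dir via $who bits (mode $perm, $owner:$group)"
        return 0
    fi
    echo "denied: $user is '$who' on $dir (mode $perm, $owner:$group); needs r-x"
    return 1
}

# token_dir_access_for_user DIR USER
# Same check, but with the groups the OS really assigns to USER (id -nG), i.e.
# what the systemd service receives at start. Note that a user added to the
# softhsm group only gets it after the service process is restarted.
token_dir_access_for_user() {
    groups=$(id -nG "$2" 2>/dev/null) || { echo "$2: no such user"; return 2; }
    # shellcheck disable=SC2086
    token_dir_access "$1" "$2" $groups
}

# Usage on the host from the thread (paths and names as assumed above):
#   sh softhsm_access_check.sh /var/lib/softhsm/tokens wildfly
# If it reports "denied", apply the fix given in the thread and restart:
#   usermod -a -G softhsm wildfly && systemctl restart wildfly
if [ "$#" -ge 2 ]; then
    token_dir_access_for_user "$1" "$2"
fi
```

The function deliberately takes the group list as arguments so that it can be exercised against a constructed directory without root: the test below creates a temporary directory, sets the 0750 mode that matches the "root and softhsm group" default described above, and confirms that a hypothetical wildfly user is denied until it is given the owning group.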
Hi @anatom
Noted on that. Thank you. Have a good day