I am able to successfully create and activate the PKCS#11 CryptoToken.
I am getting the following "Login failed" exception when I want to work with the Utimaco PKCS#11 CryptoToken (for example, generating a new RSA key pair):
ERROR [org.jboss.ejb3.invocation] (http--0.0.0.0-8443-1) JBAS014134: EJB Invocation failed on component CryptoTokenManagementSessionBean for method public abstract void org.cesecore.keys.token.CryptoTokenManagementSession.createKeyPair(org.cesecore.authentication.tokens.AuthenticationToken,int,java.lang.String,java.lang.String) throws org.cesecore.authorization.AuthorizationDeniedException,org.cesecore.keys.token.CryptoTokenOfflineException,java.security.InvalidKeyException,java.security.InvalidAlgorithmParameterException: javax.ejb.EJBException: java.security.ProviderException: Login failed
at org.jboss.as.ejb3.tx.CMTTxInterceptor.handleExceptionInOurTx(CMTTxInterceptor.java:166) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:230) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:304) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:190) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:32) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.cesecore.keys.token.CryptoTokenManagementSessionLocal$$$view74.createKeyPair(Unknown Source) [cesecore-ejb-interface.jar:]
at org.ejbca.ui.web.admin.cryptotoken.CryptoTokenMBean.generateNewKeyPair(CryptoTokenMBean.java:793)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_25]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_25]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_25]
at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_25]
at org.apache.el.parser.AstValue.invoke(AstValue.java:262)
at org.apache.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:278)
at org.apache.jasper.el.JspMethodExpression.invoke(JspMethodExpression.java:68)
at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:88)
at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102)
at javax.faces.component.UICommand.broadcast(UICommand.java:387)
at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:475)
at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:756)
at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:82)
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
at org.owasp.filters.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:198) [ejbca-common-web.jar:EJBCA 6.2.0 (r19221)]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
at org.owasp.filters.ClickjackFilter.doFilter(ClickjackFilter.java:36) [ejbca-common-web.jar:EJBCA 6.2.0 (r19221)]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
at org.apache.myfaces.webapp.filter.ExtensionsFilter.doFilter(ExtensionsFilter.java:147)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
at org.ejbca.ui.web.admin.ProxiedAuthenticationFilter.doFilter(ProxiedAuthenticationFilter.java:109)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397)
at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]
Caused by: java.security.ProviderException: Login failed
at sun.security.pkcs11.Token.getAttributes(Token.java:289) [sunpkcs11.jar:1.7.0_25]
at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:312) [sunpkcs11.jar:1.7.0_25]
at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:681) [rt.jar:1.7.0_25]
at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:391) [cesecore-common.jar:]
at org.cesecore.keys.util.KeyStoreTools.generateRSA(KeyStoreTools.java:275) [cesecore-common.jar:]
at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:318) [cesecore-common.jar:]
at org.cesecore.keys.token.PKCS11CryptoToken.generateKeyPair(PKCS11CryptoToken.java:212) [cesecore-common.jar:]
at org.cesecore.keys.token.CryptoTokenManagementSessionBean.createKeyPair(CryptoTokenManagementSessionBean.java:510) [cesecore-ejb.jar:]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_25]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_25]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_25]
at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_25]
at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:228) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
... 64 more
Caused by: javax.security.auth.login.LoginException: no password provided, and no callback handler available for retrieving password
at sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1130) [sunpkcs11.jar:1.7.0_25]
at sun.security.pkcs11.Token.ensureLoggedIn(Token.java:199) [sunpkcs11.jar:1.7.0_25]
at sun.security.pkcs11.Token.getAttributes(Token.java:287) [sunpkcs11.jar:1.7.0_25]
... 90 more
When I try to use the OpenSC pkcs11-tool from the same server where EJBCA is deployed, it works without any problem.
What could be wrong with EJBCA?
Thank you.
EJBCA 6.2.0
JBoss 7.1.1.Final
OpenJDK 1.7.0_25
Additional information:
The exception occurs after upgrading from EJBCA 6.0.3 to EJBCA 6.2.0.
Before the upgrade, all operations on the CryptoToken worked.
I read that every PKCS#11 command to the Utimaco HSM must be authenticated by the USER.
Could that be the reason why it is telling me "Login failed"?
Is EJBCA sending the password to the PKCS#11 cryptotoken every time it needs to do some operation on it?
No, JBoss opens a session to the HSM, which requires the slot password to be sent once.
Cheers,
Mike Kushner
Developer, Primekey Solutions
PrimeKey Solutions offers commercial EJBCA and SignServer support
subscriptions and training courses. Please see www.primekey.se or
contact sales@primekey.se for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/
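As an added, stand-alone check that is not EJBCA's or PrimeKey's code: it exercises outside the application server the same JDK SunPKCS11 path that fails in the trace above (one provider login, then P11KeyPairGenerator via Token.ensureLoggedIn), so the slot can be tested with the same provider EJBCA uses rather than with OpenSC. It assumes a SunPKCS11 config file path as the first argument and the slot PIN in a PKCS11_PIN environment variable (both placeholders), and uses the JDK 7/8 provider constructor matching the OpenJDK version in this thread.

```java
import java.security.AuthProvider;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/** Stand-alone SunPKCS11 slot login check (added example, not EJBCA code). JDK 7/8 API. */
public class Pkcs11LoginCheck {
    /** Answers SunPKCS11's PasswordCallback with the slot PIN. */
    static CallbackHandler pinHandler(final char[] pin) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(pin);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
    }
    public static void main(String[] args) throws Exception {
        // Assumed placeholders: args[0] = SunPKCS11 config file (name=..., library=<Utimaco PKCS#11 .so>, slot=...),
        // PKCS11_PIN = slot PIN supplied by the operator.
        String configPath = args[0];
        char[] pin = System.getenv("PKCS11_PIN").toCharArray();
        // JDK 7/8 constructor; on JDK 9+ use Security.getProvider("SunPKCS11").configure(configPath).
        AuthProvider hsm = new sun.security.pkcs11.SunPKCS11(configPath);
        Security.addProvider(hsm);
        // One login opens the session (the "once" in the reply above). A handler registered on the
        // provider is what Token.ensureLoggedIn needs for any later implicit re-login; without it
        // that re-login throws the LoginException shown in the trace.
        hsm.setCallbackHandler(pinHandler(pin));
        hsm.login(null, pinHandler(pin));
        // Same operation that failed in EJBCA: RSA key pair generation on the token.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", hsm);
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        System.out.println("RSA key generated, modulus bits: " + ((RSAPublicKey) kp.getPublic()).getModulus().bitLength());
        hsm.logout();
        Arrays.fill(pin, '\0');
    }
}
```

If this program succeeds against the same slot and PIN, the JDK provider and HSM configuration are fine and the problem lies in how the application supplies the PIN to the provider; if it fails with the same LoginException even with the handler registered, the slot or library configuration is rejecting the login.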
Do you have any experience with such behaviour with Utimaco or any other HSM that you could share?
I would like to use it together with EJBCA.
Should I customize the source code, or could there be a workaround?
Nope, Utimaco, SafeNet, Thales... all HSMs work stably and reliably in large-scale production. Most likely some HSM configuration issue, which I will not be able to troubleshoot a lot for free.
Cheers,
Tomas
Roman,
As you well know, we're an open source project, and this forum is primarily meant for supporting other open source developers and applications. While we happily give some basic support to commercial users as well, HSM troubleshooting is far beyond the realm of community work. If you need further help from us, I suggest you contact sales@primekey.se to negotiate a support contract with us.
Cheers,
Mike Kushner
Developer, Primekey Solutions