From: Michael S. <mi...@st...> - 2014-10-30 11:13:23
HI!

I'm currently testing EJBCA (latest SVN) with Smartcard-HSM as described on [1].

Versions:
- EJBCA (latest SVN)
- OpenSC with PKCS#11 module built from git repo
- openSUSE 13.1 and pcsc-lite from their chipcard-repo

Sometimes the Smartcard-HSM is no longer reachable due to some issues with the way openSUSE starts pcscd via udev during hotplug. Yes, I have to sort that out somewhere else.

But I wonder why EJBCA does not reconnect to the Smartcard-HSM once it was unavailable. I have to restart JBOSS to access the token via PKCS#11 module again.

Ciao, Michael.

[1] http://www.smartcard-hsm.com/2014/09/05/Accessing_your_SmartCard-HSM_from_EJBCA.html

From: Branko M. <br...@ma...> - 2014-10-30 13:44:43
Attachments:
signature.asc
On Thu, 30 Oct 2014 12:13:08 +0100 "Michael Ströder" <mi...@st...> wrote:

> HI!
>
> I'm currently testing EJBCA (latest SVN) with Smartcard-HSM as described on
> [1].
>
> Versions:
> - EJBCA (latest SVN)
> - OpenSC with PKCS#11 module built from git repo
> - openSUSE 13.1 and pcsc-lite from their chipcard-repo
>
> Sometimes the Smartcard-HSM is no longer reachable due to some issues with the
> way openSUSE starts pcscd via udev during hotplug. Yes, I have to sort that out
> somewhere else.
>
> But I wonder why EJBCA does not reconnect to the Smartcard-HSM once it was
> unavailable. I have to restart JBOSS to access the token via PKCS#11 module
> again.
>
> Ciao, Michael.
>
> [1]
> http://www.smartcard-hsm.com/2014/09/05/Accessing_your_SmartCard-HSM_from_EJBCA.html
>

It's a more low-level issue with how the PKCS#11 security provider is implemented in Java.

Basically, you have no way to tell the PKCS#11 Java security provider to reestablish a new session. There's also a bunch of caching happening there, so if you create keys etc. outside of EJBCA's running JVM, you won't see them in EJBCA.

Fixing this would require quite a bit more effort, unfortunately (implementing a custom Java security provider, and maintaining it).

Best regards

--
Branko Majic
Jabber: br...@ma...
Please use only Free formats when sending attachments to me.

Бранко Мајић
Џабер: br...@ma...
Молим вас да додатке шаљете искључиво у слободним форматима.

From: Michael S. <mi...@st...> - 2015-02-16 20:45:11
Attachments:
smime.p7s
Branko Majic wrote:

> It's a more low-level issue with how the PKCS#11 security provider is
> implemented in Java.
>
> Basically, you have no way to tell the PKCS#11 Java security provider
> to reestablish a new session. There's also a bunch of caching happening
> there, so if you create keys etc. outside of EJBCA's running JVM, you
> won't see them in EJBCA.
>
> Fixing this would require quite a bit more effort, unfortunately
> (implementing a custom Java security provider, and maintaining it).

Even worse (with SVN revision 20683):
When a crypto token was changed/removed you won't be able to access the "Crypto Tokens" UI in the adminweb anymore (see below) even after restarting JBOSS... :-(

Ciao, Michael.

21:43:44,424 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/ejbca/adminweb].[Faces Servlet]] (http--0.0.0.0-8443-1) Servlet.service() for servlet Faces Servlet threw exception: java.lang.RuntimeException: Attempted to find a slot for a PKCS#11 crypto token, but it did not exists. Perhaps the token was removed?
    at org.cesecore.keys.token.CryptoTokenSessionBean.getCryptoToken(CryptoTokenSessionBean.java:101) [cesecore-ejb.jar:]
    at sun.reflect.GeneratedMethodAccessor158.invoke(Unknown Source) [:1.7.0_75]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_75]
    at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_75]
    at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInNoTx(CMTTxInterceptor.java:211) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.supports(CMTTxInterceptor.java:363) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:194) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:32) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
    at org.cesecore.keys.token.CryptoTokenSessionLocal$$$view25.getCryptoToken(Unknown Source) [cesecore-ejb-interface.jar:]
    at org.cesecore.keys.token.CryptoTokenManagementSessionBean.getCryptoTokenInfo(CryptoTokenManagementSessionBean.java:125) [cesecore-ejb.jar:]
    at org.cesecore.keys.token.CryptoTokenManagementSessionBean.getCryptoTokenInfos(CryptoTokenManagementSessionBean.java:117) [cesecore-ejb.jar:]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_75]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_75]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_75]
    at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_75]
    at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInNoTx(CMTTxInterceptor.java:211) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.supports(CMTTxInterceptor.java:363) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:194) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:32) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
    at org.cesecore.keys.token.CryptoTokenManagementSessionLocal$$$view29.getCryptoTokenInfos(Unknown Source) [cesecore-ejb-interface.jar:]
    at org.ejbca.ui.web.admin.cryptotoken.CryptoTokenMBean.getCryptoTokenGuiList(CryptoTokenMBean.java:310) [classes:]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_75]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_75]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_75]
    at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_75]
    at javax.el.BeanELResolver.getValue(BeanELResolver.java:302) [jboss-el-api_2.2_spec-1.0.0.Final.jar:1.0.0.Final]
    at com.sun.faces.el.DemuxCompositeELResolver._getValue(DemuxCompositeELResolver.java:173) [jsf-impl-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at com.sun.faces.el.DemuxCompositeELResolver.getValue(DemuxCompositeELResolver.java:200) [jsf-impl-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at org.apache.el.parser.AstValue.getValue(AstValue.java:169) [jbossweb-7.0.13.Final.jar:]
    at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:189) [jbossweb-7.0.13.Final.jar:]
    at org.apache.jasper.el.JspValueExpression.getValue(JspValueExpression.java:101) [jbossweb-7.0.13.Final.jar:]
    at javax.faces.component.UIData.getValue(UIData.java:614) [jsf-api-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at javax.faces.component.UIData.getDataModel(UIData.java:1145) [jsf-api-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at javax.faces.component.UIData.setRowIndex(UIData.java:451) [jsf-api-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at com.sun.faces.renderkit.html_basic.TableRenderer.encodeBegin(TableRenderer.java:77) [jsf-impl-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:816) [jsf-api-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at javax.faces.component.UIData.encodeBegin(UIData.java:983) [jsf-api-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at javax.faces.component.UIComponent.encodeAll(UIComponent.java:928) [jsf-api-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at javax.faces.render.Renderer.encodeChildren(Renderer.java:148) [jsf-api-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:840) [jsf-api-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at javax.faces.component.UIComponent.encodeAll(UIComponent.java:930) [jsf-api-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at javax.faces.component.UIComponent.encodeAll(UIComponent.java:933) [jsf-api-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at com.sun.faces.application.ViewHandlerImpl.doRenderView(ViewHandlerImpl.java:266) [jsf-impl-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at com.sun.faces.application.ViewHandlerImpl.renderView(ViewHandlerImpl.java:197) [jsf-impl-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:110) [jsf-impl-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100) [jsf-impl-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139) [jsf-impl-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:266) [jsf-api-1.2_15-jbossorg-2.jar:1.2_15.jbossorg-1-20111019-SNAPSHOT]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
    at org.owasp.filters.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:198) [ejbca-common-web.jar:EJBCA 6.3.1Alpha (working copy)]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
    at org.owasp.filters.ClickjackFilter.doFilter(ClickjackFilter.java:36) [ejbca-common-web.jar:EJBCA 6.3.1Alpha (working copy)]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
    at org.apache.myfaces.webapp.filter.ExtensionsFilter.doFilter(ExtensionsFilter.java:374) [tomahawk-1.1.14.jar:1.1.14]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
    at org.ejbca.ui.web.admin.ProxiedAuthenticationFilter.doFilter(ProxiedAuthenticationFilter.java:109) [classes:]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397) [jbossweb-7.0.13.Final.jar:]
    at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]

From: Michael S. <mi...@st...> - 2015-02-16 20:47:36
Michael Ströder wrote:

> Branko Majic wrote:
>> It's a more low-level issue with how the PKCS#11 security provider is
>> implemented in Java.
>>
>> Basically, you have no way to tell the PKCS#11 Java security provider
>> to reestablish a new session. There's also a bunch of caching happening
>> there, so if you create keys etc. outside of EJBCA's running JVM, you
>> won't see them in EJBCA.
>>
>> Fixing this would require quite a bit more effort, unfortunately
>> (implementing a custom Java security provider, and maintaining it).
>
> Even worse (with SVN revision 20683):
> When a crypto token was changed/removed you won't be able to access the
> "Crypto Tokens" UI in the adminweb anymore (see below) even after restarting
> JBOSS... :-(

And bin/ejbca.sh cryptotoken list also fails with the same exception.

Sigh...

Ciao, Michael.

> 21:43:44,424 ERROR
> [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/ejbca/adminweb].[Faces
> Servlet]] (http--0.0.0.0-8443-1) Servlet.service() for servlet Faces Servlet
> threw exception: java.lang.RuntimeException: Attempted to find a slot for a
> PKCS#11 crypto token, but it did not exists. Perhaps the token was removed?
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) > [jbossweb-7.0.13.Final.jar:] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) > [jbossweb-7.0.13.Final.jar:] > at > org.apache.myfaces.webapp.filter.ExtensionsFilter.doFilter(ExtensionsFilter.java:374) > [tomahawk-1.1.14.jar:1.1.14] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) > [jbossweb-7.0.13.Final.jar:] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) > [jbossweb-7.0.13.Final.jar:] > at > org.ejbca.ui.web.admin.ProxiedAuthenticationFilter.doFilter(ProxiedAuthenticationFilter.java:109) > [classes:] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) > [jbossweb-7.0.13.Final.jar:] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) > [jbossweb-7.0.13.Final.jar:] > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) > [jbossweb-7.0.13.Final.jar:] > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) > [jbossweb-7.0.13.Final.jar:] > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397) > [jbossweb-7.0.13.Final.jar:] > at > org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) > [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final] > at > org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) > [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) > [jbossweb-7.0.13.Final.jar:] > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) > [jbossweb-7.0.13.Final.jar:] > at > 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) > [jbossweb-7.0.13.Final.jar:] > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) > [jbossweb-7.0.13.Final.jar:] > at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) > [jbossweb-7.0.13.Final.jar:] > at > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) > [jbossweb-7.0.13.Final.jar:] > at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) > [jbossweb-7.0.13.Final.jar:] > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75] > > -- Michael Ströder Klauprechtstr. 11 Dipl.-Inform. D-76137 Karlsruhe, Germany Tel.: +49 721 8304316 Mobil: +49 170 2391920 E-Mail: mi...@st... http://www.stroeder.com |
|
From: Tomas G. <to...@pr...> - 2015-02-17 05:31:06
|
To reproduce, what do you mean by changed/removed? You just pulled the smart card from the reader, or did you do something else?

Cheers,
Tomas

On February 16, 2015 9:44:23 PM GMT+01:00, "Michael Ströder" <mi...@st...> wrote:
>Branko Majic wrote:
>> It's a more low-level issue with how the PKCS#11 security provider is
>> implemented in Java.
>>
>> Basically, you have no way to tell the PKCS#11 Java security provider
>> to reestablish a new session. There's also a bunch of caching happening
>> there, so if you create keys etc outside of EJBCA's running JVM, you
>> won't see them in EJBCA.
>>
>> Fixing this would require quite a bit more effort, unfortunately
>> (implementing a custom Java security provider, and maintaining it).
>
>Even worse (with SVN revision 20683):
>When a crypto token was changed/removed you won't be able to access the
>"Crypto Tokens" UI in the adminweb anymore (see below) even after restarting
>JBOSS... :-(
>
>Ciao, Michael.
>
>21:43:44,424 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/ejbca/adminweb].[Faces Servlet]] (http--0.0.0.0-8443-1) Servlet.service() for servlet Faces Servlet threw exception: java.lang.RuntimeException: Attempted to find a slot for a PKCS#11 crypto token, but it did not exists. Perhaps the token was removed?
|
From: Michael S. <mi...@st...> - 2015-02-17 08:27:54
Attachments:
smime.p7s
|
Tomas Gustavsson wrote:
> To reproduce, what do you mean by changed/removed? You just pulled the
> smart card from the reader, or did you do something else?

In case the token cannot be recovered in the same manner, e.g. hardware damage, one is stuck. One cannot reach the Crypto Token UI anymore.

Or there might be the case where you want to add a new token with the old keys and some new keys but preserve the old Crypto Token configuration for some time without having the old token plugged in.

Ciao, Michael.

> On February 16, 2015 9:44:23 PM GMT+01:00, "Michael Ströder" <mi...@st...> wrote:
>> Branko Majic wrote:
>>> It's a more low-level issue with how the PKCS#11 security provider is
>>> implemented in Java.
>>>
>>> Basically, you have no way to tell the PKCS#11 Java security provider
>>> to reestablish a new session. There's also a bunch of caching happening
>>> there, so if you create keys etc outside of EJBCA's running JVM, you
>>> won't see them in EJBCA.
>>>
>>> Fixing this would require quite a bit more effort, unfortunately
>>> (implementing a custom Java security provider, and maintaining it).
>>
>> Even worse (with SVN revision 20683):
>> When a crypto token was changed/removed you won't be able to access the
>> "Crypto Tokens" UI in the adminweb anymore (see below) even after restarting
>> JBOSS... :-(
>>
>> Ciao, Michael.
>>
>> 21:43:44,424 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/ejbca/adminweb].[Faces Servlet]] (http--0.0.0.0-8443-1) Servlet.service() for servlet Faces Servlet threw exception: java.lang.RuntimeException: Attempted to find a slot for a PKCS#11 crypto token, but it did not exists. Perhaps the token was removed? |
|
From: Michael S. <mi...@st...> - 2015-02-17 08:32:41
Attachments:
smime.p7s
|
Michael Ströder wrote:
> Tomas Gustavsson wrote:
>> To reproduce, what do you mean by changed/removed? You just pulled the
>> smart card from the reader, or did you do something else?
>
> In case the token cannot be recovered in the same manner, e.g. hardware
> damage, one is stuck. One cannot reach the Crypto Token UI anymore.
>
> Or there might be the case where you want to add a new token with the old keys
> and some new keys but preserve the old Crypto Token configuration for some
> time without having the old token plugged in.

Ah yes. For simply reproducing the exception you can just pull the token. The UI frame for Crypto Tokens is not reachable anymore then.

Ciao, Michael.

>> On February 16, 2015 9:44:23 PM GMT+01:00, "Michael Ströder" <mi...@st...> wrote:
>>> Branko Majic wrote:
>>>> It's a more low-level issue with how the PKCS#11 security provider is
>>>> implemented in Java.
>>>>
>>>> Basically, you have no way to tell the PKCS#11 Java security provider
>>>> to reestablish a new session. There's also a bunch of caching happening
>>>> there, so if you create keys etc outside of EJBCA's running JVM, you
>>>> won't see them in EJBCA.
>>>>
>>>> Fixing this would require quite a bit more effort, unfortunately
>>>> (implementing a custom Java security provider, and maintaining it).
>>>
>>> Even worse (with SVN revision 20683):
>>> When a crypto token was changed/removed you won't be able to access the
>>> "Crypto Tokens" UI in the adminweb anymore (see below) even after restarting
>>> JBOSS... :-(
>>>
>>> Ciao, Michael.
>>>
>>> 21:43:44,424 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/ejbca/adminweb].[Faces Servlet]] (http--0.0.0.0-8443-1) Servlet.service() for servlet Faces Servlet threw exception: java.lang.RuntimeException: Attempted to find a slot for a PKCS#11 crypto token, but it did not exists. Perhaps the token was removed?
--
Michael Ströder Klauprechtstr. 11
Dipl.-Inform. D-76137 Karlsruhe, Germany
Tel.: +49 721 8304316 Mobil: +49 170 2391920
E-Mail: mi...@st... http://www.stroeder.com |
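The failure mode reported in the messages above, where one crypto token whose PKCS#11 slot is missing makes the whole "Crypto Tokens" list unreachable, can be contained by isolating the lookup per token. The following Java code is an added example, not EJBCA code and not a fix taken from the project; `TokenConfig`, `TokenRow`, `SlotDirectory` and the sample slot labels are hypothetical stand-ins, and only the exception message is copied from the log in this thread.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

/** Added illustration; every type here is a hypothetical stand-in, not an EJBCA class. */
public class TolerantTokenListing {

    /** Stored configuration of one crypto token; it outlives the hardware. */
    static final class TokenConfig {
        final int id;
        final String name;
        final String slotLabel;

        TokenConfig(int id, String name, String slotLabel) {
            this.id = id;
            this.name = name;
            this.slotLabel = slotLabel;
        }
    }

    /** One row of the admin list: the configuration plus the result of opening it. */
    static final class TokenRow {
        final TokenConfig config;
        final String problem; // null when the slot could be opened

        TokenRow(TokenConfig config, String problem) {
            this.config = config;
            this.problem = problem;
        }

        boolean isAvailable() {
            return problem == null;
        }

        @Override
        public String toString() {
            return config.id + " " + config.name + " slot=" + config.slotLabel
                    + (isAvailable() ? " OK" : " UNAVAILABLE: " + problem);
        }
    }

    /** Stand-in for the PKCS#11 layer: knows which slot labels are present right now. */
    static final class SlotDirectory {
        private final Set<String> presentSlots;

        SlotDirectory(Set<String> presentSlots) {
            this.presentSlots = presentSlots;
        }

        /** Throws, like the call at the top of the reported trace, when the slot is gone. */
        void open(TokenConfig config) {
            if (!presentSlots.contains(config.slotLabel)) {
                throw new RuntimeException("Attempted to find a slot for a PKCS#11 "
                        + "crypto token, but it did not exists. Perhaps the token was removed?");
            }
        }
    }

    /** Behaviour seen in the thread: the first missing slot aborts the whole listing. */
    static List<TokenRow> listStrict(List<TokenConfig> configs, SlotDirectory slots) {
        List<TokenRow> rows = new ArrayList<>();
        for (TokenConfig config : configs) {
            slots.open(config);
            rows.add(new TokenRow(config, null));
        }
        return rows;
    }

    /** Per-token isolation: a missing slot becomes a flagged row, the list still renders. */
    static List<TokenRow> listTolerant(List<TokenConfig> configs, SlotDirectory slots) {
        List<TokenRow> rows = new ArrayList<>();
        for (TokenConfig config : configs) {
            try {
                slots.open(config);
                rows.add(new TokenRow(config, null));
            } catch (RuntimeException e) {
                // Keep the reason so the operator sees why the token is unusable.
                rows.add(new TokenRow(config, e.getMessage()));
            }
        }
        return rows;
    }

    public static void main(String[] args) {
        // Constructed sample data: two configured tokens, only one slot still present.
        List<TokenConfig> configs = new ArrayList<>();
        configs.add(new TokenConfig(1, "HsmToken", "example-hsm-slot"));
        configs.add(new TokenConfig(2, "OtherToken", "example-other-slot"));
        SlotDirectory slots = new SlotDirectory(Collections.singleton("example-other-slot"));

        try {
            listStrict(configs, slots);
        } catch (RuntimeException e) {
            System.out.println("strict listing failed: " + e.getMessage());
        }
        for (TokenRow row : listTolerant(configs, slots)) {
            System.out.println(row);
        }
    }
}
```

The flagged row keeps the stored configuration visible, which is what the two scenarios described above (damaged hardware, or a replacement token) need in order to edit or remove it.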
|
From: Tomas G. <to...@pr...> - 2015-02-17 10:46:19
|
I created this issue in Jira.
https://jira.primekey.se/browse/ECA-4104

On 2015-02-17 09:32, Michael Ströder wrote:
> Michael Ströder wrote:
>> Tomas Gustavsson wrote:
>>> To reproduce, what do you mean by changed/removed? You just pulled the
>>> smart card from the reader, or did you do something else?
>>
>> In case the token cannot be recovered in the same manner, e.g. hardware
>> damage, one is stuck. One cannot reach the Crypto Token UI anymore.
>>
>> Or there might be the case where you want to add a new token with the old keys
>> and some new keys but preserve the old Crypto Token configuration for some
>> time without having the old token plugged in.
>
> Ah yes. For simply reproducing the exception you can just pull the token.
> The UI frame for Crypto Tokens is not reachable anymore then.
>
> Ciao, Michael.
>
>>> On February 16, 2015 9:44:23 PM GMT+01:00, "Michael Ströder" <mi...@st...> wrote:
>>>> Branko Majic wrote:
>>>>> It's a more low-level issue with how the PKCS#11 security provider is
>>>>> implemented in Java.
>>>>>
>>>>> Basically, you have no way to tell the PKCS#11 Java security provider
>>>>> to reestablish a new session. There's also a bunch of caching happening
>>>>> there, so if you create keys etc outside of EJBCA's running JVM, you
>>>>> won't see them in EJBCA.
>>>>>
>>>>> Fixing this would require quite a bit more effort, unfortunately
>>>>> (implementing a custom Java security provider, and maintaining it).
>>>>
>>>> Even worse (with SVN revision 20683):
>>>> When a crypto token was changed/removed you won't be able to access the
>>>> "Crypto Tokens" UI in the adminweb anymore (see below) even after restarting
>>>> JBOSS... :-(
>>>>
>>>> Ciao, Michael.
>>>> >>>> 21:43:44,424 ERROR >>>> [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/ejbca/adminweb].[Faces >>>> Servlet]] (http--0.0.0.0-8443-1) Servlet.service() for servlet Faces >>>> Servlet >>>> threw exception: java.lang.RuntimeException: Attempted to find a slot >>>> for a >>>> PKCS#11 crypto token, but it did not exists. Perhaps the token was >>>> removed? > > -- > Michael Ströder Klauprechtstr. 11 > Dipl.-Inform. D-76137 Karlsruhe, Germany > Tel.: +49 721 8304316 Mobil: +49 170 2391920 > E-Mail: mi...@st... http://www.stroeder.com > |
|
From: Andreas S. <and...@ca...> - 2015-02-16 21:19:28
|
>> But I wonder why EJBCA does not reconnect to the Smartcard-HSM once it was >> unavailable. I have to restart JBOSS to access the token via PKCS#11 module >> again. >> >> Ciao, Michael. >> >> [1] >> http://www.smartcard-hsm.com/2014/09/05/Accessing_your_SmartCard-HSM_from_EJBCA.html >> > > It's a more low-level issue with how the PKCS#11 security provider is > implemented in Java. > > Basically, you have no way to tell the PKCS#11 Java security provider > to reestablish a new session. There's also a bunch of caching happening > there, so if you create keys etc outside of EJBCA's running JVM, you > won't see them in EJBCA. > > Fixing this would require quite a bit more effort, unfortunately > (implementing a custom Java security provider, and maintaining it). We have a JCE Provider for the SmartCard-HSM. Unfortunately I'm no expert on the EJBCA source code and can't tell how it could be integrated. But if someone wants to give it a try, let me know. Andreas -- --------- CardContact Software & System Consulting |.##> <##.| Andreas Schwier |# #| Schülerweg 38 |# #| 32429 Minden, Germany |'##> <##'| Phone +49 571 56149 --------- http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org http://www.smartcard-hsm.com |
|
From: Michael S. <mi...@st...> - 2015-02-16 21:43:51
Attachments:
smime.p7s
|
Hello Andreas, many thanks for your pointer. I have indeed also tested with your USB token. But for security reasons your Smartcard-HSM does not offer import with pkcs15-init. Although I do like your backup/restore procedure, for long-lived keys I am still very concerned about the proprietary procedure and the dependency that results from it. So the Smartcard-HSM is out of the question there. I also don't believe that EJBCA will come along with smooth JCE support any time soon. Well, maybe you will manage it. And with the OpenSC PKCS#11 module I also ran into a seg-fault today with the Aventra-EID... :-( Yes, I know. There is a patch for the seg-fault in the sc-hsm module. And that is why I use OpenSC from the git repo... Ciao, Michael. Andreas Schwier wrote: >>> But I wonder why EJBCA does not reconnect to the Smartcard-HSM once it was >>> unavailable. I have to restart JBOSS to access the token via PKCS#11 module >>> again. >>> >>> Ciao, Michael. >>> >>> [1] >>> http://www.smartcard-hsm.com/2014/09/05/Accessing_your_SmartCard-HSM_from_EJBCA.html >>> >> >> It's a more low-level issue with how the PKCS#11 security provider is >> implemented in Java. >> >> Basically, you have no way to tell the PKCS#11 Java security provider >> to reestablish a new session. There's also a bunch of caching happening >> there, so if you create keys etc outside of EJBCA's running JVM, you >> won't see them in EJBCA. >> >> Fixing this would require quite a bit more effort, unfortunately >> (implementing a custom Java security provider, and maintaining it). > > We have a JCE Provider for the SmartCard-HSM. Unfortunately I'm no > expert on the EJBCA source code and can't tell how it could be integrated. > > But if someone wants to give it a try, let me know. > > Andreas -- Michael Ströder Klauprechtstr. 11 Dipl.-Inform. D-76137 Karlsruhe, Germany Tel.: +49 721 8304316 E-Mail: mi...@st... http://www.stroeder.com |
|
From: Andreas K. <ku...@tr...> - 2014-10-30 18:02:04
|
Hi Branko, hi Michael, I remember that we once wrote code using a separate thread to look for Card-Insertions to reestablish the PKCS#11 connection. Not a big deal, just a bit of polling and an indirection to access the (currently inserted) card. Our stuff is OS, I can provide a pointer to it ... Greetings, Andreas > On Thu, 30 Oct 2014 12:13:08 +0100 > "Michael Ströder" <mi...@st...> wrote: > >> HI! >> >> I'm currently testing EJBCA (latest SVN) with Smartcard-HSM as described on >> [1]. >> >> Versions: >> - EJBCA (latest SVN) >> - OpenSC with PKCS#11 module built from git repo >> - openSUSE 13.1 and pcsc-lite from their chipcard-repo >> >> Sometimes the Smartcard-HSM is no longer reachable due to some issues with the >> way openSUSE starts pcscd via udev during hotplug. Yes, I have to sort that out >> somewhere else. >> >> But I wonder why EJBCA does not reconnect to the Smartcard-HSM once it was >> unavailable. I have to restart JBOSS to access the token via PKCS#11 module >> again. >> >> Ciao, Michael. >> >> [1] >> http://www.smartcard-hsm.com/2014/09/05/Accessing_your_SmartCard-HSM_from_EJBCA.html >> > > It's a more low-level issue with how the PKCS#11 security provider is > implemented in Java. > > Basically, you have no way to tell the PKCS#11 Java security provider > to reestablish a new session. There's also a bunch of caching happening > there, so if you create keys etc outside of EJBCA's running JVM, you > won't see them in EJBCA. > > Fixing this would require quite a bit more effort, unfortunately > (implementing a custom Java security provider, and maintaining it). > > Best regards -- Andreas Kühne phone: +49 177 293 24 97 mailto: ku...@tr... Trustable Ltd. Niederlassung Deutschland Ströverstr. 18 - 59427 Unna Amtsgericht Hamm HRB 5868 Directors Andreas Kühne, Heiko Veit Company UK Company No: 5218868 Registered in England and Wales |
|
From: Branko M. <br...@ma...> - 2014-11-04 21:29:25
Attachments:
signature.asc
|
On Thu, 30 Oct 2014 19:01:51 +0100 Andreas Kuehne <ku...@tr...> wrote: > Hi Branko, hi Michael, > > I remember that we once wrote code using a separate thread to look for > Card-Insertions to reestablish the PKCS#11 connection. Not a big deal, > just a bit of polling and an indirection to access the (currently > inserted) card. Our stuff is OS, I can provide a pointer to it ... > Hello Andreas, That could be an interesting feature, although I'm guessing that in the case you described you preserve the PIN codes in-memory (auto-activation)? This would probably be kind of unusable in case of HSMs, I guess, where you may wish to have a hard-token based activation of slots. It would be interesting to see if your code could be integrated somehow as an external module for EJBCA, that'd mean people could use it if they want to irrespective of whether it can be included in EJBCA core or not. Was your code a patch for EJBCA or...? Best regards -- Branko Majic Jabber: br...@ma... Please use only Free formats when sending attachments to me. Бранко Мајић Џабер: br...@ma... Молим вас да додатке шаљете искључиво у слободним форматима. |
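
A sketch of the polling thread plus indirection discussed in the two messages above, added here as an example; it is not code from EJBCA, from Andreas Kuehne's project or from any poster. To address the in-memory PIN concern, the PIN is requested through a `CallbackHandler` on every insertion instead of being cached. The class name `ReconnectingToken`, the config path, the use of the first PC/SC reader, and the expectation that a freshly configured SunPKCS11 instance (Java 9+ `Provider.configure`) opens a new session are all assumptions.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.concurrent.atomic.AtomicReference;
import javax.security.auth.callback.CallbackHandler;
import javax.smartcardio.CardTerminal;
import javax.smartcardio.TerminalFactory;

/** Hypothetical holder: callers fetch the token through get() instead of caching a KeyStore. */
public class ReconnectingToken implements Runnable {
    private final String p11Config;          // assumed path to a SunPKCS11 config file
    private final CallbackHandler pinPrompt; // asks the operator; no PIN is stored in this class
    private final AtomicReference<KeyStore> current = new AtomicReference<>();
    private volatile Provider provider;

    public ReconnectingToken(String p11Config, CallbackHandler pinPrompt) {
        this.p11Config = p11Config;
        this.pinPrompt = pinPrompt;
    }

    /** The indirection: the currently inserted card, or a clear failure while it is absent. */
    public KeyStore get() {
        KeyStore ks = current.get();
        if (ks == null) throw new IllegalStateException("PKCS#11 token not present");
        return ks;
    }

    /** Polling loop for a dedicated thread: follow removal and insertion of the card. */
    @Override public void run() {
        try {
            CardTerminal reader = TerminalFactory.getDefault().terminals().list().get(0);
            while (!Thread.currentThread().isInterrupted()) {
                if (!reader.waitForCardPresent(2000)) continue;  // still no card, poll again
                // One login attempt per insertion, so a wrong PIN cannot burn the retry counter.
                try { connect(); } catch (Exception e) { current.set(null); }
                reader.waitForCardAbsent(0);                     // block until the card is pulled
                current.set(null);                               // stop handing out the stale token
                if (provider != null) Security.removeProvider(provider.getName());
            }
        } catch (Exception e) {
            current.set(null);  // no reader or PC/SC layer failed: fail closed
        }
    }

    /** Configure a fresh provider instance and log in through the PIN callback. */
    private void connect() throws Exception {
        provider = Security.getProvider("SunPKCS11").configure(p11Config);
        Security.addProvider(provider);
        current.set(KeyStore.Builder.newInstance("PKCS11", provider,
                new KeyStore.CallbackHandlerProtection(pinPrompt)).getKeyStore());
    }
}
```

Run it with `new Thread(new ReconnectingToken(path, handler)).start()`; signing code then calls `get()` for every operation, so a removed card surfaces as an exception rather than as a stale cached key handle.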