On Tue, 28 May 2019, Rob Crittenden via FreeIPA-users wrote:
> チョーチュアン via FreeIPA-users wrote:
> > Hello,
> >
> > Recently I've been experimenting with HSM on FreeIPA. I got stuck at the
> > CA generation, but that's a separate issue. I somehow achieved a successful
> > key generation on the HSM with the default key_algorithm/size settings. RSA
> > 3072/2048 keys showed up on the HSM even after a failed CA installation,
> > but that was not the case with ECC keys.
> >
> > The error was:
> > Failed to configure CA instance: CalledProcessError(Command
> > ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp877ip58a'] returned
> > non-zero exit status 1:
> >
> > pkihelper     : ERROR    Server unreachable due to SSL error:
> > [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE]
> >
> > sslv3 alert handshake failure (_ssl.c:1056)
> >
> > configuration : ERROR    Server failed to restart
> > pkispawn      : ERROR    Exception: server failed to restart
> >
> >   File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line
> > 547, in main
> >     scriptlet.spawn(deployer)
> >   File
> > "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
> > line 670, in spawn
> >     raise Exception("server failed to restart")
> > ')
> > See the installation logs and the following files/directories for more
> > information:
> >   /var/log/pki/pki-tomcat
> >   [error] RuntimeError: CA configuration failed.
> > CA configuration failed.
> >
> > and the configuration was:
> > ```
> > [DEFAULT]
> > ipa_key_algorithm=SHA256withEC
> > ipa_key_size=nistp384
> > ipa_key_type=ecc
> > ipa_signing_algorithm=SHA256withEC
> > pki_ca_signing_key_size=nistp384
> >
> > pki_hsm_enable=True
> > pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
> > pki_hsm_modulename=nitrohsm
> > pki_token_name=UserPIN (SmartCard-HSM)
> > pki_token_password=648219
> >
> > pki_random_serial_numbers_enable=True
> > ```
>
> You're really on the bleeding edge. I don't know that HSM works reliably
> yet. An ECC CA is not something we're planning on ever doing (keys too
> small) so you're on your own with that.
Yes, to both: not supporting ECC CA (following NIST recommendations) and
not having it working yet in Dogtag with HSM.

Do I understand right that for non-ECC CA you have it working apart from
a negotiation error? I think Christian saw negotiation error too and
there should be a bug opened at Dogtag side for something related.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
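As an added pre-flight check (example code written for this page, not part of the thread, of pkispawn or of FreeIPA), the script below parses a pkispawn-style [DEFAULT] fragment like the one posted above and flags the combinations the thread identifies as unsupported: an ECC key type together with pki_hsm_enable=True, an algorithm name whose suffix does not match the key type, and a key size that is neither a curve name (for ECC) nor a bit length (for RSA). The curve-name set, the withEC/withRSA suffix pairing and the list of fields required when the HSM is enabled are assumptions for illustration, not confirmed from pkispawn's own validation; the sample config is the thread's fragment with the token PIN replaced by a placeholder.

```python
import configparser
import os

# Assumed for illustration: ECC curve names accepted in a *_key_size field.
# The page only shows nistp384; the other two are assumed.
EC_CURVES = {"nistp256", "nistp384", "nistp521"}

# Assumed pairing of ipa_key_type with the algorithm-name suffix it goes with.
ALG_SUFFIX = {"ecc": "withEC", "rsa": "withRSA"}

# Assumed fields that must be set once pki_hsm_enable=True.
HSM_REQUIRED = ("pki_hsm_libfile", "pki_hsm_modulename",
                "pki_token_name", "pki_token_password")

# Constructed sample: the [DEFAULT] fragment from the thread, PIN replaced.
SAMPLE_CONFIG = """
[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp384

pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename=nitrohsm
pki_token_name=UserPIN (SmartCard-HSM)
pki_token_password=CHANGEME

pki_random_serial_numbers_enable=True
"""


def load_defaults(text):
    """Parse pkispawn-style INI text and return its [DEFAULT] values as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp.defaults())


def check_key_settings(cfg):
    """Return (severity, message) findings for key type/size/algorithm mismatches."""
    findings = []
    key_type = cfg.get("ipa_key_type", "rsa").lower()
    suffix = ALG_SUFFIX.get(key_type)
    if suffix is None:
        return [("error", f"unknown ipa_key_type {key_type!r}")]
    for field in ("ipa_key_algorithm", "ipa_signing_algorithm"):
        value = cfg.get(field, "")
        if not value.endswith(suffix):
            findings.append(("error",
                             f"{field}={value} does not match ipa_key_type={key_type}"))
    for field in ("ipa_key_size", "pki_ca_signing_key_size"):
        value = cfg.get(field, "")
        if key_type == "ecc":
            if value not in EC_CURVES:
                findings.append(("error", f"{field}={value!r} is not an ECC curve name"))
        elif not value.isdigit() or int(value) < 2048:
            findings.append(("error",
                             f"{field}={value!r} is not an RSA size of at least 2048 bits"))
    return findings


def check_hsm_settings(cfg):
    """Return findings about the HSM block: missing fields, absent module, ECC on HSM."""
    findings = []
    if cfg.get("pki_hsm_enable", "False").lower() != "true":
        return findings
    for field in HSM_REQUIRED:
        if not cfg.get(field):
            findings.append(("error", f"{field} is required when pki_hsm_enable=True"))
    libfile = cfg.get("pki_hsm_libfile", "")
    if libfile and not os.path.exists(libfile):
        findings.append(("warning", f"PKCS#11 module {libfile} not found on this host"))
    if cfg.get("ipa_key_type", "rsa").lower() == "ecc":
        findings.append(("warning",
                         "ECC CA keys on an HSM are reported as not working in Dogtag; use RSA"))
    return findings


def audit(text):
    """Run all checks over an INI text and return the combined findings list."""
    cfg = load_defaults(text)
    return check_key_settings(cfg) + check_hsm_settings(cfg)


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"{severity:8s} {message}")
```

Run it against the real deployment file before calling pkispawn. A warning about the PKCS#11 module path only means the file was not found on the host where the script ran; the TLS handshake failure in the thread is not something a static config check can diagnose.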
