Bug 1395817

Summary: Unable to install subordinate CA with HSM in FIPS mode
Product: Red Hat Enterprise Linux 7
Reporter: Matthew Harmsen <mharmsen>
Component: pki-core
Assignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Docs Contact: Petr Bokoc <pbokoc>
Priority: urgent
Version: 7.3
CC: arubin, edewata, gkapoor, nkinder, pbokoc
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: pki-core-10.4.0-1.el7
Doc Type: Bug Fix
Doc Text:
Subordinate CA installation no longer fails with a `PKCS#11 token is not logged in` error. Previously, subordinate Certificate Authority (sub-CA) installation failed due to a bug in the Network Security Services (NSS) library, which generated the "SEC_ERROR_TOKEN_NOT_LOGGED_IN" error. This update adds a workaround to the installer which allows the installation to proceed. If the error is still displayed, it can now be ignored.
Story Points: ---
Clone Of:
Clones: 1404172
Environment:
Last Closed: 2017-08-01 22:48:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1404172

Description Matthew Harmsen 2016-11-16 18:26:11 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/pki/ticket/2543

Installing CA with externally-signed CA certificate (i.e. subordinate CA) with HSM in FIPS mode failed due to the following NSS issue:

    https://bugzilla.redhat.com/show_bug.cgi?id=1393668

The installer needs to be modified to use the two-step workaround described in the above bug.

Comment 1 Endi Sukma Dewata 2016-11-21 15:08:49 UTC
Steps to reproduce:
1. Prepare a FIPS-enabled machine with HSM client
2. Install subordinate CA with HSM (see http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed_CA_Certificate)

Actual result: Installation failed with the following error:
certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN: The operation failed because the PKCS#11 token is not logged in.

Expected result: Installation should complete successfully.

Note: Since this is only a workaround, the above error message may continue to appear until bug #1393668 is fixed.

Comment 2 Endi Sukma Dewata 2016-11-21 15:10:39 UTC
Fixed in master:
* 0bef3bbcc5c5cb2d6fb3f0d231c4f5b7fac5ca3b
* 65013d222a9e612aaaaf49ee03ceed5d6c154f59

Comment 3 Matthew Harmsen 2016-11-29 23:50:57 UTC
Request rhel-7.3.z ? flag

Comment 4 Matthew Harmsen 2016-11-30 00:14:27 UTC
(In reply to Matthew Harmsen from comment #3)
> Request rhel-7.3.z ? flag

also, provide justification

Comment 6 Matthew Harmsen 2016-12-13 03:48:17 UTC
Fixed in master:

* 0bef3bbcc5c5cb2d6fb3f0d231c4f5b7fac5ca3b
* 65013d222a9e612aaaaf49ee03ceed5d6c154f59

Cherry-picked into DOGTAG_10_3_BRANCH:

* b058ded6f9708edc601041077339947f0f87c19f
* c8553a5308e23b66cee7fc1a357042f99d07b0c7

Cherry-picked into DOGTAG_10_3_RHEL_BRANCH:

* ea4121886b2f8d9f2de34edcb20b1a9caae9c2c5
* de51508e2262cf98de4360c92af69249e2ef0876

Cherry-picked into DOGTAG_10_3_RHEL_UNRELEASED_BRANCH:

* 846fd761c7e1e9f6b307e05ddd1ac7732858be66
* 7a3986be354b4629d60d49d9324cb7ed884c8caa

Comment 8 Asha Akkiangady 2017-01-04 20:23:46 UTC
CA installation using an external CA cert shows the following messages, but the installation proceeds successfully. The installation is with an nCipher HSM.

pkispawn    : INFO     ....... importing caSigningCert cert-pki-topCA-rhelfips-extca-csqa4-guest03 CA from /tmp/new-ca-signing.pem
certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN: The operation failed because the PKCS#11 token is not logged in.
pkispawn    : INFO     ....... importing certificate chain caSigningCert External CA from /tmp/new-ca-signing-cert-chain.p7b
certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN: The operation failed because the PKCS#11 token is not logged in.
Is it expected?

Comment 9 Endi Sukma Dewata 2017-01-05 03:59:01 UTC
Yes, this is expected. As mentioned in comment #1 this fix is only a workaround for NSS bug #1393668 to allow the installation to complete. The error message may continue to appear until the NSS bug is fixed.

Comment 11 Geetika Kapoor 2017-06-22 16:37:29 UTC
SubCA installation went as expected, with some logging issues, which are mentioned in https://pagure.io/dogtagpki/issue/1615

Comment 12 errata-xmlrpc 2017-08-01 22:48:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110