Bug 1395817 - Unable to install subordinate CA with HSM in FIPS mode
Summary: Unable to install subordinate CA with HSM in FIPS mode
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: Unspecified
OS: Unspecified
urgent
unspecified
Target Milestone: rc
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
Petr Bokoc
Blocks: 1404172
Reported: 2016-11-16 18:26 UTC by Matthew Harmsen
Modified: 2020-10-04 21:19 UTC (History)

Fixed In Version: pki-core-10.4.0-1.el7
Doc Type: Bug Fix
Doc Text:
Subordinate CA installation no longer fails with a `PKCS#11 token is not logged in` error. Previously, subordinate Certificate Authority (sub-CA) installation with an HSM in FIPS mode failed due to a bug in the Network Security Services (NSS) library, which generated the "SEC_ERROR_TOKEN_NOT_LOGGED_IN" error. This update adds a workaround to the installer which allows the installation to proceed. If the error is still displayed, it can be ignored.
Last Closed: 2017-08-01 22:48:25 UTC




Links
- GitHub dogtagpki/pki issue 2663 (status: closed): Unable to install subordinate CA with HSM in FIPS mode; last updated 2021-01-25 20:16:41 UTC
- Red Hat Product Errata RHBA-2017:2110 (priority: normal; status: SHIPPED_LIVE): pki-core bug fix and enhancement update; last updated 2017-08-01 19:36:59 UTC

Description Matthew Harmsen 2016-11-16 18:26:11 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/pki/ticket/2543

Installing CA with externally-signed CA certificate (i.e. subordinate CA) with HSM in FIPS mode failed due to the following NSS issue:

    https://bugzilla.redhat.com/show_bug.cgi?id=1393668

The installer needs to be modified to use the two-step workaround described in the above bug.

Comment 1 Endi Sukma Dewata 2016-11-21 15:08:49 UTC
Steps to reproduce:
1. Prepare a FIPS-enabled machine with HSM client
2. Install subordinate CA with HSM (see http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed_CA_Certificate)

Actual result: Installation failed with the following error:
certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN: The operation failed because the PKCS#11 token is not logged in.

Expected result: Installation should complete successfully.

Note: Since this is only a workaround, the above error message may continue to appear until bug #1393668 is fixed.

Comment 2 Endi Sukma Dewata 2016-11-21 15:10:39 UTC
Fixed in master:
* 0bef3bbcc5c5cb2d6fb3f0d231c4f5b7fac5ca3b
* 65013d222a9e612aaaaf49ee03ceed5d6c154f59

Comment 3 Matthew Harmsen 2016-11-29 23:50:57 UTC
Request rhel-7.3.z ? flag

Comment 4 Matthew Harmsen 2016-11-30 00:14:27 UTC
(In reply to Matthew Harmsen from comment #3)
> Request rhel-7.3.z ? flag

also, provide justification

Comment 6 Matthew Harmsen 2016-12-13 03:48:17 UTC
Fixed in master:

* 0bef3bbcc5c5cb2d6fb3f0d231c4f5b7fac5ca3b 
* 65013d222a9e612aaaaf49ee03ceed5d6c154f59 

Cherry-picked into DOGTAG_10_3_BRANCH:

* b058ded6f9708edc601041077339947f0f87c19f 
* c8553a5308e23b66cee7fc1a357042f99d07b0c7

Cherry-picked into DOGTAG_10_3_RHEL_BRANCH:

* ea4121886b2f8d9f2de34edcb20b1a9caae9c2c5
* de51508e2262cf98de4360c92af69249e2ef0876

Cherry-picked into DOGTAG_10_3_RHEL_UNRELEASED_BRANCH:

* 846fd761c7e1e9f6b307e05ddd1ac7732858be66
* 7a3986be354b4629d60d49d9324cb7ed884c8caa

Comment 8 Asha Akkiangady 2017-01-04 20:23:46 UTC
CA installation using an external CA cert shows the following messages; the installation proceeds successfully. The installation is with an nCipher HSM.

pkispawn    : INFO     ....... importing caSigningCert cert-pki-topCA-rhelfips-extca-csqa4-guest03 CA from /tmp/new-ca-signing.pem
certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN: The operation failed because the PKCS#11 token is not logged in.
pkispawn    : INFO     ....... importing certificate chain caSigningCert External CA from /tmp/new-ca-signing-cert-chain.p7b
certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN: The operation failed because the PKCS#11 token is not logged in.


Is it expected?

Comment 9 Endi Sukma Dewata 2017-01-05 03:59:01 UTC
Yes, this is expected. As mentioned in comment #1 this fix is only a workaround for NSS bug #1393668 to allow the installation to complete. The error message may continue to appear until the NSS bug is fixed.
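Because the installer's workaround leaves the `SEC_ERROR_TOKEN_NOT_LOGGED_IN` message in the output (comments 1, 8 and 9), an operator scripting around pkispawn or certutil needs to tell this one tolerated error apart from a genuine import failure, and then confirm that the certificate really landed in the HSM token. The shell below is an added example written for this page; it is not Dogtag/pkispawn code and does not reproduce the installer's two-step workaround from the commits above. The NSS database path, token name, password file and nickname are assumptions, and the sample error lines fed to the classifier are constructed from the messages quoted in comment 8.

```shell
#!/bin/sh
# Added example (not part of the Dogtag/pki-core project): run certutil,
# tolerate only the known NSS trust-change error from this bug, and then
# verify the certificate is present in the HSM token.

# Exact prefix of the error that comments 1, 8 and 9 say may be ignored.
IGNORABLE_PATTERN='^certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN'

# certutil_errors_ignorable TEXT
# Returns 0 if every non-blank line of TEXT (certutil's stderr) is the
# ignorable trust-change error, 1 if TEXT is empty or contains any other
# error line. Empty stderr with a non-zero exit is treated as fatal because
# there is nothing to justify ignoring the failure.
certutil_errors_ignorable() {
    _text=$1
    _lines=$(printf '%s\n' "$_text" | grep -v '^[[:space:]]*$')
    [ -n "$_lines" ] || return 1
    if printf '%s\n' "$_lines" | grep -v -E "$IGNORABLE_PATTERN" >/dev/null; then
        return 1    # at least one line is not the tolerated error
    fi
    return 0
}

# run_certutil_tolerant ARGS...
# Runs certutil with the given arguments. Succeeds if certutil exits 0, or
# if it failed but its only complaints were the tolerated error; any other
# failure is reported and propagated.
run_certutil_tolerant() {
    _err=$(certutil "$@" 2>&1 >/dev/null) && return 0
    if certutil_errors_ignorable "$_err"; then
        printf 'warning: ignoring known NSS error (see RHBZ 1393668): %s\n' "$_err" >&2
        return 0
    fi
    printf '%s\n' "$_err" >&2
    return 1
}

# Assumed deployment values; adjust to the real environment.
NSSDB=/var/lib/pki/pki-tomcat/alias     # pkispawn NSS database (assumed)
TOKEN='NHSM6000-OCS'                    # HSM token name (assumed)
PWFILE=/root/token.pwd                  # token password file (assumed)
NICK='caSigningCert cert-pki-ca'        # signing cert nickname (assumed)
CERT=/tmp/new-ca-signing.pem            # externally signed CA cert (assumed)

# The live flow only runs when invoked with --run, so the file can also be
# sourced just to reuse the two functions above.
if [ "${1:-}" = "--run" ]; then
    # Import the externally signed CA certificate with CA trust flags; the
    # trust-change error is tolerated, anything else aborts.
    run_certutil_tolerant -A -d "$NSSDB" -h "$TOKEN" -f "$PWFILE" \
        -n "$NICK" -t 'CT,C,C' -a -i "$CERT" || exit 1

    # Practitioner check: the ignored error must not have hidden a failed
    # import. Listing the nickname fails if the cert is not in the token.
    certutil -L -d "$NSSDB" -h "$TOKEN" -f "$PWFILE" -n "$NICK" >/dev/null || {
        echo "certificate $NICK not found in token $TOKEN" >&2
        exit 1
    }

    # Show the trust flags so they can be compared against CT,C,C. If they
    # are not what was requested, retry the trust change on its own while
    # logged in to the token (this retry is the example's suggestion, not
    # the installer's workaround):
    #   certutil -M -d "$NSSDB" -h "$TOKEN" -f "$PWFILE" -n "$NICK" -t 'CT,C,C'
    certutil -L -d "$NSSDB" -h "$TOKEN" -f "$PWFILE"
fi
```

Only the two functions are exercised offline; `--run` needs a host with `certutil`, the HSM client and the assumed paths. The classifier anchors on the exact message prefix rather than on the error code alone, so a `SEC_ERROR_TOKEN_NOT_LOGGED_IN` raised by a different operation (for example the initial import rather than the trust change) is still treated as fatal.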

Comment 11 Geetika Kapoor 2017-06-22 16:37:29 UTC
SubCA installation went as expected with some logging issues which are mentioned in https://pagure.io/dogtagpki/issue/1615

Comment 12 errata-xmlrpc 2017-08-01 22:48:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110

