Bug 245400 - Signing operation failed: (-8152) The key does not support the requested operation.
Status: CLOSED WORKSFORME
Product: Red Hat Certificate System
Classification: Red Hat
Component: CA
Version: 7.2
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Thomas Kwan
QA Contact: Chandrasekar Kannan
Reported: 2007-06-22 16:50 EDT by Issue Tracker
Modified: 2015-01-04 18:27 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-06-22 20:11:24 EDT
Description Issue Tracker 2007-06-22 16:50:01 EDT
Escalated to Bugzilla from IssueTracker
Comment 1 Issue Tracker 2007-06-22 16:50:04 EDT
Description of problem:
The CA of CS 7.2 fails to generate CRL on a regular basis.
After the "Signing operation failed", the CA malfunctions.
Unable to access CA's service page, unable to submit any request.
 
How reproducible:
01) set up CRL publishing to files every hour.
02) CA setup with Luna HSM
03) wait for "Signing operation failed"
Steps to Reproduce:

This event sent from IssueTracker by ble  [SEG - Certificate System Engineering]
 issue 121598
Comment 2 Issue Tracker 2007-06-22 16:50:06 EDT
Issue Registered (Severity: 2)
File uploaded: ca-da-debug
it_file 91200
Comment 3 Issue Tracker 2007-06-22 16:50:08 EDT
File uploaded: ca-da-CS.cfg

it_file 91248
Comment 4 Issue Tracker 2007-06-22 16:50:10 EDT
FYI:
Luna SA Client version: 3.2.3
Luna SA HSM version: 3.2.3
CS version: 7.2
I attached debug and CS.cfg files. Let me know, if you need more
information.

Thanks,
Fu


Comment 5 Issue Tracker 2007-06-22 16:50:12 EDT
attn seg:

this is a certificate system 7.2 issue that AOL is having using a network
based HSM.  This needs to go to Certificate System Engineering, as Marco
Rhodes is aware of it.

thanks

kent



Comment 6 Issue Tracker 2007-06-22 16:50:14 EDT
This problem happened again today on 14:01pm 05/23/2007

[23/May/2007:14:01:00][CRLIssuingPoint-Token_Signing]: Signing Certificate
java.security.SignatureException: Signing operation failed: (-8152) The key does not support the requested operation.
        at com.netscape.ca.SigningUnit.sign(SigningUnit.java:267)
        at com.netscape.ca.CertificateAuthority.sign(CertificateAuthority.java:816)
        at com.netscape.ca.CRLIssuingPoint.updateCRLNow(CRLIssuingPoint.java:2236)
        at com.netscape.ca.CRLIssuingPoint.updateCRLNow(CRLIssuingPoint.java:1947)
        at com.netscape.ca.CRLIssuingPoint.updateCRL(CRLIssuingPoint.java:1492)
        at com.netscape.ca.CRLIssuingPoint.run(CRLIssuingPoint.java:1443)
        at java.lang.Thread.run(Thread.java:595)
java.security.SignatureException: Signing operation failed: (-8152) The key does not support the requested operation.
        at com.netscape.ca.SigningUnit.sign(SigningUnit.java:267)
        at com.netscape.ca.CertificateAuthority.sign(CertificateAuthority.java:816)
        at com.netscape.ca.CRLIssuingPoint.updateCRLNow(CRLIssuingPoint.java:2236)
        at com.netscape.ca.CRLIssuingPoint.updateCRLNow(CRLIssuingPoint.java:1947)
        at com.netscape.ca.CRLIssuingPoint.updateCRL(CRLIssuingPoint.java:1492)
        at com.netscape.ca.CRLIssuingPoint.run(CRLIssuingPoint.java:1443)
        at java.lang.Thread.run(Thread.java:595)
[23/May/2007:14:01:00][CRLIssuingPoint-Token_Signing]: update CRL error
Failed constructing CRL : java.security.SignatureException: Signing operation failed: (-8152) The key does not support the requested operation.
[23/May/2007:14:01:00][CRLIssuingPoint-Token_Encryption]: update CRL error
Failed constructing CRL : java.security.SignatureException: Signing operation failed: (-8152) The key does not support the requested operation.
Failed constructing CRL : java.security.SignatureException: Signing operation failed: (-8152) The key does not support the requested operation.



Comment 7 Issue Tracker 2007-06-22 16:50:16 EDT
This problem happened again on 23:59 5/26/2007

[26/May/2007:23:59:00][CRLIssuingPoint-aolCodeSign]: ObjectStreamMapper:mapObjectToLDAPAttributeSet expiredCerts size=84
java.security.SignatureException: Signing operation failed: (-8127) The security card or token does not exist, needs to be initialized, or has been removed.
        at com.netscape.ca.SigningUnit.sign(SigningUnit.java:267)
        at com.netscape.ca.CertificateAuthority.sign(CertificateAuthority.java:816)
        at com.netscape.ca.CRLIssuingPoint.updateCRLNow(CRLIssuingPoint.java:2236)
        at com.netscape.ca.CRLIssuingPoint.updateCRLNow(CRLIssuingPoint.java:1947)
        at com.netscape.ca.CRLIssuingPoint.updateCRL(CRLIssuingPoint.java:1492)
        at com.netscape.ca.CRLIssuingPoint.run(CRLIssuingPoint.java:1443)
        at java.lang.Thread.run(Thread.java:595)



Comment 8 Issue Tracker 2007-06-22 16:50:19 EDT
This problem happened again on 14:01 5/30/2007

[30/May/2007:14:01:00][CRLIssuingPoint-Token_Signing]: ObjectStreamMapper:mapObjectToLDAPAttributeSet expiredCerts size=84
java.security.SignatureException: Signing operation failed: (-8127) The security card or token does not exist, needs to be initialized, or has been removed.:14:01:00][CRLIssuingPoint-Token_Signing]: getConn: mNumConns now 5
        at com.netscape.ca.SigningUnit.sign(SigningUnit.java:267)
        at com.netscape.ca.CertificateAuthority.sign(CertificateAuthority.java:816)
        at com.netscape.ca.CRLIssuingPoint.updateCRLNow(CRLIssuingPoint.java:2236)
        at com.netscape.ca.CRLIssuingPoint.updateCRLNow(CRLIssuingPoint.java:1947)
        at com.netscape.ca.CRLIssuingPoint.updateCRL(CRLIssuingPoint.java:1492)
        at com.netscape.ca.CRLIssuingPoint.run(CRLIssuingPoint.java:1443)
        at java.lang.Thread.run(Thread.java:595)
[30/May/2007:14:01:00][CRLIssuingPoint-Token_Encryption]: update CRL error
Failed constructing CRL : java.security.SignatureException: Signing operation failed: (-8127) The security card or token does not exist, needs to be initialized, or has been removed.
Failed constructing CRL : java.security.SignatureException: Signing operation failed: (-8127) The security card or token does not exist, needs to be initialized, or has been removed.oint.updateCRL(CRLIssuingPoint.java:1492)
        at com.netscape.ca.CRLIssuingPoint.updateCRLNow(CRLIssuingPoint.java:2283)
        at com.netscape.ca.CRLIssuingPoint.updateCRLNow(CRLIssuingPoint.java:1947)
        at com.netscape.ca.CRLIssuingPoint.updateCRL(CRLIssuingPoint.java:1492)
        at com.netscape.ca.CRLIssuingPoint.run(CRLIssuingPoint.java:1443)
        at java.lang.Thread.run(Thread.java:595)[30/May/2007:14:01:00][CRLIssuingPoint-Token_Signing]: returnConn: mNumConns now 6



Comment 9 Issue Tracker 2007-06-22 16:50:22 EDT
This problem happened again on 09:01 6/12/2007



Comment 10 Issue Tracker 2007-06-22 16:50:23 EDT
Marco,

On the AOL call today, both Bill and Fu expressed reservations regarding
getting the Luna debug logs.  There are 2 basic points they had.  One,
this is production, and there will be data that needs to be cleaned from
the logs.  They do not have an efficient way to do this.  I asked if they
could just take the specific failure from the log and scrub it. They think
that would be fine.  The larger issue is that as this is production, Fu is
uneasy about doing this.  He will write up procedures, and send them to us,
asking us to review them.

In the meantime, is there any way to get the info w/o the Luna debug log?
That would be preferable to AOL.....


thanks

kent


Version set to: '7.1'

Comment 11 Issue Tracker 2007-06-22 16:50:25 EDT
This problem happened again on 05:01 6/16/2007


Comment 12 Issue Tracker 2007-06-22 16:50:27 EDT
To date, I have not been able to reproduce this issue. I've made some
architectural changes to our replica PKI environment to better match AOL's
configuration and will continue to try to replicate the error.  

Still waiting for sanitized Luna debug logs and a write-up from Fu on the
procedures that he used (see 6/14/07 update). 

 - Marco 



Comment 13 Issue Tracker 2007-06-22 16:50:29 EDT
Fu,

When we last spoke, you had mentioned writing up some procedures for
getting the Luna debug logs and then having our engineers look over the
procedures.  I wanted to check in with you and see if you have had a
chance to do that yet.  Let me know how I can help.


kent


Internal Status set to 'Waiting on Customer'
Status set to: Waiting on Client

Comment 17 Chandrasekar Kannan 2008-08-25 19:27:21 EDT
Bug already CLOSED/VERIFIED. setting screened+ flag
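
Added example (not part of the original bug thread and not Certificate System code): a small triage script for CA debug-log excerpts like those in comments 6 to 8. It collapses the repeated stack traces into one event per issuing-point thread and timestamp and maps the numeric codes to their NSS names; the sample log is constructed in the page's format and the function names are hypothetical.

```python
import re
from collections import Counter

# NSS SEC_ERROR_* names for the two codes in this report (SEC_ERROR_BASE = -8192).
NSS_ERRORS = {-8152: "SEC_ERROR_INVALID_KEY", -8127: "SEC_ERROR_NO_TOKEN"}

# "[23/May/2007:14:01:00][CRLIssuingPoint-Token_Signing]:" prefix of a log entry.
STAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\]\[([^\]]+)\]:")
# \s+ between words tolerates the hard line wraps seen in the pasted logs.
FAIL = re.compile(r"SignatureException:\s+Signing\s+operation\s+failed:\s+\((-\d+)\)")

# Constructed sample in the format of the excerpts above (not a real capture).
SAMPLE = """\
[23/May/2007:14:01:00][CRLIssuingPoint-Token_Signing]: Signing Certificate
java.security.SignatureException: Signing operation failed: (-8152) The
key does not support the requested operation.
        at com.netscape.ca.SigningUnit.sign(SigningUnit.java:267)
[23/May/2007:14:01:00][CRLIssuingPoint-Token_Signing]: update CRL error
Failed constructing CRL : java.security.SignatureException: Signing
operation failed: (-8152) The key does not support the requested
operation.
[26/May/2007:23:59:00][CRLIssuingPoint-aolCodeSign]: update CRL error
Failed constructing CRL : java.security.SignatureException: Signing
operation failed: (-8127) The security card or token does not exist, needs
to be initialized, or has been removed.
"""

def signing_failures(log_text):
    """Return unique (timestamp, thread, code, nss_name) signing failures.

    Each failure is attributed to the nearest preceding [time][thread] prefix.
    Repeats with the same timestamp, thread and code (the duplicated stack
    traces and "Failed constructing CRL" lines) collapse into one event.
    """
    stamps = [(m.start(), m.group(1), m.group(2)) for m in STAMP.finditer(log_text)]
    seen, events = set(), []
    for m in FAIL.finditer(log_text):
        prior = [s for s in stamps if s[0] < m.start()]
        ts, thread = prior[-1][1:] if prior else (None, None)
        code = int(m.group(1))
        event = (ts, thread, code, NSS_ERRORS.get(code, "unknown"))
        if event not in seen:
            seen.add(event)
            events.append(event)
    return events

def summarize(events):
    """Count failures per (thread, NSS error name)."""
    return Counter((thread, name) for _, thread, _, name in events)
```

Where log writes from several threads interleave mid-line, as in comment 8, the attribution to the nearest preceding prefix is a best guess and should be checked against the raw file.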
