Keyfactor / ejbca-ce

EJBCA® – Open-source public key infrastructure (PKI) and certificate authority (CA) software.
https://www.ejbca.org/
GNU Lesser General Public License v2.1

[BUG] HSM Module Failing to Properly Bind Slot ID, Always Returning -1 #708

Open WHN-JWEBB opened 1 week ago

WHN-JWEBB commented 1 week ago

Describe the Bug

I have created an install of EJBCA CE on Ubuntu 22.04 LTS. After getting the server built and running, I have attempted a lot of different ways to get it to talk to my YubiHSM2 module, but no matter what I do I get an index of -1 in the traces. YubiHSM2 only supports 0 for an index. The HSM test utility does work and reads the keys I have created on the HSM module. I have been able to get the build successfully completed by disabling the P11 modules and deploying/installing without them.

Install Information

2024-11-13 04:18:29,958 INFO [stdout] (default task-1) library = /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
2024-11-13 04:18:29,958 INFO [stdout] (default task-1) slot = -1
2024-11-13 04:18:29,958 INFO [stdout] (default task-1) attributes(, CKO_PUBLIC_KEY, ) = {
2024-11-13 04:18:29,958 INFO [stdout] (default task-1) CKA_TOKEN = false
2024-11-13 04:18:29,958 INFO [stdout] (default task-1) CKA_ENCRYPT = true
2024-11-13 04:18:29,959 INFO [stdout] (default task-1) CKA_VERIFY = true
2024-11-13 04:18:29,959 INFO [stdout] (default task-1) CKA_WRAP = true
2024-11-13 04:18:29,959 INFO [stdout] (default task-1) }
2024-11-13 04:18:29,959 INFO [stdout] (default task-1) attributes(, CKO_PRIVATE_KEY, ) = {
2024-11-13 04:18:29,959 INFO [stdout] (default task-1) CKA_DERIVE = false
2024-11-13 04:18:29,959 INFO [stdout] (default task-1) CKA_TOKEN = true
2024-11-13 04:18:29,959 INFO [stdout] (default task-1) CKA_PRIVATE = true
2024-11-13 04:18:29,959 INFO [stdout] (default task-1) CKA_SENSITIVE = true
2024-11-13 04:18:29,960 INFO [stdout] (default task-1) CKA_EXTRACTABLE = false
2024-11-13 04:18:29,960 INFO [stdout] (default task-1) CKA_DECRYPT = true
2024-11-13 04:18:29,960 INFO [stdout] (default task-1) CKA_SIGN = true
2024-11-13 04:18:29,960 INFO [stdout] (default task-1) CKA_UNWRAP = true
2024-11-13 04:18:29,960 INFO [stdout] (default task-1) }
2024-11-13 04:18:29,960 INFO [stdout] (default task-1) disabledMechanisms = {
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_SHA1_RSA_PKCS
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_SHA256_RSA_PKCS
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_SHA384_RSA_PKCS
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_SHA512_RSA_PKCS
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_MD2_RSA_PKCS
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_MD5_RSA_PKCS
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_DSA_SHA1
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_ECDSA_SHA1
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_ECDSA_SHA224
2024-11-13 04:18:29,962 INFO [stdout] (default task-1) CKM_ECDSA_SHA256
2024-11-13 04:18:29,962 INFO [stdout] (default task-1) CKM_ECDSA_SHA384
2024-11-13 04:18:29,962 INFO [stdout] (default task-1) CKM_ECDSA_SHA512
2024-11-13 04:18:29,962 INFO [stdout] (default task-1) }
2024-11-13 04:18:29,962 INFO [stdout] (default task-1) attributes(, CKO_SECRET_KEY, ) = {
2024-11-13 04:18:29,962 INFO [stdout] (default task-1) CKA_SENSITIVE = true
2024-11-13 04:18:29,962 INFO [stdout] (default task-1) CKA_EXTRACTABLE = false
2024-11-13 04:18:29,963 INFO [stdout] (default task-1) CKA_ENCRYPT = true
2024-11-13 04:18:29,963 INFO [stdout] (default task-1) CKA_DECRYPT = true
2024-11-13 04:18:29,963 INFO [stdout] (default task-1) CKA_SIGN = true
2024-11-13 04:18:29,963 INFO [stdout] (default task-1) CKA_VERIFY = true
2024-11-13 04:18:29,963 INFO [stdout] (default task-1) CKA_WRAP = true
2024-11-13 04:18:29,963 INFO [stdout] (default task-1) CKA_UNWRAP = true
2024-11-13 04:18:29,963 INFO [stdout] (default task-1) }
2024-11-13 04:18:29,964 ERROR [com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapper] (default task-1) Wrong arguments were passed to sun.security.pkcs11.wrapper.PKCS11.CK_C_INITIALIZE_ARGS.getInstance threw an exception for log.error(msg, e): java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapper.<init>(SunP11SlotListWrapper.java:144)
    at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapperFactory.getInstance(SunP11SlotListWrapperFactory.java:74)
    at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapperFactory.getInstance(SunP11SlotListWrapperFactory.java:35)
    at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.Pkcs11SlotLabel.getSlotListWrapper(Pkcs11SlotLabel.java:570)
    at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.Pkcs11SlotLabel.getProvider(Pkcs11SlotLabel.java:120)
    at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.Pkcs11SlotLabel.getP11Provider(Pkcs11SlotLabel.java:555)
    at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.Pkcs11SlotLabel.getP11Provider(Pkcs11SlotLabel.java:520)
    at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.P11Slot.<init>(P11Slot.java:63)
    at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.P11Slot.getInstance(P11Slot.java:252)
    at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.P11Slot.getInstance(P11Slot.java:209)
    at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.P11Slot.getInstance(P11Slot.java:187)
    at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.delayedInit(PKCS11CryptoToken.java:132)
    at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.getP11slotWithDelayedInit(PKCS11CryptoToken.java:298)
    at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.activate(PKCS11CryptoToken.java:155)
    at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.keys.token.CryptoTokenManagementSessionBean.createCryptoToken(CryptoTokenManagementSessionBean.java:412)
    at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.keys.token.CryptoTokenManagementSessionBean.createCryptoToken(CryptoTokenManagementSessionBean.java:458)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.jboss.as.ee@26.1.3.Final//org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:52)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
    at org.jboss.as.weld.common@26.1.3.Final//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.delegateInterception(Jsr299BindingsInterceptor.java:79)
    at org.jboss.as.weld.common@26.1.3.Final//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.doMethodInterception(Jsr299BindingsInterceptor.java:89)
    at org.jboss.as.weld.common@26.1.3.Final//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:102)
    at org.jboss.as.ee@26.1.3.Final//org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.jpa@26.1.3.Final//org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ee@26.1.3.Final//org.jboss.as.ee.concurrent.ConcurrentContextInterceptor.processInvocation(ConcurrentContextInterceptor.java:45)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:40)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
    at org.jboss.as.ee@26.1.3.Final//org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:52)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:56)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:254)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:390)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:160)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
    at org.jboss.weld.core@3.1.9.Final//org.jboss.weld.module.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:81)
    at org.jboss.as.weld.common@26.1.3.Final//org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:89)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.security.IdentityOutflowInterceptor.processInvocation(IdentityOutflowInterceptor.java:73)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.security.SecurityDomainInterceptor.processInvocation(SecurityDomainInterceptor.java:44)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.deployment.processors.EjbSuspendInterceptor.processInvocation(EjbSuspendInterceptor.java:57)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ee@26.1.3.Final//org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
    at org.wildfly.security.elytron-base@1.19.1.Final//org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:633)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation@1.7.0.Final//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
    at org.jboss.as.ee@26.1.3.Final//org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
    at org.wildfly.security.elytron-base@1.19.1.Final//org.wildfly.security.auth.server.SecurityIdentity.runAsFunctionEx(SecurityIdentity.java:421)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.remote.AssociationImpl.invokeWithIdentity(AssociationImpl.java:674)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.remote.AssociationImpl.invokeMethod(AssociationImpl.java:655)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.remote.AssociationImpl.lambda$receiveInvocationRequest$0(AssociationImpl.java:251)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.remote.AssociationImpl.execute(AssociationImpl.java:344)
    at org.jboss.as.ejb3@26.1.3.Final//org.jboss.as.ejb3.remote.AssociationImpl.receiveInvocationRequest(AssociationImpl.java:297)
    at org.jboss.ejb-client@4.0.44.Final//org.jboss.ejb.protocol.remote.EJBServerChannel$ReceiverImpl.handleInvocationRequest(EJBServerChannel.java:473)
    at org.jboss.ejb-client@4.0.44.Final//org.jboss.ejb.protocol.remote.EJBServerChannel$ReceiverImpl.handleMessage(EJBServerChannel.java:208)
    at org.jboss.remoting@5.0.25.Final//org.jboss.remoting3.remote.RemoteConnectionChannel.lambda$handleMessageData$3(RemoteConnectionChannel.java:432)
    at org.jboss.remoting@5.0.25.Final//org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:991)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
    at org.jboss.xnio@3.8.7.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Initialize(Native Method)
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_Initialize(PKCS11.java:1667)
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.getInstance(PKCS11.java:166)

Results of HSM Tests w/ Built in Tools

root@w1001341keyec01:/etc/ejbca-ce/dist/clientToolBox# ./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so 0
Test of keystore with ID 0.
PKCS11 Token [SunPKCS11-yubihsm_pkcs11.so-slot0] Password:

Testing of key: keyDefaultRSA
Private part: SunPKCS11-yubihsm_pkcs11.so-slot0 RSA private key, 2048 bitstoken object, sensitive, extractable)
RSA key:
modulus:
public exponent: 10001
javax.crypto.BadPaddingException: doFinal() failed
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:402)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineDoFinal(P11RSACipher.java:426)
    at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
    at org.ejbca.ui.cli.KeyStoreContainerTest$Crypto.doOperation(KeyStoreContainerTest.java:242)
    at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.test(KeyStoreContainerTest.java:494)
    at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.doIt(KeyStoreContainerTest.java:511)
    at org.ejbca.ui.cli.KeyStoreContainerTest.startNormal(KeyStoreContainerTest.java:145)
    at org.ejbca.ui.cli.KeyStoreContainerTest.test(KeyStoreContainerTest.java:84)
    at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:677)
    at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:737)
    at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
    at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:72)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_REJECTED
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:379)
    ... 11 more
2024-11-13 07:00:14,372 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] Signature algorithm 'SHA1WithRSA' working for provider 'SunPKCS11-yubihsm_pkcs11.so-slot0 version 11'.
Signature test of key keyDefaultRSA: signature length 256; first byte 38; verifying true
Signings per second: 7
Crypto not possible with this key. See exception

Testing of key: keyTestECDSA
Private part: SunPKCS11-yubihsm_pkcs11.so-slot0 EC private key, 384 bitstoken object, sensitive, extractable)
Elliptic curve key:
2024-11-13 07:00:14,956 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] Signature algorithm 'SHA384withECDSA' working for provider 'SunPKCS11-yubihsm_pkcs11.so-slot0 version 11'.
Signature test of key keyTestECDSA: signature length 103; first byte 30; verifying true
Signings per second: 8
No encryption possible with this key.

Testing of key: certSignRootECDSA
Private part: SunPKCS11-yubihsm_pkcs11.so-slot0 EC private key, 384 bitstoken object, sensitive, extractable)
Elliptic curve key:
Named curve: P-384
the affine x-coordinate: 2978f438cba005a99610964a8315baa11b138dec848fcc0ace4e672e20f3fd0bfcce7230f4790e3a22415c19823185ff
the affine y-coordinate: 3901d6e467259229ac741815d6d4676ad961a0a6be4dbdcfc8f6523d16a972528747748d6b4f227a33f8ad2833cfa914
Signature test of key certSignRootECDSA: signature length 104; first byte 30; verifying true
Signings per second: 8
No encryption possible with this key.

Testing of key: keyTestRSA
Private part: SunPKCS11-yubihsm_pkcs11.so-slot0 RSA private key, 2048 bitstoken object, sensitive, extractable)
RSA key:
modulus:
public exponent: 10001
javax.crypto.BadPaddingException: doFinal() failed
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:402)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineDoFinal(P11RSACipher.java:426)
    at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
    at org.ejbca.ui.cli.KeyStoreContainerTest$Crypto.doOperation(KeyStoreContainerTest.java:242)
    at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.test(KeyStoreContainerTest.java:494)
    at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.doIt(KeyStoreContainerTest.java:511)
    at org.ejbca.ui.cli.KeyStoreContainerTest.startNormal(KeyStoreContainerTest.java:145)
    at org.ejbca.ui.cli.KeyStoreContainerTest.test(KeyStoreContainerTest.java:84)
    at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:677)
    at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:737)
    at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
    at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:72)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_REJECTED
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:379)
    ... 11 more
Signature test of key keyTestRSA: signature length 256; first byte 1b; verifying true
Signings per second: 7
Crypto not possible with this key. See exception

Testing of key: keyEncryptECDSA
Private part: SunPKCS11-yubihsm_pkcs11.so-slot0 RSA private key, 2048 bitstoken object, sensitive, extractable)
RSA key:
modulus:
public exponent: 10001
javax.crypto.BadPaddingException: doFinal() failed
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:402)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineDoFinal(P11RSACipher.java:426)
    at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
    at org.ejbca.ui.cli.KeyStoreContainerTest$Crypto.doOperation(KeyStoreContainerTest.java:242)
    at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.test(KeyStoreContainerTest.java:494)
    at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.doIt(KeyStoreContainerTest.java:511)
    at org.ejbca.ui.cli.KeyStoreContainerTest.startNormal(KeyStoreContainerTest.java:145)
    at org.ejbca.ui.cli.KeyStoreContainerTest.test(KeyStoreContainerTest.java:84)
    at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:677)
    at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:737)
    at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
    at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:72)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_REJECTED
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:379)
    ... 11 more
Signature test of key keyEncryptECDSA: signature length 256; first byte 53; verifying true
Signings per second: 7
Crypto not possible with this key. See exception

Testing of key: keyEncryptRSA
Private part: SunPKCS11-yubihsm_pkcs11.so-slot0 RSA private key, 2048 bitstoken object, sensitive, extractable)
RSA key:
modulus:
public exponent: 10001
javax.crypto.BadPaddingException: doFinal() failed
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:402)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineDoFinal(P11RSACipher.java:426)
    at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
    at org.ejbca.ui.cli.KeyStoreContainerTest$Crypto.doOperation(KeyStoreContainerTest.java:242)
    at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.test(KeyStoreContainerTest.java:494)
    at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.doIt(KeyStoreContainerTest.java:511)
    at org.ejbca.ui.cli.KeyStoreContainerTest.startNormal(KeyStoreContainerTest.java:145)
    at org.ejbca.ui.cli.KeyStoreContainerTest.test(KeyStoreContainerTest.java:84)
    at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:677)
    at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:737)
    at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
    at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:72)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_REJECTED
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:379)
    ... 11 more
Signature test of key keyEncryptRSA: signature length 256; first byte 53; verifying true
Signings per second: 7
Crypto not possible with this key. See exception

Testing of key: certSignRootRSA
Private part: SunPKCS11-yubihsm_pkcs11.so-slot0 RSA private key, 4096 bitstoken object, sensitive, extractable)
RSA key:
modulus:
public exponent: 10001
javax.crypto.BadPaddingException: doFinal() failed
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:402)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineDoFinal(P11RSACipher.java:426)
    at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
    at org.ejbca.ui.cli.KeyStoreContainerTest$Crypto.doOperation(KeyStoreContainerTest.java:242)
    at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.test(KeyStoreContainerTest.java:494)
    at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.doIt(KeyStoreContainerTest.java:511)
    at org.ejbca.ui.cli.KeyStoreContainerTest.startNormal(KeyStoreContainerTest.java:145)
    at org.ejbca.ui.cli.KeyStoreContainerTest.test(KeyStoreContainerTest.java:84)
    at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:677)
    at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:737)
    at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
    at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:72)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_REJECTED
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:379)
    ... 11 more
Signature test of key certSignRootRSA: signature length 512; first byte 62; verifying true
Signings per second: 1
Crypto not possible with this key. See exception

Testing of key: keyDefaultECDSA
Private part: SunPKCS11-yubihsm_pkcs11.so-slot0 EC private key, 384 bitstoken object, sensitive, extractable)
Elliptic curve key:
Signature test of key keyDefaultECDSA: signature length 102; first byte 30; verifying true
Signings per second: 8
No encryption possible with this key.

To Reproduce

On a fresh installation of Ubuntu 22.04 with IPv6 only enabled (no IPv4)

Create Env Variable Script

sudo nano /etc/profile.d/02-AddEnvVariables.sh.test

File Contents


export JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64"
export ANT_HOME="/opt/apache-ant-1.10.15"
export PATH="$PATH:$ANT_HOME/bin"
export APPSRV_HOME="/opt/wildfly"
export YUBIHSM_PKCS11_CONF="/etc/yubico/yubihsm_pkcs11.conf"
export EJBCA_HOME="/etc/ejbca-ce"



Enter Root Shell

sudo -i


Install Unzip

apt install -y unzip


Download YubiHSM SDK and Install

wget -O yubihsm2-sdk-2024-09-ubuntu2204-amd64.tar.gz https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2024-09-ubuntu2204-amd64.tar.gz
tar -xvzf yubihsm2-sdk-2024-09-ubuntu2204-amd64.tar.gz
cd yubihsm2-sdk
apt --fix-broken -y install $(ls ./*.deb | grep -v './libyubihsm-dev*')
cd ..
rm -r yubi*


Create and Modify Config Files for YubiHSM SDK

mkdir /etc/yubico
nano /etc/yubico/yubihsm_pkcs11.conf

File Contents


connector = http://hsm1
debug
dinout
libdebug
debug-file = /tmp/yubihsm_pkcs11_debug
cacert = /tmp/cacert.pem
proxy = http://hsm1
timeout = 5



Install PostgreSQL 16

apt install curl ca-certificates -y
install -d /usr/share/postgresql-common/pgdg
curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc
sh -c 'echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
apt update && sudo apt install postgresql-16 -y


Configure DB Settings

sudo -i -u postgres
createuser ejbca_user -P
createdb ejbcadb -O ejbca_user
logout
nano /etc/postgresql/16/main/pg_hba.conf
systemctl restart postgresql


Clone EJBCA Repository to /etc/ejbca-ce

cd /etc
git clone https://github.com/Keyfactor/ejbca-ce.git --branch r8.3.2 --single-branch


Modify EJBCA Configuration Files

rm -r /etc/ejbca-ce/conf/*.properties.sample && rm -r /etc/ejbca-ce/conf/plugins/*.properties.sample && rm -r /etc/ejbca-ce/conf/logdevices/*.properties.sample
nano /etc/ejbca-ce/conf/catoken.properties

File Contents


sharedLibrary=/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
slotLabelType=SLOT_NUMBER
slotLabelValue=0
defaultKey keyDefaultRSA
certSignKey certSignRootRSA
crlSignKey certSignRootRSA
keyEncryptKey keyEncryptRSA
testKey keyTestRSA
pin


nano /etc/ejbca-ce/conf/cesecore.properties

File Contents


database.crlgenfetchordered=true


nano /etc/ejbca-ce/conf/database.properties

File Contents


datasource.jndi-name=EjbcaDS
database.name=postgres
database.useSeparateCertificateTable=true
database.url=jdbc:postgresql://127.0.0.1/ejbcadb
database.driver=org.postgresql.Driver
database.username=ejbca_user
database.password=ThisIsATestPassword


nano /etc/ejbca-ce/conf/ejbca.properties

File Contents


appserver.home=${env.APPSRV_HOME}
ejbca.productionmode=true
allow.external-dynamic.configuration=false


nano /etc/ejbca-ce/conf/install.properties

File Contents


ca.tokentype=org.cesecore.keys.token.PKCS11CryptoToken
ca.tokenproperties=/etc/ejbca-ce/conf/catoken.properties


nano /etc/ejbca-ce/conf/web.properties

File Contents


java.trustpassword=changeit
superadmin.cn=SuperAdmin
superadmin.dn=CN=${superadmin.cn}
superadmin.password=ejbca
superadmin.batch=true
httpsserver.password=serverpwd
httpsserver.hostname=localhost
httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE
httpsserver.tokentype=P12
httpserver.pubhttp=8080
httpserver.pubhttps=8442
httpserver.privhttps=8443
web.availablelanguages=en
web.contentencoding=UTF-8
web.docbaseuri=disabled
web.reqcertindb=true
web.reqauth=true
web.manualclasspathsenabled=false
cryptotoken.p11.lib.120.name=YubiHSM2
cryptotoken.p11.lib.120.file=/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
cryptotoken.pqc.enabled=false



Install JDK11

apt install -y openjdk-11-jdk


Install Apache Ant

cd ~
wget https://dlcdn.apache.org//ant/binaries/apache-ant-1.10.15-bin.zip
unzip apache-ant-1.10.15-bin.zip -d /opt
rm apache-ant-1.10.15-bin.zip
ant -version


Download and Build WildFly 26

wget https://github.com/wildfly/wildfly/releases/download/26.1.3.Final/wildfly-26.1.3.Final.tar.gz
tar -xf wildfly-*.Final.tar.gz
mv wildfly-*Final /opt/wildfly
groupadd -r wildfly
useradd -r -g wildfly -d /opt/wildfly -s /sbin/nologin wildfly
chown -RH wildfly:wildfly /opt/wildfly
mkdir -p /etc/wildfly
cp /opt/wildfly/docs/contrib/scripts/systemd/wildfly.conf /etc/wildfly/
cp /opt/wildfly/docs/contrib/scripts/systemd/wildfly.service /etc/systemd/system/
cp /opt/wildfly/docs/contrib/scripts/systemd/launch.sh /opt/wildfly/bin/
chmod +x /opt/wildfly/bin/*.sh


Enable WildFly Daemons

systemctl enable --now wildfly
systemctl daemon-reload


Modify Wildfly Config Files

rm /opt/wildfly/bin/standalone.conf
nano /opt/wildfly/standalone/configuration/standalone.xml

Replace Existing Interfaces With



nano /etc/wildfly/wildfly.conf

File Contents


# The configuration you want to run
WILDFLY_CONFIG=standalone.xml

# The mode you want to run
WILDFLY_MODE=standalone

# The address to bind to
WILDFLY_BIND=[::]


nano /opt/wildfly/bin/standalone.conf

File Contents


if [ "x$JBOSS_MODULES_SYSTEM_PKGS" = "x" ]; then
   JBOSS_MODULES_SYSTEM_PKGS="org.jboss.byteman"
fi

if [ "x$JAVA_OPTS" = "x" ]; then
   JAVA_OPTS="-Xms2048m -Xmx3584m"
   JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1.2,TLSv1.3"
   JAVA_OPTS="$JAVA_OPTS -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3"
   JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=false"
   JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv6Stack=true"
   JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS"
   JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true"
   JAVA_OPTS="$JAVA_OPTS -Djboss.tx.node.id=101"
   JAVA_OPTS="$JAVA_OPTS -XX:+HeapDumpOnOutOfMemoryError"
   JAVA_OPTS="$JAVA_OPTS -Djdk.tls.ephemeralDHKeySize=2048"
   JAVA_OPTS="$JAVA_OPTS -Djava.security.debug=sunpkcs11"
else
   echo "JAVA_OPTS already set in environment; overriding default settings with values: $JAVA_OPTS"
fi


systemctl restart wildfly


Create WildFly Admin user

cd /opt/wildfly/bin
./add-user.sh


Prevent WildFly From Loading Native BouncyCastle

sed -i '/.*org.jboss.resteasy.resteasy-crypto.*/d' /opt/wildfly/modules/system/layers/base/org/jboss/as/jaxrs/main/module.xml
rm -rf /opt/wildfly/modules/system/layers/base/org/jboss/resteasy/resteasy-crypto/


Create a Credential Store

echo '#!/bin/sh' > /usr/bin/wildfly_pass
echo "echo '$(openssl rand -base64 31)'" >> /usr/bin/wildfly_pass
chown wildfly:wildfly /usr/bin/wildfly_pass
chmod 700 /usr/bin/wildfly_pass
mkdir /opt/wildfly/standalone/configuration/keystore
chown wildfly:wildfly /opt/wildfly/standalone/configuration/keystore
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/credential-store=defaultCS:add(path=keystore/credentials, relative-to=jboss.server.config.dir, credential-reference={clear-text="{EXT}/usr/bin/wildfly_pass", type="COMMAND"}, create=true)'


Install the DB Driver for PGSQL

wget https://jdbc.postgresql.org/download/postgresql-42.2.18.jar -O /opt/wildfly/standalone/deployments/postgresql-jdbc4.jar


Add PGSQL Data Sources

/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/credential-store=defaultCS:add-alias(alias=dbPassword, secret-value="ThisIsATestPassword")'
/opt/wildfly/bin/jboss-cli.sh --connect 'data-source add --name=ejbcads --connection-url="jdbc:postgresql://127.0.0.1/ejbcadb" --jndi-name="java:/EjbcaDS" --use-ccm=true --driver-name="postgresql-jdbc4.jar" --driver-class="org.postgresql.Driver" --user-name="ejbca_user" --credential-reference={store=defaultCS, alias=dbPassword} --validate-on-match=true --background-validation=false --prepared-statements-cache-size=50 --share-prepared-statements=true --min-pool-size=5 --max-pool-size=150 --pool-prefill=true --transaction-isolation=TRANSACTION_READ_COMMITTED --check-valid-connection-sql="select 1;"'
/opt/wildfly/bin/jboss-cli.sh --connect ':reload'


Configure WildFly Remoting

/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=connector-ref,value=remoting)'
/opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=remoting:add(port=4447,interface=management)'
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/http-listener=remoting:add(socket-binding=remoting,enable-http2=true)'
/opt/wildfly/bin/jboss-cli.sh --connect ':reload'


Configure WildFly Logging

/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.ejbca:add(level=INFO)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.cesecore:add(level=INFO)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=com.keyfactor:add(level=INFO)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.jboss.as.config:write-attribute(name=level, value=WARN)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.jboss:add(level=WARN)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.wildfly:add(level=WARN)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.xnio:add(level=WARN)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.hibernate:add(level=WARN)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.apache.cxf:add(level=WARN)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.cesecore.config.ConfigurationHolder:add(level=WARN)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/host=default-host/setting=access-log:add(pattern="%h %t \"%r\" %s \"%{i,User-Agent}\"", relative-to=jboss.server.log.dir, directory=access-logs)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=io.undertow.accesslog:add(level=INFO)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/root-logger=ROOT:remove-handler(name=CONSOLE)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/console-handler=CONSOLE:remove()'

/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.cesecore.keys.token.p11ng:add(level=DEBUG)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.ejbca.ui.p11ngcli:add(level=DEBUG)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.cesecore.keys.token.p11ng.provider.CryptokiDevice:add(level=TRACE)'

/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.pkcs11.jacknji11.Cryptoki:add'
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.pkcs11.jacknji11.Cryptoki:write-attribute(name=level, value=DEBUG)'


Configure Automatic Log Rotation

nano /etc/cron.daily/remove-old-wildfly-logs.sh

File Contents


#!/bin/sh

# Remove log files older than 7 days
find /opt/wildfly/standalone/log/ -type f -mtime +7 -name '*.log' -execdir rm -- '{}' \;


chmod +x /etc/cron.daily/remove-old-wildfly-logs.sh


Remove Old Interfaces and Sockets for HTTP and TLS

/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/http-listener=default:remove()' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=http:remove()' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/https-listener=https:remove()' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=https:remove()' &&
/opt/wildfly/bin/jboss-cli.sh --connect ':reload'


Add New 3 Port Separation for Interfaces and Sockets

/opt/wildfly/bin/jboss-cli.sh --connect '/interface=http:add(inet-address="[::]")' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/interface=httpspub:add(inet-address="[::]")' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/interface=httpspriv:add(inet-address="[::]")' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=http:add(port="8080",interface="http")' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442",interface="httpspub")' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443",interface="httpspriv")'


Configure TLS

/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/credential-store=defaultCS:add-alias(alias=httpsKeystorePassword, secret-value="serverpwd")' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/credential-store=defaultCS:add-alias(alias=httpsTruststorePassword, secret-value="changeit")' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/key-store=httpsKS:add(path="keystore/keystore.p12",relative-to=jboss.server.config.dir,credential-reference={store=defaultCS, alias=httpsKeystorePassword},type=PKCS12)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/key-store=httpsTS:add(path="keystore/truststore.p12",relative-to=jboss.server.config.dir,credential-reference={store=defaultCS, alias=httpsTruststorePassword},type=PKCS12)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={store=defaultCS, alias=httpsKeystorePassword})' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/trust-manager=httpsTM:add(key-store=httpsTS)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/server-ssl-context=httpspub:add(key-manager=httpsKM,protocols=["TLSv1.3","TLSv1.2"],use-cipher-suites-order=false,cipher-suite-filter="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256")' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/server-ssl-context=httpspriv:add(key-manager=httpsKM,protocols=["TLSv1.3","TLSv1.2"],use-cipher-suites-order=false,cipher-suite-filter="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256",trust-manager=httpsTM,need-client-auth=true)'


Configure Listeners

/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/http-listener=http:add(socket-binding="http", redirect-socket="httpspriv")' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding="httpspub", ssl-context="httpspub", max-parameters=2048)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding="httpspriv", ssl-context="httpspriv", max-parameters=2048)' &&
/opt/wildfly/bin/jboss-cli.sh --connect ':reload'


HTTP Protocol Behavior Configuration

/opt/wildfly/bin/jboss-cli.sh --connect '/system-property=org.apache.catalina.connector.URI_ENCODING:add(value="UTF-8")' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/system-property=org.apache.tomcat.util.http.Parameters.MAX_COUNT:add(value=2048)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)' &&
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)' &&
/opt/wildfly/bin/jboss-cli.sh --connect ':reload'


Increase the Deployment Timeout

/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=deployment-scanner/scanner=default:write-attribute(name=deployment-timeout,value=300)'


Deploy Ear File to WildFly

cd /etc/ejbca-ce
ant -q clean deployear


Run the Installation and Deploy Keystore

ant runinstall
ant deploy-keystore
chown wildfly:wildfly /opt/wildfly/standalone/configuration/keystore/*.p12
systemctl restart wildfly
cp /etc/ejbca-ce/p12/superadmin.p12 /home/sysadmin/superadmin.p12
chown sysadmin:sysadmin /home/sysadmin/superadmin.p12


After Modifying the Properties Files and Building w/ Local CA

$EJBCA_HOME/bin/ejbca.sh cryptotoken create --token HSM1 --pin --autoactivate true --type PKCS11CryptoToken --exportkey false --forceusedslots --lib /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so --slotlabeltype SLOT_NUMBER --slotlabel 0
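The trace quoted at the top of this report shows the SunPKCS11 provider loading yubihsm_pkcs11.so with slot = -1, i.e. no slot was bound before the token was opened. The following is an added example, written for this thread and not code from EJBCA, WildFly or the reporter: a small Python checker that pulls library and slot out of a -Djava.security.debug=sunpkcs11 dump and flags a negative slot, plus an illustrative model (an assumption, not EJBCA's implementation) of how a --slotlabeltype/--slotlabel pair maps onto what the PKCS#11 library reports. The trace lines, slot IDs and token label are constructed; SLOT_NUMBER is the type used in the report, while SLOT_INDEX and SLOT_LABEL are the other EJBCA slot label types and are included to show the distinction between a PKCS#11 slot ID, a position in the C_GetSlotList result, and a token label.

```python
import re

# Constructed sample in the shape of the SunPKCS11 config dump that WildFly
# prints when JAVA_OPTS carries -Djava.security.debug=sunpkcs11.
SAMPLE_TRACE = (
    "2024-11-13 04:18:29,958 INFO  [stdout] (default task-1) library = "
    "/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so\n"
    "2024-11-13 04:18:29,958 INFO  [stdout] (default task-1) slot = -1\n"
    "2024-11-13 04:18:29,958 INFO  [stdout] (default task-1) attributes(, CKO_PUBLIC_KEY, ) = {\n"
)

_LIBRARY_RE = re.compile(r"\blibrary = (\S+)")
_SLOT_RE = re.compile(r"\bslot = (-?\d+)")


def parse_pkcs11_trace(text):
    """Pull the first 'library' and 'slot' values out of a SunPKCS11 config dump.
    Returns (library, slot); either is None when absent, slot is an int."""
    library = None
    slot = None
    for line in text.splitlines():
        m = _LIBRARY_RE.search(line)
        if m and library is None:
            library = m.group(1)
        m = _SLOT_RE.search(line)
        if m and slot is None:
            slot = int(m.group(1))
    return library, slot


def check_trace(text):
    """Return a list of findings; an empty list means the dump looks usable."""
    library, slot = parse_pkcs11_trace(text)
    findings = []
    if library is None:
        findings.append("no 'library =' line: the provider never named a PKCS#11 module")
    if slot is None:
        findings.append("no 'slot =' line in dump")
    elif slot < 0:
        findings.append(f"slot = {slot}: no slot was bound; the token cannot be opened")
    return findings


def resolve_slot(label_type, label, slot_ids, token_labels):
    """Illustrative model (assumption, not EJBCA's code) of slot selection.
      SLOT_NUMBER: label is a slot ID as returned by C_GetSlotList
      SLOT_INDEX:  label is a 0-based position in that list
      SLOT_LABEL:  label is the token label (CK_TOKEN_INFO.label, padding stripped)
    slot_ids and token_labels are parallel lists. Returns the slot ID, or -1
    when nothing matches, which is the value seen in the trace above."""
    if label_type == "SLOT_NUMBER":
        try:
            wanted = int(label)
        except ValueError:
            return -1
        return wanted if wanted in slot_ids else -1
    if label_type == "SLOT_INDEX":
        try:
            index = int(label)
        except ValueError:
            return -1
        return slot_ids[index] if 0 <= index < len(slot_ids) else -1
    if label_type == "SLOT_LABEL":
        for slot_id, token_label in zip(slot_ids, token_labels):
            if token_label.rstrip() == label:
                return slot_id
        return -1
    return -1


if __name__ == "__main__":
    for finding in check_trace(SAMPLE_TRACE):
        print("FINDING:", finding)
    # Constructed slot list: one slot with ID 0, matching the report's statement
    # that the YubiHSM2 only offers index 0; the token label is made up.
    print("SLOT_NUMBER 0 ->", resolve_slot("SLOT_NUMBER", "0", [0], ["YubiHSM"]))
    print("SLOT_NUMBER 1 ->", resolve_slot("SLOT_NUMBER", "1", [0], ["YubiHSM"]))
```

Run against a captured server.log the checker gives a yes/no answer on whether the slot was bound before the cryptotoken was created; the resolver is only there to make explicit that a slot number, a slot index and a token label are three different lookups, so a value that is correct for one type yields -1 under another.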

primetomas commented 1 week ago

Are you sure it is not Java 17 that is the runtime for WildFly?

WHN-JWEBB commented 1 week ago

Yeah, this machine only has JDK-11 installed. I did try installing the master repo using WF 32 and JDK17 but couldn't get the ear to successfully deploy so I rolled it back a version to see if that would at least install.

Last login: Wed Nov 13 05:20:14 2024 from fc01:1001:a013::2001:13b:1
sysadmin@w1001341keyec01:~$ sudo update-java-alternatives -l
[sudo] password for sysadmin:
java-1.11.0-openjdk-amd64 1111 /usr/lib/jvm/java-1.11.0-openjdk-amd64
sysadmin@w1001341keyec01:~$