pki-bot / pki-issues-final


shared secret key is not imported under TPS instance using HSM when the config file has pki_import_shared_secret=True #2033

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #2484. Originally filed by rpattath (@rpattath) on 2016-09-28 00:07:06:


shared secret key is not imported under TPS instance using HSM when the config file has pki_import_shared_secret=True

Steps to Reproduce:

TPS config file

[root@nocp4 rpattath]# cat tps.cfg
[DEFAULT]
pki_instance_name = pki-tps-rpattath-Sep23-2016
pki_https_port = 25443
pki_http_port = 25080
pki_admin_password = Secret123
pki_hostname = nocp4.idm.lab.eng.rdu2.redhat.com
pki_security_domain_hostname = nocp4.idm.lab.eng.rdu2.redhat.com
pki_security_domain_https_port = 8443
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-TPS
pki_client_pkcs12_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 8389
pki_client_database_password = Secret123
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM-RPATTATH-SOFTCARD
pki_token_password=*****

[Tomcat]
pki_ajp_port = 25009
pki_tomcat_server_port = 25005

[TPS]
pki_import_admin_cert = False
pki_ds_hostname = nocp4.idm.lab.eng.rdu2.redhat.com
pki_authdb_basedn = ou=People,dc=pki-tps
pki_authdb_hostname=nocp4.idm.lab.eng.rdu2.redhat.com
pki_authdb_port=8389
pki_ca_uri=https://nocp4.idm.lab.eng.rdu2.redhat.com:8443
pki_tks_uri=https://nocp4.idm.lab.eng.rdu2.redhat.com:23443
pki_kra_uri=https://nocp4.idm.lab.eng.rdu2.redhat.com:21443
pki_admin_nickname=PKI TPS Administrator for Example.Org
pki_enable_server_side_keygen=True
pki_import_shared_secret=True

Actual results:

[root@nocp4 rpattath]# tkstool -L -d /var/lib/pki/pki-tps-rpattath-Sep23-2016/alias/ -h NHSM-RPATTATH-SOFTCARD

 slot:  NHSM-RPATTATH-SOFTCARD
token:  NHSM-RPATTATH-SOFTCARD

Enter Password or Pin for "NHSM-RPATTATH-SOFTCARD":
        tkstool: the specified token is empty
[root@nocp4 rpattath]# tkstool -L -d /var/lib/pki/pki-tps-rpattath-Sep23-2016/alias/

 slot:  NSS User Private Key and Certificate Services
token:  NSS Certificate DB

Enter Password or Pin for "NSS Certificate DB":
Enter Password or Pin for "NSS Certificate DB":
        tkstool: the specified token is empty

Expected results:

pkispawn should fail with an appropriate error message to remove the parameter from the config.

Additional info:

log messages

[26/Sep/2016:10:44:19][http-bio-25443-exec-3]: getTransportCert() start
[26/Sep/2016:10:44:19][http-bio-25443-exec-3]: ConfigurationUtils: POST https://nocp4.idm.lab.eng.rdu2.redhat.com:21443/kra/admin/kra/getTransportCert
[26/Sep/2016:10:44:26][http-bio-25443-exec-3]: ConfigurationUtils: POST https://nocp4.idm.lab.eng.rdu2.redhat.com:23443/tks/admin/tks/importTransportCert
[26/Sep/2016:10:44:32][http-bio-25443-exec-3]: exportTransportCert: status=0
[26/Sep/2016:10:44:32][http-bio-25443-exec-3]: exportTransportCert: Successfully added transport cert to https://nocp4.idm.lab.eng.rdu2.redhat.com:23443
[26/Sep/2016:10:44:32][http-bio-25443-exec-3]: finalizeConfiguration: importSharedSecret:true
[26/Sep/2016:10:44:32][http-bio-25443-exec-3]: finalizeConfiguration: importSharedSecret: importSharedSecret is true.
[26/Sep/2016:10:44:32][http-bio-25443-exec-3]: In ConfigurationUtils.getSharedSecret! importKey: true
[26/Sep/2016:10:44:40][http-bio-25443-exec-3]: getSharedSecret: About to attempt to import shared secret key.
[26/Sep/2016:10:44:40][http-bio-25443-exec-3]: getSharedSecret()): WARNING, Failed to automatically import shared secret. Please follow the manual procedure.java.security.InvalidKeyException: Key does not reside on the current token

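
The check the Expected results above ask for, written as an added example (not Dogtag PKI or pkispawn code): a pre-flight validator that parses a pkispawn TPS config and rejects pki_import_shared_secret=True whenever pki_hsm_enable=True. The rule itself is an assumption drawn from this report, and the embedded sample config is constructed from the report's tps.cfg with placeholder values.

```python
"""Pre-flight check for a pkispawn TPS config (added example, not Dogtag PKI
code): reject the unsupported combination of an HSM token
(pki_hsm_enable=True) and automatic shared-secret import
(pki_import_shared_secret=True), which the report shows failing at
runtime with "Key does not reside on the current token". The rule itself
is an assumption drawn from the report's Expected results."""
import configparser

HSM_PARAM = "pki_hsm_enable"
SECRET_PARAM = "pki_import_shared_secret"

def _is_true(value):
    # pkispawn-style booleans as they appear in .cfg files
    return value.strip().lower() in ("true", "yes", "1")

def check_tps_config(text):
    """Parse pkispawn config text; return a list of error strings
    (empty when the config passes this check)."""
    # interpolation=None: config values may contain a literal '%'
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    if "TPS" not in cfg:
        return []  # only TPS instances import the TKS shared secret
    tps = cfg["TPS"]  # lookups fall back to [DEFAULT] automatically
    hsm = _is_true(tps.get(HSM_PARAM, "False"))
    import_secret = _is_true(tps.get(SECRET_PARAM, "False"))
    if hsm and import_secret:
        return [f"{SECRET_PARAM}=True is not supported when {HSM_PARAM}=True; "
                f"remove {SECRET_PARAM} from the [TPS] section and import "
                "the shared secret into the HSM token manually"]
    return []

# Constructed sample, trimmed from the report's tps.cfg; values are placeholders
SAMPLE_CFG = """\
[DEFAULT]
pki_instance_name = pki-tps-example
pki_hsm_enable=True
pki_token_name=EXAMPLE-TOKEN

[TPS]
pki_import_admin_cert = False
pki_enable_server_side_keygen=True
pki_import_shared_secret=True
"""

if __name__ == "__main__":
    for err in check_tps_config(SAMPLE_CFG):
        print("pkispawn: ERROR:", err)
```

Because [DEFAULT] values are inherited by every section, the HSM flag is read through the [TPS] section proxy, so the check behaves the same whether pki_hsm_enable is set globally or only for the TPS subsystem.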
pki-bot commented 4 years ago

Comment from rpattath (@rpattath) at 2017-02-27 14:06:13

Metadata Update from @rpattath:

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-03-03 20:14:53

Metadata Update from @mharmsen:

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-08-09 12:43:41

Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-08-09 12:43:41

Metadata Update from @mharmsen: