Configure a PKCS11 keystore in WildFly 21


Bastian Fredriksson

Dec 21, 2020, 5:06:17 PM
to wil...@googlegroups.com
Hi, I'm trying to store the private key for TLS in an HSM.

I'm using SoftHSM to test, but got stuck on what I believe could be a bug, but let me know if I have done something incorrectly.

I already have SoftHSM configured. There is an empty token with slot number 1843726896 which can be used for WildFly. Then I tried to configure WildFly as follows:

1. Create a pkcs11.cfg file as follows:
name = SoftHSM 2
library = /usr/lib/softhsm/libsofthsm2.so
slot = 1843726896
attributes(*, CKO_PUBLIC_KEY, *) = {
  CKA_TOKEN = false
  CKA_ENCRYPT = false
  CKA_VERIFY = true
  CKA_WRAP = false
}
attributes(*, CKO_PRIVATE_KEY, *) = {
  CKA_TOKEN = true
  CKA_PRIVATE = true
  CKA_SENSITIVE = true
  CKA_EXTRACTABLE = false
  CKA_DECRYPT = false
  CKA_SIGN = true
  CKA_UNWRAP = false
  CKA_DERIVE = false
}
 
2. Make the file readable by WildFly
chown wildfly:wildfly /opt/wildfly/standalone/configuration/pkcs11.cfg
3. Add the PIN to my credential store
/subsystem=elytron/credential-store=defaultCS:add-alias(alias=hsm,secret-value=foo123)
{
    "outcome" => "success",
    "result" => undefined
}
4. Create a provider-loader:
/subsystem=elytron/provider-loader=pkcs11:add(class-names=[sun.security.pkcs11.SunPKCS11],path=pkcs11.cfg,relative-to=jboss.server.config.dir,module=sun.jdk) 
{"outcome" => "success"}
5. And finally create the keystore. This is where I'm stuck.
/subsystem=elytron/key-store=httpsKSInHSM:add(credential-reference={store=defaultCS, alias=hsm},type=PKCS11,providers=pkcs11)
{
    "outcome" => "failed",
    "failure-description" => {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.httpsKSInHSM" => "WFLYELY00004: Unable to start the service.
    Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'PKCS11'"}},
    "rolled-back" => true
}

I found this bug report which seems to suggest that it stopped working back in 2017, but it was fixed: https://issues.redhat.com/browse/JBEAP-12216 

Is it broken again, or should something be configured differently?

Cheers,
--
Bastian Fredriksson

dvilkola

Jan 4, 2021, 1:39:48 PM
to WildFly
Hi, maybe the reason is the version of Java. The issue you linked, https://issues.redhat.com/browse/JBEAP-12216, was fixed for Java 8, but it does not work anymore on Java 11. I created https://issues.redhat.com/browse/ELY-2065 to look into it.
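
The two posts above leave open whether the "No suitable provider found for type 'PKCS11'" error comes from the JDK side (SoftHSM, the pkcs11.cfg, the Java 11 provider API) or from how the server loads the provider. The following is an added example, not code from the thread and not WildFly/Elytron code: it opens the same pkcs11.cfg as a PKCS11 KeyStore straight from the JDK, using the Java 9+ Provider.configure() path rather than the Java 8 constructor that the provider-loader's class-names entry refers to. If it fails here, the problem is below WildFly; if it works here and the CLI still fails, the problem is in the server's provider loading. The class name Pkcs11Check, the command-line arguments and the use of the post's "foo123" PIN as a placeholder are assumptions of the example.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;

/*
 * Added example (not from the thread, not WildFly/Elytron code).
 *
 *   javac Pkcs11Check.java
 *   java Pkcs11Check /opt/wildfly/standalone/configuration/pkcs11.cfg foo123
 *
 * Assumed: the config path and PIN are passed as arguments; the PIN value is a
 * placeholder taken from the post. Passing a real PIN on the command line
 * exposes it to `ps` and shell history; inside the server it belongs in the
 * credential store, as the post does.
 */
public class Pkcs11Check {

    /**
     * Java 9+: take the JDK's own SunPKCS11 provider and configure it with the
     * config file via Provider.configure(path). The Java 8 form,
     * new sun.security.pkcs11.SunPKCS11(path), no longer has that public
     * constructor, which is why a loader built around the class name alone is
     * not enough on Java 11.
     */
    static Provider configuredProvider(String configPath) {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("this JDK has no SunPKCS11 provider");
        }
        return base.configure(configPath);
    }

    /** A PKCS11 keystore has no backing file: load(null, pin) performs C_Login on the token. */
    static KeyStore openKeyStore(Provider provider, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, pin);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: Pkcs11Check <pkcs11.cfg> <pin>");
            System.exit(2);
        }
        Provider provider = configuredProvider(args[0]);
        // With "name = SoftHSM 2" in the config the provider name is "SunPKCS11-SoftHSM 2".
        System.out.println("provider: " + provider.getName());
        // This is the service a key-store of type=PKCS11 has to find in the provider.
        System.out.println("KeyStore.PKCS11 service present: "
                + (provider.getService("KeyStore", "PKCS11") != null));

        char[] pin = args[1].toCharArray();
        try {
            KeyStore ks = openKeyStore(provider, pin);
            // An empty token, as in the post, simply reports 0 entries here.
            System.out.println("entries: " + ks.size());
            for (String alias : Collections.list(ks.aliases())) {
                StringBuilder line = new StringBuilder(alias)
                        .append(": key=").append(ks.isKeyEntry(alias))
                        .append(" cert=").append(ks.getCertificate(alias) != null);
                if (ks.isKeyEntry(alias)) {
                    // For a CKA_SENSITIVE, CKA_EXTRACTABLE=false private key (the
                    // attributes in the post's config) the JDK returns a handle only:
                    // getEncoded() is null, so the key material never left the token.
                    Key k = ks.getKey(alias, pin);
                    line.append(" encoded=")
                        .append(k.getEncoded() == null ? "null (stays in token)" : "EXPORTABLE");
                }
                System.out.println(line);
            }
        } finally {
            Arrays.fill(pin, '\0');
        }
    }
}
```

Run it with the same JDK that starts WildFly, since the provider and its API differ between Java 8 and Java 11. Seeing "KeyStore.PKCS11 service present: true" and a successful login confirms that the config file, the slot and the PIN are right; an "EXPORTABLE" line for a private key means the token's attribute template did not take effect and should be treated as a finding.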

Bastian Fredriksson

Jan 8, 2021, 1:40:07 PM
to dvilkola, WildFly
Hi,

Thanks for investigating. I saw that you made a pull request too! Awesome!

Do you think your fix will be available for WildFly 22?

--
Bastian Fredriksson