Use an HSM with WildFly, Elytron cannot create CSR


Bastian Fredriksson

Sep 24, 2021, 7:02:14 AM
to WildFly
Hi everyone,

This is a follow-up on the thread "Configure a PKCS11 keystore in WildFly 21" [1].

I'm trying to put the TLS certificate and the corresponding private key in an HSM (in this case SoftHSM 2) using the Sun P11 provider. It looks like the issue where the provider-loader for Sun P11 could not be added has been fixed, but I'm stuck trying to create the CSR using JBoss CLI.

Here is what I have done so far:

1. Create a pkcs11.cfg file as follows:
name = HSM
library = /usr/lib/softhsm/libsofthsm2.so
slot = {{ SLOT_NUMBER }}
attributes(*, CKO_PUBLIC_KEY, *) = {
  CKA_TOKEN = false
  CKA_ENCRYPT = false
  CKA_VERIFY = true
  CKA_WRAP = false
}
attributes(*, CKO_PRIVATE_KEY, *) = {
  CKA_TOKEN = true
  CKA_PRIVATE = true
  CKA_SENSITIVE = true
  CKA_EXTRACTABLE = false
  CKA_DECRYPT = false
  CKA_SIGN = true
  CKA_UNWRAP = false
  CKA_DERIVE = false
}
 
2. Make the file readable by WildFly
chown wildfly:wildfly /opt/wildfly/standalone/configuration/pkcs11.cfg
 
3. Add the PIN to my credential store
/subsystem=elytron/credential-store=defaultCS:add-alias(alias=hsm,secret-value=foo123)
{
    "outcome" => "success",
    "result" => undefined
}
 
4. Create a provider-loader:
/subsystem=elytron/provider-loader=pkcs11:add(class-names=[sun.security.pkcs11.SunPKCS11],path=pkcs11.cfg,relative-to=jboss.server.config.dir,module=sun.jdk) 
{"outcome" => "success"}
 
5. Create a keystore. This didn't work with WildFly 21, but in WildFly 24 it works fine.
/subsystem=elytron/key-store=httpsKSInHSM:add(credential-reference={store=defaultCS, alias=hsm},type=PKCS11,providers=pkcs11) 
 {"outcome" => "success"}
 
6. Create a keypair in the HSM.
/subsystem=elytron/key-store=httpsKSInHSM:generate-key-pair(alias=tlsKey0001, distinguished-name="CN=nautilus", algorithm=RSA, key-size=2048)
{"outcome" => "success"}
 
7. Create a CSR. This is where the error happens.
/subsystem=elytron/key-store=httpsKSInHSM:generate-certificate-signing-request(alias=tlsKey0001, path=keystore/csr.pem, relative-to=jboss.server.config.dir, signature-algorithm=SHA256withRSA)
{
    "outcome" => "failed",
    "failure-description" => "ELY10014: Failed to sign certification request info",
    "rolled-back" => true
}
 
Is there a way to get the stack trace to get a better idea of what happened?

[1] https://groups.google.com/g/wildfly/c/mcb_RcJ2AuM/m/YQh3dSTSBgAJ?utm_medium=email&utm_source=footer
--
Bastian Fredriksson
+46 733 907 485

dvilkola

Sep 29, 2021, 5:37:57 AM
to WildFly
To get a better idea of what is wrong, you can enable logging by using /subsystem=logging/logger=org.wildfly.security:add(level=ALL) and run the server with the -Djavax.net.debug=all option.

Bastian Fredriksson

Sep 29, 2021, 8:30:44 AM
to dvilkola, WildFly
Unfortunately it doesn't yield much.

I added -Djavax.net.debug, -Djava.security.debug=sunpkcs11 and -Djava.security.debug=pkcs11keystore to standalone.conf for good measure, restarted WildFly and configured logging with JBoss CLI:

/subsystem=logging/logger=sun.security:add(level=TRACE)
/subsystem=logging/logger=org.wildfly.security:add(level=TRACE)

The output in the log is:

2021-09-29 14:02:51,660 TRACE [org.wildfly.security] (management-handler-thread - 1) KeyStoreCredentialStore: contains exact type
2021-09-29 14:02:51,867 TRACE [org.wildfly.security] (management-handler-thread - 1) CredentialStoreCredentialSource: obtaining credential: type = hsm  algorithm = class org.wildfly.security.credential.PasswordCredential  exists = true
2021-09-29 14:02:51,867 TRACE [org.wildfly.security] (management-handler-thread - 1) KeyStoreCredentialStore: contains exact type
2021-09-29 14:02:51,988 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("generate-certificate-signing-request") failed - address: ([
    ("subsystem" => "elytron"),
    ("key-store" => "httpsKSInHSM")
]) - failure description: "ELY10014: Failed to sign certification request info"

It feels like the exception message is swallowed? 😟

--

Martin Choma

Oct 20, 2021, 12:29:25 PM
to WildFly
If the exception is swallowed, can you create an issue in https://issues.redhat.com/projects/WFCORE to find the place where it is happening?

Not sure if you are aware, but note that when there is an issue in the Elytron subsystem with adding a CSR into a PKCS11 keystore, you do not need to wait for a fix: you can still continue with adding the same using the Java keytool. All you need is to configure Java to use the SunPKCS11 provider. [1]

Regards,
Martin
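The following is an added example, not code from this thread, from WildFly or from the JDK. It covers two things raised above: it parses a SunPKCS11 config of the shape shown in step 1 of the first message and checks that the private-key attribute block keeps the key in the token, sensitive, non-extractable and sign-only (the policy constants are an assumption, matching what the posted pkcs11.cfg does), and it builds the keytool -certreq invocation that Martin's workaround refers to, reading the PIN from an assumed HSM_PIN environment variable via keytool's -storepass:env form so the PIN never lands on the command line. The sample config embedded at the bottom is constructed from the one on the page (with slot 0 in place of the placeholder) plus a deliberately weakened copy; the HSM_PIN variable name, the output path and the alias are assumptions.

```python
"""Added example (not from the thread): lint a SunPKCS11 config's private-key
attribute policy, then request the CSR with keytool instead of the Elytron CLI."""
import os
import re
import subprocess
from typing import Dict, List, Tuple

# Assumed policy for a TLS signing key held in an HSM: it must live in the token,
# must never leave it in the clear, and may only be used to sign.
REQUIRED_PRIVATE_KEY_ATTRS = {
    "CKA_TOKEN": "true",
    "CKA_SENSITIVE": "true",
    "CKA_EXTRACTABLE": "false",
    "CKA_SIGN": "true",
}

# attributes(operation, keyClass, keyType) = {
_HEADER = re.compile(r"^attributes\(\s*([^,]+)\s*,\s*([^,]+)\s*,\s*([^)]+)\)\s*=\s*\{\s*$")


def parse_pkcs11_cfg(text: str) -> Dict[str, object]:
    """Parse the subset of the SunPKCS11 config format used on this page:
    top-level 'key = value' lines and attributes(...) = { CKA_X = v ... } blocks."""
    settings: Dict[str, str] = {}
    attributes: Dict[Tuple[str, str, str], Dict[str, str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # SunPKCS11 treats '#' as a comment
        if not line:
            continue
        if current is None:
            m = _HEADER.match(line)
            if m:
                current = tuple(g.strip() for g in m.groups())
                attributes[current] = {}
                continue
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: expected 'key = value'")
            settings[key.strip()] = value.strip()
        elif line == "}":
            current = None
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: expected 'CKA_... = value' in block")
            attributes[current][key.strip()] = value.strip()
    if current is not None:
        raise ValueError("unterminated attributes block")
    return {"settings": settings, "attributes": attributes}


def private_key_policy_violations(cfg: Dict[str, object]) -> List[str]:
    """List deviations from REQUIRED_PRIVATE_KEY_ATTRS in every block that
    applies to CKO_PRIVATE_KEY objects; an empty list means the policy holds."""
    blocks = [(sel, attrs) for sel, attrs in cfg["attributes"].items()
              if sel[1] == "CKO_PRIVATE_KEY"]
    if not blocks:
        return ["no attributes(..., CKO_PRIVATE_KEY, ...) block: provider defaults apply"]
    violations = []
    for sel, attrs in blocks:
        for attr, want in REQUIRED_PRIVATE_KEY_ATTRS.items():
            got = attrs.get(attr)
            if got is None:
                violations.append(f"{sel}: {attr} not set (provider default applies)")
            elif got.lower() != want:
                violations.append(f"{sel}: {attr} = {got}, expected {want}")
    return violations


def keytool_certreq_argv(cfg_path: str, alias: str, out_pem: str,
                         sigalg: str = "SHA256withRSA") -> List[str]:
    """keytool arguments for a CSR signed by a key in a SunPKCS11 keystore.
    The PIN is taken from the HSM_PIN environment variable (assumed name)."""
    return ["keytool", "-certreq", "-alias", alias, "-sigalg", sigalg,
            "-file", out_pem, "-keystore", "NONE", "-storetype", "PKCS11",
            "-providerClass", "sun.security.pkcs11.SunPKCS11",
            "-providerArg", cfg_path, "-storepass:env", "HSM_PIN"]


def generate_csr(cfg_path: str, alias: str, out_pem: str) -> str:
    """Refuse to use a key whose config allows extraction, else run keytool
    and return the PEM-encoded CSR it wrote."""
    with open(cfg_path, encoding="utf-8") as fh:
        problems = private_key_policy_violations(parse_pkcs11_cfg(fh.read()))
    if problems:
        raise RuntimeError("weak key attributes:\n  " + "\n  ".join(problems))
    if "HSM_PIN" not in os.environ:
        raise RuntimeError("set HSM_PIN in the environment, not on the command line")
    subprocess.run(keytool_certreq_argv(cfg_path, alias, out_pem), check=True)
    with open(out_pem, encoding="utf-8") as fh:
        return fh.read()


# Constructed sample: the page's config (slot 0 for the placeholder) and a weakened copy.
SAMPLE_CFG = """\
name = HSM
library = /usr/lib/softhsm/libsofthsm2.so
slot = 0
attributes(*, CKO_PUBLIC_KEY, *) = {
  CKA_TOKEN = false
  CKA_VERIFY = true
}
attributes(*, CKO_PRIVATE_KEY, *) = {
  CKA_TOKEN = true
  CKA_PRIVATE = true
  CKA_SENSITIVE = true
  CKA_EXTRACTABLE = false
  CKA_SIGN = true
}
"""
WEAK_CFG = SAMPLE_CFG.replace("CKA_EXTRACTABLE = false", "CKA_EXTRACTABLE = true")

if __name__ == "__main__":
    for label, text in (("page config", SAMPLE_CFG), ("weakened copy", WEAK_CFG)):
        print(label, private_key_policy_violations(parse_pkcs11_cfg(text)) or "OK")
```

Run as a script it only lints the two embedded configs; generate_csr("/opt/wildfly/standalone/configuration/pkcs11.cfg", "tlsKey0001", "csr.pem") with HSM_PIN exported is the keytool path, and because the CSR is signed through the provider, the private key never leaves the token even though the request itself is produced outside WildFly.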
