
Error "Cannot convert to PKCS11 keys" written to logs if using an HSM

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 14.0.0, 14.1.0
    • Fix Version/s: None
    • Component/s: None

      Description

      Bug description

      Errors are written to the logs when using a keystore type of PKCS11.
      The use case is a signing key, such as the SAML2 or OIDC signing key, stored in an HSM, as described here:
      https://backstage.forgerock.com/knowledge/kb/article/a56661000

      How to reproduce the issue

      Install the PKCS11 provider in the Security properties file ($JAVA_HOME/lib/security/java.security) by specifying the sun.security.pkcs11.SunPKCS11 class. For example:

      security.provider.10=sun.security.pkcs11.SunPKCS11 /opt/bar/cfg/pkcs11.cfg

      where pkcs11.cfg contains the appropriate configuration for your HSM's PKCS#11 implementation.
      Confirm this is working by listing the keystore contents with the following command:

      $ keytool -keystore NONE -storetype PKCS11 -list

      In the AM console, under Configure -> Server Defaults -> Security -> Key Store, set for example:

      • Keystore File = /opt/openam/dummy.jks (this should be a 0 byte file)
      • Keystore Type = PKCS11
      • Keystore Password File = /opt/openam/.pass (plaintext password for HSM)
      • Private Key Password File = /opt/openam/.pass (as above, but the key alias for HSM, if different)

      Click the 'save' button to generate the error in logs.

      ==> debug/Configuration <==
      amSetupServlet:08/23/2017 05:42:22:720 PM BST: Thread[smIdmThreadPool,5,main]: TransactionId[2408a4ab-3872-4459-9fe7-894624697f36-261]
      ERROR: ServerConfigXMLObserver.notifyChanges
      com.sun.identity.common.configuration.ConfigurationException: Cannot convert to PKCS11 keys
      at com.sun.identity.setup.BootstrapCreator.update(BootstrapCreator.java:141)
      at com.sun.identity.setup.BootstrapCreator.updateBootstrap(BootstrapCreator.java:91)
      at com.sun.identity.common.configuration.ServerConfigXMLObserver.update(ServerConfigXMLObserver.java:108)
      at com.sun.identity.common.configuration.ServerConfigXMLObserver.notifyChanges(ServerConfigXMLObserver.java:80)
      at com.sun.identity.common.configuration.ConfigurationObserver.notifies(ConfigurationObserver.java:187)
      at com.sun.identity.common.configuration.ConfigurationObserver.globalConfigChanged(ConfigurationObserver.java:149)
      at com.sun.identity.sm.ServiceConfigManagerImpl.notifyGlobalConfigChange(ServiceConfigManagerImpl.java:484)
      at com.sun.identity.sm.ServiceConfigManagerImpl.objectChanged(ServiceConfigManagerImpl.java:456)
      at com.sun.identity.sm.SMSNotificationManager.sendNotifications(SMSNotificationManager.java:294)
      at com.sun.identity.sm.SMSNotificationManager$LocalChangeNotifcationTask.run(SMSNotificationManager.java:370)
      at org.forgerock.openam.audit.context.AuditRequestContextPropagatingRunnable.run(AuditRequestContextPropagatingRunnable.java:34)
      at com.iplanet.am.util.ThreadPool$WorkerThread.run(ThreadPool.java:314)

      Code analysis

      It appears that AMKeyProvider.java wants to write secrets to the keystore for the bootstrap process, which is not ideal if you want your keystore to be read-only.
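The following standalone Java program is an added check, not part of this issue or of the OpenAM code base. It does what the keytool -list step above does and then exercises the HSM key through the PKCS11 provider purely read-only, which is the behaviour the bootstrap code is reported to lack. It assumes the SunPKCS11 provider is registered in java.security as shown above, the PIN file is /opt/openam/.pass as in the report, and the signing-key alias (placeholder "test") is passed as the first argument.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Collections;

/** Read-only check of an HSM-backed signing key via the SunPKCS11 provider. */
public class Pkcs11KeyCheck {

    public static void main(String[] args) throws Exception {
        // Assumed alias of the SAML2/OIDC signing key on the token (placeholder).
        String alias = args.length > 0 ? args[0] : "test";
        // Same plaintext PIN file the report points AM at.
        char[] pin = new String(Files.readAllBytes(Paths.get("/opt/openam/.pass")),
                StandardCharsets.UTF_8).trim().toCharArray();

        // Type PKCS11 with a null stream: the keys live on the token, so there is no
        // keystore file to open. This is why AM can be given a 0-byte dummy.jks.
        KeyStore ks = KeyStore.getInstance("PKCS11");
        ks.load(null, pin);
        System.out.println("Token aliases: " + Collections.list(ks.aliases()));

        Key key = ks.getKey(alias, pin);
        Certificate cert = ks.getCertificate(alias);
        if (!(key instanceof PrivateKey) || cert == null) {
            throw new IllegalStateException("No private key + certificate under alias " + alias);
        }
        // A non-extractable HSM key returns null here; AM should never need the raw bytes.
        System.out.println("Key material extractable from token: " + (key.getEncoded() != null));

        // Prove the key is usable for signing without it leaving the HSM: the Signature
        // object comes from the PKCS11 provider, so the operation runs on the token.
        String alg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256with" + key.getAlgorithm();
        Signature signer = Signature.getInstance(alg, ks.getProvider());
        signer.initSign((PrivateKey) key);
        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);
        signer.update(msg);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance(alg); // default provider, public key only
        verifier.initVerify(cert.getPublicKey());
        verifier.update(msg);
        System.out.println("Signature verifies: " + verifier.verify(sig));
        // Nothing above calls ks.setKeyEntry() or ks.store(): the token is treated as
        // read-only, unlike the write the report says AMKeyProvider attempts at bootstrap.
    }
}
```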

              People

              Assignee: Unassigned
              Reporter: Andrew Dunn (andrew.dunn)