OpenIDM / OPENIDM-13292

IDM tries to initialize the SSL cert for the internal DJ even if it is not configured as the repo; incompatible with HSM

    Details

      Description

      Reproduction:

      • Configure an IDM instance with a local keystore
      • Remove repo.opendj.json from conf
      • Remove openidm-repo-opendj-5.5.1.2.jar from bundle
      • Configure JDBC as the repo
      • Use a local, empty JCEKS keystore
      • OpenDJ is not listed in the scr list output

      NOTE: Notice that the default server-cert is created in the keystore during startup:
      Alias name: server-cert
      Creation date: May 27, 2019
      Entry type: PrivateKeyEntry
      Certificate chain length: 1
      Certificate[1]:
      Owner: CN=server-cert, O=OpenDJ Self-Signed Certificate, OU=None, L=None, ST=None, C=None
      Issuer: CN=server-cert, O=OpenDJ Self-Signed Certificate, OU=None, L=None, ST=None, C=None
      Serial number: 16af9b06fa7
      Valid from: Sat Apr 27 10:27:30 EDT 2019 until: Sun May 27 10:27:30 EDT 2029
      Certificate fingerprints:
      MD5: D0:11:77:49:3B:06:EC:4F:05:33:2E:44:94:2D:84:E1
      SHA1: E0:58:1B:4E:62:6F:7B:21:D4:A3:5E:50:B6:80:7C:65:A4:F1:63:7F
      SHA256: DA:34:F5:6C:97:E8:C4:B4:2C:94:AA:9D:16:33:6F:15:33:28:3E:7E:4E:62:77:B2:FF:24:31:08:92:D2:B6:2F
      Signature algorithm name: SHA512withRSA
      Version: 3

      NOTE: This confirms that IDM is trying to initialize SSL for the internal DJ, even though it is not configured as the repo.

      NOTE: The issue is that the HSM does not allow this configuration, hence the exceptions.
      Console log with exception:

      [17] May 27, 2019 9:06:42 AM org.forgerock.openidm.keystore.impl.DefaultKeyStoreInitializer initializeTrustStore
      SEVERE: Unable to create certificate
      java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCONSISTENT
      ...
      [2019-05-27 09:07:13 24929@HOSTNAME.com pool-81-thread-1 org.forgerock.openidm.info.impl.HealthService run SEVERE] OpenIDM failure during startup, ACTIVE_NOT_READY: Not all modules started [] [org.forgerock.openidm.repo-opendj] []
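The check below is an added example and is not OpenIDM code or anything from this ticket: it parses `keytool -list -v` output and reports an OpenDJ-generated private key (recognisable by the `O=OpenDJ Self-Signed Certificate` issuer shown above) whenever neither `repo.opendj.json` in conf nor an `openidm-repo-opendj-*.jar` bundle is present. The function and class names are my own, the second keystore entry and the directory listings in `main` are constructed, and the first entry is the listing from the report.

```python
# Added example (not OpenIDM code): parse `keytool -list -v` output and flag the
# OpenDJ self-signed "server-cert" when no OpenDJ repo is configured.
# KeystoreEntry, parse_keytool_list, opendj_repo_configured and
# unexpected_opendj_certs are names chosen here, not IDM APIs.
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field
from typing import Iterable

# Organisation in the subject/issuer of the certificate OpenDJ generates
# (copied from the keytool output in the report above).
OPENDJ_SELF_SIGNED_ORG = "O=OpenDJ Self-Signed Certificate"

# Constructed sample: first entry is the one from the report, second is invented.
SAMPLE_KEYTOOL_OUTPUT = """
Alias name: server-cert
Creation date: May 27, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=server-cert, O=OpenDJ Self-Signed Certificate, OU=None, L=None, ST=None, C=None
Issuer: CN=server-cert, O=OpenDJ Self-Signed Certificate, OU=None, L=None, ST=None, C=None
Serial number: 16af9b06fa7
Valid from: Sat Apr 27 10:27:30 EDT 2019 until: Sun May 27 10:27:30 EDT 2029
Certificate fingerprints:
MD5: D0:11:77:49:3B:06:EC:4F:05:33:2E:44:94:2D:84:E1
SHA1: E0:58:1B:4E:62:6F:7B:21:D4:A3:5E:50:B6:80:7C:65:A4:F1:63:7F
SHA256: DA:34:F5:6C:97:E8:C4:B4:2C:94:AA:9D:16:33:6F:15:33:28:3E:7E:4E:62:77:B2:FF:24:31:08:92:D2:B6:2F
Signature algorithm name: SHA512withRSA
Version: 3

Alias name: example-tls
Creation date: May 27, 2019
Entry type: trustedCertEntry
Owner: CN=example-tls, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
"""


@dataclass
class KeystoreEntry:
    alias: str
    entry_type: str = ""
    owner: str = ""   # subject of the first certificate in the chain
    issuer: str = ""  # issuer of the first certificate in the chain
    fingerprints: dict = field(default_factory=dict)


def parse_keytool_list(text: str) -> list[KeystoreEntry]:
    """Turn a verbose keytool listing into one KeystoreEntry per alias."""
    entries: list[KeystoreEntry] = []
    current: KeystoreEntry | None = None
    for raw in text.splitlines():
        # Split on the first colon only: fingerprints contain colons themselves.
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Alias name":
            current = KeystoreEntry(alias=value)
            entries.append(current)
        elif current is None:
            continue
        elif key == "Entry type":
            current.entry_type = value
        elif key == "Owner" and not current.owner:
            current.owner = value
        elif key == "Issuer" and not current.issuer:
            current.issuer = value
        elif key in ("MD5", "SHA1", "SHA256"):
            current.fingerprints[key] = value
    return entries


def opendj_repo_configured(conf_files: Iterable[str], bundle_files: Iterable[str]) -> bool:
    """True if the OpenDJ repo config or bundle is present.

    Callers pass plain directory listings (e.g. os.listdir of conf/ and bundle/).
    """
    has_conf = "repo.opendj.json" in set(conf_files)
    has_bundle = any(fnmatch.fnmatch(name, "openidm-repo-opendj-*.jar") for name in bundle_files)
    return has_conf or has_bundle


def unexpected_opendj_certs(entries: list[KeystoreEntry], repo_configured: bool) -> list[str]:
    """Aliases of OpenDJ-generated private keys that should not exist when the
    OpenDJ repo is not configured (the symptom the report describes)."""
    if repo_configured:
        return []
    return [
        e.alias
        for e in entries
        if e.entry_type == "PrivateKeyEntry" and OPENDJ_SELF_SIGNED_ORG in e.issuer
    ]


if __name__ == "__main__":
    entries = parse_keytool_list(SAMPLE_KEYTOOL_OUTPUT)
    # Constructed listings for a JDBC-only install, as in the reproduction steps.
    configured = opendj_repo_configured(
        conf_files=["repo.jdbc.json"], bundle_files=["openidm-repo-jdbc-5.5.1.2.jar"]
    )
    for alias in unexpected_opendj_certs(entries, configured):
        print(f"unexpected OpenDJ self-signed key in keystore: {alias}")
```

On a real install, feed it `keytool -list -v -keystore security/keystore.jceks -storetype JCEKS` output and `os.listdir` of the conf and bundle directories; on an HSM-backed keystore the same key generation is what fails with CKR_TEMPLATE_INCONSISTENT, so the software-keystore run is the cheap way to see whether the bundle is still being activated.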


            People

            • Assignee: Matthias Grabiak (matthias.grabiak)
            • Reporter: Jeremy Barras (jeremy.barras) (Inactive)
            • Votes: 0
            • Watchers: 6
