[OPENIDM-13292] IDM trying to initialize SSL Cert for the internal DJ even if it's not configured as the repo, Incompatible with HSM Created: 27/May/19  Updated: 25/Mar/20  Resolved: 25/Mar/20

Status: Closed
Project: OpenIDM
Component/s: Module - Cryptography
Affects Version/s: OpenIDM 6.0.0, OpenIDM 5.5.1.2, 6.0.0.4
Fix Version/s: OpenIDM 5.5.1.3, 6.0.0.6

Type: Bug
Priority: Major
Reporter: Jeremy Barras [X] (Inactive)
Assignee: Matthias Grabiak
Resolution: Fixed
Votes: 0
Labels: Sustaining
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Verified Version/s:
Support Ticket IDs:
Zendesk ID: 39890

Description

Reproduction:

  • Configure an IDM instance with local keystore
  • Remove repo.opendj.json under conf
  • Remove openidm-repo-opendj-5.5.1.2.jar under bundle
  • Configure JDBC as repo
  • Local empty JCEKS keystore
  • OpenDJ is not listed by scr list

NOTE: Notice the default server-cert gets created in the keystore during the startup:
Alias name: server-cert
Creation date: May 27, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=server-cert, O=OpenDJ Self-Signed Certificate, OU=None, L=None, ST=None, C=None
Issuer: CN=server-cert, O=OpenDJ Self-Signed Certificate, OU=None, L=None, ST=None, C=None
Serial number: 16af9b06fa7
Valid from: Sat Apr 27 10:27:30 EDT 2019 until: Sun May 27 10:27:30 EDT 2029
Certificate fingerprints:
MD5: D0:11:77:49:3B:06:EC:4F:05:33:2E:44:94:2D:84:E1
SHA1: E0:58:1B:4E:62:6F:7B:21:D4:A3:5E:50:B6:80:7C:65:A4:F1:63:7F
SHA256: DA:34:F5:6C:97:E8:C4:B4:2C:94:AA:9D:16:33:6F:15:33:28:3E:7E:4E:62:77:B2:FF:24:31:08:92:D2:B6:2F
Signature algorithm name: SHA512withRSA
Version: 3

NOTE: This confirms that IDM is trying to initialize the SSL for the Internal DJ, even though it's not configured as the repo.

NOTE: The issue is HSM does not allow for this configuration, hence the exceptions.
Console log with exception:

[17] May 27, 2019 9:06:42 AM org.forgerock.openidm.keystore.impl.DefaultKeyStoreInitializer initializeTrustStore
SEVERE: Unable to create certificate
java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCONSISTENT
...
[2019-05-27 09:07:13 24929@HOSTNAME.com pool-81-thread-1 org.forgerock.openidm.info.impl.HealthService run SEVERE] OpenIDM failure during startup, ACTIVE_NOT_READY: Not all modules started [] [org.forgerock.openidm.repo-opendj] []



Comments
Comment by Brendan Miller [ 28/May/19 ]

We have not tested removing "unused" bundles. The DJ repo bundle should "be quiet" even if it is not configured.

The real problem seems to be that IDM is attempting to create the certs as part of the secrets configuration.

Comment by Jason Lemay [ 28/May/19 ]

This line suggests you are trying to have IDM create the certificate in the HSM.

[17] May 27, 2019 9:06:42 AM org.forgerock.openidm.keystore.impl.DefaultKeyStoreInitializer initializeTrustStore
SEVERE: Unable to create certificate
java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCONSISTENT

This is not supported. For HSM you have to create the certificate yourself in the HSM since IDM can not create it.

We don't have the option to disable certain certificates for unused services. You will still have to create the certificate even though it is unused. This should not be a problem with IDM master since the secrets API allows you to disable key/certificate generation. At the very least this is not a bug and should be an RFE if you want unused certificates to not be required.

Also I feel like the customer configuration is incorrect since DefaultKeyStoreInitializer will not try to create the certificates if the keystore type is PKCS11.

    public KeyStore initializeTrustStore(KeyStore keyStore, KeyStoreDetails keyStoreDetails, KeyStoreDetails trustStoreDetails) throws GeneralSecurityException {
        KeyStore trustStore = this.loadKeyStore(trustStoreDetails);
        if ("PKCS11".equals(trustStoreDetails.getType())) {
            logger.debug("Can't generate default keys when using PKCS11");
            return keyStore;
        }
        // ... remainder of the method omitted in the original comment
    }

I would check the customers truststore type value.
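The following audit utility is an added example for this ticket, not IDM code and not something quoted by any of the commenters. It loads the file-backed keystore or truststore from the reproduction steps above and reports whether the default `server-cert` entry shown in the keytool output is present and self-signed with the OpenDJ issuer, and it reuses the PKCS11 condition from the quoted `initializeTrustStore` guard to say up front whether IDM would attempt generation for that store type at all. It relies only on the standard JDK `KeyStore` API; the class name, command-line arguments and exit codes are my own choices.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added audit utility (not part of IDM): checks whether a file-backed
 * keystore or truststore already contains the default "server-cert"
 * entry that DefaultKeyStoreInitializer generates at startup, and
 * mirrors the PKCS11 guard quoted in the ticket so an operator can tell
 * in advance whether generation would even be attempted.
 */
public final class DefaultCertAudit {

    /** Alias and issuer organisation exactly as shown in the ticket's keytool output. */
    static final String DEFAULT_ALIAS = "server-cert";
    static final String OPENDJ_SELF_SIGNED_ORG = "O=OpenDJ Self-Signed Certificate";

    /** Same decision as the quoted initializeTrustStore guard: no default keys for PKCS11. */
    static boolean wouldGenerateDefaults(String storeType) {
        return !"PKCS11".equalsIgnoreCase(storeType);
    }

    /** Loads a file-backed store (JCEKS, JKS, PKCS12) from disk. */
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Describes the default entry if present; returns an empty list when the alias is absent. */
    static List<String> audit(KeyStore ks) throws Exception {
        if (!ks.containsAlias(DEFAULT_ALIAS)) {
            return Collections.emptyList();
        }
        List<String> findings = new ArrayList<>();
        // PrivateKeyEntry in the keystore vs. trusted-certificate entry in the truststore
        findings.add("alias '" + DEFAULT_ALIAS + "' present, key entry: " + ks.isKeyEntry(DEFAULT_ALIAS));
        Certificate cert = ks.getCertificate(DEFAULT_ALIAS);
        if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            // RFC 2253 form, e.g. CN=server-cert,O=OpenDJ Self-Signed Certificate,OU=None,...
            String subject = x.getSubjectX500Principal().getName();
            String issuer = x.getIssuerX500Principal().getName();
            boolean selfSigned = subject.equals(issuer);
            if (selfSigned) {
                try {
                    x.verify(x.getPublicKey()); // signature really was made with its own key
                } catch (Exception e) {
                    selfSigned = false;
                }
            }
            findings.add("subject: " + subject);
            findings.add("self-signed: " + selfSigned);
            findings.add("matches OpenDJ default issuer: " + issuer.contains(OPENDJ_SELF_SIGNED_ORG));
            findings.add("valid until: " + x.getNotAfter());
        }
        return findings;
    }

    /** Usage: java DefaultCertAudit <store-path> <store-type> <password> */
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: DefaultCertAudit <store-path> <store-type> <password>");
            System.exit(2);
        }
        String type = args[1];
        if (!wouldGenerateDefaults(type)) {
            System.out.println(type + " store: IDM skips default key generation; nothing to audit here.");
            return;
        }
        List<String> findings = audit(load(args[0], type, args[2].toCharArray()));
        if (findings.isEmpty()) {
            System.out.println("no '" + DEFAULT_ALIAS + "' entry found");
            return;
        }
        findings.forEach(System.out::println);
        // Non-zero exit lets a deployment check flag the unexpected auto-generated entry
        System.exit(1);
    }
}
```

Run it against both `security/keystore.jceks` and `security/truststore` after a startup to see which of the two stores received the generated entry; a non-zero exit is the signal that the initializer populated a store you expected to stay empty.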

Comment by Matthias Grabiak [ 28/May/19 ]

We should check the keystore type in this case also.

However, the main problem here is that IDM is trying to start the DJ repo service, which it should not do for jdbc repo. The solution may be to take out the reference to "**/openidm-repo-opendj.jar" in bin/launcher.json in the bundles includes. This may be something to suggest in the installation guide when switching to jdbc repo.

Comment by Brendan Miller [ 04/Jun/19 ]

Please confirm that you have removed your repo.ds.json and the DS bundle will activate (as Jason said) but quit early and not be an issue.

Comment by Matthias Grabiak [ 05/Jun/19 ]

This is an issue only for IDM versions 6.0.x and below. As of IDM-6.5.0 this can be addressed by setting populateDefaults to false in conf/secrets.json.

Comment by Matthias Grabiak [ 21/Jun/19 ]

Please note that the fix only suppresses the generation of a certificate for HSM keystores.

Comment by Matthias Grabiak [ 21/Jun/19 ]

Fix can only be tested with an HSM keystore and applies only to that case. It just needs to be tested whether the server-cert certificate in the truststore and the server-cert key in the keystore are created on startup if missing for non-HSM.

Comment by Matthias Grabiak [ 26/Jun/19 ]

Reopening for 5.5.1.3

Comment by Matthias Grabiak [ 27/Jun/19 ]

Fixed for 5.5.1.3

Comment by Michal Orlik [ 25/Mar/20 ]

6.0.0.6-360675
5.5.1.3-87e96a
