Describe the Bug
I have created an install of EJBCA CE on Ubuntu 22.04 LTS. After getting the server built and running, I have attempted a lot of different ways to get it to talk to my YubiHSM2 module, but no matter what I do I get an index of -1 in the traces. YubiHSM2 only supports 0 for an index. The HSM test utility does work and reads the keys I have created on the HSM module. I have been able to get the build successfully completed by disabling the P11 modules and deploying/installing without them.
Install Information
Ubuntu 22.04 LTS
EJBCA 8.3.2
Wildfly 26.1.3 FINAL
OpenJDK 11 (Ubuntu APT Repository Version)
Apache Ant 1.10.15
YubiHSM SDK 2024.09
PostgreSQL 16
2024-11-13 04:18:29,958 INFO [stdout] (default task-1) library = /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
2024-11-13 04:18:29,958 INFO [stdout] (default task-1) slot = -1
2024-11-13 04:18:29,958 INFO [stdout] (default task-1) attributes(*, CKO_PUBLIC_KEY, ) = {
2024-11-13 04:18:29,958 INFO [stdout] (default task-1) CKA_TOKEN = false
2024-11-13 04:18:29,958 INFO [stdout] (default task-1) CKA_ENCRYPT = true
2024-11-13 04:18:29,959 INFO [stdout] (default task-1) CKA_VERIFY = true
2024-11-13 04:18:29,959 INFO [stdout] (default task-1) CKA_WRAP = true
2024-11-13 04:18:29,959 INFO [stdout] (default task-1) }
2024-11-13 04:18:29,959 INFO [stdout] (default task-1) attributes(, CKO_PRIVATE_KEY, ) = {
2024-11-13 04:18:29,959 INFO [stdout] (default task-1) CKA_DERIVE = false
2024-11-13 04:18:29,959 INFO [stdout] (default task-1) CKA_TOKEN = true
2024-11-13 04:18:29,959 INFO [stdout] (default task-1) CKA_PRIVATE = true
2024-11-13 04:18:29,959 INFO [stdout] (default task-1) CKA_SENSITIVE = true
2024-11-13 04:18:29,960 INFO [stdout] (default task-1) CKA_EXTRACTABLE = false
2024-11-13 04:18:29,960 INFO [stdout] (default task-1) CKA_DECRYPT = true
2024-11-13 04:18:29,960 INFO [stdout] (default task-1) CKA_SIGN = true
2024-11-13 04:18:29,960 INFO [stdout] (default task-1) CKA_UNWRAP = true
2024-11-13 04:18:29,960 INFO [stdout] (default task-1) }
2024-11-13 04:18:29,960 INFO [stdout] (default task-1) disabledMechanisms = {
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_SHA1_RSA_PKCS
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_SHA256_RSA_PKCS
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_SHA384_RSA_PKCS
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_SHA512_RSA_PKCS
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_MD2_RSA_PKCS
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_MD5_RSA_PKCS
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_DSA_SHA1
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_ECDSA_SHA1
2024-11-13 04:18:29,961 INFO [stdout] (default task-1) CKM_ECDSA_SHA224
2024-11-13 04:18:29,962 INFO [stdout] (default task-1) CKM_ECDSA_SHA256
2024-11-13 04:18:29,962 INFO [stdout] (default task-1) CKM_ECDSA_SHA384
2024-11-13 04:18:29,962 INFO [stdout] (default task-1) CKM_ECDSA_SHA512
2024-11-13 04:18:29,962 INFO [stdout] (default task-1) }
2024-11-13 04:18:29,962 INFO [stdout] (default task-1) attributes(, CKO_SECRET_KEY, *) = {
2024-11-13 04:18:29,962 INFO [stdout] (default task-1) CKA_SENSITIVE = true
2024-11-13 04:18:29,962 INFO [stdout] (default task-1) CKA_EXTRACTABLE = false
2024-11-13 04:18:29,963 INFO [stdout] (default task-1) CKA_ENCRYPT = true
2024-11-13 04:18:29,963 INFO [stdout] (default task-1) CKA_DECRYPT = true
2024-11-13 04:18:29,963 INFO [stdout] (default task-1) CKA_SIGN = true
2024-11-13 04:18:29,963 INFO [stdout] (default task-1) CKA_VERIFY = true
2024-11-13 04:18:29,963 INFO [stdout] (default task-1) CKA_WRAP = true
2024-11-13 04:18:29,963 INFO [stdout] (default task-1) CKA_UNWRAP = true
2024-11-13 04:18:29,963 INFO [stdout] (default task-1) }
2024-11-13 04:18:29,964 ERROR [com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapper] (default task-1) Wrong arguments were passed to sun.security.pkcs11.wrapper.PKCS11.CK_C_INITIALIZE_ARGS.getInstance threw an exception for log.error(msg, e): java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapper.(SunP11SlotListWrapper.java:144)
at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapperFactory.getInstance(SunP11SlotListWrapperFactory.java:74)
at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapperFactory.getInstance(SunP11SlotListWrapperFactory.java:35)
at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.Pkcs11SlotLabel.getSlotListWrapper(Pkcs11SlotLabel.java:570)
at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.Pkcs11SlotLabel.getProvider(Pkcs11SlotLabel.java:120)
at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.Pkcs11SlotLabel.getP11Provider(Pkcs11SlotLabel.java:555)
at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.Pkcs11SlotLabel.getP11Provider(Pkcs11SlotLabel.java:520)
at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.P11Slot.(P11Slot.java:63)
at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.P11Slot.getInstance(P11Slot.java:252)
at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.P11Slot.getInstance(P11Slot.java:209)
at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.P11Slot.getInstance(P11Slot.java:187)
at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.delayedInit(PKCS11CryptoToken.java:132)
at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.getP11slotWithDelayedInit(PKCS11CryptoToken.java:298)
at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.activate(PKCS11CryptoToken.java:155)
at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.keys.token.CryptoTokenManagementSessionBean.createCryptoToken(CryptoTokenManagementSessionBean.java:412)
at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.keys.token.CryptoTokenManagementSessionBean.createCryptoToken(CryptoTokenManagementSessionBean.java:458)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at [email protected]//org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:52)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
at [email protected]//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.delegateInterception(Jsr299BindingsInterceptor.java:79)
at [email protected]//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.doMethodInterception(Jsr299BindingsInterceptor.java:89)
at [email protected]//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:102)
at [email protected]//org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ee.concurrent.ConcurrentContextInterceptor.processInvocation(ConcurrentContextInterceptor.java:45)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:40)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
at [email protected]//org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:52)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:56)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:254)
at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:390)
at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:160)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
at [email protected]//org.jboss.weld.module.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:81)
at [email protected]//org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:89)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.security.IdentityOutflowInterceptor.processInvocation(IdentityOutflowInterceptor.java:73)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.security.SecurityDomainInterceptor.processInvocation(SecurityDomainInterceptor.java:44)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.deployment.processors.EjbSuspendInterceptor.processInvocation(EjbSuspendInterceptor.java:57)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
at [email protected]//org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:633)
at [email protected]//org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
at [email protected]//org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
at [email protected]//org.wildfly.security.auth.server.SecurityIdentity.runAsFunctionEx(SecurityIdentity.java:421)
at [email protected]//org.jboss.as.ejb3.remote.AssociationImpl.invokeWithIdentity(AssociationImpl.java:674)
at [email protected]//org.jboss.as.ejb3.remote.AssociationImpl.invokeMethod(AssociationImpl.java:655)
at [email protected]//org.jboss.as.ejb3.remote.AssociationImpl.lambda$receiveInvocationRequest$0(AssociationImpl.java:251)
at [email protected]//org.jboss.as.ejb3.remote.AssociationImpl.execute(AssociationImpl.java:344)
at [email protected]//org.jboss.as.ejb3.remote.AssociationImpl.receiveInvocationRequest(AssociationImpl.java:297)
at [email protected]//org.jboss.ejb.protocol.remote.EJBServerChannel$ReceiverImpl.handleInvocationRequest(EJBServerChannel.java:473)
at [email protected]//org.jboss.ejb.protocol.remote.EJBServerChannel$ReceiverImpl.handleMessage(EJBServerChannel.java:208)
at [email protected]//org.jboss.remoting3.remote.RemoteConnectionChannel.lambda$handleMessageData$3(RemoteConnectionChannel.java:432)
at [email protected]//org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:991)
at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at [email protected]//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Initialize(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_Initialize(PKCS11.java:1667)
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.getInstance(PKCS11.java:166)
** Results of HSM Tests w/ Built-in Tools **
root@w1001341keyec01:/etc/ejbca-ce/dist/clientToolBox# ./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so 0
Test of keystore with ID 0.
PKCS11 Token [SunPKCS11-yubihsm_pkcs11.so-slot0] Password:
Testing of key: keyDefaultRSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 RSA private key, 2048 bitstoken object, sensitive, extractable)
RSA key:
modulus:
public exponent: 10001
javax.crypto.BadPaddingException: doFinal() failed
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:402)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineDoFinal(P11RSACipher.java:426)
at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
at org.ejbca.ui.cli.KeyStoreContainerTest$Crypto.doOperation(KeyStoreContainerTest.java:242)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.test(KeyStoreContainerTest.java:494)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.doIt(KeyStoreContainerTest.java:511)
at org.ejbca.ui.cli.KeyStoreContainerTest.startNormal(KeyStoreContainerTest.java:145)
at org.ejbca.ui.cli.KeyStoreContainerTest.test(KeyStoreContainerTest.java:84)
at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:677)
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:737)
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:72)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_REJECTED
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:379)
... 11 more
2024-11-13 07:00:14,372 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] Signature algorithm 'SHA1WithRSA' working for provider 'SunPKCS11-yubihsm_pkcs11.so-slot0 version 11'.
Signature test of key keyDefaultRSA: signature length 256; first byte 38; verifying true
Signings per second: 7
Crypto not possible with this key. See exception
Testing of key: keyTestECDSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 EC private key, 384 bitstoken object, sensitive, extractable)
Elliptic curve key:
2024-11-13 07:00:14,956 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] Signature algorithm 'SHA384withECDSA' working for provider 'SunPKCS11-yubihsm_pkcs11.so-slot0 version 11'.
Signature test of key keyTestECDSA: signature length 103; first byte 30; verifying true
Signings per second: 8
No encryption possible with this key.
Testing of key: certSignRootECDSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 EC private key, 384 bitstoken object, sensitive, extractable)
Elliptic curve key:
Named curve: P-384
the affine x-coordinate: 2978f438cba005a99610964a8315baa11b138dec848fcc0ace4e672e20f3fd0bfcce7230f4790e3a22415c19823185ff
the affine y-coordinate: 3901d6e467259229ac741815d6d4676ad961a0a6be4dbdcfc8f6523d16a972528747748d6b4f227a33f8ad2833cfa914
Signature test of key certSignRootECDSA: signature length 104; first byte 30; verifying true
Signings per second: 8
No encryption possible with this key.
Testing of key: keyTestRSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 RSA private key, 2048 bitstoken object, sensitive, extractable)
RSA key:
modulus:
public exponent: 10001
javax.crypto.BadPaddingException: doFinal() failed
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:402)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineDoFinal(P11RSACipher.java:426)
at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
at org.ejbca.ui.cli.KeyStoreContainerTest$Crypto.doOperation(KeyStoreContainerTest.java:242)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.test(KeyStoreContainerTest.java:494)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.doIt(KeyStoreContainerTest.java:511)
at org.ejbca.ui.cli.KeyStoreContainerTest.startNormal(KeyStoreContainerTest.java:145)
at org.ejbca.ui.cli.KeyStoreContainerTest.test(KeyStoreContainerTest.java:84)
at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:677)
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:737)
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:72)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_REJECTED
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:379)
... 11 more
Signature test of key keyTestRSA: signature length 256; first byte 1b; verifying true
Signings per second: 7
Crypto not possible with this key. See exception
Testing of key: keyEncryptECDSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 RSA private key, 2048 bitstoken object, sensitive, extractable)
RSA key:
modulus:
public exponent: 10001
javax.crypto.BadPaddingException: doFinal() failed
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:402)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineDoFinal(P11RSACipher.java:426)
at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
at org.ejbca.ui.cli.KeyStoreContainerTest$Crypto.doOperation(KeyStoreContainerTest.java:242)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.test(KeyStoreContainerTest.java:494)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.doIt(KeyStoreContainerTest.java:511)
at org.ejbca.ui.cli.KeyStoreContainerTest.startNormal(KeyStoreContainerTest.java:145)
at org.ejbca.ui.cli.KeyStoreContainerTest.test(KeyStoreContainerTest.java:84)
at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:677)
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:737)
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:72)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_REJECTED
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:379)
... 11 more
Signature test of key keyEncryptECDSA: signature length 256; first byte 53; verifying true
Signings per second: 7
Crypto not possible with this key. See exception
Testing of key: keyEncryptRSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 RSA private key, 2048 bitstoken object, sensitive, extractable)
RSA key:
modulus:
public exponent: 10001
javax.crypto.BadPaddingException: doFinal() failed
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:402)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineDoFinal(P11RSACipher.java:426)
at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
at org.ejbca.ui.cli.KeyStoreContainerTest$Crypto.doOperation(KeyStoreContainerTest.java:242)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.test(KeyStoreContainerTest.java:494)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.doIt(KeyStoreContainerTest.java:511)
at org.ejbca.ui.cli.KeyStoreContainerTest.startNormal(KeyStoreContainerTest.java:145)
at org.ejbca.ui.cli.KeyStoreContainerTest.test(KeyStoreContainerTest.java:84)
at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:677)
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:737)
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:72)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_REJECTED
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:379)
... 11 more
Signature test of key keyEncryptRSA: signature length 256; first byte 53; verifying true
Signings per second: 7
Crypto not possible with this key. See exception
Testing of key: certSignRootRSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 RSA private key, 4096 bitstoken object, sensitive, extractable)
RSA key:
modulus:
public exponent: 10001
javax.crypto.BadPaddingException: doFinal() failed
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:402)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineDoFinal(P11RSACipher.java:426)
at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
at org.ejbca.ui.cli.KeyStoreContainerTest$Crypto.doOperation(KeyStoreContainerTest.java:242)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.test(KeyStoreContainerTest.java:494)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.doIt(KeyStoreContainerTest.java:511)
at org.ejbca.ui.cli.KeyStoreContainerTest.startNormal(KeyStoreContainerTest.java:145)
at org.ejbca.ui.cli.KeyStoreContainerTest.test(KeyStoreContainerTest.java:84)
at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:677)
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:737)
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:72)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_REJECTED
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:379)
... 11 more
Signature test of key certSignRootRSA: signature length 512; first byte 62; verifying true
Signings per second: 1
Crypto not possible with this key. See exception
Testing of key: keyDefaultECDSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 EC private key, 384 bitstoken object, sensitive, extractable)
Elliptic curve key:
Signature test of key keyDefaultECDSA: signature length 102; first byte 30; verifying true
Signings per second: 8
No encryption possible with this key.
To Reproduce
On a fresh installation of Ubuntu 22.04 with IPv6 only enabled (no IPv4)
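To separate EJBCA's SunP11SlotListWrapper from the JDK provider itself, here is an added standalone check (not code from this issue, from EJBCA or from Yubico): it hands SunPKCS11 the same library path with an explicit slotListIndex of 0, so a CKR_ARGUMENTS_BAD from C_Initialize would surface in Provider.configure() without any EJBCA code involved, and then lists the key aliases the token exposes. Assumptions: the class and variable names are the example's own, the module locates its connector settings the way Yubico's own documentation describes (for instance via the YUBIHSM_PKCS11_CONF environment variable), and the PIN (authentication key id followed by the password, per the module's documentation) is read from a hypothetical YUBIHSM_PIN environment variable.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

/**
 * Minimal SunPKCS11 smoke test, independent of EJBCA: does the JDK 11
 * provider initialise the YubiHSM PKCS#11 module with an explicit slot index,
 * and which key aliases does it see afterwards?
 *
 * Run on the same host as the issue with:  java YubiHsmSlotCheck.java
 */
public class YubiHsmSlotCheck {

    // Library path taken from the issue's trace; slot index 0 is the only slot
    // the YubiHSM2 module exposes.
    static final String LIBRARY = "/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so";

    /**
     * Builds the same SunPKCS11 configuration keys that appear in the EJBCA
     * trace (library, slot) as an inline config string. The leading "--" tells
     * Provider.configure() that the argument is the config itself, not a path.
     */
    static String providerConfig(String library, int slotListIndex) {
        return "--name = yubihsm\n"
             + "library = " + library + "\n"
             + "slotListIndex = " + slotListIndex + "\n";
    }

    public static void main(String[] args) throws Exception {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 (jdk.crypto.cryptoki) is not available in this JDK");
        }

        // C_Initialize and the slot lookup happen inside configure(); if the
        // module rejects the init arguments, the PKCS11Exception is raised here
        // rather than somewhere inside the EJBCA wrapper.
        Provider p = base.configure(providerConfig(LIBRARY, 0));
        Security.addProvider(p);
        System.out.println("Provider initialised: " + p.getName() + " version " + p.getVersionStr());

        // Hypothetical environment variable for the PIN (assumption: the module
        // expects "<auth key id><password>", as in its documentation).
        String pinEnv = System.getenv("YUBIHSM_PIN");
        if (pinEnv == null) {
            System.out.println("YUBIHSM_PIN not set; skipping login and alias listing");
            return;
        }

        // Logging in to the token and enumerating key entries is what EJBCA's
        // crypto token activation needs to work end to end.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pinEnv.toCharArray());
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("alias=" + alias + " keyEntry=" + ks.isKeyEntry(alias));
        }
    }
}
```

If configure() already fails with CKR_ARGUMENTS_BAD here, the problem sits between the JDK provider and the module (init arguments or connector configuration) rather than in EJBCA's slot handling; if it succeeds and lists the same keys the ClientToolBox test shows, the difference is in how EJBCA initialises the provider.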
Yeah, this machine only has JDK-11 installed. I did try installing the master repo using WF 32 and JDK17 but couldn't get the ear to successfully deploy so I rolled it back a version to see if that would at least install.
Last login: Wed Nov 13 05:20:14 2024 from fc01:1001:a013::2001:13b:1
sysadmin@w1001341keyec01:~ $ sudo update-java-alternatives -l
[sudo] password for sysadmin:
java-1.11.0-openjdk-amd64 1111 /usr/lib/jvm/java-1.11.0-openjdk-amd64
sysadmin@w1001341keyec01:~$
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:40)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
at [email protected]//org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:52)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:56)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:254)
at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:390)
at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:160)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
at [email protected]//org.jboss.weld.module.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:81)
at [email protected]//org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:89)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.security.IdentityOutflowInterceptor.processInvocation(IdentityOutflowInterceptor.java:73)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.security.SecurityDomainInterceptor.processInvocation(SecurityDomainInterceptor.java:44)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.deployment.processors.EjbSuspendInterceptor.processInvocation(EjbSuspendInterceptor.java:57)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
at [email protected]//org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:633)
at [email protected]//org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at [email protected]//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
at [email protected]//org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
at [email protected]//org.wildfly.security.auth.server.SecurityIdentity.runAsFunctionEx(SecurityIdentity.java:421)
at [email protected]//org.jboss.as.ejb3.remote.AssociationImpl.invokeWithIdentity(AssociationImpl.java:674)
at [email protected]//org.jboss.as.ejb3.remote.AssociationImpl.invokeMethod(AssociationImpl.java:655)
at [email protected]//org.jboss.as.ejb3.remote.AssociationImpl.lambda$receiveInvocationRequest$0(AssociationImpl.java:251)
at [email protected]//org.jboss.as.ejb3.remote.AssociationImpl.execute(AssociationImpl.java:344)
at [email protected]//org.jboss.as.ejb3.remote.AssociationImpl.receiveInvocationRequest(AssociationImpl.java:297)
at [email protected]//org.jboss.ejb.protocol.remote.EJBServerChannel$ReceiverImpl.handleInvocationRequest(EJBServerChannel.java:473)
at [email protected]//org.jboss.ejb.protocol.remote.EJBServerChannel$ReceiverImpl.handleMessage(EJBServerChannel.java:208)
at [email protected]//org.jboss.remoting3.remote.RemoteConnectionChannel.lambda$handleMessageData$3(RemoteConnectionChannel.java:432)
at [email protected]//org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:991)
at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at [email protected]//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Initialize(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_Initialize(PKCS11.java:1667)
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.getInstance(PKCS11.java:166)
** Results of HSM Tests w/ Built in Tools **
root@w1001341keyec01:/etc/ejbca-ce/dist/clientToolBox# ./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so 0
Test of keystore with ID 0.
PKCS11 Token [SunPKCS11-yubihsm_pkcs11.so-slot0] Password:
Testing of key: keyDefaultRSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 RSA private key, 2048 bitstoken object, sensitive, extractable)
RSA key:
modulus:
public exponent: 10001
javax.crypto.BadPaddingException: doFinal() failed
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:402)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineDoFinal(P11RSACipher.java:426)
at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
at org.ejbca.ui.cli.KeyStoreContainerTest$Crypto.doOperation(KeyStoreContainerTest.java:242)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.test(KeyStoreContainerTest.java:494)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.doIt(KeyStoreContainerTest.java:511)
at org.ejbca.ui.cli.KeyStoreContainerTest.startNormal(KeyStoreContainerTest.java:145)
at org.ejbca.ui.cli.KeyStoreContainerTest.test(KeyStoreContainerTest.java:84)
at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:677)
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:737)
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:72)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_REJECTED
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:379)
... 11 more
2024-11-13 07:00:14,372 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] Signature algorithm 'SHA1WithRSA' working for provider 'SunPKCS11-yubihsm_pkcs11.so-slot0 version 11'.
Signature test of key keyDefaultRSA: signature length 256; first byte 38; verifying true
Signings per second: 7
Crypto not possible with this key. See exception
Testing of key: keyTestECDSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 EC private key, 384 bitstoken object, sensitive, extractable)
Elliptic curve key:
2024-11-13 07:00:14,956 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] Signature algorithm 'SHA384withECDSA' working for provider 'SunPKCS11-yubihsm_pkcs11.so-slot0 version 11'.
Signature test of key keyTestECDSA: signature length 103; first byte 30; verifying true
Signings per second: 8
No encryption possible with this key.
Testing of key: certSignRootECDSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 EC private key, 384 bitstoken object, sensitive, extractable)
Elliptic curve key:
Named curve: P-384
the affine x-coordinate: 2978f438cba005a99610964a8315baa11b138dec848fcc0ace4e672e20f3fd0bfcce7230f4790e3a22415c19823185ff
the affine y-coordinate: 3901d6e467259229ac741815d6d4676ad961a0a6be4dbdcfc8f6523d16a972528747748d6b4f227a33f8ad2833cfa914
Signature test of key certSignRootECDSA: signature length 104; first byte 30; verifying true
Signings per second: 8
No encryption possible with this key.
Testing of key: keyTestRSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 RSA private key, 2048 bitstoken object, sensitive, extractable)
RSA key:
modulus:
public exponent: 10001
javax.crypto.BadPaddingException: doFinal() failed
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:402)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineDoFinal(P11RSACipher.java:426)
at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
at org.ejbca.ui.cli.KeyStoreContainerTest$Crypto.doOperation(KeyStoreContainerTest.java:242)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.test(KeyStoreContainerTest.java:494)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.doIt(KeyStoreContainerTest.java:511)
at org.ejbca.ui.cli.KeyStoreContainerTest.startNormal(KeyStoreContainerTest.java:145)
at org.ejbca.ui.cli.KeyStoreContainerTest.test(KeyStoreContainerTest.java:84)
at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:677)
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:737)
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:72)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_REJECTED
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:379)
... 11 more
Signature test of key keyTestRSA: signature length 256; first byte 1b; verifying true
Signings per second: 7
Crypto not possible with this key. See exception
Testing of key: keyEncryptECDSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 RSA private key, 2048 bitstoken object, sensitive, extractable)
RSA key:
modulus:
public exponent: 10001
javax.crypto.BadPaddingException: doFinal() failed
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:402)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineDoFinal(P11RSACipher.java:426)
at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
at org.ejbca.ui.cli.KeyStoreContainerTest$Crypto.doOperation(KeyStoreContainerTest.java:242)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.test(KeyStoreContainerTest.java:494)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.doIt(KeyStoreContainerTest.java:511)
at org.ejbca.ui.cli.KeyStoreContainerTest.startNormal(KeyStoreContainerTest.java:145)
at org.ejbca.ui.cli.KeyStoreContainerTest.test(KeyStoreContainerTest.java:84)
at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:677)
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:737)
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:72)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_REJECTED
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:379)
... 11 more
Signature test of key keyEncryptECDSA: signature length 256; first byte 53; verifying true
Signings per second: 7
Crypto not possible with this key. See exception
Testing of key: keyEncryptRSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 RSA private key, 2048 bitstoken object, sensitive, extractable)
RSA key:
modulus:
public exponent: 10001
javax.crypto.BadPaddingException: doFinal() failed
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:402)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineDoFinal(P11RSACipher.java:426)
at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
at org.ejbca.ui.cli.KeyStoreContainerTest$Crypto.doOperation(KeyStoreContainerTest.java:242)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.test(KeyStoreContainerTest.java:494)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.doIt(KeyStoreContainerTest.java:511)
at org.ejbca.ui.cli.KeyStoreContainerTest.startNormal(KeyStoreContainerTest.java:145)
at org.ejbca.ui.cli.KeyStoreContainerTest.test(KeyStoreContainerTest.java:84)
at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:677)
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:737)
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:72)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_REJECTED
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:379)
... 11 more
Signature test of key keyEncryptRSA: signature length 256; first byte 53; verifying true
Signings per second: 7
Crypto not possible with this key. See exception
Testing of key: certSignRootRSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 RSA private key, 4096 bitstoken object, sensitive, extractable)
RSA key:
modulus:
public exponent: 10001
javax.crypto.BadPaddingException: doFinal() failed
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:402)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineDoFinal(P11RSACipher.java:426)
at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
at org.ejbca.ui.cli.KeyStoreContainerTest$Crypto.doOperation(KeyStoreContainerTest.java:242)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.test(KeyStoreContainerTest.java:494)
at org.ejbca.ui.cli.KeyStoreContainerTest$NormalTest.doIt(KeyStoreContainerTest.java:511)
at org.ejbca.ui.cli.KeyStoreContainerTest.startNormal(KeyStoreContainerTest.java:145)
at org.ejbca.ui.cli.KeyStoreContainerTest.test(KeyStoreContainerTest.java:84)
at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:677)
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:737)
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:72)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_REJECTED
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:379)
... 11 more
Signature test of key certSignRootRSA: signature length 512; first byte 62; verifying true
Signings per second: 1
Crypto not possible with this key. See exception
Testing of key: keyDefaultECDSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 EC private key, 384 bitstoken object, sensitive, extractable)
Elliptic curve key:
Signature test of key keyDefaultECDSA: signature length 102; first byte 30; verifying true
Signings per second: 8
No encryption possible with this key.
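As an added triage aid (not part of the original report, nor EJBCA or Yubico code), a Python parser for the PKCS11HSMKeyTool output above that separates per-key findings (C_Decrypt rejected by the HSM, signature not verified, key reported extractable) from the session-level C_Initialize failure seen in the WildFly trace. The embedded sample is a constructed excerpt in the same shape as the run above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in the shape of the PKCS11HSMKeyTool output quoted above:
# an RSA key whose C_Decrypt is rejected, and an EC key the tool never encrypts with.
SAMPLE_OUTPUT = """\
Testing of key: keyDefaultRSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 RSA private key, 2048 bits (token object, sensitive, extractable)
RSA key:
public exponent: 10001
javax.crypto.BadPaddingException: doFinal() failed
\tat jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:402)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_REJECTED
\tat jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
\t... 11 more
Signature test of key keyDefaultRSA: signature length 256; first byte 38; verifying true
Signings per second: 7
Crypto not possible with this key. See exception
Testing of key: keyTestECDSA
Private part:
SunPKCS11-yubihsm_pkcs11.so-slot0 EC private key, 384 bits (token object, sensitive, extractable)
Elliptic curve key:
Signature test of key keyTestECDSA: signature length 103; first byte 30; verifying true
Signings per second: 8
No encryption possible with this key.
"""


@dataclass
class KeyTestResult:
    name: str
    algorithm: Optional[str] = None         # "RSA" or "EC" as printed by SunPKCS11
    bits: Optional[int] = None
    extractable: Optional[bool] = None      # attribute flag as reported by the provider
    signature_verified: Optional[bool] = None
    signings_per_second: Optional[int] = None
    failed_function: Optional[str] = None   # PKCS#11 call in the first frame after "Caused by"
    ckr_code: Optional[str] = None          # e.g. CKR_FUNCTION_REJECTED
    encryption_tested: bool = True          # False when the tool prints "No encryption possible"


KEY_RE = re.compile(r"^Testing of key: (\S+)$")
PRIV_RE = re.compile(r"^\S+ (RSA|EC) private key, (\d+) bits")
SIG_RE = re.compile(r"^Signature test of key (\S+): .*verifying (true|false)$")
SPS_RE = re.compile(r"^Signings per second: (\d+)$")
CKR_RE = re.compile(r"PKCS11Exception: (CKR_[A-Z_]+)")
FUNC_RE = re.compile(r"wrapper\.PKCS11\.(C_\w+)\(")


def parse_hsm_test(text: str) -> List[KeyTestResult]:
    """One result per 'Testing of key:' block; stack traces belong to the current key."""
    results: List[KeyTestResult] = []
    current: Optional[KeyTestResult] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = KeyTestResult(name=m.group(1))
            results.append(current)
            continue
        if current is None:
            continue  # banner and password prompt before the first key
        m = PRIV_RE.match(line)
        if m:
            current.algorithm, current.bits = m.group(1), int(m.group(2))
            current.extractable = "extractable" in line and "not extractable" not in line
        elif (m := CKR_RE.search(line)):
            current.ckr_code = m.group(1)
        elif (m := FUNC_RE.search(line)) and current.ckr_code and not current.failed_function:
            current.failed_function = m.group(1)
        elif (m := SIG_RE.match(line)):
            current.signature_verified = m.group(2) == "true"
        elif (m := SPS_RE.match(line)):
            current.signings_per_second = int(m.group(1))
        elif line.startswith("No encryption possible"):
            current.encryption_tested = False
    return results


def triage(results: List[KeyTestResult]) -> dict:
    """Findings per key: a decrypt rejection while signing works points at the key object, not the session."""
    findings = {}
    for r in results:
        notes = []
        if r.signature_verified is not True:
            notes.append("signature test did not verify")
        if r.ckr_code:
            notes.append(f"{r.failed_function or 'PKCS#11 call'} returned {r.ckr_code}"
                         " although signing on the same session works")
        if r.extractable:
            notes.append("provider reports the private key as extractable")
        if notes:
            findings[r.name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in triage(parse_hsm_test(SAMPLE_OUTPUT)).items():
        print(name, "->", "; ".join(notes))
```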
To Reproduce
On a fresh installation of Ubuntu 22.04 with IPv6 only enabled (no IPv4)
Create Env Variable Script
sudo nano /etc/profile.d/02-AddEnvVariables.sh.test
File Contents
export JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64"
export ANT_HOME="/opt/apache-ant-1.10.15"
export PATH="$PATH:$ANT_HOME/bin"
export APPSRV_HOME="/opt/wildfly"
export YUBIHSM_PKCS11_CONF="/etc/yubico/yubihsm_pkcs11.conf"
export EJBCA_HOME="/etc/ejbca-ce"
Enter Root Shell
sudo -i
Install Unzip
apt install -y unzip
Download YubiHSM SDK and Install
wget -O yubihsm2-sdk-2024-09-ubuntu2204-amd64.tar.gz https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2024-09-ubuntu2204-amd64.tar.gz
tar -xvzf yubihsm2-sdk-2024-09-ubuntu2204-amd64.tar.gz
cd yubihsm2-sdk
apt --fix-broken -y install $(ls ./*.deb | grep -v './libyubihsm-dev')
cd ..
rm -r yubi*
Create and Modify Config Files for YubiHSM SDK
mkdir /etc/yubico
nano /etc/yubico/yubihsm_pkcs11.conf
File Contents
connector = http://hsm1
#debug
#dinout
#libdebug
#debug-file = /tmp/yubihsm_pkcs11_debug
#cacert = /tmp/cacert.pem
#proxy = http://hsm1
timeout = 5
Install PostgreSQL 16
apt install curl ca-certificates -y
install -d /usr/share/postgresql-common/pgdg
curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc
sh -c 'echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
apt update && sudo apt install postgresql-16 -y
Configure DB Settings
sudo -i -u postgres
createuser ejbca_user -P
createdb ejbcadb -O ejbca_user
logout
nano /etc/postgresql/16/main/pg_hba.conf
systemctl restart postgresql
Clone EJBCA Repository to /etc/ejbca-ce
cd /etc
git clone https://github.com/Keyfactor/ejbca-ce.git --branch r8.3.2 --single-branch
Modify EJBCA Configuration Files
rm -r /etc/ejbca-ce/conf/*.properties.sample && rm -r /etc/ejbca-ce/conf/plugins/*.properties.sample && rm -r /etc/ejbca-ce/conf/logdevices/*.properties.sample
nano /etc/ejbca-ce/conf/catoken.properties
File Contents
sharedLibrary=/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
slotLabelType=SLOT_NUMBER
slotLabelValue=0
defaultKey keyDefaultRSA
certSignKey certSignRootRSA
crlSignKey certSignRootRSA
keyEncryptKey keyEncryptRSA
testKey keyTestRSA
pin
nano /etc/ejbca-ce/conf/cesecore.properties
File Contents
database.crlgenfetchordered=true
nano /etc/ejbca-ce/conf/database.properties
File Contents
datasource.jndi-name=EjbcaDS
database.name=postgres
database.useSeparateCertificateTable=true
database.url=jdbc:postgresql://127.0.0.1/ejbcadb
database.driver=org.postgresql.Driver
database.username=ejbca_user
database.password=ThisIsATestPassword
nano /etc/ejbca-ce/conf/ejbca.properties
File Contents
appserver.home=${env.APPSRV_HOME}
ejbca.productionmode=true
allow.external-dynamic.configuration=false
nano /etc/ejbca-ce/conf/install.properties
File Contents
ca.tokentype=org.cesecore.keys.token.PKCS11CryptoToken
ca.tokenproperties=/etc/ejbca-ce/conf/catoken.properties
nano /etc/ejbca-ce/conf/web.properties
File Contents
java.trustpassword=changeit
superadmin.cn=SuperAdmin
superadmin.dn=CN=${superadmin.cn}
superadmin.password=ejbca
superadmin.batch=true
httpsserver.password=serverpwd
httpsserver.hostname=localhost
httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE
httpsserver.tokentype=P12
httpserver.pubhttp=8080
httpserver.pubhttps=8442
httpserver.privhttps=8443
web.availablelanguages=en
web.contentencoding=UTF-8
web.docbaseuri=disabled
web.reqcertindb=true
web.reqauth=true
web.manualclasspathsenabled=false
cryptotoken.p11.lib.120.name=YubiHSM2
cryptotoken.p11.lib.120.file=/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
cryptotoken.pqc.enabled=false
Install JDK11
apt install -y openjdk-11-jdk
Install Apache Ant
cd ~
wget https://dlcdn.apache.org//ant/binaries/apache-ant-1.10.15-bin.zip
unzip apache-ant-1.10.15-bin.zip -d /opt
rm apache-ant-1.10.15-bin.zip
ant -version
Download and Build WildFly 26
wget https://github.com/wildfly/wildfly/releases/download/26.1.3.Final/wildfly-26.1.3.Final.tar.gz
tar -xf wildfly-*.Final.tar.gz
mv wildfly-*.Final /opt/wildfly
groupadd -r wildfly
useradd -r -g wildfly -d /opt/wildfly -s /sbin/nologin wildfly
chown -RH wildfly:wildfly /opt/wildfly
mkdir -p /etc/wildfly
cp /opt/wildfly/docs/contrib/scripts/systemd/wildfly.conf /etc/wildfly/
cp /opt/wildfly/docs/contrib/scripts/systemd/wildfly.service /etc/systemd/system/
cp /opt/wildfly/docs/contrib/scripts/systemd/launch.sh /opt/wildfly/bin/
chmod +x /opt/wildfly/bin/*.sh
Enable WildFly Daemons
systemctl enable --now wildfly
systemctl daemon-reload
Modify Wildfly Config Files
rm /opt/wildfly/bin/standalone.conf
nano /opt/wildfly/standalone/configuration/standalone.xml
Replace Existing Interfaces With
***************************************
nano /etc/wildfly/wildfly.conf
File Contents
# The configuration you want to run
WILDFLY_CONFIG=standalone.xml
# The mode you want to run
WILDFLY_MODE=standalone
# The address to bind to
WILDFLY_BIND=[::]
nano /opt/wildfly/bin/standalone.conf
File Contents
if [ "x$JBOSS_MODULES_SYSTEM_PKGS" = "x" ]; then
JBOSS_MODULES_SYSTEM_PKGS="org.jboss.byteman"
fi
if [ "x$JAVA_OPTS" = "x" ]; then
JAVA_OPTS="-Xms2048m -Xmx3584m"
JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1.2,TLSv1.3"
JAVA_OPTS="$JAVA_OPTS -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3"
JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=false"
JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv6Stack=true"
JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS"
JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true"
JAVA_OPTS="$JAVA_OPTS -Djboss.tx.node.id=101"
JAVA_OPTS="$JAVA_OPTS -XX:+HeapDumpOnOutOfMemoryError"
JAVA_OPTS="$JAVA_OPTS -Djdk.tls.ephemeralDHKeySize=2048"
JAVA_OPTS="$JAVA_OPTS -Djava.security.debug=sunpkcs11"
else
echo "JAVA_OPTS already set in environment; overriding default settings with values: $JAVA_OPTS"
fi
systemctl restart wildfly
Create WildFly Admin user
cd /opt/wildfly/bin
./add-user.sh
Prevent WildFly From Loading Native BouncyCastle
sed -i '/.*org.jboss.resteasy.resteasy-crypto.*/d' /opt/wildfly/modules/system/layers/base/org/jboss/as/jaxrs/main/module.xml
rm -rf /opt/wildfly/modules/system/layers/base/org/jboss/resteasy/resteasy-crypto/
Create a Credential Store
echo '#!/bin/sh' > /usr/bin/wildfly_pass
echo "echo '$(openssl rand -base64 31)'" >> /usr/bin/wildfly_pass
chown wildfly:wildfly /usr/bin/wildfly_pass
chmod 700 /usr/bin/wildfly_pass
mkdir /opt/wildfly/standalone/configuration/keystore
chown wildfly:wildfly /opt/wildfly/standalone/configuration/keystore
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/credential-store=defaultCS:add(path=keystore/credentials, relative-to=jboss.server.config.dir, credential-reference={clear-text="{EXT}/usr/bin/wildfly_pass", type="COMMAND"}, create=true)'
Install the DB Driver for PGSQL
wget https://jdbc.postgresql.org/download/postgresql-42.2.18.jar -O /opt/wildfly/standalone/deployments/postgresql-jdbc4.jar
Add PGSQL Data Sources
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/credential-store=defaultCS:add-alias(alias=dbPassword, secret-value="ThisIsATestPassword")'
/opt/wildfly/bin/jboss-cli.sh --connect 'data-source add --name=ejbcads --connection-url="jdbc:postgresql://127.0.0.1/ejbcadb" --jndi-name="java:/EjbcaDS" --use-ccm=true --driver-name="postgresql-jdbc4.jar" --driver-class="org.postgresql.Driver" --user-name="ejbca_user" --credential-reference={store=defaultCS, alias=dbPassword} --validate-on-match=true --background-validation=false --prepared-statements-cache-size=50 --share-prepared-statements=true --min-pool-size=5 --max-pool-size=150 --pool-prefill=true --transaction-isolation=TRANSACTION_READ_COMMITTED --check-valid-connection-sql="select 1;"'
/opt/wildfly/bin/jboss-cli.sh --connect ':reload'
Configure WildFly Remoting
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=connector-ref,value=remoting)'
/opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=remoting:add(port=4447,interface=management)'
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/http-listener=remoting:add(socket-binding=remoting,enable-http2=true)'
/opt/wildfly/bin/jboss-cli.sh --connect ':reload'
Configure WildFly Logging
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.ejbca:add(level=INFO)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.cesecore:add(level=INFO)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=com.keyfactor:add(level=INFO)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.jboss.as.config:write-attribute(name=level, value=WARN)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.jboss:add(level=WARN)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.wildfly:add(level=WARN)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.xnio:add(level=WARN)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.hibernate:add(level=WARN)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.apache.cxf:add(level=WARN)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.cesecore.config.ConfigurationHolder:add(level=WARN)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/host=default-host/setting=access-log:add(pattern="%h %t \"%r\" %s \"%{i,User-Agent}\"", relative-to=jboss.server.log.dir, directory=access-logs)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=io.undertow.accesslog:add(level=INFO)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/root-logger=ROOT:remove-handler(name=CONSOLE)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/console-handler=CONSOLE:remove()'
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.cesecore.keys.token.p11ng:add(level=DEBUG)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.ejbca.ui.p11ngcli:add(level=DEBUG)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.cesecore.keys.token.p11ng.provider.CryptokiDevice:add(level=TRACE)'
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.pkcs11.jacknji11.Cryptoki:add'
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.pkcs11.jacknji11.Cryptoki:write-attribute(name=level, value=DEBUG)'
Configure Automatic Log Rotation
nano /etc/cron.daily/remove-old-wildfly-logs.sh
File Contents
#!/bin/sh
# Remove log files older than 7 days
find /opt/wildfly/standalone/log/ -type f -mtime +7 -name '*.log' -execdir rm -- '{}' \;
chmod +x /etc/cron.daily/remove-old-wildfly-logs.sh
Remove Old Interfaces and Sockets for HTTP and TLS
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/http-listener=default:remove()' && /opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=http:remove()' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/https-listener=https:remove()' && /opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=https:remove()' && /opt/wildfly/bin/jboss-cli.sh --connect ':reload'
Add New 3 Port Separation for Interfaces and Sockets
/opt/wildfly/bin/jboss-cli.sh --connect '/interface=http:add(inet-address="[::]")' && /opt/wildfly/bin/jboss-cli.sh --connect '/interface=httpspub:add(inet-address="[::]")' && /opt/wildfly/bin/jboss-cli.sh --connect '/interface=httpspriv:add(inet-address="[::]")' && /opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=http:add(port="8080",interface="http")' && /opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442",interface="httpspub")' && /opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443",interface="httpspriv")'
Configure TLS
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/credential-store=defaultCS:add-alias(alias=httpsKeystorePassword, secret-value="serverpwd")' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/credential-store=defaultCS:add-alias(alias=httpsTruststorePassword, secret-value="changeit")' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/key-store=httpsKS:add(path="keystore/keystore.p12",relative-to=jboss.server.config.dir,credential-reference={store=defaultCS, alias=httpsKeystorePassword},type=PKCS12)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/key-store=httpsTS:add(path="keystore/truststore.p12",relative-to=jboss.server.config.dir,credential-reference={store=defaultCS, alias=httpsTruststorePassword},type=PKCS12)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={store=defaultCS, alias=httpsKeystorePassword})' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/trust-manager=httpsTM:add(key-store=httpsTS)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/server-ssl-context=httpspub:add(key-manager=httpsKM,protocols=["TLSv1.3","TLSv1.2"],use-cipher-suites-order=false,cipher-suite-filter="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256")' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/server-ssl-context=httpspriv:add(key-manager=httpsKM,protocols=["TLSv1.3","TLSv1.2"],use-cipher-suites-order=false,cipher-suite-filter="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256",trust-manager=httpsTM,need-client-auth=true)'
Configure Listeners
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/http-listener=http:add(socket-binding="http", redirect-socket="httpspriv")' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding="httpspub", ssl-context="httpspub", max-parameters=2048)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding="httpspriv", ssl-context="httpspriv", max-parameters=2048)' && /opt/wildfly/bin/jboss-cli.sh --connect ':reload'
HTTP Protocol Behavior Configuration
/opt/wildfly/bin/jboss-cli.sh --connect '/system-property=org.apache.catalina.connector.URI_ENCODING:add(value="UTF-8")' && /opt/wildfly/bin/jboss-cli.sh --connect '/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)' && /opt/wildfly/bin/jboss-cli.sh --connect '/system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)' && /opt/wildfly/bin/jboss-cli.sh --connect '/system-property=org.apache.tomcat.util.http.Parameters.MAX_COUNT:add(value=2048)' && /opt/wildfly/bin/jboss-cli.sh --connect '/system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)' && /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)' && /opt/wildfly/bin/jboss-cli.sh --connect ':reload'
Increase the Deployment Timeout
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=deployment-scanner/scanner=default:write-attribute(name=deployment-timeout,value=300)'
Deploy Ear File to WildFly
cd /etc/ejbca-ce
ant -q clean deployear
Run the Installation and Deploy Keystore
ant runinstall
ant deploy-keystore
chown wildfly:wildfly /opt/wildfly/standalone/configuration/keystore/*.p12
systemctl restart wildfly
cp /etc/ejbca-ce/p12/superadmin.p12 /home/sysadmin/superadmin.p12
chown sysadmin:sysadmin /home/sysadmin/superadmin.p12
After Modifying the Properties Files and Building w/ Local CA
$EJBCA_HOME/bin/ejbca.sh cryptotoken create --token HSM1 --pin --autoactivate true --type PKCS11CryptoToken --exportkey false --forceusedslots --lib /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so --slotlabeltype SLOT_NUMBER --slotlabel 0
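A pre-flight check for the slot problem described in this issue, added here as an example and not part of the original report or of EJBCA: before pointing cryptotoken create at a PKCS#11 library with --slotlabeltype SLOT_NUMBER --slotlabel N, confirm that the module really exposes slot N and that the slot holds an initialized token. It parses the slot listing printed by OpenSC's pkcs11-tool; the sample listing below is constructed, and its exact line format is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the issue): verify that a PKCS#11 module exposes the
# slot number EJBCA will be configured with, by parsing pkcs11-tool's listing.
set -u

# Constructed sample of "pkcs11-tool --list-slots" output for a YubiHSM 2
# module (assumption: lines look like "Slot <n> (<hex>): <description>").
SAMPLE_SLOT_LISTING='Available slots:
Slot 0 (0x0): YubiHSM Connector http://127.0.0.1:12345
  token label        : YubiHSM
  token manufacturer : Yubico (www.yubico.com)
  token model        : YubiHSM
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 2.0
  firmware version   : 2.3
  serial num         : 0123456789
  pin min/max        : 12/66'

# Print the decimal slot ids found in a pkcs11-tool listing read from stdin.
list_slot_ids() {
    sed -n 's/^Slot \([0-9][0-9]*\) (0x[0-9a-fA-F]*):.*/\1/p'
}

# Return 0 if slot $1 appears in the listing on stdin, 1 otherwise.
slot_present() {
    list_slot_ids | grep -qx "$1"
}

# Return 0 if slot $1 reports the "token initialized" flag, 1 otherwise.
# Only the block between "Slot N" and the next "Slot" line is inspected.
slot_token_initialized() {
    awk -v want="$1" '
        /^Slot [0-9]+ \(/ { cur = $2 }
        cur == want && /token flags/ && /token initialized/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Live check against the real module; needs pkcs11-tool and a readable library.
# Usage: check_live_slot /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so 0
check_live_slot() {
    lib="$1"; slot="$2"
    command -v pkcs11-tool >/dev/null || { echo "pkcs11-tool not installed" >&2; return 2; }
    [ -r "$lib" ] || { echo "library not readable: $lib" >&2; return 2; }
    pkcs11-tool --module "$lib" --list-slots | slot_present "$slot"
}
```

If the listing shows no "Slot 0" line, or the token flags lack "token initialized", the problem is in the connector or module setup rather than in the EJBCA slot arguments.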