KeyManager service error: pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR

1

Hi
We have built the keymanager using docker file and we have tried to start it but we are getting the following error:
. pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR

Please note that we have also updated the client.zip file that contains the hsm conf , it has been copied from softHsm to artifactory.

Below the stack error:

Error creating bean with name ‘keymanagerServiceImpl’: Unsatisf’; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'keykernel-keymanager-service.jar!/BOOT-INF/classes!/io/mosip/kernel/keymanager/hsm/impl/KeyStoreImpl.class]: Invocativa.lang.reflect.InvocationTargetException\n\tat org.springframework.beans.factory.annotation.AutowiredAnnotationBeowiredAnnotationBeanPostProcessor.java:587)\n\tat org.springframework.beans.factory.annotation.InjectionMetadata.igframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotaframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactoryory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:578)\n\tat orgutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:501)\n\tat org.springframework.beans.Bean$0(AbstractBeanFactory.java:317)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.28)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:315)\n\stractBeanFactory.getBean(AbstractBeanFactory.java:199)\n\tat org.springframework.beans.factory.config.DependencyDjava:251)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultLimework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1065)\n.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:584)\springframework.beans.factory.BeanCreationException: Error creating bean with name ‘keyStoreImpl’ defined in URL [ar!/BOOT-INF/classes!/io/mosip/kernel/keymanager/hsm/impl/KeyStoreImpl.class]: Invocation of init method failed; nargetException\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(Aat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapabk.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:501).AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:317)\n\tat org.springframework.beans.factory.suppfaultSingletonBeanRegistry.java:228)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBeanramework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)\n\tat org.springframeworkveCandidate(DependencyDescriptor.java:251)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactry.java:1138)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(Defaultramework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotn frames omitted\nCaused by: java.lang.reflect.InvocationTargetException: null\n\tat java.base/jdk.internal.reflecive Method)\n\tat java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccesslect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)\n\tat java.base/javar.java:490)\n\tat io.mosip.kernel.keymanager.hsm.impl.KeyStoreImpl.afterPropertiesSet(KeyStoreImpl.java:156)\n\tatactAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1765)\n\tat org.springframbleBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1702)\n\t… 50 common frames omitted\nCauseNoSuchSecurityProviderException: KER-KMA-001 → Config file invalid; \nnested exception is java.security.Providerkernel.keymanager.hsm.impl.pkcs.PKCS11KeyStoreImpl.setupProvider(PKCS11KeyStoreImpl.java:176)\n\tat io.mosip.kerneitKeystore(PKCS11KeyStoreImpl.java:147)\n\tat io.mosip.kernel.keymanager.hsm.impl.pkcs.PKCS11KeyStoreImpl.(Pmes omitted\nCaused by: java.security.ProviderException: Initialization failed\n\tat jdk.crypto.cryptoki/sun.securn\tat jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:115)\n\tat jdk.crypto.cryptoki/sun.se)\n\tat java.base/java.security.AccessController.doPrivileged(Native Method)\n\tat jdk.crypto.cryptoki/sun.securit\n\tat io.mosip.kernel.keymanager.hsm.impl.pkcs.PKCS11KeyStoreImpl.setupProvider(PKCS11KeyStoreImpl.java:173)\n\t.rity.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR\n\tat jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS1ryptoki/sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_Initialize(PKCS11.java:1631)\n\tat jdk.crypto.crypnce(PKCS11.java:166)\n\tat jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:338)\n\t… 64 nager-service"

2

Are you using softhsm or a commercial HSM?

3

Hi
I’am using sofHsm of mosip.
Please note that I have tested the below command and it worked perfectly:
pkcs11-tool --module /usr/local/lib/libpkcs11-proxy.so -l -k --key-type rsa:2048 --id 4142 --label tokenKey1 --pin 1111
This command has been executed inside the softhsm conatiner.
below its output:

Using slot 0 with a present token (0x68df9638)
Key pair generated:
Private Key Object; RSA
label: tokenKey1
ID: 4142
Usage: decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
label: tokenKey1
ID: 4142
Usage: encrypt, verify, wrap

4

Hi Zeddari,

softHSM docker configuration looks fine. MOSIP keymanager container uses “pcks11 proxy” as client to softHSM. This PKCS11 proxy communicates with softHSM through tcp connection and this proxy client expects an environment variable in keymanager container. Can you please confirm whether the environment variable added in keymanager docker.

Here is environment variable name:
PKCS11_PROXY_SOCKET=tcp://:

5

Here is full value
PKCS11_PROXY_SOCKET=tcp://{softhsm-container-host-name}:{port-no}

6

Hi
thank you for your replay.
we should add it in the docker run command:
docker run --add-host config-server:xxx --add-host postgres:xx–add-host artifactory-service:xx -d -e iam_adapter_url=‘https://repo1.maven.org/maven2/io/mosip/kernel/kernel-auth-adapter/1.2.0/kernel-auth-adapter-1.2.0.jar’ -e db.dbuser.password=‘xxxxx’ -e PKCS11_DAEMON_SOCKET=‘tcp://xxxxx:5666’ -e PKCS11_PROXY_SOCKET=‘tcp://xx:5666’

7

Are you not using Kubernetes? Any specific reason?

9

We get the same error when we deploy the keymanager in kubernetes and we add variables in Dockerfile.

image
image1548×208 16.6 KB

10

Hi Slimab,

Can you check whether “PKCS11_PROXY_SOCKET” environment variable is added or not.

we need to add only the PROXY_SOCKET variable and “PKCS11_DAEMON_SOCKET” variable should be available in kernel-softhsm docker.

Please recheck the same. Share full keyamanger service logs if getting same error.

11

Hello mahammedtaheer,
Do you mean that the PROXY_SOCKET should be available in Keymanager, and the PKCS11_DAEMON_SOCKET is added only in kernel-softhsm docker or in both (Keymanager, kernel-softhsm docker)!!!

Thanks

12

Hi slimab,

Add PKCS11_DAEMON_SOCKET=tcp://0.0.0.0:5666 in kernel-softhsm
and add PKCS11_PROXY_SOCKET=‘tcp://kernel-softhms:5666’ in keymanager service.

Thanks

13

hello @mahammedtaheer
it’s a variable environment of keymanager
image

softhsm-kernel.softhsm is the service name and 5666 is the port

it’s a variable environment of softhsm
image

But always the same error appears :

image
image1652×148 82.1 KB

14

Hi Slimab,

Please check there is port redirect happening in the cluster. The PKCS11_PROXY_SOCKET value should be “PKCS11_PROXY_SOCKET=tcp://softhsm-kernel.softhsm:80”. please change the port to 80 and try.

Also can you please share full logs of keymanager service.

Thanks