EJBCA and SoftHSM2 #273

aleloco09 · 2023-04-18T01:37:21Z

aleloco09
Apr 18, 2023

Hi,
I am currently working on a project on EJBCA with my university for my master's degree thesis.
The idea is running EJBCA on a container and SoftHSM2 on an other container and make them work together.
The first thing I've done is to install SoftHSM2 directly inside the host and see if it can communicate with EJBCA that is installed in a container. Here it comes the problem because it looks like that EJBCA can see SoftHSM2 in the machine but as soon as i create a PKCS11 token it gives me an error like this:
ejbca | 2023-04-17 23:31:22,521+0000 ERROR [org.cesecore.keys.token.p11.SunP11SlotListWrapper] (default task-2) Wrong arguments were passed to sun.security.pkcs11.wrapper.PKCS11.CK_C_INITIALIZE_ARGS.getInstance threw an exception for log.error(msg, e): java.lang.reflect.InvocationTargetException

The question is: is it possible to achieve this type of configuration (distributed VirtualHSM and EJBCA) in the Community Edition or can i only do this in the EE? If i can do it in this version, what should i do? are there any drivers for softhsm that i need to install?

here i attach the docker-compose.yml that i use (before pointing to the tokens folder)
docker-compose.yml.txt

Answered by aleloco09

Oct 30, 2023

Thanks guys for all your support, I have really appreciated that.
Thanks to your prompts, I have actually managed to run SoftHSM and EJBCA in 2 separated containers.
Bashing on the EJBCA container, I have ldd on libsofthsm2.so and there was a dependency problem: libcrypto.so.10 was missing.
To overcome this, on the Dockerfile suggested by Sven that lib should be copied as well from the builder:
COPY --from=builder --chown=10001:0 /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10

Anyways there is another little doubt now, whenever I create a new slot at runtime:
softhsm2-util --init-token --free --label RootCA --so-pin foo123 --pin foo123
In order to see it from the webapp, I need to r…

View full answer

primetomas · 2023-04-18T07:58:01Z

primetomas
Apr 18, 2023
Maintainer

I would use a volume mount, as you also need to mount the SoftHSM instance files with the actual keys in them, and probably want to share those between different containers?
There are some HSM integration examples here:
https://github.com/Keyfactor/ejbca-containers/tree/master/hsm-integration

The DPoD example uses mounts, while the Fortanix one uses file system overlay.

Have you pulled the latest EJBCA container so it is updated?

10 replies

primetomas Apr 25, 2023
Maintainer

Correct, that guide uses an Enterprise feature. For now I'd recommend more the thing I pointed to.
For EJBCA for find the driver, so it's selectable in the Admin UI. It must be located in one of the following paths, accessible from the WildFly process when it starts up.

/usr/local/lib/softhsm/libsofthsm2.so
/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
/usr/lib/softhsm/libsofthsm2.so
/usr/lib64/pkcs11/libsofthsm2.so

This is from conf/web.properties.sample, which has all the default locations listed.

aleloco09 May 4, 2023
Author

Finally i can see the PKCS11 option in the EJBCA Create Token page again. I've mounted the libsofthsm2.so in this location /usr/local/lib/softhsm/libsofthsm2.so
But i have a new problem
This is the error i get

ejbca           | 2023-05-04 16:24:41,746+0000 ERROR [org.cesecore.keys.token.p11.SunP11SlotListWrapper] (default task-2) Wrong arguments were passed to sun.security.pkcs11.wrapper.PKCS11.CK_C_INITIALIZE_ARGS.getInstance threw an exception for log.error(msg, e): java.lang.reflect.InvocationTargetException
ejbca           | 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
ejbca           | 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
ejbca           | 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
ejbca           | 	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
ejbca           | 	at deployment.ejbca.ear//org.cesecore.keys.token.p11.SunP11SlotListWrapper.<init>(SunP11SlotListWrapper.java:145)
ejbca           | 	at deployment.ejbca.ear//org.cesecore.keys.token.p11.SunP11SlotListWrapperFactory.getInstance(SunP11SlotListWrapperFactory.java:75)
ejbca           | 	at deployment.ejbca.ear//org.cesecore.keys.token.p11.SunP11SlotListWrapperFactory.getInstance(SunP11SlotListWrapperFactory.java:36)
ejbca           | 	at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11SlotListWrapperHelper.getSlotListWrapper(PKCS11SlotListWrapperHelper.java:39)
ejbca           | 	at deployment.ejbca.ear//org.cesecore.keys.token.p11.Pkcs11SlotLabel.getProvider(Pkcs11SlotLabel.java:122)
ejbca           | 	at deployment.ejbca.ear//org.cesecore.keys.token.p11.Pkcs11SlotLabel.getP11Provider(Pkcs11SlotLabel.java:553)
ejbca           | 	at deployment.ejbca.ear//org.cesecore.keys.token.p11.Pkcs11SlotLabel.getP11Provider(Pkcs11SlotLabel.java:518)
ejbca           | 	at deployment.ejbca.ear//org.cesecore.keys.token.p11.P11Slot.<init>(P11Slot.java:59)
ejbca           | 	at deployment.ejbca.ear//org.cesecore.keys.token.p11.P11Slot.getInstance(P11Slot.java:248)
ejbca           | 	at deployment.ejbca.ear//org.cesecore.keys.token.p11.P11Slot.getInstance(P11Slot.java:205)
ejbca           | 	at deployment.ejbca.ear//org.cesecore.keys.token.p11.P11Slot.getInstance(P11Slot.java:183)
ejbca           | 	at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.delayedInit(PKCS11CryptoToken.java:123)
ejbca           | 	at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.getP11slotWithDelayedInit(PKCS11CryptoToken.java:289)
ejbca           | 	at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.activate(PKCS11CryptoToken.java:146)
ejbca           | 	at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.keys.token.CryptoTokenManagementSessionBean.createCryptoToken(CryptoTokenManagementSessionBean.java:402)
ejbca           | 	at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.keys.token.CryptoTokenManagementSessionBean.createCryptoToken(CryptoTokenManagementSessionBean.java:448)
ejbca           | 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
ejbca           | 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
ejbca           | 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
ejbca           | 	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
ejbca           | 	at [email protected]//org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:52)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
ejbca           | 	at [email protected]//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.delegateInterception(Jsr299BindingsInterceptor.java:79)
ejbca           | 	at [email protected]//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.doMethodInterception(Jsr299BindingsInterceptor.java:89)
ejbca           | 	at [email protected]//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:102)
ejbca           | 	at [email protected]//org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.as.ee.concurrent.ConcurrentContextInterceptor.processInvocation(ConcurrentContextInterceptor.java:45)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:40)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
ejbca           | 	at [email protected]//org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:52)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:56)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:254)
ejbca           | 	at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:390)
ejbca           | 	at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:160)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
ejbca           | 	at [email protected]//org.jboss.weld.module.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:72)
ejbca           | 	at [email protected]//org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:89)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.as.ejb3.security.IdentityOutflowInterceptor.processInvocation(IdentityOutflowInterceptor.java:73)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.as.ejb3.security.SecurityDomainInterceptor.processInvocation(SecurityDomainInterceptor.java:44)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
ejbca           | 	at [email protected]//org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:633)
ejbca           | 	at [email protected]//org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
ejbca           | 	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca           | 	at [email protected]//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
ejbca           | 	at [email protected]//org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
ejbca           | 	at [email protected]//org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:191)
ejbca           | 	at [email protected]//org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81)
ejbca           | 	at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.keys.token.CryptoTokenManagementSessionLocal$$$view44.createCryptoToken(Unknown Source)
ejbca           | 	at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.cryptotoken.CryptoTokenMBean.saveCurrentCryptoToken(CryptoTokenMBean.java:1138)
ejbca           | 	at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.cryptotoken.CryptoTokenMBean.saveCurrentCryptoTokenWithCheck(CryptoTokenMBean.java:987)
ejbca           | 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
ejbca           | 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
ejbca           | 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
ejbca           | 	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
ejbca           | 	at [email protected]//com.sun.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:153)
ejbca           | 	at [email protected]//com.sun.el.parser.AstValue.invoke(AstValue.java:261)
ejbca           | 	at [email protected]//com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:237)
ejbca           | 	at [email protected]//org.jboss.weld.module.web.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40)
ejbca           | 	at [email protected]//org.jboss.weld.module.web.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50)
ejbca           | 	at [email protected]//org.jboss.weld.module.web.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40)
ejbca           | 	at [email protected]//org.jboss.weld.module.web.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50)
ejbca           | 	at [email protected]//com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:65)
ejbca           | 	at [email protected]//com.sun.faces.application.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:66)
ejbca           | 	at [email protected]//com.sun.faces.application.ActionListenerImpl.getNavigationOutcome(ActionListenerImpl.java:82)
ejbca           | 	at [email protected]//com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:71)
ejbca           | 	at [email protected]//javax.faces.component.UICommand.broadcast(UICommand.java:222)
ejbca           | 	at [email protected]//javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:847)
ejbca           | 	at [email protected]//javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1396)
ejbca           | 	at [email protected]//com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:58)
ejbca           | 	at [email protected]//com.sun.faces.lifecycle.Phase.doPhase(Phase.java:76)
ejbca           | 	at [email protected]//com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:177)
ejbca           | 	at [email protected]//javax.faces.webapp.FacesServlet.executeLifecyle(FacesServlet.java:707)
ejbca           | 	at [email protected]//javax.faces.webapp.FacesServlet.service(FacesServlet.java:451)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
ejbca           | 	at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.NoCacheFilter.doFilter(NoCacheFilter.java:68)
ejbca           | 	at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
ejbca           | 	at deployment.ejbca.ear//org.owasp.filters.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:223)
ejbca           | 	at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
ejbca           | 	at deployment.ejbca.ear.adminweb.war//org.apache.myfaces.webapp.filter.ExtensionsFilter.doFilter(ExtensionsFilter.java:357)
ejbca           | 	at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
ejbca           | 	at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.ProxiedAuthenticationFilter.doFilter(ProxiedAuthenticationFilter.java:104)
ejbca           | 	at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
ejbca           | 	at [email protected]//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.lambda$handleRequest$1(ElytronRunAsHandler.java:68)
ejbca           | 	at [email protected]//org.wildfly.security.auth.server.FlexibleIdentityAssociation.runAsFunctionEx(FlexibleIdentityAssociation.java:103)
ejbca           | 	at [email protected]//org.wildfly.security.auth.server.Scoped.runAsFunctionEx(Scoped.java:161)
ejbca           | 	at [email protected]//org.wildfly.security.auth.server.Scoped.runAs(Scoped.java:73)
ejbca           | 	at [email protected]//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.handleRequest(ElytronRunAsHandler.java:67)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
ejbca           | 	at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
ejbca           | 	at [email protected]//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
ejbca           | 	at [email protected]//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
ejbca           | 	at [email protected]//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
ejbca           | 	at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
ejbca           | 	at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
ejbca           | 	at [email protected]//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
ejbca           | 	at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
ejbca           | 	at [email protected]//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
ejbca           | 	at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
ejbca           | 	at [email protected]//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
ejbca           | 	at [email protected]//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
ejbca           | 	at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
ejbca           | 	at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
ejbca           | 	at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
ejbca           | 	at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
ejbca           | 	at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79)
ejbca           | 	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100)
ejbca           | 	at [email protected]//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
ejbca           | 	at [email protected]//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852)
ejbca           | 	at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
ejbca           | 	at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
ejbca           | 	at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
ejbca           | 	at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
ejbca           | 	at [email protected]//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
ejbca           | 	at java.base/java.lang.Thread.run(Unknown Source)
ejbca           | Caused by: java.io.IOException: libcrypto.so.3: cannot open shared object file: No such file or directory/usr/local/lib/softhsm/libsofthsm2.so
ejbca           | 	at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.connect(Native Method)
ejbca           | 	at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.<init>(Unknown Source)
ejbca           | 	at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.<init>(Unknown Source)
ejbca           | 	at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.getInstance(Unknown Source)
ejbca           | 	at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.getInstance(Unknown Source)
ejbca           | 	... 168 more

aleloco09 May 5, 2023
Author

Please tell me the right environments in order to configure SoftHSM successfully

primetomas May 8, 2023
Maintainer

You have to make sure your files are in the right place and readable. The error is from Java:

Caused by: java.io.IOException: libcrypto.so.3: cannot open shared object file: No such file or directory/usr/local/lib/softhsm/libsofthsm2.so

This means that Java can not open this file. Perhaps you have file system privileges that prevents Java from opening the file?

aleloco09 May 8, 2023
Author

I think it is an environment issue because I put libsofthsm2.so and libcrypto.so.3 in a shared directory /softhsm-lib/lib that inside the container points to /usr/local/lib/softhsm and i can see them from the container but I'm still having that problem...
Here i show you my volume and environment section of ejbca-node1.

ejbca-node1:
    hostname: ejbca-node1
    ...
    environment:
      - DATABASE_JDBC_URL=jdbc:mariadb://ejbca-database:3306/ejbca?characterEncoding=UTF-8
      - LOG_LEVEL_APP=INFO
      - LOG_LEVEL_SERVER=INFO
      - TLS_SETUP_ENABLED=simple
      - SOFTHSM2_CONF=/opt/softhsm/config/softhsm2.conf
      - HSM_PKCS11_LIBRARY=/usr/local/lib/softhsm/

    volumes:
      - ./softhsm-lib/lib:/usr/local/lib/softhsm:ro
      - ./softhsm-lib/tokens:/opt/softhsm/tokens:rw
      - ./softhsm-lib/config:/opt/softhsm/config:ro

Note that - HSM_PKCS11_LIBRARY=/usr/local/lib/softhsm/ before it was - HSM_PKCS11_LIBRARY=/usr/local/lib/softhsm/libsofthsm2.so but it was the same.

primetomas · 2023-05-09T09:55:36Z

primetomas
May 9, 2023
Maintainer

I started the container with:
sudo docker run -it --rm --name my_test -p 80:8080 -p 443:8443 -e TLS_SETUP_ENABLED="simple" -e SOFTHSM2_CONF=/opt/softhsm/config/softhsm2.conf -v /opt/softhsm/lib:/usr/local/lib/softhsm -v /opt/softhsm/tokens:/opt/softhsm/tokens -v /opt/softhsm/config:/opt/softhsm/config -e LOG_LEVEL_APP=DEBUG keyfactor/ejbca-ce:latest

I got the same issue as you.

By enabling debug logging on the container I could see that EJBCA gets a response from softhsm, CKR_TOKEN_NOT_RECOGNIZED. This is a message from SoftHSM, meaning that it can't read the "token".
I entered with a bash console on the container and could see that /opt/tokens/ was not readable. On my host I changed privileges on these files and then restarted the container. Now it works.
You need +rw privileges on the token directory and files from the container in order to generate keys.

2 replies

aleloco09 May 9, 2023
Author

This stuff is blowing my mind... I have given all the needed permissions but still I'm having problems and the Debugger does not give me the same response. Actually, it does not give me anything that i do not already know. Plus i've installed the softhsm directly inside the host, without using a container for the softhsm but i'm getting the same result.

2023-05-09 22:53:31,475+0000 DEBUG [org.cesecore.keys.token.PKCS11SlotListWrapperHelper] (default task-1) Using PKCS11SlotListWrapperFactory of type org.cesecore.keys.token.p11.SunP11SlotListWrapperFactory
2023-05-09 22:53:31,475+0000 DEBUG [org.cesecore.keys.token.p11.Pkcs11SlotLabel] (default task-1) >getSunP11ProviderInputStream: -1, /usr/local/lib/softhsm/libsofthsm2.so, Slot Number, null, null
2023-05-09 22:53:31,475+0000 DEBUG [org.cesecore.keys.token.p11.Pkcs11SlotLabel] (default task-1) name = libsofthsm2.so-slot-1
2023-05-09 22:53:31,475+0000 DEBUG [org.cesecore.keys.token.p11.Pkcs11SlotLabel] (default task-1) Using JDK9 (and later) SUN PKCS11 provider: SunPKCS11
2023-05-09 22:53:31,476+0000 DEBUG [org.cesecore.keys.token.p11.Pkcs11SlotLabel] (default task-1) Get dummy sun provider throws an exception for /usr/local/lib/softhsm/libsofthsm2.so. This is OK.: java.lang.reflect.InvocationTargetException
2023-05-09 22:53:31,613+0000 DEBUG [org.ejbca.ui.web.admin.BaseManagedBean] (default task-1) Exception occurred in Admin Web interface, adding error message: org.cesecore.keys.token.CryptoTokenOfflineException: Error when creating Crypto Token with ID 2018891238.
2023-05-09 22:53:31,624+0000 DEBUG [org.ejbca.ui.web.admin.BaseManagedBean] (default task-1) Adding error message: Error: Error when creating Crypto Token with ID 2018891238.

is there a way to have better debug messages?

primetomas May 10, 2023
Maintainer

If you bash into the container and check all the files and paths, does everything list well?

aleloco09 · 2023-10-10T15:09:06Z

aleloco09
Oct 10, 2023
Author

Hi,
After few months of stop, I am back to work on this EJBCA project but I have still issues. Is it possible to have support on a video-call? I feel so bad because if I cannot solve the problem I cannot move on with my thesis...

0 replies

aleloco09 · 2023-10-11T15:58:13Z

aleloco09
Oct 11, 2023
Author

It is not just me that is experiencing issues, I'm asking some colleagues to help me with this configuration and they have the same problems...

1 reply

primetomas Oct 11, 2023
Maintainer

We are using softHSM on our Jenkins pipe-line to run system tests, and the tests run on the container built. So there is nothing in EJBCA or the container itself that prevents using softHSM. Are you sure your SoftHSM instance is initialized?
https://doc.primekey.com/ejbca/ejbca-integration/hardware-security-modules-hsm/softhsm

Video support can only be offered with a SLA support subscription.

aleloco09 · 2023-10-20T15:22:42Z

aleloco09
Oct 20, 2023
Author

Ok, could you at least have a look at this zip to see what is going on? because I have no other option, i have tried every single possibility.
Please, I want to solve this issue once for all.
containers.tar.gz

4 replies

primetomas Oct 23, 2023
Maintainer

Do like me and ssh into the container to investigate why your files can not be read.
docker exec -it /bin/bash

Also make sure you can actually use SoftHSM, to generate keys, outside of the container. I.e. make sure that your "slot" is initialized. According to: https://doc.primekey.com/ejbca/ejbca-integration/hardware-security-modules-hsm/softhsm

aleloco09 Oct 23, 2023
Author

Actually I have done it already, on the ejbca container I bashed to check if the token folder and its subfolders could be read and written, and yes it is possible. I tried to create a dummy file and it let me do it.
Of course I first initialize the slot inside the softhsm container using softhsm2-util and then I try to use the token with the ID it gives me.
I tried to fully open the token folder using a chmod -R 777 but still nothing.
Finally I have tried 3 cases.
A. Installing SoftHSM2 directly inside the keyfactor/ejbca-ce image. then chown -R 10001:0 on the token folder to give the permissions.
B. Installing SoftHSM2 in the host and keeping the ejbca inside the container
C. Having SoftHSM2 and EJBCA in 2 separate containers (which is what i want to achieve)

Only case A worked properly. But having a virtual-hsm inside the same container does not make much sense.
Please, I kindly ask to have a look at the zip and check what is going on.
I cannot go any further with my thesis if I do not solve this issue.

svenska-primekey Oct 25, 2023

Option A is the only way I would do this and then volume mount the tokens inside of the container. Then you could volume mount that same directory inside other EJBCA containers for HA. Trying to use a separate container is adding a lot more complication and something we have never tried to do. SoftHSM is only for testing pkcs11. If you have a network based HSM or USB adding another layer to the EJBCA CE container to install the pkcs11 driver is the recommended way to proceed.

You can try this for building the softhsm container:

FROM centos:7 AS builder

WORKDIR /build

# Copy the configuration file into the container
COPY softhsm2.conf /etc/softhsm2.conf

RUN yum -y update && \
    yum -y groupinstall "Development Tools" && \
    yum -y install openssl-devel automake autoconf libtool pkgconfig openssl-devel && \
    curl --silent -D - -L "https://github.com/opendnssec/SoftHSMv2/archive/refs/tags/2.6.1.tar.gz" -o SoftHSMv2-current.tar.gz && \
    mkdir -p /build/softhsmv2 && \
    tar -xf SoftHSMv2-current.tar.gz -C "/build/softhsmv2" --strip-components=1 && \
    cd softhsmv2/ && \
    ./autogen.sh && \
    ./configure --disable-non-paged-memory --prefix=/usr && \
    make -s && \
    make -s install && \
    # Create the directory for the tokens
    mkdir -p /var/lib/softhsm/tokens && \
    chgrp -R 0   /var/lib/softhsm/ /etc/softhsm2.conf && \
    chmod -R g=u /var/lib/softhsm/ /etc/softhsm2.conf && \
    chown -R 10001:0 /var/lib/softhsm/tokens

FROM centos:7

COPY --from=builder --chown=10001:0  /var/lib/softhsm/                  /var/lib/softhsm/
COPY --from=builder --chown=10001:0  /usr/lib64/softhsm/libsofthsm2.so  /usr/lib64/softhsm/libsofthsm2.so
COPY --from=builder --chown=10001:0  /usr/bin/softhsm2-keyconv          /usr/bin/softhsm2-keyconv
COPY --from=builder --chown=10001:0  /usr/bin/softhsm2-util             /usr/bin/softhsm2-util
COPY --from=builder --chown=10001:0  /usr/bin/softhsm2-dump-file        /usr/bin/softhsm2-dump-file
COPY --from=builder --chown=10001:0  /etc/softhsm2.conf                 /etc/softhsm2.conf


# Create a volume for the tokens
VOLUME /var/lib/softhsm/tokens

# Set the environment variable for the configuration file
ENV SOFTHSM2_CONF="/etc/softhsm2.conf"

USER 10001:0

CMD ["tail", "-f", "/dev/null"]

This sets all the permissions and user to what the EJBCA container would expect to see.

aleloco09 Oct 25, 2023
Author

Thanks so much, I will try this asap.
Actually the idea would be to set a network based HSM later on, but I thought that proceeding by step, creating 2 containers in local and then migrate it to the network could be the best solution, but actually complicated me the things.

aleloco09 · 2023-10-26T10:04:18Z

aleloco09
Oct 26, 2023
Author

I have just configured the SoftHSM container as you suggested, but it still does not work along with the image keyfactor/ejbca-ce:latest as it is, the framework cannot manipulate the slots from the webpage (even if I can see and manipulate the token and lib folders using docker exec)...

ejbca | Caused by: java.io.IOException: libcrypto.so.10: cannot open shared object file: No such file or directory/usr/local/lib/softhsm/libsofthsm2.so

I am afraid I have not understood well, you mean that I should create a custom image of EJBCA and install the SoftHSM not only in a separate container, but ALSO inside the EJBCA container? Is that right?

Another question that may or may not be related. @svenska-primekey here you say:

If you have a network based HSM or USB adding another layer to the EJBCA CE container to install the pkcs11 driver is the recommended way to proceed.

What do you mean by PKCS#11 driver? What should I install inside my EJBCA container?

3 replies

svenska-primekey Oct 26, 2023

Here is a container file to compile the softhsm and then add that into the EJBCA container. I tested this build and softhsm2 shows up under the pcks11 options. Make sure you mount a volume to for the tokens. After the container is started, exec into the container to create a a slot with the softhsm tool. Then you can access the UI and add the crypto token to EJBCA.

FROM centos:7 AS builder

WORKDIR /build
# docker build -t ejbca-ce-softhsm:test -f Containerfile.sh .
# Copy the configuration file into the container
COPY softhsm2.conf /etc/softhsm2.conf

RUN yum -y update && \
    yum -y groupinstall "Development Tools" && \
    yum -y install openssl-devel automake autoconf libtool pkgconfig openssl-devel && \
    curl --silent -D - -L "https://github.com/opendnssec/SoftHSMv2/archive/refs/tags/2.6.1.tar.gz" -o SoftHSMv2-current.tar.gz && \
    mkdir -p /build/softhsmv2 && \
    tar -xf SoftHSMv2-current.tar.gz -C "/build/softhsmv2" --strip-components=1 && \
    cd softhsmv2/ && \
    ./autogen.sh && \
    ./configure --disable-non-paged-memory --prefix=/usr && \
    make -s && \
    make -s install && \
    # Create the directory for the tokens
    mkdir -p /var/lib/softhsm/tokens && \
    chgrp -R 0   /var/lib/softhsm/ /usr/lib/softhsm/ /etc/softhsm2.conf && \
    chmod -R g=u /var/lib/softhsm/ /usr/lib/softhsm/ /etc/softhsm2.conf && \
    chown -R 10001:0 /var/lib/softhsm/tokens

FROM keyfactor/ejbca-ce:latest

USER 0:0

COPY --from=builder --chown=10001:0  /var/lib/softhsm/                  /var/lib/softhsm/
COPY --from=builder --chown=10001:0  /usr/lib/softhsm/libsofthsm2.so    /usr/lib/softhsm/libsofthsm2.so
COPY --from=builder --chown=10001:0  /usr/bin/softhsm2-keyconv          /usr/bin/softhsm2-keyconv
COPY --from=builder --chown=10001:0  /usr/bin/softhsm2-util             /usr/bin/softhsm2-util
COPY --from=builder --chown=10001:0  /usr/bin/softhsm2-dump-file        /usr/bin/softhsm2-dump-file
COPY --from=builder --chown=10001:0  /etc/softhsm2.conf                 /etc/softhsm2.conf

# Create a volume for the tokens
VOLUME /var/lib/softhsm/tokens

# Set the environment variable for the configuration file
ENV SOFTHSM2_CONF="/etc/softhsm2.conf"

USER 10001:0

To create some slots the command is like this:

softhsm2-util --init-token --free --label RootCA --so-pin foo123 --pin foo123
softhsm2-util --init-token --free --label SubCA --so-pin foo123 --pin foo123

The container file above would be very similar to install a PKCS11 client from a HSM vendor and then copy the pieces needed to the EJBCA container. This is a much better example to give you and hopefully clears up the confusion :-)

aleloco09 Oct 26, 2023
Author

Oh ok now I understand. Thanks. Yeah that solution works.
What is confusing me is that in some previous answers of this discussion, @primetomas said:

I started the container with: sudo docker run -it --rm --name my_test -p 80:8080 -p 443:8443 -e TLS_SETUP_ENABLED="simple" -e SOFTHSM2_CONF=/opt/softhsm/config/softhsm2.conf -v /opt/softhsm/lib:/usr/local/lib/softhsm -v /opt/softhsm/tokens:/opt/softhsm/tokens -v /opt/softhsm/config:/opt/softhsm/config -e LOG_LEVEL_APP=DEBUG keyfactor/ejbca-ce:latest

I got the same issue as you.

By enabling debug logging on the container I could see that EJBCA gets a response from softhsm, CKR_TOKEN_NOT_RECOGNIZED. This is a message from SoftHSM, meaning that it can't read the "token". I entered with a bash console on the container and could see that /opt/tokens/ was not readable. On my host I changed privileges on these files and then restarted the container. Now it works. You need +rw privileges on the token directory and files from the container in order to generate keys.

So I understood that he was actually able to have SoftHSM2 inside his host and EJBCA inside a separate container (they just share the libraries, the tokens, and config file), that's why I was trying to repeat that case inside my machine but without success.

primetomas Oct 29, 2023
Maintainer

Yep, that works for me. What Sven is suggesting is definitely a cleaner solutions though. Will add some more verbosity to the documentation here: https://github.com/Keyfactor/keyfactorcommunity/tree/main/hsm-integration

aleloco09 · 2023-10-30T15:59:40Z

aleloco09
Oct 30, 2023
Author

Thanks guys for all your support, I have really appreciated that.
Thanks to your prompts, I have actually managed to run SoftHSM and EJBCA in 2 separated containers.
Bashing on the EJBCA container, I have ldd on libsofthsm2.so and there was a dependency problem: libcrypto.so.10 was missing.
To overcome this, on the Dockerfile suggested by Sven that lib should be copied as well from the builder:
COPY --from=builder --chown=10001:0 /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10

Anyways there is another little doubt now, whenever I create a new slot at runtime:
softhsm2-util --init-token --free --label RootCA --so-pin foo123 --pin foo123
In order to see it from the webapp, I need to restart the EJBCA container. It looks like that it does not get a refresh.
if i do --show slots I can see the new token anyways.
This happens in both situations, when the EJBCA / SoftHSM are separated and together
Is that behavior normal?

1 reply

primetomas Oct 30, 2023
Maintainer

Yes that is expected. The Sun P11 Provider loads everything at startup, and need a restart to load new things that are created outside of itself.

Babacar98 · 2025-01-09T11:43:46Z

Babacar98
Jan 9, 2025

Hello @svenska-primekey @aleloco09 @primetomas ,
I have followed your recommendations and performed the same configuration, meaning I have installed EJBCA and SoftHSMv2 in the same container. However, I would like to integrate SignServer into my configuration using the same SoftHSMv2. Could you please help me?

1 reply

primetomas Jan 9, 2025
Maintainer

That may be tricky. SoftHSM stores its stuff on files. You could always try to put those files on a common mounted filessystem.

Babacar98 · 2025-01-09T16:48:37Z

Babacar98
Jan 9, 2025

@primetomas I have this problem when i wanna create a crypto token with Pkcs11 on ejbca interface .

2025-01-09 ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca ejbca-ca | at io.unde 16:41:02,363+0000 ERROR [com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapper] (default task-10) Method sun.security.pkcs11.wrapper.PKCS11.CK_C_INITIALIZE_ARGS.getInstance was not accessible, this may be due to a change in the underlying library.: java.lang.IllegalAccessException: class com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapper cannot access class sun.security.pkcs11.wrapper.PKCS11 (in module jdk.crypto.cryptoki) because module jdk.crypto.cryptoki does not export sun.security.pkcs11.wrapper to unnamed module @7c10ea75
| at java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Unknown Source)
| at java.base/java.lang.reflect.AccessibleObject.checkAccess(Unknown Source)
| at java.base/java.lang.reflect.Method.invoke(Unknown Source)
| at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapper.(SunP11SlotListWrapper.java:144)
| at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapperFactory.getInstance(SunP11SlotListWrapperFactory.java:74)
| at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapperFactory.getInstance(SunP11SlotListWrapperFactory.java:35)
| at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.Pkcs11SlotLabel.getSlotListWrapper(Pkcs11SlotLabel.java:570)
| at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.Pkcs11SlotLabel.getProvider(Pkcs11SlotLabel.java:120)
| at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.Pkcs11SlotLabel.getP11Provider(Pkcs11SlotLabel.java:555)
| at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.Pkcs11SlotLabel.getP11Provider(Pkcs11SlotLabel.java:520)
| at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.P11Slot.(P11Slot.java:63)
| at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.P11Slot.getInstance(P11Slot.java:252)
| at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.P11Slot.getInstance(P11Slot.java:209)
| at deployment.ejbca.ear//com.keyfactor.util.keys.token.pkcs11.P11Slot.getInstance(P11Slot.java:187)
| at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.delayedInit(PKCS11CryptoToken.java:132)
| at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.getP11slotWithDelayedInit(PKCS11CryptoToken.java:298)
| at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.activate(PKCS11CryptoToken.java:155)
| at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.keys.token.CryptoTokenManagementSessionBean.createCryptoToken(CryptoTokenManagementSessionBean.java:411)
| at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.keys.token.CryptoTokenManagementSessionBean.createCryptoToken(CryptoTokenManagementSessionBean.java:457)
| at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
| at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
| at java.base/java.lang.reflect.Method.invoke(Unknown Source)
| at [email protected]//org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:35)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
| at [email protected]//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.delegateInterception(Jsr299BindingsInterceptor.java:62)
| at [email protected]//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.doMethodInterception(Jsr299BindingsInterceptor.java:72)
| at [email protected]//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:85)
| at [email protected]//org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:46)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:26)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:30)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.as.ee.concurrent.ConcurrentContextInterceptor.processInvocation(ConcurrentContextInterceptor.java:28)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:40)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
| at [email protected]//org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:35)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:34)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:39)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:237)
| at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:373)
| at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:143)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
| at [email protected]//org.jboss.weld.module.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:78)
| at [email protected]//org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:72)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:24)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:30)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.as.ejb3.security.IdentityOutflowInterceptor.processInvocation(IdentityOutflowInterceptor.java:56)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.as.ejb3.security.SecurityDomainInterceptor.processInvocation(SecurityDomainInterceptor.java:27)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:27)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:47)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:50)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:33)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
| at [email protected]//org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:633)
| at [email protected]//org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
| at [email protected]//org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:181)
| at [email protected]//org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:174)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.as.ejb3.security.IdentityInterceptor.lambda$processInvocation$0(IdentityInterceptor.java:30)
| at [email protected]//org.wildfly.security.auth.server.SecurityIdentity.runAsFunctionEx(SecurityIdentity.java:421)
| at [email protected]//org.wildfly.security.auth.server.Scoped.runAsFunctionEx(Scoped.java:161)
| at [email protected]//org.wildfly.security.auth.server.Scoped.runAsSupplierEx(Scoped.java:229)
| at [email protected]//org.jboss.as.ejb3.security.IdentityInterceptor.processInvocation(IdentityInterceptor.java:30)
| at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
| at [email protected]//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
| at [email protected]//org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:64)
| at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.keys.token.CryptoTokenManagementSessionLocal$$$view26.createCryptoToken(Unknown Source)
| at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.cryptotoken.CryptoTokenMBean.saveCurrentCryptoToken(CryptoTokenMBean.java:1212)
| at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.cryptotoken.CryptoTokenMBean.saveCurrentCryptoTokenWithCheck(CryptoTokenMBean.java:1049)
| at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
| at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
| at java.base/java.lang.reflect.Method.invoke(Unknown Source)
| at [email protected]//org.glassfish.expressly.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:186)
| at [email protected]//org.glassfish.expressly.parser.AstValue.invoke(AstValue.java:253)
| at [email protected]//org.glassfish.expressly.MethodExpressionImpl.invoke(MethodExpressionImpl.java:248)
| at [email protected]//org.jboss.weld.module.web.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40)
| at [email protected]//org.jboss.weld.module.web.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50)
| at [email protected]//com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:70)
| at [email protected]//com.sun.faces.application.ActionListenerImpl.getNavigationOutcome(ActionListenerImpl.java:74)
| at [email protected]//com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:62)
| at [email protected]//jakarta.faces.component.UICommand.broadcast(UICommand.java:205)
| at [email protected]//jakarta.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:858)
| at [email protected]//jakarta.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1332)
| at [email protected]//com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:56)
| at [email protected]//com.sun.faces.lifecycle.Phase.doPhase(Phase.java:72)
| at [email protected]//com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:131)
| at [email protected]//jakarta.faces.webapp.FacesServlet.executeLifecyle(FacesServlet.java:691)
| at [email protected]//jakarta.faces.webapp.FacesServlet.service(FacesServlet.java:449)
| at [email protected]//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
| at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
| at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.NoCacheFilter.doFilter(NoCacheFilter.java:68)
| at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67)
| at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
| at deployment.ejbca.ear//org.owasp.filters.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:151)
| at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67)
| at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
| at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.ProxiedAuthenticationFilter.doFilter(ProxiedAuthenticationFilter.java:104)
| at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67)
| at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
| at [email protected]//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
| at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
| at [email protected]//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
| at [email protected]//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
| at [email protected]//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.lambda$handleRequest$1(ElytronRunAsHandler.java:68)
| at [email protected]//org.wildfly.security.auth.server.FlexibleIdentityAssociation.runAsFunctionEx(FlexibleIdentityAssociation.java:103)
| at [email protected]//org.wildfly.security.auth.server.Scoped.runAsFunctionEx(Scoped.java:161)
| at [email protected]//org.wildfly.security.auth.server.Scoped.runAs(Scoped.java:73)
| at [email protected]//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.handleRequest(ElytronRunAsHandler.java:67)
| at [email protected]//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
| at [email protected]//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)
| at [email protected]//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
| at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
| at [email protected]//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
| at [email protected]//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
| at [email protected]//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)

3 replies

Babacar98 Jan 10, 2025

@primetomas
@svenska-primekey hello can you help me here ?

svenska-primekey Jan 11, 2025

I'm going to have to ask another dev. I don't know the code at that level. Let me see what I can find out.

Babacar98 Jan 13, 2025

@svenska-primekey Okay , thanks you I stay tuned.

Babacar98 · 2025-01-13T09:47:41Z

Babacar98
Jan 13, 2025

@svenska-primekey @primetomas
when i bash into the container and i test the commande "pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l -t"
i have this error :
root@ip-... :~/PKI/containers_ejbca# docker exec -it ejbca-container /bin/bash
I have no name!@********:/$ ls
bin boot dev etc home lib lib32 lib64 libx32 media mnt opt proc root run sbin srv sys tmp usr var
I have no name!@*******:/$ pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l -t
bash: pkcs11-tool: command not found

Hello,
I wanted to inform you that the library libsofthsm2.so is indeed present in the /usr/local/lib/softhsm directory of my container. Additionally, I have installed the pkcs11-tools module in my Dockerfile to ensure that all necessary tools are available.
However, when I try to execute the following command:
pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l -t
I still receive the following error:
bash: pkcs11-tool: command not found
This might indicate an issue with the path or the installation. Could you please help me resolve this issue?
Thank you in advance for your assistance!

1 reply

primetomas Jan 13, 2025
Maintainer

Can you start another thread on this topic. This thread as started by aleloco was been marked as answered. You can still mark us all in the new topic.

EJBCA and SoftHSM2 #273

Replies: 10 comments · 26 replies

primetomas Apr 18, 2023 Maintainer

primetomas Apr 25, 2023 Maintainer

aleloco09 May 4, 2023 Author

aleloco09 May 5, 2023 Author

primetomas May 8, 2023 Maintainer

aleloco09 May 8, 2023 Author

primetomas May 9, 2023 Maintainer

aleloco09 May 9, 2023 Author

primetomas May 10, 2023 Maintainer

aleloco09 Oct 10, 2023 Author

aleloco09 Oct 11, 2023 Author

primetomas Oct 11, 2023 Maintainer

aleloco09 Oct 20, 2023 Author

primetomas Oct 23, 2023 Maintainer

aleloco09 Oct 23, 2023 Author

aleloco09 Oct 25, 2023 Author

aleloco09 Oct 26, 2023 Author

aleloco09 Oct 26, 2023 Author

primetomas Oct 29, 2023 Maintainer

aleloco09 Oct 30, 2023 Author

primetomas Oct 30, 2023 Maintainer

primetomas Jan 9, 2025 Maintainer

primetomas Jan 13, 2025 Maintainer

Replies: 10 comments 26 replies

primetomas
Apr 18, 2023
Maintainer

primetomas Apr 25, 2023
Maintainer

aleloco09 May 4, 2023
Author

aleloco09 May 5, 2023
Author

primetomas May 8, 2023
Maintainer

aleloco09 May 8, 2023
Author

primetomas
May 9, 2023
Maintainer

aleloco09 May 9, 2023
Author

primetomas May 10, 2023
Maintainer

aleloco09
Oct 10, 2023
Author

aleloco09
Oct 11, 2023
Author

primetomas Oct 11, 2023
Maintainer

aleloco09
Oct 20, 2023
Author

primetomas Oct 23, 2023
Maintainer

aleloco09 Oct 23, 2023
Author

aleloco09 Oct 25, 2023
Author

aleloco09
Oct 26, 2023
Author

aleloco09 Oct 26, 2023
Author

primetomas Oct 29, 2023
Maintainer

aleloco09
Oct 30, 2023
Author

primetomas Oct 30, 2023
Maintainer

primetomas Jan 9, 2025
Maintainer

primetomas Jan 13, 2025
Maintainer