EJBCA with Luna HSM issues

[martincorr]

Hi Im trying to get ejbca to work with Luna HSM but failing. luna client is installed and I can view the slots via lunacm. running ejbca standard docker image. running docker as root.
When I start ejbca with debug logging I see this:
ejbca-ce | 2025-02-04 15:16:27,563+0000 DEBUG [org.ejbca.config.WebConfiguration] (default task-1) PKCS#11 library /usr/safenet/lunaclient/lib/libCryptoki2_64.so was not detected in file system and will not be available.

but the file is there:
sh-4.2$ pwd
/usr/safenet/lunaclient/lib
sh-4.2$ ls -l
total 32164
-rwxr-xr-x 1 root root 974536 Mar 22 2024 libcklog2.so
-rwxr-xr-x 1 root root 10716192 Mar 22 2024 libCryptoki2_64.so
-rwxr-xr-x 1 root root 10716192 Jan 20 13:47 libCryptoki2.so
-rwxr-xr-x 1 root root 146272 Mar 22 2024 libethsm.so
-rwxr-xr-x 1 root root 4849824 Mar 22 2024 libshim.so
-r-xr-x--- 1 root hsmusers 5519032 Mar 22 2024 libSoftToken.so

Ive followed the guide here https://hub.docker.com/r/keyfactor/ejbca-ce Im running on aws and when I change my local config I can toggle seeing the aws token or not.

Any ideas what Im doing wrong or what else I can check?

Thanks, Martin

[merryo11]

I believe your are in containerized environment so you need to move the luna crypto library libCryptoki2_64.so or libCryptoki2.so in your container fillesystem to make it work. Besides this you must also need to edit web.properties.

to check the container file system you can run the following command

docker container exec ls

to copy any file with continer file system you can run following command
docker cp host file path :/container file path
e.g..
docker cp /path/to/host/file.txt a1b2c3d4e5f6:/app/file.txt

[primetomas]

I do it by mounting. There is actually a command last in the Docker Hub page that gives an example:
https://hub.docker.com/r/keyfactor/ejbca-ce

Mounting it in the right path makes it so you don't have to edit any properties files.

There are more detailed HSM integration examples on out GitHub: https://github.com/Keyfactor/keyfactorcommunity/tree/main/hsm-integration

If the log says "PKCS#11 library /usr/safenet/lunaclient/lib/libCryptoki2_64.so was not detected in file system and will not be available." typically means privilege issues if you have mounted the filesystem in the right location. The file accessed by the container...

[hablutzel1]

@martincorr , just in case review the permissions of /usr/safenet/lunaclient/lib and all parent directories to confirm that directory is readable to the WildFly process. Something like this from within the container:

bash-5.1$ cd /usr/local/luna/libs/64 && while [[ $PWD != "/" ]]; do ls -ld "$(pwd)"; cd ..; done
drwxr-xr-x 2 10001 root 4096 Nov 22  2022 /usr/local/luna/libs/64
drwxr-xr-x 3 10001 root 4096 Nov 22  2022 /usr/local/luna/libs
drwxr-xr-x 1 root root 4096 Feb  6 17:04 /usr/local/luna
drwxr-xr-x 1 root root 4096 Jan  1 21:30 /usr/local
drwxr-xr-x 1 root root 4096 Jan  1  1970 /usr