August 9, 2019

Installing Dogtag on Fedora 30 with SoftHSM

Official Documentation

  1. https://www.dogtagpki.org/wiki/PKI_Install_Guide
  2. https://www.dogtagpki.org/wiki/PKI_10_Installation

Prerequisite

Check OS version.


# cat /etc/redhat-release 
Fedora release 30 (Thirty)

This is a lab setup, so we disable the local firewall. This should never be done in production, but here we want to focus on Dogtag and SoftHSM.


# systemctl stop firewalld; systemctl disable firewalld

The same goes for DNS: instead of setting up a name server, we hardcode the hostname in /etc/hosts.


# hostnamectl set-hostname dogtag-10.7.0-hsm.magnuskkarlsson.local

# ip addr show
...
    inet 192.168.122.230/24 brd 192.168.122.255 scope global dynamic noprefixroute enp1s0
...

# echo "192.168.122.230 dogtag-10.7.0-hsm.magnuskkarlsson.local" >> /etc/hosts

And finally, patch and reboot to make sure all new updates are installed.


# yum update -y

# reboot

389 Directory Server (1.4.1.6-1.fc30) - Installation of just Base DS


# yum install -y 389-ds-base 389-ds-base-legacy-tools

Difference between 389 DS packages 
    389-ds
        Description : The 389 Directory Server, Administration Server, and Console Suite provide
            : the LDAPv3 server, the httpd daemon used to administer the server, and the
            : console GUI application used for server and user/group administration.

    389-ds-base
        Description : 389 Directory Server is an LDAPv3 compliant server.  The base package includes
                    : the LDAP server and command line utilities for server administration.

The system user that 389 DS runs as.


# grep dirsrv /etc/passwd; grep dirsrv /etc/group
dirsrv:x:389:389:user for 389-ds-base:/usr/share/dirsrv:/sbin/nologin
dirsrv:x:389:

Configure 389 DS with setup-ds.pl.


# setup-ds.pl --silent \
    General.FullMachineName='dogtag-10.7.0-hsm.magnuskkarlsson.local' \
    General.SuiteSpotUserID=dirsrv \
    General.SuiteSpotGroup=dirsrv \
    slapd.ServerPort=389 \
    slapd.ServerIdentifier=pki-tomcat \
    slapd.Suffix=dc=magnuskkarlsson,dc=se \
    slapd.RootDN="cn=Directory Manager" \
    slapd.RootDNPwd=redhat123
Your new DS instance 'pki-tomcat' was successfully created.
Exiting . . .
Log file is '/tmp/setup7Mv_YS.log'

Check the installation log to verify that everything is OK.


# cat /tmp/setup7Mv_YS.log
[19/08/07:11:06:49] - [Setup] Info Your new DS instance 'pki-tomcat' was successfully created.
[19/08/07:11:06:49] - [Setup] Success Exiting . . .
Log file is '/tmp/setup7Mv_YS.log'

Test and verify the 389 installation with a simple query.


# ldapsearch -x -h dogtag-10.7.0-hsm.magnuskkarlsson.local -p 389 -s base -b "" "objectclass=*" 

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#

#
dn:
objectClass: top
defaultnamingcontext: dc=magnuskkarlsson,dc=se
dataversion: 020190807090649
netscapemdsuffix: cn=ldap://dc=dogtag-hsm,dc=magnuskkarlsson,dc=local:389

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

To enable and start all instances.


# systemctl enable dirsrv.target; systemctl start dirsrv.target

To check the status of a specific instance.


# systemctl status dirsrv@pki-tomcat.service

Install Dogtag (10.7.0-1.fc30)


# yum install -y dogtag-pki

SoftHSM (2.5.0-3.fc30.1)

The Dogtag documentation for HSM configuration is not always complete, but SoftHSM is covered here: https://www.dogtagpki.org/wiki/SoftHSM.


# yum install -y softhsm

Initialize a new SoftHSM token in a free slot, labelled "Dogtag" and with PIN "redhat123".


# softhsm2-util --init-token --label "Dogtag" --so-pin redhat123 --pin redhat123 --free

Since we initialize the SoftHSM token as root while Dogtag runs as pkiuser, we need to adjust the file permissions. Here we grant all permissions, since SoftHSM is used only for developing and testing against an HSM; in production you use a real HSM.


# chmod 777 /var/lib/softhsm -Rv

p11-kit

p11-kit is a new feature in Fedora 29 and 30. We need to disable it, otherwise the Dogtag installation script will not work.

https://pagure.io/freeipa/issue/7810


# rm -f /etc/crypto-policies/local.d/nss-p11-kit.config && update-crypto-policies

# reboot

Bug 3093: Installation Script Ignores sslserver Token Configuration

https://pagure.io/dogtagpki/issue/3093

https://github.com/dogtagpki/pki/pull/203/commits/7ce31807907416f681af9cbd0f1007bb3f1b41e8

Apply the pull request above by hand: comment out 'token = pki.nssdb.normalize_token(token)'.


# vi /usr/lib/python3.7/site-packages/pki/server/deployment/pkiparser.py
...
    def normalize_cert_token(self, name):

        # get cert token
        token = self.mdict.get(name)

        # if not specified, get default token name
        if not token:
            token = self.mdict.get('pki_token_name')

        # normalize token name
        # token = pki.nssdb.normalize_token(token)

        # update cert token
        self.mdict[name] = token
...

Also hardcode the sslserver token to the internal token with 'token = pki.nssdb.INTERNAL_TOKEN_NAME'.


# vi /usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py
...
    def import_perm_sslserver_cert(self, deployer, instance, cert):

        nickname = cert['nickname']
        token = pki.nssdb.normalize_token(cert['token'])

        if not token:
            token = deployer.mdict['pki_token_name']

        # BUG FIX hardcoded value
        token = pki.nssdb.INTERNAL_TOKEN_NAME

        logger.info(
            'Importing permanent SSL server cert into %s token: %s',
            token, nickname)

        tmpdir = tempfile.mkdtemp()
        nssdb = instance.open_nssdb(token)

        try:
            pem_cert = pki.nssdb.convert_cert(cert['data'], 'base64', 'pem')

            cert_file = os.path.join(tmpdir, 'sslserver.crt')
            with open(cert_file, 'w') as f:
                f.write(pem_cert)

            nssdb.add_cert(
                nickname=nickname,
                cert_file=cert_file)

        finally:
            nssdb.close()
            shutil.rmtree(tmpdir)
...

Install Dogtag CA (10.7.0-1.fc30)

http://www.dogtagpki.org/wiki/Installing_CA_with_HSM


# vi /root/dogtag-ca-softhsm.cfg
  
[DEFAULT]
pki_server_database_password=redhat123

pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so
pki_hsm_modulename=softhsm
pki_token_name=Dogtag
pki_token_password=redhat123

[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=redhat123
pki_admin_uid=caadmin

pki_client_database_password=redhat123
pki_client_database_purge=False
pki_client_pkcs12_password=redhat123

pki_ds_hostname=dogtag-10.7.0-hsm.magnuskkarlsson.local
pki_ds_ldap_port=389
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=redhat123
pki_ds_base_dn=o=pki-tomcat-CA

pki_security_domain_name=EXAMPLE

pki_ca_signing_token=Dogtag
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_token=Dogtag
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_token=Dogtag
pki_audit_signing_nickname=ca_audit_signing
pki_ssl_server_token=internal
pki_sslserver_token=internal
pki_sslserver_nickname=sslserver
pki_subsystem_token=Dogtag
pki_subsystem_nickname=subsystem

# pkispawn -f /root/dogtag-ca-softhsm.cfg -s CA

Log file: /var/log/pki/pki-ca-spawn.20190808224648.log
Loading deployment configuration from /root/dogtag-ca-softhsm.cfg.
WARNING: The 'pki_ssl_server_token' in [CA] has been deprecated. Use 'pki_sslserver_token' instead.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Module "softhsm" added to database.
Notice: Trust flag u is set automatically if the private key is present.
The unit files have no installation config (WantedBy=, RequiredBy=, Also=,
Alias= settings in the [Install] section, and DefaultInstance= for template
units). This means they are not meant to be enabled using systemctl.
 
Possible reasons for having this kind of units are:
• A unit may be statically enabled by being symlinked from another unit's
  .wants/ or .requires/ directory.
• A unit's purpose may be to act as a helper for some other unit which has
  a requirement dependency on it.
• A unit may be started when needed via activation (socket, path, timer,
  D-Bus, udev, scripted systemctl call, ...).
• In case of template units, the unit is meant to be enabled with some
  instance name specified.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12

      Administrator's certificate nickname:
            caadmin
      Administrator's certificate database:
            /root/.dogtag/pki-tomcat/ca/alias

      This CA subsystem of the 'pki-tomcat' instance
      has FIPS mode enabled on this operating system.

      REMINDER:  Don't forget to update the appropriate FIPS
                 algorithms in server.xml in the 'pki-tomcat' instance.

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-tomcat.service

      The URL for the subsystem is:
            https://dogtag-10.7.0-hsm.magnuskkarlsson.local:8443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================
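The following is an added example, not Dogtag's own code, that ties the bug 3093 section to the deployment configuration above. It loads a constructed copy of the relevant lines of /root/dogtag-ca-softhsm.cfg with configparser, flags the deprecated pki_ssl_server_token key that pkispawn warns about, and then models the sslserver token selection from pkiparser.normalize_cert_token() and configuration.import_perm_sslserver_cert() with and without the two edits. The normalize_token() helper is an assumption: it is re-implemented here on the understanding that pki.nssdb maps the internal token names to None, which is what makes 'internal' fall back to pki_token_name.

```python
"""Resolve which token pkispawn would import the sslserver certificate into.

Added example, not Dogtag's own code. normalize_token() is an assumed
re-implementation of pki.nssdb.normalize_token(); the two resolution steps
follow the code shown in the bug 3093 section above.
"""
import configparser

INTERNAL_TOKEN_NAME = 'internal'
INTERNAL_TOKEN_FULL_NAME = 'Internal Key Storage Token'

# Constructed copy of the token-related lines of /root/dogtag-ca-softhsm.cfg.
DEPLOYMENT_CFG = """\
[DEFAULT]
pki_hsm_enable=True
pki_token_name=Dogtag

[CA]
pki_ca_signing_token=Dogtag
pki_ocsp_signing_token=Dogtag
pki_audit_signing_token=Dogtag
pki_ssl_server_token=internal
pki_sslserver_token=internal
pki_subsystem_token=Dogtag
"""

# Old key -> replacement, as reported by the pkispawn WARNING above.
DEPRECATED = {'pki_ssl_server_token': 'pki_sslserver_token'}


def load_mdict(text, section='CA'):
    """Flatten [DEFAULT] plus the subsystem section into one dict, the way
    pkispawn's mdict holds the merged deployment parameters."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return dict(parser[section])


def deprecated_keys(mdict):
    """Return (old, new) pairs for deprecated keys present in the config."""
    return [(old, new) for old, new in DEPRECATED.items() if old in mdict]


def normalize_token(token):
    """Assumed behaviour of pki.nssdb.normalize_token(): the internal
    software token is represented as None; any other name is kept."""
    if not token:
        return None
    if token.lower() in (INTERNAL_TOKEN_NAME, INTERNAL_TOKEN_FULL_NAME.lower()):
        return None
    return token


def normalize_cert_token(mdict, name, parser_patched):
    """pkiparser.normalize_cert_token() as shown above; parser_patched means
    the normalize_token() call has been commented out."""
    token = mdict.get(name)
    if not token:
        token = mdict.get('pki_token_name')
    if not parser_patched:
        token = normalize_token(token)
    mdict[name] = token
    return token


def sslserver_import_token(mdict, cert_token, import_patched):
    """Token choice in configuration.import_perm_sslserver_cert();
    import_patched means the hardcoded INTERNAL_TOKEN_NAME line is present."""
    token = normalize_token(cert_token)
    if not token:
        token = mdict['pki_token_name']
    if import_patched:
        token = INTERNAL_TOKEN_NAME
    return token


def resolve_sslserver_token(mdict, parser_patched=False, import_patched=False):
    """Return the token the sslserver certificate would be imported into."""
    mdict = dict(mdict)  # work on a copy, normalize_cert_token() mutates it
    cert_token = normalize_cert_token(mdict, 'pki_sslserver_token', parser_patched)
    return sslserver_import_token(mdict, cert_token, import_patched)


if __name__ == '__main__':
    mdict = load_mdict(DEPLOYMENT_CFG)
    for old, new in deprecated_keys(mdict):
        print('deprecated: %s (use %s)' % (old, new))
    for flags in ((False, False), (True, False), (True, True)):
        print('parser patched=%s, import patched=%s -> sslserver token: %s'
              % (flags[0], flags[1], resolve_sslserver_token(mdict, *flags)))
```

Running it shows why both edits were needed: with neither edit, 'internal' is normalized to None and the fallback sends sslserver to the Dogtag token; with only the pkiparser edit, the second normalization in configuration.py does the same; only with the hardcoded token does sslserver end up in the internal database, which is what the certutil listing in the Verification section confirms.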

Verification

https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing_CA_with_HSM.md

Check the Dogtag NSS database: the HSM token certificates should be there and sslserver should be stored only locally.


# echo redhat123 > password.txt

# certutil -L -d /var/lib/pki/pki-tomcat/alias -h all -f password.txt

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

sslserver                                                    u,u,u
ca_audit_signing                                             u,u,Pu
ca_signing                                                   CTu,Cu,Cu
Dogtag:ca_signing                                            CTu,Cu,Cu
Dogtag:ca_audit_signing                                      u,u,Pu
Dogtag:ca_ocsp_signing                                       u,u,u
Dogtag:subsystem                                             u,u,u
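As an added example, not part of the original post, the following script turns the manual inspection of the certutil listing above into a check. It parses the 'certutil -L -h all' output (embedded here as a constructed sample copied from the listing above), treats a '<token>:<nickname>' entry as stored on that PKCS#11 token and a bare nickname as stored in the internal database, and reports any certificate that is not where the deployment config intended it. The expected layout passed in (which nicknames belong on the HSM, which must stay internal-only) is an assumption taken from the cfg values on this page.

```python
"""Verify certificate placement in a Dogtag NSS database from certutil output.

Added example, not Dogtag's own code.
"""
import re

# Constructed sample, copied from the certutil -L listing above.
CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

sslserver                                                    u,u,u
ca_audit_signing                                             u,u,Pu
ca_signing                                                   CTu,Cu,Cu
Dogtag:ca_signing                                            CTu,Cu,Cu
Dogtag:ca_audit_signing                                      u,u,Pu
Dogtag:ca_ocsp_signing                                       u,u,u
Dogtag:subsystem                                             u,u,u
"""

# A certificate line ends in three comma-separated trust flag groups; the
# header lines and the blank line do not match this shape.
LINE_RE = re.compile(r'(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)')


def parse_listing(text):
    """Return {(token, nickname): trust_flags} for every certificate line.
    'internal' is used as the token name for bare nicknames."""
    certs = {}
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue
        token, _, name = m.group('nick').rpartition(':')
        certs[(token or 'internal', name)] = m.group('trust')
    return certs


def check_placement(certs, hsm_token, hsm_nicknames, internal_only=('sslserver',)):
    """Return a list of problems; an empty list means the layout is as intended.

    hsm_nicknames must each have a copy on hsm_token (a trust-only copy in the
    internal database, like ca_signing above, is allowed). internal_only
    nicknames must be in the internal database and nowhere else."""
    tokens_by_name = {}
    for token, name in certs:
        tokens_by_name.setdefault(name, set()).add(token)

    problems = []
    for name in hsm_nicknames:
        if hsm_token not in tokens_by_name.get(name, set()):
            problems.append('%s missing from HSM token %s' % (name, hsm_token))
    for name in internal_only:
        where = tokens_by_name.get(name, set())
        if 'internal' not in where:
            problems.append('%s missing from internal database' % name)
        for token in sorted(where - {'internal'}):
            problems.append('%s unexpectedly stored on token %s' % (name, token))
    return problems


# Assumed expected layout, taken from the pki_*_token values in the cfg above.
HSM_NICKNAMES = ['ca_signing', 'ca_ocsp_signing', 'ca_audit_signing', 'subsystem']

if __name__ == '__main__':
    certs = parse_listing(CERTUTIL_LISTING)
    for (token, name), trust in sorted(certs.items()):
        print('%-10s %-20s %s' % (token, name, trust))
    print(check_placement(certs, 'Dogtag', HSM_NICKNAMES) or 'placement OK')
```

The same check run on a listing produced before the bug 3093 edits would report 'sslserver unexpectedly stored on token Dogtag', which is the symptom the bug describes.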

Test connecting to Dogtag by creating a user NSS DB in ~/.dogtag/nssdb. First initialize it.


# pki -c redhat123 client-init

Add the new Dogtag CA as a trusted CA. To do that we first need to export it from the Dogtag NSS DB.


# certutil -L -d /var/lib/pki/pki-tomcat/alias -n "ca_signing" -a -o ca_signing.crt

Then import it into the local user NSS DB.


# pki -c redhat123 client-cert-import ca_signing --ca-cert ca_signing.crt

And finally import the newly generated admin P12 file.


# pki -c redhat123 client-cert-import --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf
----------------------------------------
Imported certificates from PKCS #12 file
----------------------------------------

Now we are ready to query Dogtag.


# pki -c redhat123 -n caadmin ca-user-show caadmin
--------------
User "caadmin"
--------------
  User ID: caadmin
  Full name: caadmin
  Email: caadmin@example.com
  Type: adminType
  State: 1
