On Sat, 09 May 2020, Anthony Joseph Messina via FreeIPA-users wrote:
> On Saturday, May 9, 2020 3:17:25 PM CDT Anthony Joseph Messina via
> FreeIPA-users wrote:
> > After upgrading FreeIPA from F31 to F32, on startup I now see a lot of these
> > errors from certmonger, ns-slapd, java, etc.
> >
> > May 08 17:57:28 certmonger[38]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> > May 08 17:57:30 ns-slapd[67]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> > May 08 17:57:33 dogtag-ipa-renew-agent-submit[143]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> > May 08 17:57:42 java[640]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> >
> > The server seems to come up without issue, but can you point me in the right
> > direction to resolve these errors?
> >
> > freeipa-server-4.8.6-1.fc32.x86_64
> > opendnssec-2.1.6-5.fc32.x86_64
> > opencryptoki-3.13.0-1.fc32.x86_64
> >
> > I've installed a fresh F32 freeipa-server (on a test domain) and I don't see
> > these errors.
>
> I've tracked this to a difference in the crypto-policies package -- the F31 version
> contains the p11-kit-proxy stuff whereas the F32 version does not.
>
> #
> # F31: /etc/crypto-policies/back-ends/nss.config
> library=
> name=Policy
> NSS=flags=policyOnly,moduleDB
> config="disallow=ALL
> allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
> name=p11-kit-proxy
> library=p11-kit-proxy.so
>
> #
> # F32: /etc/crypto-policies/back-ends/nss.config
> library=
> name=Policy
> NSS=flags=policyOnly,moduleDB
> config="disallow=ALL
> allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
>
> I'm not sure whether removing the p11-kit-proxy related stuff from
> /etc/crypto-policies/back-ends/nss.config is the right thing to do, but
> the errors go away after that.
p11-kit-proxy simplifies configuration of HSM modules -- it
automatically proxies HSM modules configured in the system.
Either through crypto-policies before F32 or with the nss package in F32,
the nss library is configured to import HSM modules through p11-kit-proxy
automatically. In F32, nss installs /etc/crypto-policies/local.d/nss-p11-kit.config,
which contains the configuration that imports p11-kit automatically.
Since opendnssec uses SoftHSM, the SoftHSM package is installed and it is
automatically loaded into all applications using nss libraries, unless
they are specifically configured to ignore p11-kit-proxy.
On a new install, FreeIPA creates /etc/pkcs11/modules/softhsm2.module
that disables import of the SoftHSM module through p11-kit-proxy. This was
done with ticket
https://pagure.io/freeipa/issue/7810 in FreeIPA 4.8.0,
about a year ago. I guess your installation was older than F31.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
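A small shell check for the situation discussed in this thread, added here as an example (it is not code from the thread or from FreeIPA): given the crypto-policies NSS config files and the p11-kit module file for SoftHSM, it reports whether SoftHSM would be loaded into every NSS application through p11-kit-proxy, and it writes the opt-out module file. The `library=p11-kit-proxy.so` line is the one from the F31 config above; `disable-in:` is p11-kit's own directive, but the exact lines FreeIPA writes to softhsm2.module are an assumption.

```shell
#!/bin/sh
# Added diagnostic (not from the thread, not FreeIPA's own code).
# SoftHSM reaches every NSS application when some NSS config loads
# p11-kit-proxy.so AND the p11-kit module file for SoftHSM does not
# opt out of the proxy. Usage: softhsm_exposed_via_proxy MODULE_FILE NSS_CONFIG...
# Returns 0 (exposed) or 1 (not exposed).
softhsm_exposed_via_proxy() {
    module_file="$1"; shift
    proxy_loaded=1
    for cfg in "$@"; do   # e.g. back-ends/nss.config, local.d/nss-p11-kit.config
        if grep -qs '^library=p11-kit-proxy\.so' "$cfg"; then
            proxy_loaded=0
            break
        fi
    done
    [ "$proxy_loaded" -eq 0 ] || return 1
    # p11-kit honours "disable-in: p11-kit-proxy" in a module file;
    # grep -s treats a missing module file as "no opt-out".
    if grep -qs '^disable-in:.*p11-kit-proxy' "$module_file"; then
        return 1
    fi
    return 0
}

# Module file that keeps SoftHSM out of the proxy. The directive is p11-kit's;
# that FreeIPA writes exactly these lines is an assumption.
write_softhsm_module_exclusion() {
    printf '%s\n' 'module: libsofthsm2.so' 'disable-in: p11-kit-proxy' > "$1"
}

# Stand-alone demo on constructed stand-ins for the two configs in the thread.
demo() {
    tmp=$(mktemp -d)
    printf 'name=p11-kit-proxy\nlibrary=p11-kit-proxy.so\n' > "$tmp/f31-nss.config"
    printf 'library=\nname=Policy\n' > "$tmp/f32-nss.config"
    mod="$tmp/softhsm2.module"
    for cfg in "$tmp/f31-nss.config" "$tmp/f32-nss.config"; do
        if softhsm_exposed_via_proxy "$mod" "$cfg"; then
            echo "$(basename "$cfg"): SoftHSM loaded into NSS apps via p11-kit-proxy"
        else
            echo "$(basename "$cfg"): SoftHSM not exposed"
        fi
    done
    write_softhsm_module_exclusion "$mod"
    softhsm_exposed_via_proxy "$mod" "$tmp/f31-nss.config" || echo "with opt-out: not exposed"
    rm -rf "$tmp"
}
demo
```

On a real host, pass the module file plus every file under /etc/crypto-policies that NSS reads (back-ends/nss.config and local.d/nss-p11-kit.config) so the F32 layout is covered.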