On Sunday, May 10, 2020 1:32:14 PM CDT Alexander Bokovoy wrote:
On Sat, 09 May 2020, Anthony Joseph Messina via FreeIPA-users wrote:
On Saturday, May 9, 2020 3:17:25 PM CDT Anthony Joseph Messina via FreeIPA-users wrote:
After upgrading FreeIPA from F31 to F32, on startup I now see a lot of these errors from certmonger, ns-slapd, java, etc.
May 08 17:57:28 certmonger[38]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:30 ns-slapd[67]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:33 dogtag-ipa-renew-agent-submit[143]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:42 java[640]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
The server seems to come up without issue, but can you point me in the right direction to resolve these errors?
freeipa-server-4.8.6-1.fc32.x86_64
opendnssec-2.1.6-5.fc32.x86_64
opencryptoki-3.13.0-1.fc32.x86_64
I've installed a fresh F32 freeipa-server (on a test domain) and I don't see these errors.
I've tracked this to a difference in the crypto-policies package -- the F31 version contains the p11-kit-proxy stuff whereas the F32 version does not.
#
# F31: /etc/crypto-policies/back-ends/nss.config
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"

name=p11-kit-proxy
library=p11-kit-proxy.so

#
# F32: /etc/crypto-policies/back-ends/nss.config
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
I'm not sure whether removing the p11-kit-proxy related stuff from /etc/crypto-policies/back-ends/nss.config is the right thing to do, but the errors go away after that.
p11-kit-proxy simplifies configuration of HSM modules -- it automatically proxies HSM modules configured in the system.
Either through crypto-policies before F32 or through the nss package in F32, the nss library is configured to import HSM modules through p11-kit-proxy automatically. In F32, nss installs /etc/crypto-policies/local.d/nss-p11-kit.config, which contains the configuration that imports p11-kit automatically.
Since opendnssec uses SoftHSM, SoftHSM package is installed and it is automatically loaded into all applications using nss libraries, unless they are specifically configured to ignore p11-kit-proxy.
On a new install, FreeIPA creates /etc/pkcs11/modules/softhsm2.module, which disables import of the SoftHSM module through p11-kit-proxy. This was done with ticket https://pagure.io/freeipa/issue/7810 in FreeIPA 4.8.0, about a year ago. I guess your installation was older than F31.
Thank you Alexander for the guidance.
I have removed/backed up the /etc/crypto-policies/local.d/nss-p11-kit.config and regenerated the configuration via update-crypto-policies --set on my F32 FreeIPA servers.
Oddly, I did (and do) have the following file in place:
# cat /etc/pkcs11/modules/softhsm2.module
# created by IPA installer
module: /usr/lib64/pkcs11/libsofthsm2.so
disable-in: p11-kit-proxy
But that didn't make a difference to the errors until I removed /etc/crypto-policies/local.d/nss-p11-kit.config
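The two moving parts in this thread are the per-module "disable-in: p11-kit-proxy" line in /etc/pkcs11/modules/*.module and the "library=p11-kit-proxy.so" import in the NSS crypto-policies back end. The script below is an added diagnostic, not code from the thread, from FreeIPA or from p11-kit: it parses a directory of p11-kit module files to report which modules the proxy would still load into every NSS application, and checks whether a given nss.config imports the proxy at all. The function names are mine, and it runs against constructed copies of the files (a softhsm2.module matching the one quoted above, a second module with no disable-in line, and stripped-down F31/F32 nss.config stand-ins) rather than the real /etc/pkcs11/modules and /etc/crypto-policies/back-ends/nss.config.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread, FreeIPA or p11-kit).
# Answers two questions behind the LCK..APIlock noise:
#   1. which PKCS#11 modules in a p11-kit module directory p11-kit-proxy
#      would load (those lacking "disable-in: p11-kit-proxy"), and
#   2. whether an NSS crypto-policies config imports p11-kit-proxy, which
#      is what pulls every proxied module into every NSS application.
# Real inputs would be /etc/pkcs11/modules and
# /etc/crypto-policies/back-ends/nss.config; constructed copies are used.

# p11_proxy_report DIR
#   Prints "<file>: <library> <proxied|disabled-in-proxy>" per *.module file.
#   "disable-in:" holds a comma/space separated list of program names
#   (p11-kit syntax); the module is hidden from the proxy only if that list
#   names p11-kit-proxy.
p11_proxy_report() {
    dir=$1
    for f in "$dir"/*.module; do
        [ -f "$f" ] || continue
        lib=$(sed -n 's/^module:[[:space:]]*//p' "$f" | head -n 1)
        state=proxied
        for prog in $(sed -n 's/^disable-in:[[:space:]]*//p' "$f" | tr ',' ' '); do
            [ "$prog" = p11-kit-proxy ] && state=disabled-in-proxy
        done
        printf '%s: %s %s\n' "$(basename "$f")" "${lib:-?}" "$state"
    done
}

# count_proxied DIR
#   Number of modules p11-kit-proxy would load from DIR.
count_proxied() {
    p11_proxy_report "$1" | grep -c ' proxied$'
}

# nss_config_imports_proxy FILE
#   Succeeds when FILE carries the "library=p11-kit-proxy.so" module entry.
nss_config_imports_proxy() {
    grep -q '^library=p11-kit-proxy\.so$' "$1"
}

# --- constructed sample input (removed on exit) -----------------------------
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/modules"

# Same content as the softhsm2.module written by the IPA installer.
cat > "$demo/modules/softhsm2.module" <<'EOF'
# created by IPA installer
module: /usr/lib64/pkcs11/libsofthsm2.so
disable-in: p11-kit-proxy
EOF

# A module with no disable-in: line, so the proxy would load it.
cat > "$demo/modules/opencryptoki.module" <<'EOF'
module: /usr/lib64/pkcs11/libopencryptoki.so
EOF

# Minimal stand-ins for the F31 (with proxy) and F32 (without) nss.config.
printf 'library=\nname=Policy\n\nname=p11-kit-proxy\nlibrary=p11-kit-proxy.so\n' \
    > "$demo/nss-f31.config"
printf 'library=\nname=Policy\n' > "$demo/nss-f32.config"

p11_proxy_report "$demo/modules"
echo "modules p11-kit-proxy would load: $(count_proxied "$demo/modules")"
for cfg in nss-f31.config nss-f32.config; do
    if nss_config_imports_proxy "$demo/$cfg"; then
        echo "$cfg: imports p11-kit-proxy (proxied modules reach all NSS apps)"
    else
        echo "$cfg: does not import p11-kit-proxy"
    fi
done
```

Pointing p11_proxy_report at the real /etc/pkcs11/modules shows whether a module such as opencryptoki is still reachable through the proxy; running nss_config_imports_proxy against the real back-end file (and checking for /etc/crypto-policies/local.d/nss-p11-kit.config) tells you whether NSS applications will load it, which is the combination that produced the errors in the original report.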