Utimaco is not referring to a defined value when i start signserver with docker

[MorganReid]

I start signserver with docker:
docker run -it --rm --name signserver
-p 80:8080 -p 443:8443
-e CRYPTO_SERVER_IP=****
-v /ca-cert.pem:/mnt/external/secrets/tls/cas/ManagementCA.crt
signserver:1.0

Now, i need connect signserver to PKCS11 on HSM.I has changed signserver-deploy.configuaration:
cryptotoken.p11.lib.30.name=Utimaco
cryptotoken.p11.lib.30.file=/opt/utimaco/p11/libcs_pkcs11_R3.so

Then I add PKCS#11 crypto worker from template,and i change the configuration:
WORKERGENID1.SHAREDLIBRARYNAME=Utimaco

The PKCS#11 crypto worker status is offline,so i active it and enter authentication Code.but i get errors:

• Failed to initialize crypto token: SHAREDLIBRARYNAME Utimaco is not referring to a defined value
  Could you please help me Thank you so much!

[mlundblad]

Hi!

You refer to the filename signserver-deploy.configuration, is that the literal file name you used?
If, so it wouldn't work as it should be conf/signserver_deploy.properties.

And also those shared libraries which are configured, and pointing to a valid shared library physically on disk with the configured path will show up in the error message if you try to setup a P11 crypto worker with an unknown SHAREDLIBRARYNAME.

[MorganReid]

Thank you very much for your answer, but I still have no success after following your method.

My dockerfile content below:
FROM keyfactor/signserver-ce
ADD conf/cs_pkcs11_R3.cfg /root/
ADD conf/signserver_deploy.properties /opt/primekey/signserver/conf/
ADD lib/libcs_pkcs11_R3.so /opt/utimaco/p11/
ADD bin/start.sh /usr/local/bin/
ENV CS_PKCS11_R3_CFG=/root/cs_pkcs11_R3.cfg
ENV CRYPTO_SERVER_IP=
USER root
CMD ["/usr/local/bin/start.sh"]

My start.sh content below:

#!/bin/bash
if [ -n "$CRYPTO_SERVER_IP" ]; then
  sed -i "s/Device=/Device=${CRYPTO_SERVER_IP}/g" /root/cs_pkcs11_R3.cfg
else
  echo "CRYPTO_SERVER_IP is not specified."
fi
echo "alias ll='ls -l'" >> ~/.bashrc
bash /opt/primekey/bin/start.sh

Where My signserver_deploy.properties changed:

cryptotoken.p11.lib.30.name=Utimaco
cryptotoken.p11.lib.30.file=/opt/utimaco/p11/libcs_pkcs11_R3.so

Then I build the image and execute:

docker build -t sec-signserver:1.0 .

docker run -it --rm --name signserver
-p 80:8080 -p 443:8443
-e CRYPTO_SERVER_IP=****
-v /ca-cert.pem:/mnt/external/secrets/tls/cas/ManagementCA.crt
signserver:1.0

PKCS#11 crypto worker create by template:

# Sample configuration of a PKCS#11 crypto worker
#

# Type of worker and implementation
WORKERGENID1.TYPE=CRYPTO_WORKER
WORKERGENID1.IMPLEMENTATION_CLASS=org.signserver.server.signers.CryptoWorker

# Uses a HSM or smart card through PKCS#11:
WORKERGENID1.CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.PKCS11CryptoToken

# Name for other workers to reference this worker:
WORKERGENID1.NAME=CryptoTokenP11

# Name of the PKCS#11 shared library to use:
# The samples below corresponds to the ones set by default in the deploy
# configuration. 
# To add new definitions or customize existing ones, see 
# conf/signserver_deploy.properties.sample.
#WORKERGENID1.SHAREDLIBRARYNAME=P11 Proxy
#WORKERGENID1.SHAREDLIBRARYNAME=SafeNet ProtectServer Gold
#WORKERGENID1.SHAREDLIBRARYNAME=SafeNet ProtectServer Gold Emulator
#WORKERGENID1.SHAREDLIBRARYNAME=SoftHSM
#WORKERGENID1.SHAREDLIBRARYNAME=SafeNet Luna Client
#WORKERGENID1.SHAREDLIBRARYNAME=SafeNet Luna SA
#WORKERGENID1.SHAREDLIBRARYNAME=SafeNet Luna PCI
WORKERGENID1.SHAREDLIBRARYNAME=Utimaco
#WORKERGENID1.SHAREDLIBRARYNAME=nCipher
#WORKERGENID1.SHAREDLIBRARYNAME=OpenSC

# Method for pointing out which slot to use:
WORKERGENID1.SLOTLABELTYPE=SLOT_NUMBER
#WORKERGENID1.SLOTLABELTYPE=SLOT_INDEX
#WORKERGENID1.SLOTLABELTYPE=SLOT_LABEL

# Which slot to use:
#WORKERGENID1.SLOTLABELVALUE=1
WORKERGENID1.SLOTLABELVALUE=0
#WORKERGENID1.SLOTLABELVALUE=MySlot

# Optional password of the slot. If specified the token is "auto-activated".
#WORKERGENID1.PIN=foo123

# Optional PKCS#11 attributes file or attributes
#WORKERGENID1.ATTRIBUTESFILE=/opt/signserver/doc/sample-config/p11attributes.cfg
WORKERGENID1.ATTRIBUTES=\
    attributes(generate,CKO_PUBLIC_KEY,*) \= {\n   \
       CKA_TOKEN \= false\n   \
       CKA_ENCRYPT \= false\n   \
       CKA_VERIFY \= true\n   \
       CKA_WRAP \= false\n\
    }\n\
    attributes(generate, CKO_PRIVATE_KEY,*) \= {\n   \
       CKA_TOKEN \= true\n   \
       CKA_PRIVATE \= true\n   \
       CKA_SENSITIVE \= true\n   \
       CKA_EXTRACTABLE \= false\n   \
       CKA_DECRYPT \= false\n   \
       CKA_SIGN \= true\n   \
       CKA_UNWRAP \= false\n\
    }

# Optional PKCS#11 attributes to override those specified statically in the ATTRIBUTES
# property or file
#WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_ALLOWED_MECHANISMS=CKM_RSA_PKCS, CKM_SHA256_RSA_PKCS, CKM_SHA384_RSA_PKCS, CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS_PSS, CKM_SHA256_RSA_PKCS_PSS, CKM_SHA384_RSA_PKCS_PSS, CKM_SHA512_RSA_PKCS_PSS
#WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_ALLOWED_MECHANISMS=CKM_RSA_PKCS_PSS, CKM_SHA256_RSA_PKCS_PSS, CKM_SHA384_RSA_PKCS_PSS, CKM_SHA512_RSA_PKCS_PSS
#WORKERGENID1.ATTRIBUTE.PRIVATE.ECDSA.CKA_ALLOWED_MECHANISMS=CKM_ECDSA

# One key to test activation with is required. If this key does not already
# exist generate it after the worker has been created.
WORKERGENID1.DEFAULTKEY=testkey0

I feel that the modification of signserver_deploy.properties does not take effect, because I modified other places, such as setting cryptotoken.disablekeygeneration=true, but it has no effect.

I found a sentence at the beginning of signserver_deploy.properties:
# Build configuration of SignServer. Modify at will before building and deploying.
Does this mean that the build is not reading my modified file? But after I logged into the container, I found that the file was modified. Is it related to the loading order, I want to implement my function, what should I do?

I have also searched for other information and tried my best to solve it, but it has never been successful. Hope you can help me, thank you very much.

[netmackan]

Hi,

Note that signserver_deploy.properties is the configuration file used when configuring the signserver.ear for deployment to the application server and is read and used when one runs the 'bin/ant deploy-ear' command. However, for the container packaging that command is run when the container is built and not at runtime and what is available in the container is an already configured application.

We are discussing if we should change the container packaging to configure the signserver.ear during startup so that all properties are read from conf/signserver_deploy.properties so that the container would behave more similar to a normal SignServer installation.

There is also an other solution of having SignServer read the configuration files during startup (sometimes referred to as "external configuration") however that is not supported for any packaging of SignServer and does not provide all SignServer deployment features.

In the short-term I suppose one could figure out what the configuration run during "bin/ant deploy" is doing with the cryptotoken.p11.lib.* properties and change the place where they end up. Roughly it would be something like this:

1. Find where the signserver.ear is in the container (probably under the appserver deployments folder and it might be folder instead of a ZIP file).
2. Find the JAR file which has the configuration, likely lib/SignServer-Common.jar
3. Find the properties file in that JAR file, something like org/signserver/common/.../signservercompile.properties
4. Change the property in that file and save it back to the ZIP file

Cheers,
Markus

[netmackan]

A similar issue is also discussed in #11

[MorganReid]

Thank you very much for your help, following your suggestion, the problem is now resolved.

[netmackan]

Great to hear. Cheers!