a docker container will fail to activate "Crypto Tokens" after restarting with imported CA keystores

[SvenRoederer]

I'm new to EJBCA and started a new docker container based on "keyfactor/ejbca-ce:7.11.0". I made a simple docker-compose.yml which uses am separate MariaDB-instance.
After initial tests I changed to a production-setup, which includes setting own encryption-passwords (https://hub.docker.com/r/keyfactor/ejbca-ce --> Security Parameters).

In this setup, I'm not able to activate the "Crypto Tokens" anymore, for default "ManagmentCA" of my imported CA. I do the following steps, which always end in the situation:

• create container from scratch (including new database and removing all volumes)
• in Webadmin --> Home --> CA Status --> "ManagementCA" shows green checkmarks for CA Service and CRL Status
• in Webadmin --> Crypto Tokens --> "ManagementCA" shows green checkmarks for Active and Auto-Activation
• in Webadmin --> Certification Authorities --> import CA keystore --> import an existing SubCA "Application-CA"--> imported SubCA shows up
• gracefully shutting down container
• restarting container
• in Webadmin --> Home --> CA Status --> "ManagementCA" & "ApplicationCA" show red checkmarks
• in Webadmin --> Crypto Tokens --> "ManagementCA" & "ApplicationCA" show red checkmarks for Active ; "ManagementCA" has still green checkmark for Auto-Activation
• in WebAdmin --> Crypto Tokens --> "ApplicationCA" entering password and clicking "activate" --> results in some "password incorrect" red colored message

When I do the same without defining own passwords in docker-setup, all is working as expected.

That are the passwords I used initially, but also simple alpha-numerical password resulting in the same problem.

PASSWORD_ENCRYPTION_KEY=@qc)A;n![tP"CTC4W:3oaXWE=3up~hUe[wJN?o/
CA_KEYSTOREPASS=Fda|x<X]|h!o/4KoF4+bW>sx*PjqgXm3*:W~pHE
EJBCA_CLI_DEFAULTPASSWORD=TTtX.IqSM</#w-}:y+\mIWwR4+kBv|ybE@5]rbj=

the docker-compose.yml

version: "2"
services:
  ejbca:
    image: keyfactor/ejbca-ce:7.11.0
    hostname: ejbca-auger
    container_name: ejbca
    volumes:
      - persistent:/mnt/persistent
      - plugins:/opt/primekey/ejbca/plugins
    ports:
      - 8008:8080
      - 8443:8443
    environment:
      - TLS_SETUP_ENABLED=simple
      - DATABASE_JDBC_URL=jdbc:mysql://172.16.10.33:3306/ejbca?characterEncoding=UTF-8
      - DATABASE_USER=ejbca
      - DATABASE_PASSWORD=secure-password
    env_file:
      - local-settings.env
volumes:
  persistent:
  plugins:

docker log of initial startup, import, restart

[primetomas]

I made a simple test and it looks to be working as expected. What difference are you doing?

sudo docker run -it -p 18080:8080 -p 18443:8443 -h mycahostname -e TLS_SETUP_ENABLED="simple" -e DATABASE_JDBC_URL=jdbc:mysql://172.26.0.1:3306/ejbcatest?characterEncoding=UTF-8 -e DATABASE_USER=ejbca -e DATABASE_PASSWORD=ejbca -e PASSWORD_ENCRYPTION_KEY="secretpwdEnryptionKey" -e CA_KEYSTOREPASS="secretKeystorePass" -e EJBCA_CLI_DEFAULTPASSWORD="secretCliPassword" keyfactor/ejbca-ce

• created a crypto token, with auto-activattion
• created a CA using this crypto token
• restarted the container
• crypto token and CA is active and working as expected
• restarted with a different PASSWORD_ENCRYPTION_KEY (secretpwdEnryptionKey2), this is the one that affects stored auto-activation passwords
• crypto token and CA are not active as expected (error shown in log while starting container), "Unable to issue TLS certificate for local instance using ManagementCA."
• I can edit crypto tokens and save them again with the correct password (which is the old CA_KEYSTOREPASS for the default ManagementCA. I can enable autoactivation, the stored password will not be encrypted using the new PASSWORD_ENCRYPTION_KEY
• restarted the container
• crypto token and CA is active and working as expected

Importing a CA keystore should not make any difference from creating a new crypto token. I actually tested this as well.
Imported crypto tokens are not imported with auto-activation, so after restart of the container the imported crypto token need to be activated, but the already existing ones were auto-activated as expected.

It sounds like the custom PASSWORD_ENCRYPTION_KEY was not set correctly when you restarted the container?

The imported crypto token does not affect existing ones in any way, they are in separate rows in the database table.

[primetomas]

Converting to a discussion

[pakjebakmeel]

Hi I'm facing exactly the same issue and cannot find any information on this. I can see this in the logs like it's expecting a keystore but from what I found it's supposed to store the secret in the database?

2023-07-17 21:41:47,402+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) No truststore and/or password file were detected at '/opt/keyfactor/secrets/external/tls/ts/truststore.[jks|storepasswd]'. Check mount points and file permissions if this is not what you expected.