EJBCA with Luna HSM issues

[martincorr]

Hi Im trying to get ejbca to work with Luna HSM but failing. luna client is installed and I can view the slots via lunacm. running ejbca standard docker image. running docker as root.
When I start ejbca with debug logging I see this:
ejbca-ce | 2025-02-04 15:16:27,563+0000 DEBUG [org.ejbca.config.WebConfiguration] (default task-1) PKCS#11 library /usr/safenet/lunaclient/lib/libCryptoki2_64.so was not detected in file system and will not be available.

but the file is there:
sh-4.2$ pwd
/usr/safenet/lunaclient/lib
sh-4.2$ ls -l
total 32164
-rwxr-xr-x 1 root root 974536 Mar 22 2024 libcklog2.so
-rwxr-xr-x 1 root root 10716192 Mar 22 2024 libCryptoki2_64.so
-rwxr-xr-x 1 root root 10716192 Jan 20 13:47 libCryptoki2.so
-rwxr-xr-x 1 root root 146272 Mar 22 2024 libethsm.so
-rwxr-xr-x 1 root root 4849824 Mar 22 2024 libshim.so
-r-xr-x--- 1 root hsmusers 5519032 Mar 22 2024 libSoftToken.so

Ive followed the guide here https://hub.docker.com/r/keyfactor/ejbca-ce Im running on aws and when I change my local config I can toggle seeing the aws token or not.

Any ideas what Im doing wrong or what else I can check?

Thanks, Martin

[merryo11]

I believe your are in containerized environment so you need to move the luna crypto library libCryptoki2_64.so or libCryptoki2.so in your container fillesystem to make it work. Besides this you must also need to edit web.properties.

to check the container file system you can run the following command

docker container exec ls

to copy any file with continer file system you can run following command
docker cp host file path :/container file path
e.g..
docker cp /path/to/host/file.txt a1b2c3d4e5f6:/app/file.txt

[primetomas]

I do it by mounting. There is actually a command last in the Docker Hub page that gives an example:
https://hub.docker.com/r/keyfactor/ejbca-ce

Mounting it in the right path makes it so you don't have to edit any properties files.

There are more detailed HSM integration examples on out GitHub: https://github.com/Keyfactor/keyfactorcommunity/tree/main/hsm-integration

If the log says "PKCS#11 library /usr/safenet/lunaclient/lib/libCryptoki2_64.so was not detected in file system and will not be available." typically means privilege issues if you have mounted the filesystem in the right location. The file accessed by the container...

[hablutzel1]

@martincorr , just in case review the permissions of /usr/safenet/lunaclient/lib and all parent directories to confirm that directory is readable to the WildFly process. Something like this from within the container:

bash-5.1$ cd /usr/local/luna/libs/64 && while [[ $PWD != "/" ]]; do ls -ld "$(pwd)"; cd ..; done
drwxr-xr-x 2 10001 root 4096 Nov 22  2022 /usr/local/luna/libs/64
drwxr-xr-x 3 10001 root 4096 Nov 22  2022 /usr/local/luna/libs
drwxr-xr-x 1 root root 4096 Feb  6 17:04 /usr/local/luna
drwxr-xr-x 1 root root 4096 Jan  1 21:30 /usr/local
drwxr-xr-x 1 root root 4096 Jan  1  1970 /usr

[martincorr]

thanks guys, got it working in the end. for anyone with a similar issue this is what I did:

I tried installing the minimal luna client install within docker but it just wasnt finding libraries. The thales guides on this arent that clear (to me) Instead I:

• Created a copy of mother system /usr/safenet in mother system /opt/safenet
• volume mapped mother system /opt/safenet into the docker image /usr/safenet
• File mapped mother system /etc/Chrystoki.conf into the docker image
• As pointed out by hablutzel1 on file permissions, I couldnt use local mother system /usr/safenet directly because the restricted permissions were screwing access to the pem files and sporadically to dependent libraries within the container

In some versions of java, internal classes within sunpkcs11 are not exported. Ejbca uses the sunpkcs11 classes for mechanisms etc so it was throwing exceptions around classes not being exported. So in the app server startup I modified the java options to include:

• --add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED

as an aside, ejbca standard docker image comes with all the supported hsms included in the config. You should be able to override this by supplying your own web.properties but this didnt seem to have any effect. So I just had to make the pkcs11 lib appear in the expected place.

After restart I could see the hsm and enumerate the slots when adding a crypto token.

thanks all for your help and advice.

[primetomas]

Thanks for sharing the resolution, it will be helpful for many.