CKR_PIN_INCORRECT when creating HSM Crpto token

[martincorr]

After finally getting ejbca to connect to a Luna HSM, Im creating the HSM crypto token. It connects pkcs11 correctly and if I choose slot/token label ejbca does indeed enumerate the available slots. But when I try the security/crypto officer pin I always get CKR_PIN_INCORRECT . I can run the vendor tool ckdemo and logon there as the officer with the PIN then that works.

Reading the integration guide https://www.thalesdocs.com/gphsm/integrations/guides/ejbca/index.html#create_pkcs11_crypto_token_on_ejbca this tells me that "Crypto Token Details: Proceed to enter the necessary details to create a PKCS11 token. Ensure that you use the Luna crypto library name you added earlier. The Authentication Code corresponds to the Luna HSM Crypto Officer password." so I should be on the right track.

If I use ckdemo and try to logon as the security/crypto user then that fails but with a different error (vendor specific CKR_INVALID_ENTRY_TYPE) due to PED authentication.

Has anyone seen this type of behaviour? Seems pretty basic but for the life of me I cant see whats going wrong.

Im using the latest docker image of ejbca here https://hub.docker.com/r/keyfactor/ejbca-ce
Trace:

ejbca-ce | 2025-02-14 15:34:01,746+0000 DEBUG [org.ejbca.ui.web.admin.BaseManagedBean] (default task-2) Exception occurred in Admin Web interface, adding error message: com.keyfactor.util.keys.token.CryptoTokenAuthenticationFailedException: Failed to initialize PKCS11 provider slot 'test03'.
ejbca-ce | at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.activate(PKCS11CryptoToken.java:166)
ejbca-ce | at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.keys.token.CryptoTokenManagementSessionBean.createCryptoToken(CryptoTokenManagementSessionBean.java:411)
ejbca-ce | at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.keys.token.CryptoTokenManagementSessionBean.createCryptoToken(CryptoTokenManagementSessionBean.java:457)
ejbca-ce | at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
ejbca-ce | at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
ejbca-ce | at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
ejbca-ce | at java.base/java.lang.reflect.Method.invoke(Unknown Source)
ejbca-ce | at [email protected]//org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:35)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
ejbca-ce | at [email protected]//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.delegateInterception(Jsr299BindingsInterceptor.java:62)
ejbca-ce | at [email protected]//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.doMethodInterception(Jsr299BindingsInterceptor.java:72)
ejbca-ce | at [email protected]//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:85)
ejbca-ce | at [email protected]//org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:46)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:26)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:30)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.as.ee.concurrent.ConcurrentContextInterceptor.processInvocation(ConcurrentContextInterceptor.java:28)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:40)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
ejbca-ce | at [email protected]//org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:35)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:34)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:39)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:237)
ejbca-ce | at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:373)
ejbca-ce | at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:143)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
ejbca-ce | at [email protected]//org.jboss.weld.module.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:78)
ejbca-ce | at [email protected]//org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:72)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:24)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:30)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.as.ejb3.security.IdentityOutflowInterceptor.processInvocation(IdentityOutflowInterceptor.java:56)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.as.ejb3.security.SecurityDomainInterceptor.processInvocation(SecurityDomainInterceptor.java:27)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:27)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:47)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:50)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:33)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
ejbca-ce | at [email protected]//org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:633)
ejbca-ce | at [email protected]//org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
ejbca-ce | at [email protected]//org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:181)
ejbca-ce | at [email protected]//org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:174)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.as.ejb3.security.IdentityInterceptor.lambda$processInvocation$0(IdentityInterceptor.java:30)
ejbca-ce | at [email protected]//org.wildfly.security.auth.server.SecurityIdentity.runAsFunctionEx(SecurityIdentity.java:421)
ejbca-ce | at [email protected]//org.wildfly.security.auth.server.Scoped.runAsFunctionEx(Scoped.java:161)
ejbca-ce | at [email protected]//org.wildfly.security.auth.server.Scoped.runAsSupplierEx(Scoped.java:229)
ejbca-ce | at [email protected]//org.jboss.as.ejb3.security.IdentityInterceptor.processInvocation(IdentityInterceptor.java:30)
ejbca-ce | at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
ejbca-ce | at [email protected]//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
ejbca-ce | at [email protected]//org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:64)
ejbca-ce | at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.keys.token.CryptoTokenManagementSessionLocal$$$view49.createCryptoToken(Unknown Source)
ejbca-ce | at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.cryptotoken.CryptoTokenMBean.saveCurrentCryptoToken(CryptoTokenMBean.java:1212)
ejbca-ce | at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.cryptotoken.CryptoTokenMBean.saveCurrentCryptoTokenWithCheck(CryptoTokenMBean.java:1049)
ejbca-ce | at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
ejbca-ce | at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
ejbca-ce | at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
ejbca-ce | at java.base/java.lang.reflect.Method.invoke(Unknown Source)
ejbca-ce | at [email protected]//org.glassfish.expressly.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:186)
ejbca-ce | at [email protected]//org.glassfish.expressly.parser.AstValue.invoke(AstValue.java:253)
ejbca-ce | at [email protected]//org.glassfish.expressly.MethodExpressionImpl.invoke(MethodExpressionImpl.java:248)
ejbca-ce | at [email protected]//org.jboss.weld.module.web.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40)
ejbca-ce | at [email protected]//org.jboss.weld.module.web.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50)
ejbca-ce | at [email protected]//com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:70)
ejbca-ce | at [email protected]//com.sun.faces.application.ActionListenerImpl.getNavigationOutcome(ActionListenerImpl.java:74)
ejbca-ce | at [email protected]//com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:62)
ejbca-ce | at [email protected]//jakarta.faces.component.UICommand.broadcast(UICommand.java:205)
ejbca-ce | at [email protected]//jakarta.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:858)
ejbca-ce | at [email protected]//jakarta.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1332)
ejbca-ce | at [email protected]//com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:56)
ejbca-ce | at [email protected]//com.sun.faces.lifecycle.Phase.doPhase(Phase.java:72)
ejbca-ce | at [email protected]//com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:131)
ejbca-ce | at [email protected]//jakarta.faces.webapp.FacesServlet.executeLifecyle(FacesServlet.java:691)
ejbca-ce | at [email protected]//jakarta.faces.webapp.FacesServlet.service(FacesServlet.java:449)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
ejbca-ce | at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.NoCacheFilter.doFilter(NoCacheFilter.java:68)
ejbca-ce | at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
ejbca-ce | at deployment.ejbca.ear//org.owasp.filters.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:151)
ejbca-ce | at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
ejbca-ce | at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.ProxiedAuthenticationFilter.doFilter(ProxiedAuthenticationFilter.java:104)
ejbca-ce | at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
ejbca-ce | at [email protected]//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.lambda$handleRequest$1(ElytronRunAsHandler.java:68)
ejbca-ce | at [email protected]//org.wildfly.security.auth.server.FlexibleIdentityAssociation.runAsFunctionEx(FlexibleIdentityAssociation.java:103)
ejbca-ce | at [email protected]//org.wildfly.security.auth.server.Scoped.runAsFunctionEx(Scoped.java:161)
ejbca-ce | at [email protected]//org.wildfly.security.auth.server.Scoped.runAs(Scoped.java:73)
ejbca-ce | at [email protected]//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.handleRequest(ElytronRunAsHandler.java:67)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
ejbca-ce | at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
ejbca-ce | at [email protected]//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
ejbca-ce | at [email protected]//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:60)
ejbca-ce | at [email protected]//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
ejbca-ce | at org.wildfly.security.elytron-web.undertow-server-servlet@4.1.0.Final//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
ejbca-ce | at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
ejbca-ce | at [email protected]//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:44)
ejbca-ce | at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
ejbca-ce | at [email protected]//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:51)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
ejbca-ce | at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:276)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:132)
ejbca-ce | at [email protected]//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
ejbca-ce | at [email protected]//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
ejbca-ce | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421)
ejbca-ce | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421)
ejbca-ce | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421)
ejbca-ce | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421)
ejbca-ce | at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:256)
ejbca-ce | at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:101)
ejbca-ce | at [email protected]//io.undertow.server.Connectors.executeRootHandler(Connectors.java:393)
ejbca-ce | at [email protected]//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:859)
ejbca-ce | at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
ejbca-ce | at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
ejbca-ce | at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
ejbca-ce | at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
ejbca-ce | at [email protected]//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
ejbca-ce | at java.base/java.lang.Thread.run(Unknown Source)
ejbca-ce | Caused by: java.io.IOException: load failed
ejbca-ce | at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineLoad(Unknown Source)
ejbca-ce | at java.base/java.security.KeyStore.load(Unknown Source)
ejbca-ce | at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.createKeyStore(PKCS11CryptoToken.java:203)
ejbca-ce | at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.activate(PKCS11CryptoToken.java:162)
ejbca-ce | ... 150 more
ejbca-ce | Caused by: java.security.UnrecoverableKeyException
ejbca-ce | ... 154 more
ejbca-ce | Caused by: javax.security.auth.login.FailedLoginException
ejbca-ce | at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.login(Unknown Source)
ejbca-ce | at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.login(Unknown Source)
ejbca-ce | ... 154 more
ejbca-ce | Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_PIN_INCORRECT
ejbca-ce | at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method)
ejbca-ce | ... 156 more
ejbca-ce |

Chrystoki.conf looks like this:
hrystoki2 = {
LibUNIX = /usr/safenet/lunaclient/lib/libCryptoki2.so
LibUNIX64 = /usr/safenet/lunaclient/lib/libCryptoki2_64.so
}

Luna = {
DefaultTimeOut = 500000;
PEDTimeout1 = 100000;
PEDTimeout2 = 200000;
PEDTimeout3 = 20000;
KeypairGenTimeOut = 2700000;
CloningCommandTimeOut = 300000;
CommandTimeOutPedSet = 720000;
}

CardReader = {
RemoteCommand = 1;
}

Misc = {
PE1746Enabled = 0;
ValidateHost = 0;
ToolsDir = /usr/safenet/lunaclient/bin;
PartitionPolicyTemplatePath = /usr/safenet/lunaclient/data/partition_policy_templates;
ProtectedAuthenticationPathFlagStatus = 0;
MutexFolder = /usr/safenet/lunaclient/lock;
PluginModuleDir = /usr/safenet/lunaclient/plugins;
}
LunaSA Client = {
ReceiveTimeout = 20000;
SSLConfigFile = /usr/safenet/lunaclient/bin/openssl.cnf;
ClientPrivKeyFile = /usr/safenet/lunaclient/cert/client/192.168.10.65Key.pem;
ClientCertFile = /usr/safenet/lunaclient/cert/client/192.168.10.65.pem;
ServerCAFile = /usr/safenet/lunaclient/cert/server/CAFile.pem;
NetClient = 1;
TCPKeepAlive = 1;
ServerName00 = ;
ServerPort00 = 1792;
ServerHtl00 = 0;
}
Secure Trusted Channel = {
SoftTokenDir = /usr/safenet/lunaclient/configData/token;
ClientIdentitiesDir = /usr/safenet/lunaclient/data/client_identities;
PartitionIdentitiesDir = /usr/safenet/lunaclient/data/partition_identities;
ClientTokenLib = /usr/safenet/lunaclient/lib/libSoftToken.so;
}
VirtualToken = {

VirtualToken00Label = myha;
VirtualToken00SN = 11374107993610;
VirtualToken00Members = 1374107993610,1374107993609,1374107993608;
VirtualTokenActiveRecovery = activeEnhanced;
}
HASynchronize = {
myha = 1;
}
HAConfiguration = {
haLogStatus = enabled;
HAOnly = 0;
reconnAtt = 60;
haLogPath = /hsm/safenet/lunaclient/HAlog;
}
CkLog2 = {
Enabled = 1;
NewFormat = 1;
File = /tmp/cklog.txt;
FileSize = 100;
Error = /tmp/error.txt;
LibUNIX = /usr/safenet/lunaclient/lib/libCryptoki2.so;
LibUNIX64 = /usr/safenet/lunaclient/lib/libCryptoki2_64.so;
}

[primetomas]

Did you read the configuration guide here? https://docs.keyfactor.com/ejbca/latest/thales-luna-hsm
Pay attention to the policy config of the partition. I assume you are using the latest firmware and PKCS#11 client.

[martincorr]

thanks tomas.
partitions are activated.
One thing that strikes me as inconsistent. the link mentions the "Record Partition Client Password (TP)" but this is for pre-v7 firmware (Im using 7.7.0). Looking here
https://cpl.thalesgroup.com/sites/default/files/content/integration_guides/field_document/2021-02/EJBCA_LunaHSM_IntegrationGuide_RevN.pdf
it specifies "Enter the details to create a PKCS11 token using the Luna crypto library name you added earlier. The Authentication Code is the Luna HSM Crypto Officer password."
this is what Im doing. It seems so basic an issue.
lunacm says this:
lunacm (64-bit) v10.7.1-125. Copyright (c) 2024 Thales Group. All rights reserved.

    Available HSMs:

    Slot Id ->              0
    Label ->                codesign
    Serial Number ->        1374107993612
    Model ->                LunaSA 7.7.1
    Firmware Version ->     7.7.2
    Bootloader Version ->   1.1.2
    Configuration ->        Luna User Partition With SO (PED) Key Export With Cloning Mode
    Slot Description ->     Net Token Slot
    FM HW Status ->         FM Ready

    Slot Id ->              1
    Label ->                test02
    Serial Number ->        1374107993613
    Model ->                LunaSA 7.7.1
    Firmware Version ->     7.7.2
    Bootloader Version ->   1.1.2
    Configuration ->        Luna User Partition With SO (PED) Key Export With Cloning Mode
    Slot Description ->     Net Token Slot
    FM HW Status ->         FM Ready

    Slot Id ->              2
    Label ->                test03
    Serial Number ->        1374107993614
    Model ->                LunaSA 7.7.1
    Firmware Version ->     7.7.2
    Bootloader Version ->   1.1.2
    Configuration ->        Luna User Partition With SO (PED) Key Export With Cloning Mode
    Slot Description ->     Net Token Slot
    FM HW Status ->         FM Ready
    
    Anything else to try?

thanks, martin

[martincorr]

Looking at the trace output:

ejbca2-ce | Caused by: java.io.IOException: load failed
ejbca2-ce | at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineLoad(Unknown Source)
ejbca2-ce | at java.base/java.security.KeyStore.load(Unknown Source)
ejbca2-ce | at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.createKeyStore(PKCS11CryptoToken.java:203)
ejbca2-ce | at deployment.ejbca.ear//org.cesecore.keys.token.PKCS11CryptoToken.activate(PKCS11CryptoToken.java:162)
ejbca2-ce | ... 150 more
ejbca2-ce | Caused by: java.security.UnrecoverableKeyException
ejbca2-ce | ... 154 more
ejbca2-ce | Caused by: javax.security.auth.login.FailedLoginException
ejbca2-ce | at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.login(Unknown Source)
ejbca2-ce | at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.login(Unknown Source)
ejbca2-ce | ... 154 more
ejbca2-ce | Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_PIN_INCORRECT
ejbca2-ce | at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method)
ejbca2-ce | ... 156 more

looking at SunPKCS11.java:
p11.C_Login(session.id(), CKU_USER, pin);

its logging in a CU not CO. The EJBCA documentation talks about logging in as CO not CU. Is that right?

thanks, martin

[primetomas]

Now it was a long time since I did the initialization. The DPoD specific documentation talks about crypto officer.
In the Initialize Partition section.

The Crypto Officer is the user in the HSM that can create objects and use them, i.e. an R/W User. 
Luna also defines a Crypto User which is a Read-Only User. This is typically not used from EJBCA 
as it does not allow to generate keys and no Crypto User is therefore created in the example below,

[martincorr]

thanks tomas, Im still a bit stuck here:
Our luna 7 is ped protected. Ive created a CO password from the ped and that is cached.
Ive configured the docker image as a luna client and allowed it to see one slot only
I can run the lunacm and ckdemo programs interactively from within the docker image and logon with the co password. those work fine.
When I run ejbca I can connect to the HSM and it correctly identifies the slot Ive permitted the docker client to see. But when I try to create the hsm crypto token with the co password it always fails.
when I use the ejbca HSM tool to test the hsm that also fails:
docker exec -it 049c34d661c9 /opt/keyfactor/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/safenet/lunaclient/lib/libCryptoki2_64.so 0 password
2025-04-17 14:13:24,791+0000 INFO [org.apache.commons.beanutils.FluentPropertyBeanIntrospector] (main) Error when creating PropertyDescriptor for public final void org.apache.commons.configuration2.AbstractConfiguration.setProperty(java.lang.String,java.lang.Object)! Ignoring this property.
Test of keystore with ID 0.
2025-04-17 14:13:33,781+0000 ERROR [org.ejbca.ui.cli.KeyStoreContainerTest] (main) Not possible to load keys.
java.security.KeyStoreException: KeyStore instantiation failed
at java.security.KeyStore$Builder$2.getKeyStore(Unknown Source) ~[?:?]
at org.ejbca.util.keystore.KeyStoreToolsFactory.getInstance(KeyStoreToolsFactory.java:75) ~[clientToolBox.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
at org.ejbca.util.keystore.KeyStoreToolsFactory.getInstance(KeyStoreToolsFactory.java:49) ~[clientToolBox.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
at org.ejbca.util.keystore.KeyStoreToolsFactory.getInstance(KeyStoreToolsFactory.java:95) ~[clientToolBox.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
at org.ejbca.util.keystore.KeyStoreToolsFactory.getInstance(KeyStoreToolsFactory.java:112) ~[clientToolBox.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
at org.ejbca.ui.cli.KeyStoreContainerTest.getKeyStoreTools(KeyStoreContainerTest.java:186) [clientToolBox.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
at org.ejbca.ui.cli.KeyStoreContainerTest.startNormal(KeyStoreContainerTest.java:136) [clientToolBox.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
at org.ejbca.ui.cli.KeyStoreContainerTest.test(KeyStoreContainerTest.java:84) [clientToolBox.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:677) [clientToolBox.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:737) [clientToolBox.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40) [clientToolBox.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:72) [clientToolBox.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
Caused by: java.io.IOException: load failed
at sun.security.pkcs11.P11KeyStore.engineLoad(Unknown Source) ~[jdk.crypto.cryptoki:?]
at java.security.KeyStore.load(Unknown Source) ~[?:?]
at java.security.KeyStore$Builder$2$1.run(Unknown Source) ~[?:?]
at java.security.KeyStore$Builder$2$1.run(Unknown Source) ~[?:?]
at java.security.AccessController.doPrivileged(Unknown Source) ~[?:?]
... 12 more
Caused by: javax.security.auth.login.FailedLoginException
at sun.security.pkcs11.SunPKCS11.login(Unknown Source) ~[jdk.crypto.cryptoki:?]
at sun.security.pkcs11.P11KeyStore.login(Unknown Source) ~[jdk.crypto.cryptoki:?]
at sun.security.pkcs11.P11KeyStore.engineLoad(Unknown Source) ~[jdk.crypto.cryptoki:?]
at java.security.KeyStore.load(Unknown Source) ~[?:?]
at java.security.KeyStore$Builder$2$1.run(Unknown Source) ~[?:?]
at java.security.KeyStore$Builder$2$1.run(Unknown Source) ~[?:?]
at java.security.AccessController.doPrivileged(Unknown Source) ~[?:?]
... 12 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_PIN_INCORRECT
at sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method) ~[jdk.crypto.cryptoki:?]
at sun.security.pkcs11.SunPKCS11.login(Unknown Source) ~[jdk.crypto.cryptoki:?]
at sun.security.pkcs11.P11KeyStore.login(Unknown Source) ~[jdk.crypto.cryptoki:?]
at sun.security.pkcs11.P11KeyStore.engineLoad(Unknown Source) ~[jdk.crypto.cryptoki:?]
at java.security.KeyStore.load(Unknown Source) ~[?:?]
at java.security.KeyStore$Builder$2$1.run(Unknown Source) ~[?:?]
at java.security.KeyStore$Builder$2$1.run(Unknown Source) ~[?:?]
at java.security.AccessController.doPrivileged(Unknown Source) ~[?:?]
... 12 more

    I wonder if its the difference between luna 6 and luna 7? The documentation seems to talk about luna 6.

thanks, martin

[primetomas]

Luna 7 is one of the most commonly used HSMs with EJBCA. If I remember correctly when trying to log into a slot it will prompt you on the PED. Since you reference the Thales documentation above, did you look at our documentation? https://docs.keyfactor.com/ejbca/latest/thales-luna-hsm

[martincorr]

thanks tomas, yes Ive followed those instructions.
We are using peds but have cached the co user pin. from within the container I can run thales ckdemo program and open a session and logon. that proves the partition is configured correctly for my docker client and that the PN Im presenting is working fine from within ckdemo.

Ive turned on luna logs and I can see evidence of that logon at the hsm level:
,6A61022975CF0B5B6BCA7BBE813FB07ADADE3FF531D7F0D8860F530C60500F10,190401400140CA002B090968000000008FFDF7E5E534B58B5F010900000000000000000041636365737320393545383646304100
66586,25/04/23 15:37:20,S/N 1374107993618 session 185 Access a3b7eb593d9f7321 operation LUNA_LOGIN returned RC_OK(0x00000000) roleID=0 container=11 (using PIN (entry=LUNA_ENTRY_CHALLENGE_RESPONSE)) ,EB3E9389082F458FA7FBF93A94FCD45203F0F8C501E76D88EF1D2939B8E8DBBB,1A04014002600D003009096800000000A3B7EB593D9F7321120638EF3F010000B90000000B000000040000000000000000000000
66587,25/04/23 15:37:20,S/N 1374107993618 session 185 Access a3b7eb593d9f7321 operation LUNA_AUTHORIZE_KEY returned RC_OK(0x00000000)

If I try the wrong pin to force an error I see this in the logs:

,B973D14405C70280F319F3F962B8C3F26A8589BC64E97216DF2E357BAFF1E732,5CF8004082602600AC00096800000000019C7C021A436D0F5F010900000000004D01000000000000000000000000000000000000
63581,25/04/23 15:01:00,S/N 1374107993618 session 98 Access 5c789b437cfc2faa operation LUNA_LOGIN returned LUNA_RET_CHALLENGE_RESPONSE_INCORRECT(0x00a00b03) roleID=0 container=11 (using PIN (entry=LUNA_ENTRY_CHALLENGE_RESPONSE))

However when I use HSMkeytool OR try to create the crypto token in pkcs11, Im not seeing any logging activity within the hsm logs. EJBCA is able to enumerate the slot name and it only shows me the slot/partition Im allowed to see. So theres clearly some good conversation going on through the wrapper. But its like ejbca/hmskeytoolbox is not even sending the C_Login call through the pkcs11 wrapper to the hsm.

Im baffled.

[primetomas]

Using clientToolBox is the right way to troubleshoot. What command doubly run there, and what version do you run of everything?

[martincorr]

thanks tomas, Im using ejbca community edition latest and greatest. Im running toolbox from within the docker image.
docker exec -it 049c34d661c9 /opt/keyfactor/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/safenet/lunaclient/lib/libCryptoki2_64.so 0 passwd

Yeah agreed, if I can get the toolbox to work then ejbca will work. Is there a way of turning on debug output like the java.security debug settings?

[primetomas]

If you build clientToolBox from source you can edit the logging settings very easily. There is a properties/log4j.xml file where you can manipulate logging settings. You can also edit the .sh file to add -Djava... logging settings as well. I believe there are some p11 ones?

[martincorr]

So I think Im making a bit of progress here:
I think the issue is that I cannot use sunpkcs11 to talk to the luna:

sh-4.2$ /usr/lib/jvm/jdk-21.0.5-oracle-x64/bin/keytool -debug -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -list -storepass passwd
Command line args: [-debug, -keystore, NONE, -storetype, PKCS11, -providerClass, sun.security.pkcs11.SunPKCS11, -list, -storepass, passwd]
loadProviderByClass: sun.security.pkcs11.SunPKCS11
keytool error: java.io.IOException: load failed
Exception in thread "main" java.io.IOException: load failed
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:775)
at java.base/java.security.KeyStore.load(KeyStore.java:1500)
at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1016)
at java.base/sun.security.tools.keytool.Main.run(Main.java:419)
at java.base/sun.security.tools.keytool.Main.main(Main.java:412)
Caused by: java.security.UnrecoverableKeyException
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:774)
... 4 more
Caused by: javax.security.auth.login.FailedLoginException
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1679)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.login(P11KeyStore.java:890)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:765)
... 4 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_PIN_INCORRECT
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1666)
... 6 more

    I can access the HSM using the thales luna provider:

/usr/lib/jvm/jdk-21.0.5-oracle-x64/bin/keytool -debug -keystore lunastore -storetype luna -list -storepass passwd -providerpath "/usr/safenet/lunaclient/jsp/lib/LunaProvider.jar" -providerclass com.safenetinc.luna.provider.LunaProvider -J-Djava.library.path=/usr/safenet/lunaclient/jsp/lib/ -J-cp -J/usr/safenet/lunaclient/jsp/lib/LunaProvider.jar
Command line args: [-debug, -keystore, lunastore, -storetype, luna, -list, -storepass, passwd, -providerpath, /usr/safenet/lunaclient/jsp/lib/LunaProvider.jar, -providerclass, com.safenetinc.luna.provider.LunaProvider]
loadProviderByClass: com.safenetinc.luna.provider.LunaProvider
Keystore type: LUNA
Keystore provider: LunaProvider

Your keystore contains 0 entries

sh-4.2$ cat lunastore
tokenlabel:ebjca
slot:0

My luna has crypto officer defined with the password Im using. Crypto User isnt defined.

[primetomas]

The Sun PKCS11 provider used in Community certainly have limitations which are out of our control.

[primetomas]

And Oracte/Java can change things between java versions, and there may even be differences between OracleJDK and OpenJDK. Sometimes it has broken even due to what OracltJDK/OpenJDK has done, although that has been very rare.

[martincorr]

thanks tomas. So I guess I need to find a java version that has a working sunpkcs11 then put that in the docker and run ejbca using that one rather than the one that comes with docker as standard. when you test this inhouse, which jre works for you?

Ive been reading up on P11NGCryptoToken which sounds the way to go but is this available in ejbca community? I see it in man pages for signserver but is it in ejbca as well?

thanks martin

[primetomas]

You are correct, we created P11NG to not be tied with the limitations of JavaP11, including things like PQC algorithms using Vendor defined P11 mechanisms. P11NG is only available in Enterprise.

[MRuth]

@martincorr ,

You may try setting ProtectedAuthenticationPathFlagStatus = 1 under the Misc section in the /etc/Chrystoki.conf file and see if that causes the Thales / Luna library to force the login to be under the Crypto Officer context. If I recall, I also had the same issues at one point in deploying an EJBCA instance with Luna HSM integrations and found that seemed to work for me.

Thales has this flag documented here and I also found it referenced on this troubleshooting page within the Keyfactor SignServer section with a similar issue / behavior as you've found.

Hope this helps!

[martincorr]

bingo! this sorted it - many thanks :-)

so for all, if creating an ejbca using a luna hsm ped enabled AND youre getting incorrect PIN (on-browser error is failed to initialise PKCS11), then:

• register the host (of ebjca container) machine as a luna client
• register the client to have access to a hsm partition
• in chrystoki.conf, under misc section, define ProtectedAuthenticationPathFlagStatus = 1
• ensure the /usr/safenet/lunaclient directory structure is mapped into the docker filespace
• ensure /etc/Chrystoki.conf is mapped into docker same location
• ensure java is configured to use sunpkcs11 provider (for both the host and the container)
• test that the host and the docker image are configured correctly using thales tool lunacm and java keytool:
  - host: "/usr/safenet/lunaclient/bin/lunacm" then "role login -co -password passwd" then "exit"
  - host: "keytool -debug -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -list -storepass passwd" to ensure java apps can connect to the HSM.
  - docker: start ejbca, then "docker ps" and find the dockerid of ejbca, then "docker exec -it dockerid sh" to get a shell then "/usr/safenet/lunaclient/bin/lunacm"
  - docker: within the same shell run "/keytool -debug -keystore NONE -storetype PKCS11 -providerClass" sun.security.pkcs11.SunPKCS11 -list -storepass passwd" to ensure java apps running within docker can see the HSM.
• start ejbca, then once started use a browser to view the admin ui
• browse to crypto tokens, then create new
• select pks11 and your HSM
• select auto activate, and enter the co password.

hopefully this should work.

You can run ejbca container as its own independent luna client if desired. I can explain if needed.

good luck!

[primetomas]

That's great. I will add it to the documentation.