Startup error when switching to SoftCA

[ryu22b]

EJBCA Community,

I'm in the process of switching from external cloud HSM to SoftCA on my EJBCA deployment. I reconfigured the following properties files to exclude references to external cloud HSM, and run ant clean; ant -q deployear successfully. Upon startup, the following errors are still seen, which leads me to believe that on initializing, EJBCA is still trying to connect to the external cloud HSM. Once I'm able to resolve this issue, I will be looking to upgrade to the most current CE edition, but was looking to isolate the process of moving away from cloud HSM first.

Thanks in advance for any feedback.

Reconfigured properties:

install.properties
ca.tokentype=soft
ca.tokenpassword=null

web.properties
#cryptotoken.p11.lib.23.name=
#cryptotoken.p11.lib.23.file=

EJBCA version 6.10

Wildfly log output excerpt:

^[[0m2025-Jan-13 16:05:17.399883: error: Thrd=13211, Authentication token retrieval failed with error: 401 ({"error":"unauthorized","error_description":"Bad credentials"}) 2025-Jan-13 16:05:27.079344: error: Thrd=13115, Failed to initialize Cloud plugin REST client: Failed to retrieve authentication token from https://<redacted> ^[[31m16:05:27,096 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service jboss.server.controller.management.security_realm.SSLRealm.ssl-context: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.SSLRealm.ssl-context: Failed to start service at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:750) Caused by: java.lang.ExceptionInInitializerError at sun.security.ssl.CipherSuite.<clinit>(CipherSuite.java:65) at sun.security.ssl.SSLContextImpl.getApplicableSupportedCipherSuites(SSLContextImpl.java:345) at sun.security.ssl.SSLContextImpl.access$100(SSLContextImpl.java:46) at sun.security.ssl.SSLContextImpl$AbstractTLSContext.<clinit>(SSLContextImpl.java:577) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:264) at java.security.Provider$Service.getImplClass(Provider.java:1634) at java.security.Provider$Service.newInstance(Provider.java:1592) at sun.security.jca.GetInstance.getInstance(GetInstance.java:236) at sun.security.jca.GetInstance.getInstance(GetInstance.java:164) at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156) at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:97) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) ... 3 more Caused by: java.security.ProviderException: Initialization failed at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:387) at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224) at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206) at java.security.AccessController.doPrivileged(Native Method) at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206) at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187) at sun.security.jca.ProviderList.getProvider(ProviderList.java:233) at sun.security.jca.ProviderList$ServiceList.tryGet(ProviderList.java:434) at sun.security.jca.ProviderList$ServiceList.access$200(ProviderList.java:376) at sun.security.jca.ProviderList$ServiceList$1.hasNext(ProviderList.java:486) at javax.crypto.Cipher.getInstance(Cipher.java:516) at sun.security.ssl.JsseJce.getCipher(JsseJce.java:213) at sun.security.ssl.SSLCipher.isTransformationAvailable(SSLCipher.java:483) at sun.security.ssl.SSLCipher.<init>(SSLCipher.java:472) at sun.security.ssl.SSLCipher.<clinit>(SSLCipher.java:81) ... 17 more Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SLOT_ID_INVALID at sun.security.pkcs11.wrapper.PKCS11.C_GetSlotInfo(Native Method) at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:376) ... 36 more

[primetomas]

You have an existing installation so all values are read from your database. It is the crypto tokens you have configured in EJBCA that matters. install.properties is only read once when you do your initial installation, after that it is never used again.

[primetomas]

You can remove specific entries from cryptotokendata yes.

[ryu22b]

I've removed the cryptotokendata row which is related, with the same result. Is there any other references within the database I should look for?

[primetomas]

Your error seems to come from your TLS configuration of WildFly and not from EJBCA. I didn't see that before, but your error comes from jboss.server.controller.management.security_realm.SSLRealm.ssl-context. That has nothing todo with EJBCA.

[ryu22b]

Further down in the stacktrace, where Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SLOT_ID_INVALID I thought might be relevant to reference of cloud HSM, slot number.

[primetomas]

Didn't someone configure your JBoss/WildFly to use HSM for TLS? Check your TLS configuration of the application server.