<div dir="ltr"><div>Hi Rohan,</div><div>I have only played with IP UID/PWD auth with SCEP, which I just tried and seems to be working.</div><div>Could you maybe give me info on how you set up CN/PWD and I could look into that.</div><div><br></div><div>thanks,</div><div>Christina<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Nov 29, 2020 at 11:57 PM Rohan Raymore (rraymore) <<a href="mailto:rraymore@cisco.com">rraymore@cisco.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="overflow-wrap: break-word;" lang="EN-US">
<div class="gmail-m_2246783088893613138WordSection1">
<p class="MsoNormal">Hello,</p>
<p class="MsoNormal">I am looking for some guidance/assistance with a dogtag-pki CA server setup that I am testing.</p>
<p class="MsoNormal">Environment:</p>
<p class="MsoNormal">Cisco ASR router</p>
<p class="MsoNormal">CentOS 7 vm</p>
<p class="MsoNormal">PKI version 10.5.18-7.e17 installed</p>
<p class="MsoNormal">Configured to use flatfile to authenticate Cisco router using UID/PWD via SCEP</p>
<p class="MsoNormal">I am able to successfully authenticate and enroll the router via SCEP using UID/PWD in flatfile</p>
<p class="MsoNormal">Issue:</p>
<p class="MsoNormal">The UID is the IP address of the router interface toward the CA server; this IP is assigned via DHCP and is thus not deterministic.</p>
<p class="MsoNormal">When I configured an IP address of a Loopback interface under the Trustpoint configuration of the router, I can see that it is seen by the CA in the logs, but it is not used for authentication/enrollment.</p>
<p class="MsoNormal">I tried to change the CS.cfg file to use the CN/PWD to authenticate; however, it appears I may have missed something, as it fails with a null password.</p>
<p class="MsoNormal">Can you please assist with providing one of two options:</p>
<ol type="1" start="1">
<li>How to authenticate/enroll the router via the Loopback interface IP address that is specified in the Trustpoint configuration of the router?</li>
<li>How to authenticate/enroll the router using the CN/PWD in the flatfile?</li>
</ol>
<p class="MsoNormal">Thanks in advance for your assistance!</p>
<p class="MsoNormal">See below some output from the debug file:</p>
<pre>
&lt;snip&gt;
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: keys.length = 1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth:  concatenating: 10.0.1.1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key 10.0.1.1  &lt;-------- this is the IP I have configured in flatfile
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: keys.length = 1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth:  concatenating: null
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating string i=0  keyAttrs[0] = UID
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: authenticating user: finding user from key: 10.1.1.1 &lt;----- this is the router outside interface IP
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: User not found in password file.
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: operation failure - Invalid Credential.
&lt;snap&gt;

&lt;snip&gt;
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Found profile=caRouterCert
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Retrieving authenticator
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: keys.length = 1
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth:  concatenating: dev-sec-a-2.example.com
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key dev-sec-a-2.example.com
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: keys.length = 1
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth:  concatenating: null
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating string i=0  keyAttrs[0] = CN
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: operation failure - Authentication credential for CN is null.
&lt;snap&gt;
</pre>
<p class="MsoNormal">Regards,</p>
<p class="MsoNormal">Rohan Raymore</p>
<p class="MsoNormal"><a href="http://directory.cisco.com/dir/details/rraymore" target="_blank">Rohan Raymore</a></p>
</div>
</div>

_______________________________________________<br>
Pki-users mailing list<br>
<a href="mailto:Pki-users@redhat.com" target="_blank">Pki-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/pki-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a></blockquote></div>
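<p>An added diagnostic, not from the thread or from the Dogtag project, that reads FlatFileAuth debug lines like the two excerpts quoted above and classifies each failed attempt. The log strings are the ones quoted in the message (with the author's arrow annotations removed); the reading that the CA derives the UID key from the SCEP request's source address, so the Loopback IP in the trustpoint never reaches the authenticator, is my interpretation and is not confirmed in the thread.</p>

```python
import re

# Debug lines reproduced from the thread (the author's "<---" annotations removed);
# the first run used keyAttributes=UID, the second keyAttributes=CN.
LOG_UID = """\
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key 10.0.1.1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating string i=0  keyAttrs[0] = UID
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: authenticating user: finding user from key: 10.1.1.1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: operation failure - Invalid Credential.
"""
LOG_CN = """\
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key dev-sec-a-2.example.com
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating string i=0  keyAttrs[0] = CN
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: operation failure - Authentication credential for CN is null.
"""

# Each pattern extracts one fact from a FlatFileAuth message; the empty trailing
# "putting: key" record at the end of the flatfile matches nothing and is skipped.
PATTERNS = {
    "key_attr": re.compile(r"keyAttrs\[0\] = (\S+)$"),
    "file_key": re.compile(r"putting: key (\S+)$"),
    "presented_key": re.compile(r"finding user from key: (\S+)$"),
    "failure": re.compile(r"operation failure - (.+)$"),
}

def diagnose(log_text):
    """Summarise one FlatFileAuth attempt from the CA debug log and classify the failure."""
    out = {"key_attr": None, "file_keys": [], "presented_key": None, "failure": None}
    for line in log_text.splitlines():
        msg = line.split("]: ", 1)[-1]          # drop the [timestamp][thread] prefix
        for name, pat in PATTERNS.items():
            m = pat.search(msg)
            if not m:
                continue
            if name == "file_key":
                out["file_keys"].append(m.group(1))
            else:
                out[name] = m.group(1)
    # "is null": the SCEP request carried no value for the configured key attribute.
    # Key absent from the file: the CA derived a different key from the request (my
    # reading: its source address) than the one written into flatfile.txt.
    if out["failure"] and "is null" in out["failure"]:
        out["verdict"] = "attribute-not-in-request"
    elif out["presented_key"] and out["presented_key"] not in out["file_keys"]:
        out["verdict"] = "key-mismatch"
    else:
        out["verdict"] = "ok"
    return out
```

Run `diagnose` over a real debug excerpt to tell the two failure modes apart before editing CS.cfg: a "key-mismatch" points at what the flatfile key must equal, while "attribute-not-in-request" means the chosen keyAttributes value is never populated by that enrollment path.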