[Pki-users] failed Administrator logon
Marc Sauton
msauton at redhat.com
Wed Oct 29 19:37:39 UTC 2008
Heyden, Klaus (Allianz ASIC) wrote:
> Hello,
>
> I have the problem that the CA doesn't accept the Administrator login,
> either on the HTTPS interface or via pkiconsole. It's a new installation
> and the Admin certificate exists in the browser with secret key. The
> problem is that the CA at first did its job normally. When I now try to
> log in I get a catalina error like this. I didn't reconfigure the CA, only
> restarted it. I also configured an HSM (Luna) but don't use keys inside the
> HSM.

You may want to collect the CA debug log when you try to do client auth
in your browser against the HTTPS agent pages.
Or review the debug log during the CA instance configuration, near the
key generation for the CA instance or when you selected either a
software token or HSM, for any errors.
I suppose the CA instance was restarted after the web-based wizard
configuration was successfully completed.
It is always possible to use another client certificate for an agent or
admin user of the certificate system.
You may want to verify the browser has and trusts the issuer of the agent
cert you are trying to use.

> -------------------catalina.out----------------------------------
> Oct 29, 2008 5:43:55 PM org.apache.catalina.core.ApplicationContext log"
> INFO: caListRequests: You did not provide a valid certificate for this
> operation
> ----------------------------------------------------------------------
>
> the debug-file shows:
> ---------------------debug----------------------------------------
> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service()
> uri = /ca/agent/header
> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet::service()
> param name='selected' value='ca'
> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: caheader
> start to service.
> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet.java:
> renderTemplate
> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: curDate=Wed
> Oct 29 18:15:07 CET 2008 id=caheader time=0
> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service()
> uri = /ca/agent/ca/listRequests.html
> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:
> caListRequests start to service.
> [29/Oct/2008:18:15:07][http-9443-Processor21]: DisplayHtmlServlet
> about to service
> [29/Oct/2008:18:15:07][http-9443-Processor21]: IP: 10.94.112.222
> [29/Oct/2008:18:15:07][http-9443-Processor21]: AuthMgrName:
> certUserDBAuthMgr
> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: retrieving
> SSL certificate
> [29/Oct/2008:18:15:07][http-9443-Processor21]:
> SignedAuditEventFactory: create()
> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$]
> authentication failure
> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: getConn: mNumConns
> now 2
> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]:
> ObjectStreamMapper:mapObjectToLDAPAttributeSet revokedCerts size=84
> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]:
> ObjectStreamMapper:mapObjectToLDAPAttributeSet unrevokedCerts size=84
> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]:
> ObjectStreamMapper:mapObjectToLDAPAttributeSet expiredCerts size=84
> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: returnConn:
> mNumConns now 3
> ----------------------------------------------------------------------
>
> certutil -L -d . shows me:
> ----------------------------------------------------------------------
> Certificate Nickname                        Trust Attributes
>                                             SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-ca4-1                  u,u,u
> subsystemCert cert-ca4-1                    u,u,u
> caSigningCert cert-ca4-1                    CTu,Cu,Cu
> Server-Cert cert-ca4-1                      u,u,u
> Allianz Group Root CA II - Allianz Group    CT,C,C
> ----------------------------------------------------------------------
>
>
> regards
> Klaus Heyden
>
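
Added example, not part of the original thread and not the certificate system's own code: a small Python parser for the debug-log format quoted above that joins each AUTH_FAIL audit event with the URI, client IP and authentication manager last logged by the same thread. The sample lines are constructed from the quoted excerpt (unwrapped, with one CRL-thread line interleaved), and the function and record field names are assumptions.

```python
import re

# Constructed sample: lines from the quoted debug excerpt, unwrapped.
SAMPLE = r"""
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service() uri = /ca/agent/header
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service() uri = /ca/agent/ca/listRequests.html
[29/Oct/2008:18:15:07][http-9443-Processor21]: IP: 10.94.112.222
[29/Oct/2008:18:15:07][http-9443-Processor21]: AuthMgrName: certUserDBAuthMgr
[29/Oct/2008:18:15:07][CRLIssuingPoint-MasterCRL]: getConn: mNumConns now 2
[29/Oct/2008:18:15:07][http-9443-Processor21]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$] authentication failure
""".strip().splitlines()

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s*(?P<msg>.*)$")
CONTEXT = {  # per-thread lines that precede the audit event
    "uri": re.compile(r"CMSServlet:service\(\)\s+uri = (\S+)"),
    "ip": re.compile(r"^IP: (\S+)"),
    "auth_mgr": re.compile(r"^AuthMgrName: (\S+)"),
}
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")  # [Key=Value] audit fields

def find_auth_failures(lines):
    """Return one record per AUTH_FAIL audit event, joined with the URI,
    client IP and auth manager last logged by the same thread."""
    ctx, failures = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or non-log line
        thread, msg = m["thread"], m["msg"]
        seen = ctx.setdefault(thread, {})
        for key, rx in CONTEXT.items():
            hit = rx.search(msg)
            if hit:
                if key == "uri":
                    seen.clear()  # new request on this thread: drop stale context
                seen[key] = hit.group(1)
        fields = dict(FIELD.findall(msg))
        if fields.get("AuditEvent") == "AUTH_FAIL":
            failures.append({
                "time": m["ts"], "thread": thread, **seen,
                "subject": fields.get("SubjectID"),
                # True when the audit record names no credential at all
                "no_cred_identified": fields.get("AttemptedCred") == "$Unidentified$",
            })
    return failures

if __name__ == "__main__":
    for failure in find_auth_failures(SAMPLE):
        print(failure)
```

The parser expects one log entry per line, so a debug log that has been re-wrapped by a mail client has to be read from the original file rather than from the message.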