From rafal.kaminski at blstream.com Tue Dec 1 10:37:46 2009
From: rafal.kaminski at blstream.com (Rafał Kamiński)
Date: Tue, 01 Dec 2009 11:37:46 +0100
Subject: [Pki-users] Problem with install RA (pki-ra)
Message-ID: <4B14F1FA.1050201@blstream.com>

Hi all,

I installed two Fedora and two pki-ca. Pki-ca works great, and pki-ca1, which is a clone of pki-ca, works great too.

Now I want to install pki-ra to use it with pki-ca1. Installation is complete, but I have a problem with configuration.

First site - click Next.
Second site - Join an Existing Security Domain and write https://pki-ca1:9445. Click Next.
Third site - show me Certificate Chain. Click Next.

And I see:

---
Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, you at example.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.
---

And in pki-ra.log:

---
[Tue Dec 01 05:36:08 2009] [error] [client 192.168.6.243] Could not find httpd.xml in /usr/sbin/ at /var/lib/pki-ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm line 228\n, referer: https://ra.vpn.ca:12890/ra/admin/console/config/wizard
---

I can't find that file anywhere - httpd.xml

Can somebody help me? Why does it happen?

Br,
Rafal K

From Julius.Adewumi at gdc4s.com Tue Dec 1 16:53:34 2009
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Tue, 1 Dec 2009 09:53:34 -0700
Subject: [Pki-users] Problem with install RA (pki-ra)
In-Reply-To: <4B14F1FA.1050201@blstream.com>
References: <4B14F1FA.1050201@blstream.com>
Message-ID: <150446754087724BA4B8F287083846B205BCD120@AZ25EXM04.gddsi.com>

How did you install RA? Did you do pkicreate?
It seems the install missed something.
From: Julius Adewumi

-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Rafal Kaminski
Sent: Tuesday, December 01, 2009 3:38 AM
To: pki-users at redhat.com
Subject: [Pki-users] Problem with install RA (pki-ra)

Hi all,

I installed two Fedora and two pki-ca. Pki-ca works great, and pki-ca1, which is a clone of pki-ca, works great too.

Now I want to install pki-ra to use it with pki-ca1. Installation is complete, but I have a problem with configuration.

First site - click Next.
Second site - Join an Existing Security Domain and write https://pki-ca1:9445. Click Next.
Third site - show me Certificate Chain. Click Next.

And I see:

---
Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, you at example.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.
---

And in pki-ra.log:

---
[Tue Dec 01 05:36:08 2009] [error] [client 192.168.6.243] Could not find httpd.xml in /usr/sbin/ at /var/lib/pki-ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm line 228\n, referer: https://ra.vpn.ca:12890/ra/admin/console/config/wizard
---

I can't find that file anywhere - httpd.xml

Can somebody help me? Why does it happen?
Br,
Rafal K

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

From rafal.kaminski at blstream.com Tue Dec 1 19:17:20 2009
From: rafal.kaminski at blstream.com (Rafał Kamiński)
Date: Tue, 01 Dec 2009 20:17:20 +0100
Subject: [Pki-users] Problem with install RA (pki-ra)
In-Reply-To: <150446754087724BA4B8F287083846B205BCD120@AZ25EXM04.gddsi.com>
References: <4B14F1FA.1050201@blstream.com> <150446754087724BA4B8F287083846B205BCD120@AZ25EXM04.gddsi.com>
Message-ID: <4B156BC0.3080303@blstream.com>

Hi,

> How did you install RA? Did you do pkicreate?
> It seems the install missed something.

No, I install by "yum install pki-ra" and at the end I saw the http://, which I put into my web browser. The same http is in log - /var/log/pki-ra-install.log

Can you tell me how can I install by pkicreate? I always think - that the pkicreate or pkiremove manage installed packet - not use to install.

Br,
Rafal K

From sean.veale at gdc4s.com Tue Dec 1 20:22:40 2009
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Tue, 1 Dec 2009 15:22:40 -0500
Subject: [Pki-users] Problem with install RA (pki-ra)
In-Reply-To: <4B156BC0.3080303@blstream.com>
References: <4B14F1FA.1050201@blstream.com><150446754087724BA4B8F287083846B205BCD120@AZ25EXM04.gddsi.com> <4B156BC0.3080303@blstream.com>
Message-ID: <5E904A528F23FA469961CECAC5F417870212D63F@NDHMC4SXCH.gdc4s.com>

The install when run through yum eventually calls pkicreate. For a bit of usage enter pkicreate -h

There is also a pkisilent which can be used to configure a subsystem that has been installed. I.e. it replaces the web based wizard.

For some online information on the pkicreate and pkisilent scripts look online here
http://www.redhat.com/docs/manuals/cert-system/8.0/cli/html/Create_and_Remove_Instance_Tools.html

I haven't used the RA subsystem though so I don't have specific help on your problem, sorry.
sean

-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Rafal Kaminski
Sent: Tuesday, December 01, 2009 2:17 PM
To: pki-users at redhat.com
Subject: Re: [Pki-users] Problem with install RA (pki-ra)

Hi,

> How did you install RA? Did you do pkicreate?
> It seems the install missed something.

No, I install by "yum install pki-ra" and at the end I saw the http://, which I put into my web browser. The same http is in log - /var/log/pki-ra-install.log

Can you tell me how can I install by pkicreate? I always think - that the pkicreate or pkiremove manage installed packet - not use to install.

Br,
Rafal K

From rafal.kaminski at blstream.com Fri Dec 4 12:38:51 2009
From: rafal.kaminski at blstream.com (Rafał Kamiński)
Date: Fri, 04 Dec 2009 13:38:51 +0100
Subject: [Pki-users] Problem with install RA (pki-ra)
In-Reply-To: <5E904A528F23FA469961CECAC5F417870212D63F@NDHMC4SXCH.gdc4s.com>
References: <4B14F1FA.1050201@blstream.com><150446754087724BA4B8F287083846B205BCD120@AZ25EXM04.gddsi.com> <4B156BC0.3080303@blstream.com> <5E904A528F23FA469961CECAC5F417870212D63F@NDHMC4SXCH.gdc4s.com>
Message-ID: <4B1902DB.3050801@blstream.com>

Hi,

> The install when run through yum eventually calls pkicreate. For a bit of
> usage enter pkicreate -h

I use pkicreate to create RA too. But it didn't work too. The same error - httpd.xml missing and Internal Error on RA configure page.

> There is also a pkisilent which can be used to configure a subsystem
> that has been installed. I.e. it replaces the web based wizard.
I should try but:

-bash-4.0# yum search pkisilent
Warning: No matches found for: pkisilent
No Matches found
-bash-4.0#

BR,
Rafal Kaminski

From kchamart at redhat.com Fri Dec 4 13:00:23 2009
From: kchamart at redhat.com (Kashyap Chamarthy)
Date: Fri, 04 Dec 2009 18:30:23 +0530
Subject: [Pki-users] Problem with install RA (pki-ra)
In-Reply-To: <4B1902DB.3050801@blstream.com>
References: <4B14F1FA.1050201@blstream.com><150446754087724BA4B8F287083846B205BCD120@AZ25EXM04.gddsi.com> <4B156BC0.3080303@blstream.com> <5E904A528F23FA469961CECAC5F417870212D63F@NDHMC4SXCH.gdc4s.com> <4B1902DB.3050801@blstream.com>
Message-ID: <4B1907E7.6000208@redhat.com>

On 12/04/2009 06:08 PM, Rafał Kamiński wrote:
> Hi,
>
>> The install when run through yum eventually calls pkicreate. For a bit of
>> usage enter pkicreate -h
>
> I use pkicreate to create RA too. But it didn't work too. The same error
> - httpd.xml missing and Internal Error on RA configure page.

not sure about this error though..

>
>> There is also a pkisilent which can be used to configure a subsystem
>> that has been installed. I.e. it replaces the web based wizard.
>
> I should try but:
>
> -bash-4.0# yum search pkisilent
> Warning: No matches found for: pkisilent
> No Matches found
> -bash-4.0#

try yum search pki-silent

after installing the package, you can also notice a template for silent installations which you can refer to,
/usr/share/pki/silent/pki_silent.template

/Kashyap

>
> BR,
>
> Rafal Kaminski
>

From rafal.kaminski at blstream.com Fri Dec 4 14:14:20 2009
From: rafal.kaminski at blstream.com (Rafał Kamiński)
Date: Fri, 04 Dec 2009 15:14:20 +0100
Subject: [Pki-users] Problem with install RA (pki-ra)
In-Reply-To: <4B1907E7.6000208@redhat.com>
References: <4B14F1FA.1050201@blstream.com><150446754087724BA4B8F287083846B205BCD120@AZ25EXM04.gddsi.com> <4B156BC0.3080303@blstream.com> <5E904A528F23FA469961CECAC5F417870212D63F@NDHMC4SXCH.gdc4s.com> <4B1902DB.3050801@blstream.com> <4B1907E7.6000208@redhat.com>
Message-ID: <4B19193C.9020002@blstream.com>

>> There is also a pkisilent which can be used to configure a subsystem
>>> that has been installed. I.e. it replaces the web based wizard.
>>
>> I should try but:
>>
> try yum search pki-silent
>
> after installing the package, you can also notice a template for silent
> installations which you can refer to,
> /usr/share/pki/silent/pki_silent.template

Yupi :) I install pki-silent - but now how can I configure RA? Without any errors?

Br,
Rafal Kaminski

From rafal.kaminski at blstream.com Tue Dec 8 08:13:55 2009
From: rafal.kaminski at blstream.com (Rafał Kamiński)
Date: Tue, 08 Dec 2009 09:13:55 +0100
Subject: [Pki-users] Centos Repo PKI
Message-ID: <4B1E0AC3.3060308@blstream.com>

Hello all,

I have one question - can somebody write me good Centos Repo? Where is package pki (dogtag)?

I found to Fedora but not to Centos.
I tried to use those Fedora packages, but it didn't work :(

I have Centos 5.4 and 5.3

BR,
Rafal Kaminski - Kamyk

From kchamart at redhat.com Tue Dec 8 09:14:54 2009
From: kchamart at redhat.com (Kashyap Chamarthy)
Date: Tue, 08 Dec 2009 14:44:54 +0530
Subject: [Pki-users] Centos Repo PKI
In-Reply-To: <4B1E0AC3.3060308@blstream.com>
References: <4B1E0AC3.3060308@blstream.com>
Message-ID: <4B1E190E.3080201@redhat.com>

On 12/08/2009 01:43 PM, Rafał Kamiński wrote:
> Hello all,
>
> I have one question - can somebody write me good Centos Repo? Where is
> package pki (dogtag)?

not sure if there is a CentOS repo. (But I could be wrong here)

>
> I found to Fedora but not to Centos. I tried to use those Fedora packages, but
> it didn't work :(

can you be a little more specific about _what_ didn't work? things like error messages from logs would help..

you might also want to check the manuals from Red Hat, which can also be applied for dogtag certificate system.

For instance, to configure RA successfully (assuming you already have CA up and running), see here
http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Configuring_an-RA.html

hope that helps,
Kashyap

>
> I have Centos 5.4 and 5.3
>
> BR,
>
> Rafal Kaminski - Kamyk
>

From kchamart at redhat.com Tue Dec 8 09:56:39 2009
From: kchamart at redhat.com (Kashyap Chamarthy)
Date: Tue, 08 Dec 2009 15:26:39 +0530
Subject: [Pki-users] Centos Repo PKI
In-Reply-To: <4B1E1E6E.6010407@blstream.com>
References: <4B1E0AC3.3060308@blstream.com> <4B1E190E.3080201@redhat.com> <4B1E1E6E.6010407@blstream.com>
Message-ID: <4B1E22D7.8000001@redhat.com>

On 12/08/2009 03:07 PM, Rafał
Kamiński wrote:
>> For instance, to configure RA successfully(assuming you already have
>> CA up and running), see here
>> http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Configuring_an-RA.html
>
>
> Nice Tutorial!
>
> But ... when I configure on Fedora RA, after I "Join an Existing
> Security Domain" I see:
>
> --CUT--
> Internal Server Error
>
> The server encountered an internal error or misconfiguration and was
> unable to complete your request.
>
> Please contact the server administrator, you at example.com and inform them
> of the time the error occurred, and anything you might have done that
> may have caused the error.
>
> More information about this error may be available in the server error log.

check in your RA error and debug logs, if there is anything interesting.

location( if your RA instance name is pki-ra)

error log: /var/lib/pki-ra/error_log
debug log: /var/lib/pki-ra/debug

/kashyap

> --END--
>
> Because I want to install PKI-RA on Centos to check is that problem
> exist on Centos - which I have on Fedora.
>
> BR,
>
> Rafal Kaminski - Kamyk
>
>

From rafal.kaminski at blstream.com Tue Dec 8 10:04:25 2009
From: rafal.kaminski at blstream.com (Rafał Kamiński)
Date: Tue, 08 Dec 2009 11:04:25 +0100
Subject: [Pki-users] Centos Repo PKI
In-Reply-To: <4B1E22D7.8000001@redhat.com>
References: <4B1E0AC3.3060308@blstream.com> <4B1E190E.3080201@redhat.com> <4B1E1E6E.6010407@blstream.com> <4B1E22D7.8000001@redhat.com>
Message-ID: <4B1E24A9.70108@blstream.com>

>> Nice Tutorial!
>>
>> But ... when I configure on Fedora RA, after I "Join an Existing
>> Security Domain" I see:
>>
>> --CUT--
>> Internal Server Error
>>
>> The server encountered an internal error or misconfiguration and was
>> unable to complete your request.
>>
>> Please contact the server administrator, you at example.com and inform them
>> of the time the error occurred, and anything you might have done that
>> may have caused the error.
>>
>> More information about this error may be available in the server error
>> log.
>
> check in your RA error and debug logs, if there is anything interesting.
>
> location( if your RA instance name is pki-ra)
>
> error log: /var/lib/pki-ra/error_log
> debug log: /var/lib/pki-ra/debug
>
>> Because I want to install PKI-RA on Centos to check is that problem
>> exist on Centos - which I have on Fedora.

In my log I have only:

[Tue Dec 08 04:31:18 2009] [error] [client 192.168.6.243] Could not find httpd.xml in /usr/sbin/ at /var/lib/pki-ra/pki-ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm line 228\n, referer: https://10.8.3.4:12223/ra/admin/console/config/wizard

And that is the problem - I don't have httpd.xml :(

Br,
Rafal Kaminski

From mharmsen at redhat.com Fri Dec 11 01:59:13 2009
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 10 Dec 2009 17:59:13 -0800
Subject: [Pki-users] Notification of "pki.fedoraproject.org" downtime . . .
Message-ID: <4B21A771.7000207@redhat.com>

==========================================
NOTICE OF 'pki.fedoraproject.org' DOWNTIME
==========================================

This outage will begin at 5:30am MST on 12/12.

Every effort will be taken to minimize downtime. Please note that 'pki.fedoraproject.org' will be back online no later than 5pm on 12/13, although if all goes as planned 'pki.fedoraproject.org' should be online before the evening of 12/12.
From alee at redhat.com Mon Dec 14 19:50:08 2009
From: alee at redhat.com (Ade Lee)
Date: Mon, 14 Dec 2009 14:50:08 -0500
Subject: [Pki-users] Problem with install RA (pki-ra)
In-Reply-To: <4B19193C.9020002@blstream.com>
References: <4B14F1FA.1050201@blstream.com> <150446754087724BA4B8F287083846B205BCD120@AZ25EXM04.gddsi.com> <4B156BC0.3080303@blstream.com> <5E904A528F23FA469961CECAC5F417870212D63F@NDHMC4SXCH.gdc4s.com> <4B1902DB.3050801@blstream.com> <4B1907E7.6000208@redhat.com> <4B19193C.9020002@blstream.com>
Message-ID: <1260820208.27813.222.camel@localhost.localdomain>

Rafal,

What version of Fedora are you using?
Do you have selinux in enforcing mode?
What is the output of :
rpm -qa |grep pki

thanks,
Ade Lee

On Fri, 2009-12-04 at 15:14 +0100, Rafał Kamiński wrote:
> >> There is also a pkisilent which can be used to configure a subsystem
> >>> that has been installed. I.e. it replaces the web based wizard.
> >>
> >> I should try but:
> >>
> > try yum search pki-silent
> >
> > after installing the package, you can also notice a template for silent
> > installations which you can refer to,
> > /usr/share/pki/silent/pki_silent.template
>
> Yupi :) I install pki-silent - but now how can I configure RA? Without
> any errors?
>
> Br,
>
> Rafal Kaminski
>

From rafal.kaminski at blstream.com Tue Dec 15 08:33:08 2009
From: rafal.kaminski at blstream.com (Rafał Kamiński)
Date: Tue, 15 Dec 2009 09:33:08 +0100
Subject: [Pki-users] Problem with install RA (pki-ra)
In-Reply-To: <1260820208.27813.222.camel@localhost.localdomain>
References: <4B14F1FA.1050201@blstream.com> <150446754087724BA4B8F287083846B205BCD120@AZ25EXM04.gddsi.com> <4B156BC0.3080303@blstream.com> <5E904A528F23FA469961CECAC5F417870212D63F@NDHMC4SXCH.gdc4s.com> <4B1902DB.3050801@blstream.com> <4B1907E7.6000208@redhat.com> <4B19193C.9020002@blstream.com> <1260820208.27813.222.camel@localhost.localdomain>
Message-ID: <4B2749C4.2040605@blstream.com>

Hi,

Thanks for your answer.

> What version of Fedora are you using?

Fedora release 11 (Leonidas)

> Do you have selinux in enforcing mode?

I had enforcing mode on Selinux. Now I disabled selinux and first:

- Join an Existing Security Domain - and I use https://domain:9545 <- I am not using default port 9445 but port 9545

Because I have that status on CA:

-bash-4.0# /etc/init.d/pki-ca status
pki-ca (pid 5892) is running ...

Unsecure Port = http://domain:9580/ca/ee/ca
Secure Agent Port = https://domain:9543/ca/agent/ca
Secure EE Port = https://domain:9544/ca/ee/ca
Secure Admin Port = https://domain:9545/ca/services
PKI Console Port = pkiconsole https://domain:9545/ca
Tomcat Port = 9801 (for shutdown)

Maybe this is problem?

- After that I see: Display Certificate Chain

- Click Next

- And:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, you at example.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.

:(

> What is the output of :
> rpm -qa |grep pki

bash-4.0# rpm -qa |grep pki
pki-setup-1.2.0-1.fc11.noarch
pki-ra-1.2.0-2.fc11.noarch
dogtag-pki-common-ui-1.2.0-1.fc11.noarch
pki-util-1.2.0-1.fc11.noarch
pki-selinux-1.2.0-2.fc11.noarch
pki-common-1.2.0-1.fc11.noarch
pki-native-tools-1.2.0-2.fc11.i586
dogtag-pki-ra-ui-1.2.0-1.fc11.noarch
pki-java-tools-1.2.0-1.fc11.noarch
pki-silent-1.2.0-1.fc11.noarch

BR,

Thanks for your help.

Rafal Kaminski

From alee at redhat.com Thu Dec 17 02:40:06 2009
From: alee at redhat.com (Ade Lee)
Date: Wed, 16 Dec 2009 21:40:06 -0500
Subject: [Pki-users] Problem with install RA (pki-ra)
In-Reply-To: <4B2749C4.2040605@blstream.com>
References: <4B14F1FA.1050201@blstream.com> <150446754087724BA4B8F287083846B205BCD120@AZ25EXM04.gddsi.com> <4B156BC0.3080303@blstream.com> <5E904A528F23FA469961CECAC5F417870212D63F@NDHMC4SXCH.gdc4s.com> <4B1902DB.3050801@blstream.com> <4B1907E7.6000208@redhat.com> <4B19193C.9020002@blstream.com> <1260820208.27813.222.camel@localhost.localdomain> <4B2749C4.2040605@blstream.com>
Message-ID: <1261017606.27813.259.camel@localhost.localdomain>

Hmm, I was hoping something obvious would stand out, but that's not the case.

I tried installing the RA on a FC11 system I have here - and had no problems. Of course, I'm using the latest versions of all the pki-* components.

The port you are using is fine. It should be the one for the security domain which is on the secure admin port. You can also see this in the section at the end of the status display - which looks something like:

Registered PKI Security Domain Information:
==========================================================================
Name: foo domain
URL: https://host:19145
==========================================================================

So, it's time to look at the logs.
In the /var/lib//logs/debug logfile, you should see something like the following for this panel in the installation:

Tue Dec 15 09:31:06 EST 2009 - RA wizard: setting up test objects
Tue Dec 15 09:31:06 EST 2009 - RA wizard: found 2 certtags
Tue Dec 15 09:31:06 EST 2009 - DisplayCertChainPanel: update
Tue Dec 15 09:31:06 EST 2009 - content = <?xml version="1.0" encoding="UTF-8"?><DomainInfo><Name>workpc domain 1 093009</Name><CAList><CA><Host>dhcp231-70.rdu.redhat.com</Host><SecurePort>9544</SecurePort><SecureAgentPort>9543</SecureAgentPort><SecureAdminPort>9545</SecureAdminPort><UnSecurePort>9580</UnSecurePort><Clone>false</Clone><SubsystemName>Certificate Authority pki-ca1</SubsystemName><DomainManager>true</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>0
Tue Dec 15 09:31:06 EST 2009 - DisplayCertChainPanel: security domain 'workpc domain 1 093009'
Tue Dec 15 09:31:06 EST 2009 - DisplayCertChainPanel: Found CA 'Certificate Authority pki-ca1'

We're particularly interested in what content is displaying .. What do you see?

In fact, please open a bugzilla against dogtag, attach the debug and error_log, and let me know the bug number.

Thanks,
Ade Lee

On Tue, 2009-12-15 at 09:33 +0100, Rafał Kamiński wrote:
> Hi,
>
> Thanks for your answer.
>
> > What version of Fedora are you using?
>
> Fedora release 11 (Leonidas)
>
> > Do you have selinux in enforcing mode?
>
> I had enforcing mode on Selinux. Now I disabled selinux and first:
>
> - Join an Existing Security Domain - and I use https://domain:9545 <- I
> not using default port 9445 but 9545 port
>
> Because I have that status on CA:
>
> -bash-4.0# /etc/init.d/pki-ca status
> pki-ca (pid 5892) is running ...
>
> Unsecure Port = http://domain:9580/ca/ee/ca
> Secure Agent Port = https://domain:9543/ca/agent/ca
> Secure EE Port = https://domain:9544/ca/ee/ca
> Secure Admin Port = https://domain:9545/ca/services
> PKI Console Port = pkiconsole https://domain:9545/ca
> Tomcat Port = 9801 (for shutdown)
>
> Maybe this is problem?
>
> - After that I see: Display Certificate Chain
>
> - Click Next
>
> - And:
>
> Internal Server Error
>
> The server encountered an internal error or misconfiguration and was
> unable to complete your request.
>
> Please contact the server administrator, you at example.com and inform them
> of the time the error occurred, and anything you might have done that
> may have caused the error.
>
> More information about this error may be available in the server error log.
>
> :(
>
> > What is the output of :
> > rpm -qa |grep pki
>
> bash-4.0# rpm -qa |grep pki
>
> pki-setup-1.2.0-1.fc11.noarch
> pki-ra-1.2.0-2.fc11.noarch
> dogtag-pki-common-ui-1.2.0-1.fc11.noarch
> pki-util-1.2.0-1.fc11.noarch
> pki-selinux-1.2.0-2.fc11.noarch
> pki-common-1.2.0-1.fc11.noarch
> pki-native-tools-1.2.0-2.fc11.i586
> dogtag-pki-ra-ui-1.2.0-1.fc11.noarch
> pki-java-tools-1.2.0-1.fc11.noarch
> pki-silent-1.2.0-1.fc11.noarch
>
> BR,
>
> Thanks for your help.
>
> Rafal Kaminski
>

From czeller at sjm.com Thu Dec 17 04:15:36 2009
From: czeller at sjm.com (Craig Zeller - SysAdmin)
Date: Wed, 16 Dec 2009 20:15:36 -0800
Subject: [Pki-users] Dogtag autoenrollment from an embedded Linux device
Message-ID: <1261023336.4856.23.camel@ws-ussy-55142-x.sjm.com>

We have been testing pki-ra-1.2.0-2 on Fedora 11 via SSCEP as a possible solution.

Our problem is that we need to be able to automatically deploy certificates to thousands of embedded Linux devices, each equipped with a common initial shared-secret or cert.
Each needs to be able to enroll, recover an initial individual cert based on the system's serial number, and renew the cert... all over a dial-up connection.

SSCEP seems to be falling out of the solution based on the requirement for one-time PINs and manual approval of the requests. Although the web interface works beautifully, we can't seem to get SSCEP working.

We've looked at the CMCEnroll tool, but that requires Java which is not part of the embedded software. This is an embedded flash rom based system that does not have the memory available. Any suggestions? I'd hate to have to cave-in to those that want a Microsoft solution.

Craig Zeller

This communication, including any attachments, may contain information that is proprietary, privileged, confidential or legally exempt from disclosure. If you are not a named addressee, you are hereby notified that you are not authorized to read, print, retain a copy of or disseminate any portion of this communication without the consent of the sender and that doing so may be unlawful. If you have received this communication in error, please immediately notify the sender via return e-mail and delete it from your system.

From dpal at redhat.com Thu Dec 17 04:26:58 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 16 Dec 2009 23:26:58 -0500
Subject: [Pki-users] Dogtag autoenrollment from an embedded Linux device
In-Reply-To: <1261023336.4856.23.camel@ws-ussy-55142-x.sjm.com>
References: <1261023336.4856.23.camel@ws-ussy-55142-x.sjm.com>
Message-ID: <4B29B312.8070903@redhat.com>

Craig Zeller - SysAdmin wrote:
> We have been testing pki-ra-1.2.0-2 on Fedora 11 via SSCEP as
> a possible solution.
>
> Our problem is that we need to be able to automatically deploy
> certificates to thousands of embedded Linux devices, each
> equipped with a common initial shared-secret or cert. Each needs
> to be able to enroll, recover an initial individual cert based
> on the system's serial number, and renew the cert...
> all over a dial-up connection.
>
> SSCEP seems to be falling out of the solution based on the
> requirement for one-time PINs and manual approval of the requests.
> Although the web interface works beautifully, we can't seem
> to get SSCEP working.
>
> We've looked at the CMCEnroll tool, but that requires Java which
> is not part of the embedded software. This is an embedded flash
> rom based system that does not have the memory available. Any
> suggestions? I'd hate to have to cave-in to those that want a
> Microsoft solution.
>
> Craig Zeller
>

Hi,

Will that help as a client?
https://fedorahosted.org/certmonger/

It will work with IPA v2 which in turn will embed CA&RA and would not require manual approval.
Community release of IPA v2 has now shifted to the beginning of next year.
You can read about IPA on www.freeIPA.org. If it does not come up please try again a day later. There are some DNS issues being sorted out. The site just moved from one place into another and is not fully back online but we expect it to get online any day.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From arshad.noor at strongauth.com Thu Dec 17 04:43:07 2009
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Wed, 16 Dec 2009 20:43:07 -0800
Subject: [Pki-users] Dogtag autoenrollment from an embedded Linux device
In-Reply-To: <1261023336.4856.23.camel@ws-ussy-55142-x.sjm.com>
References: <1261023336.4856.23.camel@ws-ussy-55142-x.sjm.com>
Message-ID: <4B29B6DB.5080405@strongauth.com>

Have you considered using a proxy between your embedded devices and the PKI? With such a scheme you can pretty much do anything you want and shield the devices and the PKI from changes to their respective interfaces.

A solution such as this (that we deployed last year) works well for a bio-tech firm that is embedding digital certificates into "throw-away" consumables with embedded processors. The proxy machine is a PC with a custom application responsible for provisioning certificates to the embedded devices (based on serial number, lot #, etc.), and bridges the devices to the PKI.

Arshad Noor
StrongAuth, Inc.

Craig Zeller - SysAdmin wrote:
> We have been testing pki-ra-1.2.0-2 on Fedora 11 via SSCEP as
> a possible solution.
>
> Our problem is that we need to be able to automatically deploy
> certificates to thousands of embedded Linux devices, each
> equipped with a common initial shared-secret or cert. Each needs
> to be able to enroll, recover an initial individual cert based
> on the system's serial number, and renew the cert... all over
> a dial-up connection.
>
> SSCEP seems to be falling out of the solution based on the
> requirement for one-time PINs and manual approval of the requests.
> Although the web interface works beautifully, we can't seem
> to get SSCEP working.
>
> We've looked at the CMCEnroll tool, but that requires Java which
> is not part of the embedded software. This is an embedded flash
> rom based system that does not have the memory available. Any
> suggestions?
> I'd hate to have to cave-in to those that want a
> Microsoft solution.
>
> Craig Zeller
>

From cfu at redhat.com Thu Dec 17 04:59:07 2009
From: cfu at redhat.com (Christina Fu)
Date: Wed, 16 Dec 2009 20:59:07 -0800
Subject: [Pki-users] Dogtag autoenrollment from an embedded Linux device
In-Reply-To: <1261023336.4856.23.camel@ws-ussy-55142-x.sjm.com>
References: <1261023336.4856.23.camel@ws-ussy-55142-x.sjm.com>
Message-ID: <4B29BA9B.30904@redhat.com>

Craig Zeller - SysAdmin wrote:
> We have been testing pki-ra-1.2.0-2 on Fedora 11 via SSCEP as
> a possible solution.
>
> Our problem is that we need to be able to automatically deploy
> certificates to thousands of embedded Linux devices, each
> equipped with a common initial shared-secret or cert. Each needs
> to be able to enroll, recover an initial individual cert based
> on the system's serial number, and renew the cert... all over
> a dial-up connection.
>

For initial enrollment, have you tried the bulkissuance tool? You get the cert auto-approved and returned immediately, provided you have the authorized agent cert to sign:
http://www.redhat.com/docs/manuals/cert-system/8.0/cli/html/Bulk_Issuance_Tool.html
You could use certutil to generate csrs.
For renewal, there are different ways, but the easiest way for you is to re-submit the same request (assuming you saved it).

> SSCEP seems to be falling out of the solution based on the
> requirement for one-time PINs and manual approval of the requests.
> Although the web interface works beautifully, we can't seem
> to get SSCEP working.
>
> We've looked at the CMCEnroll tool, but that requires Java which
> is not part of the embedded software. This is an embedded flash
> rom based system that does not have the memory available. Any
> suggestions? I'd hate to have to cave-in to those that want a
> Microsoft solution.
>
> Craig Zeller

From rafal.kaminski at blstream.com Thu Dec 17 10:34:27 2009
From: rafal.kaminski at blstream.com (Rafał Kamiński)
Date: Thu, 17 Dec 2009 11:34:27 +0100
Subject: [Pki-users] Problem with install RA (pki-ra)
In-Reply-To: <1261017606.27813.259.camel@localhost.localdomain>
References: <4B14F1FA.1050201@blstream.com>
 <150446754087724BA4B8F287083846B205BCD120@AZ25EXM04.gddsi.com>
 <4B156BC0.3080303@blstream.com>
 <5E904A528F23FA469961CECAC5F417870212D63F@NDHMC4SXCH.gdc4s.com>
 <4B1902DB.3050801@blstream.com>
 <4B1907E7.6000208@redhat.com>
 <4B19193C.9020002@blstream.com>
 <1260820208.27813.222.camel@localhost.localdomain>
 <4B2749C4.2040605@blstream.com>
 <1261017606.27813.259.camel@localhost.localdomain>
Message-ID: <4B2A0933.1050109@blstream.com>

Hi :)

I have better humour, because it works :)
My problem was in "Security Domain" - I used the wrong address and the wrong port.

Because:
- I have two CAs - main CA and second clone CA1

  ca --- ca1 ---- ra

- and always when I install ra I use ca1 Security Domain - and that was the problem.

Now I have installed pki-ra and am now configuring it for my use.

Thanks a lot for your help!!!

Br,
Rafal Kaminski

From Alan.Mikolajczuk at gdc4s.com Mon Dec 21 19:56:02 2009
From: Alan.Mikolajczuk at gdc4s.com (Mikolajczuk, Alan)
Date: Mon, 21 Dec 2009 14:56:02 -0500
Subject: [Pki-users] Tpsclient - error enrolling token generated keys
Message-ID: <3DFFB0670A395946974CE996C720732419790186@NDHMC4SXCH.gdc4s.com>

All,

I have CS 8.0 GA installed and I am trying to use the tpsclient tool for testing the TPS. When enrolling a user there are 2 keys (signing and ID) generated on the card and the encryption key is generated server side. When the tpsclient enrollment is complete it states "Success - Operation 'ra_enroll' Success".
But looking into the tps-error log it states that:

[2009-12-21 11:41:01] a6b19c50 CertEnroll::verifyProof - VFY_CreateContext() failed
[2009-12-21 11:41:01] a6b19c50 CertEnroll::ParsePublicKeyBlob - verify proof failed
[2009-12-21 11:41:01] a6b19c50 RA_Enroll_Processor::DoEnrollment - Failed to parse public key
[2009-12-21 11:41:01] a6b19c50 CertEnroll::verifyProof - VFY_CreateContext() failed
[2009-12-21 11:41:01] a6b19c50 CertEnroll::ParsePublicKeyBlob - verify proof failed
[2009-12-21 11:41:01] a6b19c50 RA_Enroll_Processor::DoEnrollment - Failed to parse public key

These errors are not seen when enrolling with a SafeNet 330J. My tpsclient script is below. Is there a way to use the tpsclient and have keys generated on the fake token verified successfully?

op=var_set name=ra_host value=tps
op=var_set name=ra_port value=7888
op=var_set name=ra_uri value=/nk_service
op=token_set cuid=00000000000000000003
op=token_set msn=01020304
op=token_set app_ver=499dc06c
op=token_set key_info=0101
op=token_set major_ver=1
op=token_set minor_ver=4
op=token_set auth_key=404142434445464748494a4b4c4d4e4f
op=token_set mac_key=404142434445464748494a4b4c4d4e4f
op=token_set kek_key=404142434445464748494a4b4c4d4e4f
op=ra_enroll uid=frederick.c.meyer pwd=aixAeiYZnhhnbzBB num_threads=1 new_pin=not4long keygen=true
op=exit

Thanks,
Alan Mikolajczuk

From jmagne at redhat.com Mon Dec 21 21:57:56 2009
From: jmagne at redhat.com (John Magne)
Date: Mon, 21 Dec 2009 16:57:56 -0500 (EST)
Subject: [Pki-users] Tpsclient - error enrolling token generated keys
In-Reply-To: <472463796.2041101261432367265.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>
Message-ID: <542688073.2041491261432676481.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>

Try setting the following CS.cfg parameter as a workaround:

general.verifyProof=0

----- Original Message -----
From: "Alan Mikolajczuk"
To: pki-users at redhat.com
Sent: Monday, December 21, 2009 11:56:02 AM GMT -08:00 US/Canada Pacific
Subject: [Pki-users] Tpsclient - error enrolling token generated keys

All,

I have CS 8.0 GA installed and I am trying to use the tpsclient tool for testing the TPS. When enrolling a user there are 2 keys (signing and ID) generated on the card and the encryption key is generated server side. When the tpsclient enrollment is complete it states "Success - Operation 'ra_enroll' Success". But looking into the tps-error log it states that:

[2009-12-21 11:41:01] a6b19c50 CertEnroll::verifyProof - VFY_CreateContext() failed
[2009-12-21 11:41:01] a6b19c50 CertEnroll::ParsePublicKeyBlob - verify proof failed
[2009-12-21 11:41:01] a6b19c50 RA_Enroll_Processor::DoEnrollment - Failed to parse public key
[2009-12-21 11:41:01] a6b19c50 CertEnroll::verifyProof - VFY_CreateContext() failed
[2009-12-21 11:41:01] a6b19c50 CertEnroll::ParsePublicKeyBlob - verify proof failed
[2009-12-21 11:41:01] a6b19c50 RA_Enroll_Processor::DoEnrollment - Failed to parse public key

These errors are not seen when enrolling with a SafeNet 330J. My tpsclient script is below. Is there a way to use the tpsclient and have keys generated on the fake token verified successfully?
op=var_set name=ra_host value=tps
op=var_set name=ra_port value=7888
op=var_set name=ra_uri value=/nk_service
op=token_set cuid=00000000000000000003
op=token_set msn=01020304
op=token_set app_ver=499dc06c
op=token_set key_info=0101
op=token_set major_ver=1
op=token_set minor_ver=4
op=token_set auth_key=404142434445464748494a4b4c4d4e4f
op=token_set mac_key=404142434445464748494a4b4c4d4e4f
op=token_set kek_key=404142434445464748494a4b4c4d4e4f
op=ra_enroll uid=frederick.c.meyer pwd=aixAeiYZnhhnbzBB num_threads=1 new_pin=not4long keygen=true
op=exit

Thanks,
Alan Mikolajczuk
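
An added example, not part of the thread and not Dogtag code: because tpsclient reported success while tps-error recorded proof failures, this script counts complete verifyProof failure chains in tps-error text and flags a CS.cfg text that carries the `general.verifyProof=0` workaround. The function names are hypothetical, and treating the hex field after the timestamp as a per-thread id is an assumption.

```python
import re
from collections import Counter

# Sample input: the tps-error lines quoted in the thread above.
SAMPLE_LOG = """\
[2009-12-21 11:41:01] a6b19c50 CertEnroll::verifyProof - VFY_CreateContext() failed
[2009-12-21 11:41:01] a6b19c50 CertEnroll::ParsePublicKeyBlob - verify proof failed
[2009-12-21 11:41:01] a6b19c50 RA_Enroll_Processor::DoEnrollment - Failed to parse public key
[2009-12-21 11:41:01] a6b19c50 CertEnroll::verifyProof - VFY_CreateContext() failed
[2009-12-21 11:41:01] a6b19c50 CertEnroll::ParsePublicKeyBlob - verify proof failed
[2009-12-21 11:41:01] a6b19c50 RA_Enroll_Processor::DoEnrollment - Failed to parse public key
"""

# "[timestamp] <hex id> <Class::method> - <message>"
LINE = re.compile(r"^\[[^\]]+\]\s+(?P<tid>[0-9a-f]+)\s+(?P<src>\S+)\s+-\s+(?P<msg>.*)$")
# The failure chain from the thread, in the order it was logged.
CHAIN = ("CertEnroll::verifyProof", "CertEnroll::ParsePublicKeyBlob",
         "RA_Enroll_Processor::DoEnrollment")

def proof_failures(log_text):
    """Count complete, consecutive failure chains per hex id (assumed per-thread)."""
    progress, failures = {}, Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        tid, failed = m["tid"], "fail" in m["msg"].lower()
        step = progress.get(tid, 0)
        if not (failed and m["src"] == CHAIN[step]):
            step = 0  # chain broken; this line may still start a new one
        if failed and m["src"] == CHAIN[step]:
            step += 1
        if step == len(CHAIN):
            failures[tid] += 1
            step = 0
        progress[tid] = step
    return dict(failures)

def proof_check_disabled(cfg_text):
    """True if any CS.cfg-style line sets general.verifyProof to 0."""
    for raw in cfg_text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip() == "general.verifyProof" and value.strip() == "0":
            return True
    return False

if __name__ == "__main__":
    print(proof_failures(SAMPLE_LOG))
```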