From cyril.dangerville at thalesgroup.com Mon Mar 2 17:04:58 2009
From: cyril.dangerville at thalesgroup.com (Cyril Dangerville)
Date: Mon, 02 Mar 2009 18:04:58 +0100
Subject: [Pki-users] Support for XKMS in Dogtag Certificate System
Message-ID: <49AC11BA.9090902@thalesgroup.com>

Hello,
does Dogtag support XKMS (W3C XML Key Management Specification)? If not, is it in the roadmap? What priority?

Thanks for any tip.

regards
--
Cyril Dangerville

From kevinu at redhat.com Tue Mar 3 18:24:49 2009
From: kevinu at redhat.com (Kevin Unthank)
Date: Tue, 03 Mar 2009 10:24:49 -0800
Subject: [Pki-users] Support for XKMS in Dogtag Certificate System
In-Reply-To: <49AC11BA.9090902@thalesgroup.com>
References: <49AC11BA.9090902@thalesgroup.com>
Message-ID: <49AD75F1.2080005@redhat.com>

Hi Cyril,

Dogtag does not currently support XKMS. However, support for XML-based interfaces to Dogtag PKI functionality is on the development roadmap and XKMS is a natural open-standards candidate for such interfaces. Support for X.509-related management under XKMS is unlikely to be available during the CY 2009 timeframe.

Cheers,
Kev

Cyril Dangerville wrote:
> Hello,
> does Dogtag support XKMS (W3C XML Key Management Specification)? If not,
> is it in the roadmap? What priority?
>
> Thanks for any tip.
>
> regards

From sean.veale at gdc4s.com Tue Mar 10 19:39:06 2009
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Tue, 10 Mar 2009 15:39:06 -0400
Subject: [Pki-users] Format for specifying subject in a profile
Message-ID: <5E904A528F23FA469961CECAC5F4178701A81EE2@NDHMC4SXCH.gdc4s.com>

Is the following the correct format for
1) pulling the common name from the directory server, assuming support for doing so has been set up in the CA's CS.cfg, and
2) specifying the ou, o and c as parts of the subject?

policyset.IDUserSet.1.default.params.dnpattern=cn=$request.auth_token.cn [0]$, ou=const1,ou=const2,ou=const3,O=const4,C=const5

If the common name is Sean.Veale the goal is for the subject to look like

CN=Sean.Veale OU=const1 OU=const2 OU=const3 O=const4 C=const5

Thanks
Sean

From sean.veale at gdc4s.com Tue Mar 17 20:50:59 2009
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Tue, 17 Mar 2009 16:50:59 -0400
Subject: [Pki-users] Using something other than the default schema for directory based enrollment?
Message-ID: <5E904A528F23FA469961CECAC5F4178701AF44F4@NDHMC4SXCH.gdc4s.com>

Has anyone been able to implement directory-based enrollment using their own custom schema for the LDAP directory? I.e. either deriving from the default one (person is the object class I think) or their own entirely. I would like to do this, but have been running into problems during the enrollment process. This is using the 8.0 alpha build of the CS but I imagine Dogtag works the same. I'm attaching my TPS and CA configs and Tps-debug log if someone sees a problem with the configuration.

Thanks
Sean

From Julius.Adewumi at gdc4s.com Tue Mar 17 22:42:12 2009
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Tue, 17 Mar 2009 15:42:12 -0700
Subject: [Pki-users] Using something other than the default schema for directory based enrollment?
In-Reply-To: <5E904A528F23FA469961CECAC5F4178701AF44F4@NDHMC4SXCH.gdc4s.com>
References: <5E904A528F23FA469961CECAC5F4178701AF44F4@NDHMC4SXCH.gdc4s.com>
Message-ID: <150446754087724BA4B8F287083846B20409C517@AZ25EXM04.gddsi.com>

Sean, when I was on the CS, I successfully enrolled with Smartcard using directory based enrollment. I had to modify my schema at times to conform to what CS was sending to the directory server (using wireshark to see what is sent). For example, if CS sends out o=Certificate Authority which was not an object in my DS, I added it to the subtree and it works. So I did customize to fit what CS wants, else it comes back too often with denial. (No way to customize CS to fit the DS.)

Julius

________________________________
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Veale, Sean
Sent: Tuesday, March 17, 2009 1:51 PM
To: pki-users at redhat.com
Subject: [Pki-users] Using something other than the default schema for directory based enrollment?

Has anyone been able to implement directory-based enrollment using their own custom schema for the LDAP directory? I.e. either deriving from the default one (person is the object class I think) or their own entirely. I would like to do this, but have been running into problems during the enrollment process. This is using the 8.0 alpha build of the CS but I imagine Dogtag works the same. I'm attaching my TPS and CA configs and Tps-debug log if someone sees a problem with the configuration.

Thanks
Sean

From cyril.dangerville at gmail.com Wed Mar 18 17:40:03 2009
From: cyril.dangerville at gmail.com (Cyril DANGERVILLE)
Date: Wed, 18 Mar 2009 18:40:03 +0100
Subject: [Pki-users] Dogtag/Red Hat Certificate System End-Entity's Guide
Message-ID: <8de3ba710903181040k4c5c4573j6dc86141f6eaabfb@mail.gmail.com>

Hello,
I am unable to find the Red Hat Certificate System End-Entity's Guide (provides detailed reference information on RHCS end-entity interfaces) on my Dogtag/RHCS v7.3 instance. RHCS 7.1 release notes read "To access this information, click the help button from one of the End-Entity Services pages." But there is no mention of it in the RHCS v7.3 doc, and I can't even find the Help button on the End Entity Services page. Am I missing something?

regards,
Cyril Dangerville

From sean.veale at gdc4s.com Wed Mar 25 13:11:58 2009
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Wed, 25 Mar 2009 09:11:58 -0400
Subject: [Pki-users] Dir based enrollment question
Message-ID: <5E904A528F23FA469961CECAC5F4178701AF4D1B@NDHMC4SXCH.gdc4s.com>

Is this bug fixed in the Red Hat 8.0 CS Alpha release?

https://bugzilla.redhat.com/show_bug.cgi?id=487592

It seems I'm still running into it: when I set up the system for directory based enrollment the attributes are not being filled in. I.e. I'll see the tag $request.mail$ for the subject alt name in the cert instead of the user's email address.

I'm attaching a zip of the tps/ca CS.cfg, the profile I am trying this with, the debug logs of the tps and ca subsystems and the access log of the dir srv instance.

sean

From cfu at redhat.com Wed Mar 25 15:16:26 2009
From: cfu at redhat.com (Christina Fu)
Date: Wed, 25 Mar 2009 08:16:26 -0700
Subject: [Pki-users] Dir based enrollment question
In-Reply-To: <5E904A528F23FA469961CECAC5F4178701AF4D1B@NDHMC4SXCH.gdc4s.com>
References: <5E904A528F23FA469961CECAC5F4178701AF4D1B@NDHMC4SXCH.gdc4s.com>
Message-ID: <49CA4ACA.3090204@redhat.com>

Hi Sean,

I took a quick look at your profile. You are using nsTokenDeviceKeySubjectNameDefaultImpl. Unfortunately, unlike nsTokenUserKeySubjectNameDefaultImpl, which draws its info from LDAP, nsTokenDeviceKeySubjectNameDefaultImpl does not. If you just want to try it out for a quick result, you might want to switch to using nsTokenUserKeySubjectNameDefaultImpl instead.

Hope this helps.
Christina

Veale, Sean wrote:
>
> Is this bug fixed in the Red Hat 8.0 CS Alpha release?
>
> https://bugzilla.redhat.com/show_bug.cgi?id=487592
>
> It seems I'm still running into it: when I set up the system for
> directory based enrollment the attributes are not being filled in.
>
> I.e. I'll see the tag $request.mail$ for the subject alt name in the
> cert instead of the user's email address.
>
>
> I'm attaching a zip of the tps/ca CS.cfg, the profile I am trying this
> with, the debug logs of the tps and ca subsystems and the access log
> of the dir srv instance.
>
> sean
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
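Two threads above touch the same mechanism: the dnpattern question (whether `$request.auth_token.cn[0]$` plus constant OU/O/C parts yields the intended subject) and the directory-based enrollment report (a literal `$request.mail$` ending up in the issued cert because the chosen default plugin never fills the attribute). The following added example, which is not Dogtag or RHCS code and is not from anyone on the list, is a small stand-alone emulation of that token substitution plus a lint check that flags unexpanded `$request...$` tokens in a subject or SAN string before a cert is trusted. It assumes the token syntax `$request.<attr>$` / `$request.auth_token.<attr>[<index>]$` (the thread's `cn [0]` is taken to mean `cn[0]`) and a request modelled as a dict of attribute name to list of values; the exact Dogtag semantics are an assumption here.

```python
import re
from typing import Dict, List, Tuple

# Assumed token syntax (not Dogtag's own parser):
#   $request.mail$  or  $request.auth_token.cn[0]$
TOKEN_RE = re.compile(r"\$request\.([A-Za-z0-9_.]+)(?:\[(\d+)\])?\$")

# Pattern and request values constructed from the thread.
DN_PATTERN = ("cn=$request.auth_token.cn[0]$, "
              "ou=const1,ou=const2,ou=const3,O=const4,C=const5")
REQUEST_FROM_LDAP = {"auth_token.cn": ["Sean.Veale"]}


def expand_dnpattern(pattern: str,
                     request: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """Expand $request...$ tokens from the request attributes.

    Returns (expanded_dn, unresolved_tokens). A token whose attribute is
    absent is left in place, reproducing the '$request.mail$' symptom
    reported in the thread instead of silently emitting an empty RDN.
    """
    unresolved: List[str] = []

    def repl(m: "re.Match[str]") -> str:
        name, idx = m.group(1), m.group(2)
        values = request.get(name, [])
        i = int(idx) if idx is not None else 0
        if i < len(values):
            return values[i]
        unresolved.append(m.group(0))
        return m.group(0)

    return TOKEN_RE.sub(repl, pattern), unresolved


def unexpanded_tokens(value: str) -> List[str]:
    """Lint: literal $request...$ tokens left in an issued cert's
    subject DN or SAN string mean the profile never filled them."""
    return [m.group(0) for m in TOKEN_RE.finditer(value)]


def normalize_dn(dn: str) -> str:
    """Upper-case attribute types and trim whitespace so the expanded
    pattern can be compared with the goal DN. Assumes no escaped commas."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, val = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().upper()}={val.strip()}")
    return ",".join(rdns)
```

Running `expand_dnpattern("$request.mail$", {})` shows the failure mode from the second thread: the token survives and is reported as unresolved, so a pre-issuance check on the expanded value catches it.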