From rashmeepawar at gmail.com Thu Oct 1 09:02:36 2009
From: rashmeepawar at gmail.com (Rashmi Pawar)
Date: Thu, 1 Oct 2009 14:32:36 +0530
Subject: [Pki-users] Authentication using ldap
Message-ID: <816962df0910010202j22f5221dw80b2eeff11327bce@mail.gmail.com>

Hi,

I have installed and configured the PKI subsystems. I need to configure it for user authentication using Fedora Directory Server installed on the same system. However, in the current environment all the user information is stored on a Windows Active Directory server and the authentication is also being done by the existing Windows AD server.

In the console for administrator configuration:

#pkiconsole https://server.example.com:9445/ca

I searched if I could enter the information of the AD server (that holds user information, that checks if the user is valid) in the "Authentication" section of the console but did not find one.

I need to provide Windows ADS information in the authentication section of the console. Where do I provide the same? Or is there any other way for authenticating users, as the user information is based on another system (Windows AD server)?

Thanks
Rashmi

From ckannan at redhat.com Thu Oct 1 12:51:32 2009
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Thu, 01 Oct 2009 05:51:32 -0700
Subject: [Pki-users] Authentication using ldap
In-Reply-To: <816962df0910010202j22f5221dw80b2eeff11327bce@mail.gmail.com>
References: <816962df0910010202j22f5221dw80b2eeff11327bce@mail.gmail.com>
Message-ID: <4AC4A5D4.6060603@redhat.com>

On 10/01/2009 02:02 AM, Rashmi Pawar wrote:
> Hi,
> I have installed and configured the PKI subsystems. I need to configure
> it for user authentication using Fedora Directory Server installed on
> the same system. However, in the current environment all the user
> information is stored on a Windows Active Directory server and the
> authentication is also being done by the existing Windows AD server.
> In the console for administrator configuration: #pkiconsole
> https://server.example.com:9445/ca
> I searched if I could enter the information of the AD server (that holds
> user information, that checks if the user is valid) in the "Authentication"
> section of the console but did not find one.
> I need to provide Windows ADS information in the authentication
> section of the console, where do I provide the same?

You can't because we currently don't support this.

> or is there any other way for authenticating users as the user
> information is based on another system (Windows AD Server)?

Yes. Set up a Fedora Directory Server instance that automagically synchronizes users and passwords from Windows Active Directory using our "Password Sync utility".

A Howto is here - http://directory.fedoraproject.org/wiki/Howto:WindowsSync
Downloads here - http://directory.fedoraproject.org/wiki/Download

Once the initial sync to Fedora Directory Server is complete, then you can use pkiconsole to authenticate to this instance.

Hope that helps.

thanks,
--Chandra

> Thanks
> Rashmi
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From awnuk at redhat.com Thu Oct 1 15:03:00 2009
From: awnuk at redhat.com (Andrew Wnuk)
Date: Thu, 01 Oct 2009 08:03:00 -0700
Subject: [Pki-users] Authentication using ldap
In-Reply-To: <4AC4A5D4.6060603@redhat.com>
References: <816962df0910010202j22f5221dw80b2eeff11327bce@mail.gmail.com> <4AC4A5D4.6060603@redhat.com>
Message-ID: <4AC4C4A4.7020506@redhat.com>

On 10/01/09 05:51, Chandrasekar Kannan wrote:
> On 10/01/2009 02:02 AM, Rashmi Pawar wrote:
>> Hi,
>> I have installed and configured the PKI subsystems.
>> I need to configure it for user authentication using Fedora Directory Server
>> installed on the same system. However, in the current environment all the
>> user information is stored on a Windows Active Directory server and
>> the authentication is also being done by the existing Windows AD server.
>> In the console for administrator configuration: #pkiconsole
>> https://server.example.com:9445/ca
>> I searched if I could enter the information of the AD server (that holds
>> user information, that checks if the user is valid) in the "Authentication"
>> section of the console but did not find one.
>> I need to provide Windows ADS information in the authentication
>> section of the console, where do I provide the same?
>
> You can't because we currently don't support this.

but you could write your own authentication plug-in.

>
>> or is there any other way for authenticating users as the user
>> information is based on another system (Windows AD Server)?
>
> Yes. Set up a Fedora Directory Server instance that automagically
> synchronizes users and passwords from Windows Active Directory using
> our "Password Sync utility". A Howto is here -
> http://directory.fedoraproject.org/wiki/Howto:WindowsSync
> Downloads here - http://directory.fedoraproject.org/wiki/Download
> Once the initial sync to Fedora Directory Server is complete, then you can use
> pkiconsole to authenticate to this instance.
>
> Hope that helps.
>
> thanks,
> --Chandra
>
>> Thanks
>> Rashmi

From rashmeepawar at gmail.com Mon Oct 5 16:21:27 2009
From: rashmeepawar at gmail.com (Rashmi Pawar)
Date: Mon, 5 Oct 2009 21:51:27 +0530
Subject: [Pki-users] Authentication using ldap
In-Reply-To: <4AC4A5D4.6060603@redhat.com>
References: <816962df0910010202j22f5221dw80b2eeff11327bce@mail.gmail.com> <4AC4A5D4.6060603@redhat.com>
Message-ID: <816962df0910050921r58213f77kae9ba47cc22588a1@mail.gmail.com>

thank you...will try this...

On Thu, Oct 1, 2009 at 6:21 PM, Chandrasekar Kannan wrote:
> On 10/01/2009 02:02 AM, Rashmi Pawar wrote:
>> Hi,
>>
>> I have installed and configured the PKI subsystems. I need to configure it
>> for user authentication using Fedora Directory Server installed on the same
>> system. However, in the current environment all the user information is stored
>> on a Windows Active Directory server and the authentication is also being done
>> by the existing Windows AD server.
>>
>> In the console for administrator configuration: #pkiconsole
>> https://server.example.com:9445/ca I searched if I could enter the information
>> of the AD server (that holds user information, that checks if the user is valid)
>> in the "Authentication" section of the console but did not find one.
>>
>> I need to provide Windows ADS information in the authentication section of
>> the console, where do I provide the same?
>
> You can't because we currently don't support this.
>
>> or is there any other way for authenticating users as the user
>> information is based on another system (Windows AD Server)?
>
> Yes. Set up a Fedora Directory Server instance that automagically
> synchronizes users and passwords from Windows Active Directory using our
> "Password Sync utility". A Howto is here -
> http://directory.fedoraproject.org/wiki/Howto:WindowsSync
> Downloads here - http://directory.fedoraproject.org/wiki/Download
> Once the initial sync to Fedora Directory Server is complete, then you can
> use pkiconsole to authenticate to this instance.
>
> Hope that helps.
>
> thanks,
> --Chandra
>
>> Thanks
>> Rashmi

From rashmeepawar at gmail.com Mon Oct 5 16:23:02 2009
From: rashmeepawar at gmail.com (Rashmi Pawar)
Date: Mon, 5 Oct 2009 21:53:02 +0530
Subject: [Pki-users] Authentication using ldap
In-Reply-To: <4AC4C4A4.7020506@redhat.com>
References: <816962df0910010202j22f5221dw80b2eeff11327bce@mail.gmail.com> <4AC4A5D4.6060603@redhat.com> <4AC4C4A4.7020506@redhat.com>
Message-ID: <816962df0910050923h6330102cue953275f4b416f02@mail.gmail.com>

Thank you...will search more on writing own authentication plug-in...will try this too...

On Thu, Oct 1, 2009 at 8:33 PM, Andrew Wnuk wrote:
> On 10/01/09 05:51, Chandrasekar Kannan wrote:
>> On 10/01/2009 02:02 AM, Rashmi Pawar wrote:
>>> Hi,
>>>
>>> I have installed and configured the PKI subsystems. I need to configure it
>>> for user authentication using Fedora Directory Server installed on the same
>>> system. However, in the current environment all the user information is stored
>>> on a Windows Active Directory server and the authentication is also being done
>>> by the existing Windows AD server.
>>>
>>> In the console for administrator configuration: #pkiconsole
>>> https://server.example.com:9445/ca I searched if I could enter the information
>>> of the AD server (that holds user information, that checks if the user is valid)
>>> in the "Authentication" section of the console but did not find one.
>>>
>>> I need to provide Windows ADS information in the authentication section of
>>> the console, where do I provide the same?
>>
>> You can't because we currently don't support this.
>
> but you could write your own authentication plug-in.
>
>>> or is there any other way for authenticating users as the user
>>> information is based on another system (Windows AD Server)?
>>
>> Yes. Set up a Fedora Directory Server instance that automagically
>> synchronizes users and passwords from Windows Active Directory using our
>> "Password Sync utility". A Howto is here -
>> http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>> Downloads here - http://directory.fedoraproject.org/wiki/Download
>> Once the initial sync to Fedora Directory Server is complete, then you can
>> use pkiconsole to authenticate to this instance.
>>
>> Hope that helps.
>>
>> thanks,
>> --Chandra
>>
>>> Thanks
>>> Rashmi

From KLAUS.HEYDEN at allianz.de Tue Oct 13 09:21:15 2009
From: KLAUS.HEYDEN at allianz.de (Heyden, Klaus (Allianz ASIC SE))
Date: Tue, 13 Oct 2009 11:21:15 +0200
Subject: [Pki-users] cloning of PKI-CA
Message-ID: <613BB4A6A18A9C44B1D029946BD525BA0CBF27102B@naimuclh.wwg00m.rootdom.net>

Hello,

I have problems cloning a CA. The import of the keys failed.
First, when adding the filename, the servlet every time adds the path "/usr/lib//alias". I put the PKCS12 file directly in the alias directory and changed the owner to pkiuser; then I get an error "missing permissions".

In debug-log:

[09/Oct/2009:15:55:04][http-9445-Processor22]: panel no=5
[09/Oct/2009:15:55:04][http-9445-Processor22]: panel name=restorekeys
[09/Oct/2009:15:55:04][http-9445-Processor22]: total number of panels=19
[09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet: process
[09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet:service() uri = /ca/admin/console/config/wizard
[09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet::service() param name='__password' value='(sensitive)'
[09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet::service() param name='path' value='master.p12'
[09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet::service() param name='p' value='5'
[09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet::service() param name='op' value='next'
[09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet: op=next
[09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet: size=19
[09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet: in next 5
[09/Oct/2009:15:55:25][http-9445-Processor24]: panel no=5

What is going wrong?

Kind regards,
Klaus Heyden

E-Mail Klaus.Heyden at Allianz.com

From kchamart at redhat.com Tue Oct 13 09:43:49 2009
From: kchamart at redhat.com (kashyap chamarthy)
Date: Tue, 13 Oct 2009 15:13:49 +0530
Subject: [Pki-users] cloning of PKI-CA
In-Reply-To: <613BB4A6A18A9C44B1D029946BD525BA0CBF27102B@naimuclh.wwg00m.rootdom.net>
References: <613BB4A6A18A9C44B1D029946BD525BA0CBF27102B@naimuclh.wwg00m.rootdom.net>
Message-ID: <4AD44BD5.1040205@redhat.com>

Heyden, Klaus (Allianz ASIC SE) wrote:
> Hello,
>
> I have problems cloning a CA. The import of the keys failed.
> First, when adding the filename, the servlet every time adds the path
> "/usr/lib//alias". I put the PKCS12 file directly in the
> alias directory and changed the owner to pkiuser; then I get an error
> "missing permissions". In debug-log:
>
> [09/Oct/2009:15:55:04][http-9445-Processor22]: panel no=5
> [09/Oct/2009:15:55:04][http-9445-Processor22]: panel name=restorekeys
> [09/Oct/2009:15:55:04][http-9445-Processor22]: total number of panels=19
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet: process
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet:service()
> uri = /ca/admin/console/config/wizard
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet::service()
> param name='__password' value='(sensitive)'
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet::service()
> param name='path' value='master.p12'
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet::service()
> param name='p' value='5'
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet::service()
> param name='op' value='next'
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet: op=next
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet: size=19
> [09/Oct/2009:15:55:25][http-9445-Processor24]: WizardServlet: in next 5
> [09/Oct/2009:15:55:25][http-9445-Processor24]: panel no=5
> What is going wrong?

Hi, can you try as below?

-- create a new slapd (directory) instance for the clone CA (note the new directory server port)
-- create a new CA instance (for the clone)
-- use the PKCS12Export utility to export the certificates from the Master CA and copy it to the clone alias directory (*before* you start configuring the clone CA instance)
-- chown pkiuser:pkiuser cacerts.p12
-- /now/, start configuring the clone CA instance
-- Join an "existing" security domain (the master CA domain)
-- At the "Internal Database", enter the Fully Qualified Domain Name (instead of localhost) of the Clone CA and the appropriate port no.
-- Just enter the cacerts.p12 file name when "Path where the pk12 files are located" is prompted for the clone CA (/do not/ mention the complete file path)
-- Enter the rest of the details and see if you're able to proceed with the clone CA instance.

What version of certificate system are you trying to use?

hope that helps,
/kashyap

> Kind regards,
> Klaus Heyden
>
> E-Mail Klaus.Heyden at Allianz.com

From mmercier at gmail.com Fri Oct 16 19:05:46 2009
From: mmercier at gmail.com (Mike Mercier)
Date: Fri, 16 Oct 2009 15:05:46 -0400
Subject: [Pki-users] OpenSSL user certificates with DogTag
Message-ID: <4959d1510910161205j430aec1bp1affaa43cd02da5c@mail.gmail.com>

Hello,

I have some questions someone can hopefully answer.

I would like to be able to create a user key pair using OpenSSL and then sign the public key with DogTag. I know you can create user keys using a browser, but this is *not* what I am looking for.

1. Is this possible?
2. If possible, what template should be used for the request?

Thanks,
Mike

From ckannan at redhat.com Fri Oct 16 19:11:29 2009
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Fri, 16 Oct 2009 12:11:29 -0700
Subject: [Pki-users] OpenSSL user certificates with DogTag
In-Reply-To: <4959d1510910161205j430aec1bp1affaa43cd02da5c@mail.gmail.com>
References: <4959d1510910161205j430aec1bp1affaa43cd02da5c@mail.gmail.com>
Message-ID: <4AD8C561.7050802@redhat.com>

On 10/16/2009 12:05 PM, Mike Mercier wrote:
> Hello,
>
> I have some questions someone can hopefully answer.
>
> I would like to be able to create a user key pair using OpenSSL and
> then sign the public key with DogTag. I know you can create user keys
> using a browser, but this is *not* what I am looking for.
>
> 1.
> Is this possible?
> 2. If possible, what template should be used for the request?

http://pki.fedoraproject.org/wiki/Apache_Cert_Enrollment

This page describes how to do the same for "server certificates". What you do need to do is something along these lines:

1 - customize a profile like "caOtherCert" for example and add the right extensions you need.
2 - submit your pkcs10 request there and get it approved.

--Chandra

> Thanks,
> Mike

From sean.veale at gdc4s.com Wed Oct 21 17:51:20 2009
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Wed, 21 Oct 2009 13:51:20 -0400
Subject: [Pki-users] Internal ocsp CS 8.0 question
Message-ID: <5E904A528F23FA469961CECAC5F4178702054415@NDHMC4SXCH.gdc4s.com>

For 8.0 at least, is there always an internal OCSP service set up at http://fqdn:9180/ca/ocsp where fqdn is the fully qualified domain name of the box the CA is sitting on?

thanks
Sean

From kchamart at redhat.com Wed Oct 21 17:52:14 2009
From: kchamart at redhat.com (kashyap chamarthy)
Date: Wed, 21 Oct 2009 23:22:14 +0530
Subject: [Pki-users] Internal ocsp CS 8.0 question
In-Reply-To: <5E904A528F23FA469961CECAC5F4178702054415@NDHMC4SXCH.gdc4s.com>
References: <5E904A528F23FA469961CECAC5F4178702054415@NDHMC4SXCH.gdc4s.com>
Message-ID: <4ADF4A4E.7070008@redhat.com>

Veale, Sean wrote:
>
> For 8.0 at least, is there always an internal OCSP service set up at
> http://fqdn:9180/ca/ocsp where fqdn is the fully qualified domain
> name of the box the CA is sitting on?

yes, it is.
/kashyap

> thanks
> Sean

From sean.veale at gdc4s.com Tue Oct 27 14:54:46 2009
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Tue, 27 Oct 2009 10:54:46 -0400
Subject: [Pki-users] Connections between the subsystems (CS 8.0 question)
Message-ID: <5E904A528F23FA469961CECAC5F417870209FEAB@NDHMC4SXCH.gdc4s.com>

Hi,

For interprocess communications between the subsystems in a security domain (i.e. between the TPS and CA for example), is SSL turned on by default? If so, just server auth? If not, can this be configured for each of the subsystems? (CA, DRM, TPS and TKS?)

Thanks
Sean

From cfu at redhat.com Tue Oct 27 15:54:11 2009
From: cfu at redhat.com (Christina Fu)
Date: Tue, 27 Oct 2009 08:54:11 -0700
Subject: [Pki-users] Connections between the subsystems (CS 8.0 question)
In-Reply-To: <5E904A528F23FA469961CECAC5F417870209FEAB@NDHMC4SXCH.gdc4s.com>
References: <5E904A528F23FA469961CECAC5F417870209FEAB@NDHMC4SXCH.gdc4s.com>
Message-ID: <4AE717A3.5050701@redhat.com>

Veale, Sean wrote:
>
> Hi,
>
> For interprocess communications between the subsystems in a security
> domain (i.e. between the TPS and CA for example), is SSL turned on by
> default? If so, just server auth? If not, can this be configured for
> each of the subsystems? (CA, DRM, TPS and TKS?)
>
> Thanks
> Sean

SSL client auth. If you look at your NSS db, you will find the "subsystemCert xxx" certs. Those are the client auth certs.
Christina

From sean.veale at gdc4s.com Tue Oct 27 15:56:03 2009
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Tue, 27 Oct 2009 11:56:03 -0400
Subject: [Pki-users] Connections between the subsystems (CS 8.0 question)
In-Reply-To: <4AE717A3.5050701@redhat.com>
References: <5E904A528F23FA469961CECAC5F417870209FEAB@NDHMC4SXCH.gdc4s.com> <4AE717A3.5050701@redhat.com>
Message-ID: <5E904A528F23FA469961CECAC5F417870209FEDC@NDHMC4SXCH.gdc4s.com>

Ok. Thanks for the info.

Sean

-----Original Message-----
From: Christina Fu [mailto:cfu at redhat.com]
Sent: Tuesday, October 27, 2009 11:54 AM
To: Veale, Sean
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] Connections between the subsystems (CS 8.0 question)

Veale, Sean wrote:
>
> Hi,
>
> For interprocess communications between the subsystems in a security
> domain (i.e. between the TPS and CA for example), is SSL turned on by
> default? If so, just server auth? If not, can this be configured for
> each of the subsystems? (CA, DRM, TPS and TKS?)
>
> Thanks
> Sean

SSL client auth. If you look at your NSS db, you will find the "subsystemCert xxx" certs. Those are the client auth certs.

Christina
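The client-side half of the flow Chandra describes in the "OpenSSL user certificates with DogTag" thread above (generate the key pair locally, build a PKCS#10 request, submit it to a customized profile such as caOtherCert), as an added example that is not part of the list archive and not Dogtag's own tooling. WORKDIR, the file names, the subject, the 2048-bit RSA key size and the requested extensions are assumptions; the submission to the CA itself is not shown, only the local checks worth running before pasting the request into the profile form.

```shell
#!/bin/sh
# Added example, not from the pki-users thread: create a user key pair and a
# PKCS#10 request with OpenSSL and self-check it before submitting it to a
# Dogtag profile. WORKDIR, file names, subject and extensions are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Request extensions for an end-user certificate. The Dogtag profile decides
# what ends up in the issued certificate; asking for them in the CSR records
# the intent and lets a profile copy them if it is configured to do so.
write_req_config() {
    cat > "$WORKDIR/user_req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = user_ext
prompt = no
[ dn ]
CN = overridden-by-subj
[ user_ext ]
subjectAltName = email:${ENV::USER_EMAIL}
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
EOF
}

# gen_user_request NAME SUBJECT EMAIL
# Writes NAME.key (mode 0600; it never leaves the client) and NAME.csr.
gen_user_request() {
    name="$1"; subject="$2"; email="$3"
    write_req_config
    umask 077
    openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
    USER_EMAIL="$email" openssl req -new -config "$WORKDIR/user_req.cnf" \
        -key "$WORKDIR/$name.key" -subj "$subject" \
        -out "$WORKDIR/$name.csr" 2>/dev/null
}

# verify_request NAME RDN
# Returns 0 when the CSR's self-signature verifies (proof of possession of
# the private key, the first thing a CA checks) and the subject contains RDN.
verify_request() {
    name="$1"; rdn="$2"
    openssl req -in "$WORKDIR/$name.csr" -noout -verify >/dev/null 2>&1 || return 1
    subj=$(openssl req -in "$WORKDIR/$name.csr" -noout -subject -nameopt RFC2253)
    case "$subj" in *"$rdn"*) return 0 ;; esac
    return 1
}

# csr_requests_email NAME EMAIL
# Returns 0 when the request carries the e-mail subjectAltName we asked for.
csr_requests_email() {
    openssl req -in "$WORKDIR/$1.csr" -noout -text | grep -q "email:$2"
}

# csr_is_pem NAME
# Returns 0 when the file has the PEM framing the profile form expects.
csr_is_pem() {
    head -n 1 "$WORKDIR/$1.csr" | grep -q '^-----BEGIN CERTIFICATE REQUEST-----$'
}

# Usage: generate and self-check a request for a constructed user "alice".
gen_user_request alice "/O=Example Corp/CN=alice" alice@example.com
verify_request alice "CN=alice"
csr_requests_email alice alice@example.com
csr_is_pem alice
echo "request ready for submission: $WORKDIR/alice.csr"
```

The private key is written with umask 077 and stays on the requester's machine; only the CSR goes to the CA, which is the point of Mike's question. The subject check uses RFC 2253 output so the same match works across OpenSSL 1.0, 1.1 and 3.x, whose default `-subject` formatting differs.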