From andrew.commons at bigpond.com Tue Feb 2 04:06:09 2010
From: andrew.commons at bigpond.com (Andrew Commons)
Date: Tue, 2 Feb 2010 14:36:09 +1030
Subject: [Pki-users] RA Wizard failing
References: <004f01caa0d9$811dc640$835952c0$@commons@bigpond.com> <1153092304.589321264786672448.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>
Message-ID: <003e01caa3bd$0d757b70$28607250$@commons@bigpond.com>

Manually installing the missing Perl module (perl-DBD-SQLite), removing the pki-ra instance with pkiremove and then recreating it with pkicreate allowed the RA to be configured by the Wizard.

Cheers, Andrew

-----Original Message-----
From: Andrew Commons [mailto:andrew.commons at bigpond.com]
Sent: Saturday, 30 January 2010 9:57 PM
To: 'John Magne'
Cc: 'pki-users at redhat.com'
Subject: RE: [Pki-users] RA Wizard failing

John,

Maybe this might help a bit more:

[Fri Jan 29 22:02:22 2010] [error] [client 192.168.0.9] install_driver(SQLite) failed: Can't locate DBD/SQLite.pm in @INC (@INC contains: /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi /usr/local/lib/perl5/site_perl/5.10.0 /usr/lib/perl5/vendor_perl/5.10.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.10.0/i386-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/lib/perl5/site_perl . /var/lib/pki-ra /var/lib/pki-ra/lib/perl) at (eval 152) line 3.\nPerhaps the DBD::SQLite perl module hasn't been fully installed,\nor perhaps the capitalisation of 'SQLite' isn't right.\nAvailable drivers: DBM, ExampleP, File, Gofer, Proxy, Sponge.\n at /var/lib/pki-ra/lib/perl/PKI/RA/DatabasePanel.pm line 79\n, referer: https://xxxxxx.yyyyy.zzzzzz:12890/ra/admin/console/config/wizard

That looks like 'Ouch!' to me :)

It would appear that package perl-DBD-SQLite should be a dependency? I will install it and recreate everything. Is removing the pki-ra directory and all its contents going to be enough to roll back the configuration?
Cheers, Andrew

-----Original Message-----
From: John Magne [mailto:jmagne at redhat.com]
Sent: Saturday, 30 January 2010 4:08 AM
To: Andrew Commons
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] RA Wizard failing

Those lines are not much to go on. At least for me :) If you could perhaps look in the log file directory to see if there are any clues in any of the other log files present. This should be /var/lib/pki-ra/logs I believe. Also, in your pkicreate command you are using the redirect switch, which might not be needed since you are using the default file locations. This should not be an issue though.

----- Original Message -----
From: "Andrew Commons"
To: pki-users at redhat.com
Sent: Friday, January 29, 2010 3:52:16 AM GMT -08:00 US/Canada Pacific
Subject: [Pki-users] RA Wizard failing

I am getting a fatal server error running the RA Wizard at the Internal Database step when I click Next. The last few lines in the log that seem associated with that page are:

Fri Jan 29 22:02:22 CST 2010 - RA wizard: in handler
Fri Jan 29 22:02:22 CST 2010 - RA wizard: uri='/ra/admin/console/config/wizard'
Fri Jan 29 22:02:22 CST 2010 - RA wizard: http parameter name='p' value='5'
Fri Jan 29 22:02:22 CST 2010 - RA wizard: http parameter name='op' value='next'
Fri Jan 29 22:02:22 CST 2010 - RA wizard: before argparsing
Fri Jan 29 22:02:22 CST 2010 - RA wizard: setting up test objects
Fri Jan 29 22:02:22 CST 2010 - RA wizard: found 2 certtags

These lines are repeated if I use the Back Arrow to return to the page. Clicking Next again does not add anything to the log after that. The system is Fedora 11. The pki-ra install was performed with the "Test Updates" repositories enabled since this was required to get the CA up and running.
The pkicreate command used to set up the RA was:

pkicreate -pki_instance_root=/var/lib -pki_instance_name=pki-ra -subsystem_type=ra -secure_port=12889 -non_clientauth_secure_port=12890 -unsecure_port=12888 -user=pkiuser -group=pkiuser -redirect conf=/etc/pki-ra -redirect logs=/var/log/pki-ra -verbose

which is the RA example out of the pkicreate help. The command used to set up the CA was the example command as well. The CA Config Wizard was fine and the CA seems to be functioning.

Any suggestions?

Cheers, Andrew

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

From rafal.kaminski at blstream.com Tue Feb 2 09:54:51 2010
From: rafal.kaminski at blstream.com (Rafał Kamiński)
Date: Tue, 02 Feb 2010 10:54:51 +0100
Subject: [Pki-users] Problem with install
Message-ID: <4B67F66B.4060900@blstream.com>

Hi all,

I installed dogtag two months ago, and now I repeat that move, but ...

When I use: yum install pki-ca

I see:

Installing : pki-common-1.3.0-7.fc11.noarch 156/158
Installing : hal-info-20090414-1.fc11.noarch 157/158
Adding default PKI group "pkiuser" to /etc/group.
Adding default PKI user "pkiuser" to /etc/passwd.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Installing : pki-ca-1.2.0-4.fc11.noarch 158/158
PKI instance creation Utility ...

[2010-02-02 04:39:15] [error] create_symbolic_link(): illegal destination path => /usr/share/java/ca.jar.

Error detected would you like to clean up /var/lib/pki-ca (Y/N)?
Error detected would you like to clean up /var/lib/pki-ca (Y/N)?

Can somebody tell me why?
BR,

Rafal Kaminski

From kchamart at redhat.com Tue Feb 2 10:01:29 2010
From: kchamart at redhat.com (Kashyap Chamarthy)
Date: Tue, 02 Feb 2010 15:31:29 +0530
Subject: [Pki-users] Problem with install
In-Reply-To: <4B67F66B.4060900@blstream.com>
References: <4B67F66B.4060900@blstream.com>
Message-ID: <4B67F7F9.1020905@redhat.com>

On 02/02/2010 03:24 PM, Rafał Kamiński wrote:
> Hi all,
>
> I installed dogtag two months ago, and now I repeat that move, but ...
>
> When I use: yum install pki-ca
>
> I see:
>
> Installing : pki-common-1.3.0-7.fc11.noarch 156/158
> Installing : hal-info-20090414-1.fc11.noarch 157/158
> Adding default PKI group "pkiuser" to /etc/group.
> Adding default PKI user "pkiuser" to /etc/passwd.
> useradd: warning: the home directory already exists.
> Not copying any file from skel directory into it.
> Installing : pki-ca-1.2.0-4.fc11.noarch 158/158
> PKI instance creation Utility ...
>
> [2010-02-02 04:39:15] [error] create_symbolic_link(): illegal destination path => /usr/share/java/ca.jar.
>
> Error detected would you like to clean up /var/lib/pki-ca (Y/N)?
> Error detected would you like to clean up /var/lib/pki-ca (Y/N)?
>
> Can somebody tell me why?

I think you already have some old cruft left over on your F11 machine (I'm assuming you're using F11). Please try to create a new CA instance with a *unique* name (ex: pki-ca-test1) using 'pkicreate' (see 'pkicreate --help' for syntax).

A couple of days ago, a user on this list confirmed that install/configure works fine on Fedora-11 and Fedora-12. Please check the archives.
/kashyap

> BR,
>
> Rafal Kaminski
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From ehimawan at gmail.com Wed Feb 3 02:26:19 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Tue, 2 Feb 2010 20:26:19 -0600
Subject: [Pki-users] Fwd: Problem with install
In-Reply-To: <2b8d35db1002021825g5b747950u529438cc6584e2c3@mail.gmail.com>
References: <4B67F66B.4060900@blstream.com> <2b8d35db1002021825g5b747950u529438cc6584e2c3@mail.gmail.com>
Message-ID: <2b8d35db1002021826k208d5423v8a83e3913d37ff50@mail.gmail.com>

---------- Forwarded message ----------
From: Erwin Himawan
Date: 2010/2/2
Subject: Re: [Pki-users] Problem with install
To: Rafał Kamiński

I am using Fedora 11 and DCS 1.2.0, and I also had the same issue. I got it to install without error following the suggestion from another member. Here is the reference link: https://www.redhat.com/archives/pki-users/2010-January/msg00017.html

Here is what I did:
1. I cleaned the whole install: yum remove pki-ca
2. edit the /etc/yum.repos.d/fedora-updates-testing.repo
3. under the [updates-testing], I uncomment the baseurl= and comment the mirrorlist=
4. Also, under the [updates-testing], I make enabled=1
5. reinstall pki-ca: yum install pki-ca
6. run the /usr/bin/pkicreate to create the pki-ca instance

However, my pki-ca process failed; it complained about "permission denied" on "pki-ca.pid"

Hope it helps.

Regards,
Erwin.

2010/2/2 Rafał Kamiński
> Hi all,
>
> I installed dogtag two months ago, and now I repeat that move, but ...
>
> When I use: yum install pki-ca
>
> I see:
>
> Installing : pki-common-1.3.0-7.fc11.noarch 156/158
> Installing : hal-info-20090414-1.fc11.noarch 157/158
> Adding default PKI group "pkiuser" to /etc/group.
> Adding default PKI user "pkiuser" to /etc/passwd.
> useradd: warning: the home directory already exists.
> Not copying any file from skel directory into it.
> Installing : pki-ca-1.2.0-4.fc11.noarch 158/158
> PKI instance creation Utility ...
>
> [2010-02-02 04:39:15] [error] create_symbolic_link(): illegal destination path => /usr/share/java/ca.jar.
>
> Error detected would you like to clean up /var/lib/pki-ca (Y/N)?
> Error detected would you like to clean up /var/lib/pki-ca (Y/N)?
>
> Can somebody tell me why?
>
> BR,
>
> Rafal Kaminski
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From ehimawan at gmail.com Wed Feb 3 02:53:05 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Tue, 2 Feb 2010 20:53:05 -0600
Subject: [Pki-users] Problem with install
In-Reply-To: <2b8d35db1002021826k208d5423v8a83e3913d37ff50@mail.gmail.com>
References: <4B67F66B.4060900@blstream.com> <2b8d35db1002021825g5b747950u529438cc6584e2c3@mail.gmail.com> <2b8d35db1002021826k208d5423v8a83e3913d37ff50@mail.gmail.com>
Message-ID: <2b8d35db1002021853o7a9e515dhc99b7df17a5d3a87@mail.gmail.com>

On Tue, Feb 2, 2010 at 8:26 PM, Erwin Himawan wrote:
>
> ---------- Forwarded message ----------
> From: Erwin Himawan
> Date: 2010/2/2
> Subject: Re: [Pki-users] Problem with install
> To: Rafał Kamiński
>
> I am using Fedora 11 and DCS 1.2.0, and I also had the same issue. I got it to install without error following the suggestion from another member.
> Here is the reference link:
> https://www.redhat.com/archives/pki-users/2010-January/msg00017.html
>
> Here is what I did:
> 1. I cleaned the whole install: yum remove pki-ca
> 2. edit the /etc/yum.repos.d/fedora-updates-testing.repo
> 3. under the [updates-testing], I uncomment the baseurl= and comment the mirrorlist=
> 4. Also, under the [updates-testing], I make enabled=1
> 5. reinstall pki-ca: yum install pki-ca
> 6.
> run the /usr/bin/pkicreate to create the pki-ca instance
>
> However, my pki-ca process failed; it complained about "permission denied" on "pki-ca.pid"
>
>> This is caused by SELinux. I disabled SELinux, and the process is running.
>
> Hope it helps.
>
> Regards,
> Erwin.
> 2010/2/2 Rafał Kamiński
>
> Hi all,
>>
>> I installed dogtag two months ago, and now I repeat that move, but ...
>>
>> When I use: yum install pki-ca
>>
>> I see:
>>
>> Installing : pki-common-1.3.0-7.fc11.noarch 156/158
>> Installing : hal-info-20090414-1.fc11.noarch 157/158
>> Adding default PKI group "pkiuser" to /etc/group.
>> Adding default PKI user "pkiuser" to /etc/passwd.
>> useradd: warning: the home directory already exists.
>> Not copying any file from skel directory into it.
>> Installing : pki-ca-1.2.0-4.fc11.noarch 158/158
>> PKI instance creation Utility ...
>>
>> [2010-02-02 04:39:15] [error] create_symbolic_link(): illegal destination path => /usr/share/java/ca.jar.
>>
>> Error detected would you like to clean up /var/lib/pki-ca (Y/N)?
>> Error detected would you like to clean up /var/lib/pki-ca (Y/N)?
>>
>> Can somebody tell me why?
>>
>> BR,
>>
>> Rafal Kaminski
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users

From ehimawan at gmail.com Wed Feb 3 05:42:52 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Tue, 2 Feb 2010 23:42:52 -0600
Subject: [Pki-users] Configuring pki-ca instance
Message-ID: <9C1BF573311142A6B6BF71CC0F88E3D0@d8400>

Hi pki-users,

I am using Fedora 11 and DCS 1.2.x.x. I was installing only the pki-ca instance; no other DCS PKI subsystem is installed. I was also able to start the pki-ca process.

When I was about to configure the pki-ca instance, I could not access the CA's GUI using the web browser.
I am using the Firefox web browser on the machine to access the CA's configuration URL provided at the end of the log file.

Could you help guide me in the right direction to solve this issue?

Thanks,
Erwin

From alee at redhat.com Wed Feb 3 05:50:34 2010
From: alee at redhat.com (Ade Lee)
Date: Wed, 03 Feb 2010 00:50:34 -0500
Subject: [Pki-users] Configuring pki-ca instance
In-Reply-To: <9C1BF573311142A6B6BF71CC0F88E3D0@d8400>
References: <9C1BF573311142A6B6BF71CC0F88E3D0@d8400>
Message-ID: <1265176234.5491.35.camel@localhost.localdomain>

As a quick test, try setting selinux in permissive mode.

setenforce 0

and restart the pki-ca instance.

Ade

On Tue, 2010-02-02 at 23:42 -0600, Erwin Himawan wrote:
> Hi pki-users,
>
> I am using Fedora 11 and DCS 1.2.x.x.
> I was installing only the pki-ca instance; no other DCS PKI subsystem is installed.
> I was also able to start the pki-ca process.
>
> When I was about to configure the pki-ca instance, I could not access the CA's GUI using the web browser.
> I am using the Firefox web browser on the machine to access the CA's configuration URL provided at the end of the log file.
>
> Could you help guide me in the right direction to solve this issue?
>
> Thanks,
> Erwin
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From ehimawan at gmail.com Thu Feb 4 00:39:13 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Wed, 3 Feb 2010 18:39:13 -0600
Subject: [Pki-users] Configuring pki-ca instance
In-Reply-To: <1265176234.5491.35.camel@localhost.localdomain>
References: <9C1BF573311142A6B6BF71CC0F88E3D0@d8400> <1265176234.5491.35.camel@localhost.localdomain>
Message-ID: <2b8d35db1002031639l23128d41o26bf6bb26534299e@mail.gmail.com>

Ade,

Thanks for your suggestion; I did "setenforce 0". In addition to that, I entered the wrong URL, which I obtained from the logfile, i.e.
https://:9445/ca/admin/console/config/login?pin=xxxxxxxxxxx

Once I entered this URL, i.e. http://FQDN:9180/ca/admin/console/config/login?pin=xxxxxxxxxxxxxxx, I could access the CA configuration UI.

Regards,
Erwin

On Tue, Feb 2, 2010 at 11:50 PM, Ade Lee wrote:
> As a quick test, try setting selinux in permissive mode.
>
> setenforce 0
>
> and restart the pki-ca instance.
>
> Ade
>
> On Tue, 2010-02-02 at 23:42 -0600, Erwin Himawan wrote:
> > Hi pki-users,
> >
> > I am using Fedora 11 and DCS 1.2.x.x.
> > I was installing only the pki-ca instance; no other DCS PKI subsystem is installed.
> > I was also able to start the pki-ca process.
> >
> > When I was about to configure the pki-ca instance, I could not access the CA's GUI using the web browser.
> > I am using the Firefox web browser on the machine to access the CA's configuration URL provided at the end of the log file.
> >
> > Could you help guide me in the right direction to solve this issue?
> >
> > Thanks,
> > Erwin
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users

From fujyhluo at yahoo.com Thu Feb 4 21:33:44 2010
From: fujyhluo at yahoo.com (Fu-Jyh Luo)
Date: Thu, 4 Feb 2010 13:33:44 -0800 (PST)
Subject: [Pki-users] change Root CA's Validity
In-Reply-To: <2b8d35db1002031639l23128d41o26bf6bb26534299e@mail.gmail.com>
Message-ID: <770655.8800.qm@web110411.mail.gq1.yahoo.com>

Dear All,

I installed DogTag. The default validity of ROOT CA is 2 years. Is there a way to change the ROOT CA's validity during the configuration wizard?
Thanks,
Fu-Jyh Luo

From ehimawan at gmail.com Fri Feb 5 00:46:39 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Thu, 4 Feb 2010 18:46:39 -0600
Subject: [Pki-users] Example of Configuration Data for DCS
Message-ID: <2b8d35db1002041646odb1bc1es26032aa7e30f4013@mail.gmail.com>

Hi PKI-Users,

Maybe this is too much to ask. However, I'll throw it out anyway. Is there any documentation which guides DCS (or PKI) beginners to get practical hands-on experience with DCS?

Thinking out loud, I am thinking more of a document with a case study, whereby the case study provides readers with the set of configuration parameters which eventually properly configure the DCS's subsystems (i.e. CA, RA, Directory), such that using this set of configuration information, the reader can easily get a DCS up and running.

Thanks,
Erwin

From msauton at redhat.com Fri Feb 5 01:30:53 2010
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 04 Feb 2010 17:30:53 -0800
Subject: [Pki-users] Example of Configuration Data for DCS
In-Reply-To: <2b8d35db1002041646odb1bc1es26032aa7e30f4013@mail.gmail.com>
References: <2b8d35db1002041646odb1bc1es26032aa7e30f4013@mail.gmail.com>
Message-ID: <4B6B74CD.8020000@redhat.com>

Maybe the deployment guide is what you are looking for:
http://www.redhat.com/docs/manuals/cert-system/8.0/deploy/Deployment_Guide.pdf

Otherwise:
http://pki.fedoraproject.org/wiki/PKI_Documentation
http://pki.fedoraproject.org/wiki/PKI_FAQ
http://www.redhat.com/docs/manuals/cert-system/

M.

On 02/04/2010 04:46 PM, Erwin Himawan wrote:
> Hi PKI-Users,
> Maybe this is too much to ask. However, I'll throw it out anyway.
> Is there any documentation which guides DCS (or PKI) beginners to get practical hands-on experience with DCS?
> Thinking out loud, I am thinking more of a document with a case study, whereby the case study provides readers with the set of configuration parameters which eventually properly configure the DCS's subsystems (i.e. CA, RA, Directory), such that using this set of configuration information, the reader can easily get a DCS up and running.
> Thanks,
> Erwin
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6650 bytes
Desc: S/MIME Cryptographic Signature

From ehimawan at gmail.com Fri Feb 5 03:50:50 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Thu, 4 Feb 2010 21:50:50 -0600
Subject: [Pki-users] Example of Configuration Data for DCS
In-Reply-To: <4B6B74CD.8020000@redhat.com>
References: <2b8d35db1002041646odb1bc1es26032aa7e30f4013@mail.gmail.com> <4B6B74CD.8020000@redhat.com>
Message-ID: <2b8d35db1002041950s4326c279j46f3c11b86067a2c@mail.gmail.com>

Marc,

Thanks for the quick response. The last URL (i.e. http://www.redhat.com/docs/manuals/cert-system/) is what I am looking for. It has a lot of good configuration examples. Using the document, I have some idea what info should be shown on my CA configuration page. This document also helps me to troubleshoot my directory installation and CA installation. At the end of the day, I was able to access my CA's services page.

I would like to recommend including this URL in the PKI Subsystem Configuration (as a reference?)

Thanks again.
Regards,
Erwin

On Thu, Feb 4, 2010 at 7:30 PM, Marc Sauton wrote:
> Maybe the deployment guide is what you are looking for:
>
> http://www.redhat.com/docs/manuals/cert-system/8.0/deploy/Deployment_Guide.pdf
> Otherwise:
> http://pki.fedoraproject.org/wiki/PKI_Documentation
> http://pki.fedoraproject.org/wiki/PKI_FAQ
> http://www.redhat.com/docs/manuals/cert-system/
> M.
>
> On 02/04/2010 04:46 PM, Erwin Himawan wrote:
>
> Hi PKI-Users,
> Maybe this is too much to ask. However, I'll throw it out anyway.
> Is there any documentation which guides DCS (or PKI) beginners to get practical hands-on experience with DCS?
> Thinking out loud, I am thinking more of a document with a case study, whereby the case study provides readers with the set of configuration parameters which eventually properly configure the DCS's subsystems (i.e. CA, RA, Directory), such that using this set of configuration information, the reader can easily get a DCS up and running.
>
> Thanks,
> Erwin
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From ehimawan at gmail.com Mon Feb 8 19:06:27 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Mon, 8 Feb 2010 13:06:27 -0600
Subject: [Pki-users] Issue with pki-ca install
Message-ID: <2b8d35db1002081106g41686ce6o700f9b40df43571f@mail.gmail.com>

Hi all,

I am trying to install pki-ca only. I am using fedora 11 and using DCS 1.2.0. I am following the binary installation guide.

I had an install issue when installing pki-ca ("yum install pki-ca"), whereby it complained that it can create a soft link. Following the suggestion of another pki-user, enabling the fedora-updates-testing.repo, I was able to install pki-ca successfully. However, during the install, I noticed yum picked up the 1.3.0 version. Continuing using pki-ca v1.3.0, I was able to execute pkicreate.
When it finished, this is what I got:

https://:9445/ca/admin/console/config/login?pin=xxxxxxxxxxxxx

This configuration URL is not right, since it does not include the FQDN of my pki-ca.

When I looked into the catalina.out, I noticed the following error:

CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn. port missing value|
Server is started.

Can somebody help me to troubleshoot this install issue?

PS: Yesterday, I was able to access the configuration URL and, for some reason, my virtual fedora 11 got corrupted. Hence, I reinstalled everything again.

Regards,
Erwin

From ehimawan at gmail.com Wed Feb 10 02:10:28 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Tue, 9 Feb 2010 20:10:28 -0600
Subject: [Pki-users] netscape.ldap.LDAPException: error result (21); telephoneNumber: value #0 invalid per syntax
Message-ID: <2b8d35db1002091810u4ff18b1evc6824d07d99b49b6@mail.gmail.com>

Hi All,

I encountered the following error during the Administrator configuration page:

netscape.ldap.LDAPException: error result (21); telephoneNumber: value #0 invalid per syntax

I am not sure how to resolve this. Could someone help me resolve this error?

Here is my system configuration:
I am running fedora 11 and DCS 1.2.0
I was able to install the pki-ca successfully.
Here is the grep of my pki-ca installed from the yum list:

dogtag-pki-ca-ui.noarch 1.2.0-1.fc11 installed
dogtag-pki-common-ui.noarch 1.2.0-1.fc11 installed
pki-ca.noarch 1.2.0-4.fc11 installed
pki-common.noarch 1.2.0-1.fc11 installed
pki-java-tools.noarch 1.2.0-1.fc11 installed
pki-native-tools.i586 1.2.0-2.fc11 installed
pki-selinux.noarch 1.2.0-2.fc11 installed
pki-setup.noarch 1.2.0-1.fc11 installed
pki-util.noarch 1.2.0-1.fc11 installed

I also was able to access the pki-ca configuration web page.

At the last step, during the administrator configuration page, I encountered this error:
netscape.ldap.LDAPException: error result (21); telephoneNumber: value #0 invalid per syntax

Thanks,
Erwin

From alee at redhat.com Wed Feb 10 15:28:30 2010
From: alee at redhat.com (Ade Lee)
Date: Wed, 10 Feb 2010 10:28:30 -0500
Subject: [Pki-users] netscape.ldap.LDAPException: error result (21); telephoneNumber: value #0 invalid per syntax
In-Reply-To: <2b8d35db1002091810u4ff18b1evc6824d07d99b49b6@mail.gmail.com>
References: <2b8d35db1002091810u4ff18b1evc6824d07d99b49b6@mail.gmail.com>
Message-ID: <1265815710.16077.99.camel@localhost.localdomain>

Hi Erwin,

This is due to syntax checking being on in the latest versions of DS. There is a setting in the dse.ldif to disable this.

nsslapd-syntaxcheck: off

Alternatively, this has been fixed in the latest Dogtag source code.

Ade

On Tue, 2010-02-09 at 20:10 -0600, Erwin Himawan wrote:
> Hi All,
>
> I encountered the following error during the Administrator configuration page:
> netscape.ldap.LDAPException: error result (21); telephoneNumber: value #0 invalid per syntax
>
> I am not sure how to resolve this.
>
> Could someone help me resolve this error?
>
> Here is my system configuration
> I am running fedora 11 and DCS 1.2.0
> I was able to install the pki-ca successfully.
>
> Here is the grep of my pki-ca installed from the yum list
>
> dogtag-pki-ca-ui.noarch 1.2.0-1.fc11 installed
> dogtag-pki-common-ui.noarch 1.2.0-1.fc11 installed
> pki-ca.noarch 1.2.0-4.fc11 installed
> pki-common.noarch 1.2.0-1.fc11 installed
> pki-java-tools.noarch 1.2.0-1.fc11 installed
> pki-native-tools.i586 1.2.0-2.fc11 installed
> pki-selinux.noarch 1.2.0-2.fc11 installed
> pki-setup.noarch 1.2.0-1.fc11 installed
> pki-util.noarch 1.2.0-1.fc11 installed
>
> I also was able to access the pki-ca configuration web page.
>
> At the last step, during the administrator configuration page, I encountered this error:
> netscape.ldap.LDAPException: error result (21); telephoneNumber: value #0 invalid per syntax
>
> Thanks,
> Erwin
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From ehimawan at gmail.com Thu Feb 11 00:19:53 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Wed, 10 Feb 2010 18:19:53 -0600
Subject: [Pki-users] netscape.ldap.LDAPException: error result (21); telephoneNumber: value #0 invalid per syntax
In-Reply-To: <1265815710.16077.99.camel@localhost.localdomain>
References: <2b8d35db1002091810u4ff18b1evc6824d07d99b49b6@mail.gmail.com> <1265815710.16077.99.camel@localhost.localdomain>
Message-ID: <2b8d35db1002101619s20c761a4h357692abda763c8b@mail.gmail.com>

Hi Ade,

Thanks for your help. I was able to resolve this issue and move forward with my CA configuration.

Regards,
Erwin

On Wed, Feb 10, 2010 at 9:28 AM, Ade Lee wrote:
> Hi Erwin,
>
> This is due to syntax checking being on in the latest versions of DS.
> There is a setting in the dse.ldif to disable this.
>
> nsslapd-syntaxcheck: off
>
> Alternatively, this has been fixed in the latest Dogtag source code.
>
> Ade
>
> On Tue, 2010-02-09 at 20:10 -0600, Erwin Himawan wrote:
> > Hi All,
> >
> > I encountered the following error during the Administrator configuration page:
> > netscape.ldap.LDAPException: error result (21); telephoneNumber: value #0 invalid per syntax
> >
> > I am not sure how to resolve this.
> >
> > Could someone help me resolve this error?
> >
> > Here is my system configuration
> > I am running fedora 11 and DCS 1.2.0
> > I was able to install the pki-ca successfully.
> >
> > Here is the grep of my pki-ca installed from the yum list
> >
> > dogtag-pki-ca-ui.noarch 1.2.0-1.fc11 installed
> > dogtag-pki-common-ui.noarch 1.2.0-1.fc11 installed
> > pki-ca.noarch 1.2.0-4.fc11 installed
> > pki-common.noarch 1.2.0-1.fc11 installed
> > pki-java-tools.noarch 1.2.0-1.fc11 installed
> > pki-native-tools.i586 1.2.0-2.fc11 installed
> > pki-selinux.noarch 1.2.0-2.fc11 installed
> > pki-setup.noarch 1.2.0-1.fc11 installed
> > pki-util.noarch 1.2.0-1.fc11 installed
> >
> > I also was able to access the pki-ca configuration web page.
> >
> > At the last step, during the administrator configuration page, I encountered this error:
> > netscape.ldap.LDAPException: error result (21); telephoneNumber: value #0 invalid per syntax
> >
> > Thanks,
> > Erwin
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users

From ehimawan at gmail.com Thu Feb 11 00:36:03 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Wed, 10 Feb 2010 18:36:03 -0600
Subject: [Pki-users] java.lang.NullPointerException
Message-ID: <2b8d35db1002101636n44a02fddicbc3875d3a75220@mail.gmail.com>

Hi All,

First of all, thanks for the help of the pki-users to get me through. Here is the last step of my pki-ca configuration.
I am in the "Import Administrator Certificate" panel. When I clicked "next", I got this error: java.lang.NullPointerException

Here is some output from the /var/log/pki-ca1/debug:

[10/Feb/2010:18:17:59][http-9545-Processor24]: increasing minimum connections by 3
[10/Feb/2010:18:17:59][http-9545-Processor24]: new total available connections 3
[10/Feb/2010:18:17:59][http-9545-Processor24]: new number of connections 3
[10/Feb/2010:18:17:59][http-9545-Processor24]: getNextPanel input p=16
[10/Feb/2010:18:17:59][http-9545-Processor24]: getNextPanel output p=17
[10/Feb/2010:18:17:59][http-9545-Processor24]: ImportAdminCertPanel: display
[10/Feb/2010:18:17:59][http-9545-Processor24]: panel no=17
[10/Feb/2010:18:17:59][http-9545-Processor24]: panel name=importadmincert
[10/Feb/2010:18:17:59][http-9545-Processor24]: total number of panels=19
[10/Feb/2010:18:17:59][http-9545-Processor24]: according to ccMode, authorization for servlet: caGetAdminBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
[10/Feb/2010:18:17:59][http-9545-Processor24]: CMSServlet:service() uri = /ca/admin/ca/getBySerial
[10/Feb/2010:18:17:59][http-9545-Processor24]: CMSServlet::service() param name='serialNumber' value='1'
[10/Feb/2010:18:17:59][http-9545-Processor24]: CMSServlet::service() param name='browser' value='netscape'
[10/Feb/2010:18:17:59][http-9545-Processor24]: CMSServlet::service() param name='importCert' value='true'
[10/Feb/2010:18:17:59][http-9545-Processor24]: CMSServlet: caGetAdminBySerial start to service.
[10/Feb/2010:18:17:59][http-9545-Processor24]: IP: 10.7.20.82
[10/Feb/2010:18:17:59][http-9545-Processor24]: CMSServlet: no authMgrName
[10/Feb/2010:18:17:59][http-9545-Processor24]: checkACLS(): ACLEntry expressions= user="anybody"
[10/Feb/2010:18:17:59][http-9545-Processor24]: evaluating expressions: user="anybody"
[10/Feb/2010:18:17:59][http-9545-Processor24]: evaluated expression: user="anybody" to be true
[10/Feb/2010:18:17:59][http-9545-Processor24]: DirAclAuthz: authorization passed
[10/Feb/2010:18:17:59][http-9545-Processor24]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][aclResource=certServer.admin.certificate][Op=import] authorization success
[10/Feb/2010:18:17:59][http-9545-Processor24]: getConn: mNumConns now 2
[10/Feb/2010:18:17:59][http-9545-Processor24]: returnConn: mNumConns now 3
[10/Feb/2010:18:17:59][http-9545-Processor24]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=$NonRoleUser$][Outcome=Success][Role=] assume privileged role
[10/Feb/2010:18:17:59][http-9545-Processor24]: getConn: mNumConns now 2
[10/Feb/2010:18:17:59][http-9545-Processor24]: returnConn: mNumConns now 3
[10/Feb/2010:18:17:59][http-9545-Processor24]: CMSServlet: curDate=Wed Feb 10 18:17:59 CST 2010 id=caGetAdminBySerial time=51
[10/Feb/2010:18:17:59][http-9545-Processor24]: com.netscape.cms.servlet.filter.AgentRequestFilter: Use HTTPS port '9543' instead of '9545' when performing Agent tasks!
[10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet: process [10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet:service() uri = /ca/admin/console/config/wizard [10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet::service() param name='p' value='17' [10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet::service() param name='caHost' value='FQDN' [10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet::service() param name='serialNumber' value='1' [10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet::service() param name='pkcs7' value='PKCS7-VALUExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' [10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet::service() param name='op' value='next' [10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet::service() param name='caPort' value='9545' [10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet: op=next [10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet: size=19 [10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet: in next 17 [10/Feb/2010:18:18:01][http-9545-Processor24]: ImportAdminCertPanel update: Root CA subsystem - (new Security Domain) [10/Feb/2010:18:18:01][http-9545-Processor24]: getConn: mNumConns now 2 [10/Feb/2010:18:18:01][http-9545-Processor24]: returnConn: mNumConns now 3 [10/Feb/2010:18:18:01][http-9545-Processor24]: getConn: mNumConns now 2 [10/Feb/2010:18:18:01][http-9545-Processor24]: returnConn: mNumConns now 3 [10/Feb/2010:18:18:01][http-9545-Processor24]: ImportAdminCertPanel update: failed to add certificate. Exception: java.lang.NullPointerException [10/Feb/2010:18:18:01][http-9545-Processor24]: panel no=17 [10/Feb/2010:18:18:01][http-9545-Processor24]: panel name=importadmincert [10/Feb/2010:18:18:01][http-9545-Processor24]: total number of panels=19 Any idea how to resolve this issue? Regards, Erwin -------------- next part -------------- An HTML attachment was scrubbed... 
From ehimawan at gmail.com Thu Feb 11 00:53:49 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Wed, 10 Feb 2010 18:53:49 -0600
Subject: [Pki-users] java.lang.NullPointerException
In-Reply-To: <2b8d35db1002101636n44a02fddicbc3875d3a75220@mail.gmail.com>
References: <2b8d35db1002101636n44a02fddicbc3875d3a75220@mail.gmail.com>
Message-ID: <2b8d35db1002101653h2285f92y62d92624a844ba39@mail.gmail.com>

Here is the output of /var/log/pki-ca1/catalina.out

DAP operation failure - cn=2,ou=ca,ou=requests,dc=FQDN-pki-ca1
netscape.ldap.LDAPException: error result (68)
http-9545-Processor19: log level: {0} is invalid, should be 0-6

Here is the output of /var/log/pki-ca1/system

6889.http-9545-Processor19 - [10/Feb/2010:18:47:18 CST] [3] [3] Servlet caGetAdminBySerial: Error getting certRecord for serialNo 0x2. Error LDAP operation failure - cn=2,ou=certificateRepository, ou=ca, dc=FQDN-pki-ca1 netscape.ldap.LDAPException: error result (32); matchedDN = ou=certificaterepository,ou=ca,dc=FQDN-pki-ca1.
6889.http-9545-Processor19 - [10/Feb/2010:18:47:18 CST] [3] [3] Servlet caGetAdminBySerial: Certificate Serial Number 2 not found
6889.http-9545-Processor19 - [10/Feb/2010:18:47:18 CST] [3] [20] CMSgateway:Could not load template /var/lib/pki-ca1/webapps/ca/admin/GenError.template error java.io.FileNotFoundException: /var/lib/pki-ca1/webapps/ca/admin/GenError.template (No such file or directory).
6889.http-9545-Processor19 - [10/Feb/2010:18:47:18 CST] [3] [3] Servlet caGetAdminBySerial: Error outputting template /admin/GenError.template . Error encountered while loading output template..

[10/Feb/2010:18:47:18][http-9545-Processor19]: getConn: mNumConns now 2
[10/Feb/2010:18:47:18][http-9545-Processor19]: returnConn: mNumConns now 3
[10/Feb/2010:18:47:18][http-9545-Processor19]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=$NonRoleUser$][Outcome=Success][Role=] assume privileged role
[10/Feb/2010:18:47:18][http-9545-Processor19]: getConn: mNumConns now 2
[10/Feb/2010:18:47:18][http-9545-Processor19]: returnConn: mNumConns now 3
[10/Feb/2010:18:47:18][http-9545-Processor19]: CMSServlet: curDate=Wed Feb 10 18:47:18 CST 2010 id=caGetAdminBySerial time=20
[10/Feb/2010:18:47:19][http-9545-Processor19]: com.netscape.cms.servlet.filter.AgentRequestFilter: Use HTTPS port '9543' instead of '9545' when performing Agent tasks!

On Wed, Feb 10, 2010 at 6:36 PM, Erwin Himawan wrote:
From msauton at redhat.com Thu Feb 11 01:22:23 2010
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 10 Feb 2010 17:22:23 -0800
Subject: [Pki-users] java.lang.NullPointerException
In-Reply-To: <2b8d35db1002101653h2285f92y62d92624a844ba39@mail.gmail.com>
References: <2b8d35db1002101636n44a02fddicbc3875d3a75220@mail.gmail.com> <2b8d35db1002101653h2285f92y62d92624a844ba39@mail.gmail.com>
Message-ID: <4B735BCF.2090506@redhat.com>

Looks like there are several different errors and different time stamps.
In the first log provided, watch out for

[10/Feb/2010:18:17:59][http-9545-Processor24]: com.netscape.cms.servlet.filter.AgentRequestFilter: Use HTTPS port '9543' instead of '9545' when performing Agent tasks!

Use the admin secure port to reach the web configuration wizard, as shown by the "service pki-ca1 status" command after a pkicreate (or by the pkicreate command itself).
M.

On 02/10/2010 04:53 PM, Erwin Himawan wrote:
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From ehimawan at gmail.com Thu Feb 11 02:32:31 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Wed, 10 Feb 2010 20:32:31 -0600
Subject: [Pki-users] java.lang.NullPointerException
In-Reply-To: <4B735BCF.2090506@redhat.com>
References: <2b8d35db1002101636n44a02fddicbc3875d3a75220@mail.gmail.com> <2b8d35db1002101653h2285f92y62d92624a844ba39@mail.gmail.com> <4B735BCF.2090506@redhat.com>
Message-ID: <2b8d35db1002101832ra694787m4bd4535b026f5e4f@mail.gmail.com>

Marc,

Thanks for your support. I am sorry to have confused you. For some reason, I wrongly cut and pasted from different log files.

Anyway, after I updated all my Dogtag components from version 1.2.0 to 1.3.0, I did not experience any issue in configuring the pki-ca instance.
Is it fair to assume that some of the issues I experienced during the 1.2.0 pki-ca configuration might have been resolved in 1.3.0?
I guess, in order to validate my hypothesis, I am willing to perform another fresh OS and DCS install.

Once again, thanks.

Thanks,
Erwin

On Wed, Feb 10, 2010 at 7:22 PM, Marc Sauton wrote:
From ehimawan at gmail.com Thu Feb 11 02:51:11 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Wed, 10 Feb 2010 20:51:11 -0600
Subject: [Pki-users] DCS Release Strategy
Message-ID: <2b8d35db1002101851j15a7d2c6i8f71b9443eebe64a@mail.gmail.com>

Hi All,

I am in the process of evaluating various open-source PKI products, and DCS seems very promising. I started to pay more attention to the various releases of DCS when I encountered issues during installation and configuration, especially since the installation and configuration issues seemed to be resolved when I used the latest testing release.

I might have missed some information about the general DCS release strategy. Here are some initial questions:
1. What does the number in the version represent? 1.1.0 (major.minor.??)
2. Where and how to obtain patches for a particular release?

Once again, thanks for all the great and responsive support from the pki-users community.

Regards,
Erwin

From ckannan at redhat.com Thu Feb 11 04:59:03 2010
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Wed, 10 Feb 2010 20:59:03 -0800
Subject: [Pki-users] DCS Release Strategy
In-Reply-To: <2b8d35db1002101851j15a7d2c6i8f71b9443eebe64a@mail.gmail.com>
References: <2b8d35db1002101851j15a7d2c6i8f71b9443eebe64a@mail.gmail.com>
Message-ID: <4B738E97.8010602@redhat.com>

On 02/10/2010 06:51 PM, Erwin Himawan wrote:
> I might have missed some information about the general DCS release strategy. Here are some initial questions:
> 1. What does the number in the version represent? 1.1.0 (major.minor.??)

I'm guessing these pages might address what you are looking for.
http://pki.fedoraproject.org/wiki/PKI_Release_Notes
http://pki.fedoraproject.org/wiki/PKI_Open_Source_History

> 2. Where and how to obtain patches for a particular release?

We are making efforts to make the PKI components a feature of the Fedora operating system. We believe it will be available from F-13 onwards.
https://fedoraproject.org/wiki/Features/DogtagCertificateSystem

Patches for F-12 and F-11 are done as we find issues/time, as RPM updates. They will be pushed to the Fedora updates repo. "yum -y update" is all you would need to do to get the patches.

HTH.
thanks,
--Chandra

From david.donnan at thalesgroup.com Fri Feb 12 12:06:13 2010
From: david.donnan at thalesgroup.com (David (Dave) Donnan)
Date: Fri, 12 Feb 2010 13:06:13 +0100
Subject: [Pki-users] change Root CA's Validity
In-Reply-To: <770655.8800.qm@web110411.mail.gq1.yahoo.com>
References: <770655.8800.qm@web110411.mail.gq1.yahoo.com>
Message-ID: <4B754435.3070100@thalesgroup.com>

Fu-Jyh Luo hello. This might be overkill but you're welcome to it.

I think the default cert expiry period with CMS is 2 years -- way too short. This script enables 7300 days = 20 years, rather.
#!/bin/bash
#
# COMPONENT_NAME: ca-delta-range.sh
#
# HISTORY: Version 1.0 2008/10 Dave (David) Donnan
#
# Rewrite every "range=<days>" value in the CA profiles to 7300 days,
# keeping a copy of each original file as <file>.pre7300.

cd /var/lib/pki-ca/profiles/ca || exit 1
for file in *.cfg; do
    echo "$file"
    cp -p "$file" "$file.pre7300"
    sed 's/range=[0-9]*/range=7300/' "$file.pre7300" > "$file"
    chmod 755 "$file"
    chown pkiuser:pkiuser "$file"
done

cd /var/lib/pki-ca/conf || exit 1
for file in *.profile; do
    echo "$file"
    cp -p "$file" "$file.pre7300"
    sed 's/range=[0-9]*/range=7300/' "$file.pre7300" > "$file"
    chmod 755 "$file"
    chown pkiuser:pkiuser "$file"
done
# end

Similarly, I wrote kra-dra-delta-range.sh to be used later:

#!/bin/bash
#
# COMPONENT_NAME: kra-dra-delta-range.sh
#
# HISTORY: Version 1.0 2008/10 Dave (David) Donnan Original
#
# Same rewrite for the KRA (DRM) profile files.

cd /var/lib/pki-kra/conf || exit 1
for file in *.profile; do
    echo "$file"
    cp -p "$file" "$file.pre7300"
    sed 's/range=[0-9]*/range=7300/' "$file.pre7300" > "$file"
    chmod 755 "$file"
    chown pkiuser:pkiuser "$file"
done
# end

Fu-Jyh Luo wrote:
> Dear All,
>
> I installed DogTag. The default validity of ROOT CA is 2 years. Is there a way to change the ROOT CA's validity during the configuration wizard?
>
> Thanks,
> Fu-Jyh Luo

From ehimawan at gmail.com Fri Feb 12 16:09:23 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Fri, 12 Feb 2010 10:09:23 -0600
Subject: [Pki-users] change Root CA's Validity
In-Reply-To: <4B754435.3070100@thalesgroup.com>
References: <770655.8800.qm@web110411.mail.gq1.yahoo.com> <4B754435.3070100@thalesgroup.com>
Message-ID: <2b8d35db1002120809l32745111wad69b194e1c3203e@mail.gmail.com>

Dave,

It is a good and useful script. Where should the script be run? After creating the pki-ca instance and prior to configuring the pki-ca instance?

Thanks,
Erwin

On Fri, Feb 12, 2010 at 6:06 AM, David (Dave) Donnan <david.donnan at thalesgroup.com> wrote:
From david.donnan at thalesgroup.com Mon Feb 15 14:57:05 2010
From: david.donnan at thalesgroup.com (David (Dave) Donnan)
Date: Mon, 15 Feb 2010 15:57:05 +0100
Subject: [Pki-users] change Root CA's Validity
In-Reply-To: <2b8d35db1002120809l32745111wad69b194e1c3203e@mail.gmail.com>
References: <770655.8800.qm@web110411.mail.gq1.yahoo.com> <4B754435.3070100@thalesgroup.com> <2b8d35db1002120809l32745111wad69b194e1c3203e@mail.gmail.com>
Message-ID: <4B7960C1.9060902@thalesgroup.com>

Immediately after "yum install" and before launching the following URL in your browser, run the following script:

http://dogtag.x.y:9080/ca/admin/console/config/login?pin=wefcqIpLK76vmfs7Pjye

Cdlt,
Dave

--------

Erwin Himawan wrote:
> Dave,
>
> It is a good and useful script. Where should the script be run?
> After creating the pki-ca instance and prior to configuring the pki-ca
> instance?
>
> Thanks,
> Erwin
>
> On Fri, Feb 12, 2010 at 6:06 AM, David (Dave) Donnan wrote:
>
>     Fu-Jyh Luo hello. This might be overkill but you're welcome to it.
>
>     I think the default cert expiry period with CMS is 2 years -- way
>     too short. This script enables 7300 days = 20 years, rather.
>
>     [...]
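The script above rewrites every range= value in every profile of the instance, so end-entity profiles get the 20-year validity along with the CA signing profile. As an added example that is not David's script or anything from the thread, the functions below change the validity of one named profile file (keeping its mode and owner, with a backup) and audit profiles against a policy cap; the policyset.<set>.<n>.{default,constraint}.params.range key names are an assumption about the profile format, and the sample profile is constructed for the demo.

```bash
#!/bin/bash
# Added example, not the list's script: change the 'range=' validity of ONE
# Dogtag profile file and audit profiles against a policy cap, rather than
# rewriting every range= value under /var/lib/pki-ca at once.
# The policyset.<set>.<n>.{default,constraint}.params.range key names are an
# assumption about the profile format; check them against your own .cfg files.

# List "file key value" for every *.params.range key above MAX_DAYS.
# Returns 1 if any key exceeds the cap, so it can gate a deployment step.
audit_profile_ranges() {    # usage: audit_profile_ranges MAX_DAYS file...
    local max_days=$1 f key val found=0
    shift
    for f in "$@"; do
        while IFS='=' read -r key val; do
            case $key in *.params.range) ;; *) continue ;; esac
            if [ "$val" -gt "$max_days" ] 2>/dev/null; then
                printf '%s %s %s\n' "$f" "$key" "$val"
                found=1
            fi
        done < "$f"
    done
    return "$found"
}

# Rewrite only the *.params.range keys of one profile (the default and the
# constraint, which must allow the default or issuance fails) after taking a
# timestamped backup. Writing back through cat keeps the file's original
# mode and owner, so no chmod 755 on a configuration file is needed.
set_profile_range() {       # usage: set_profile_range DAYS file
    local days=$1 f=$2 tmp rc
    case $days in ''|*[!0-9]*) echo "bad day count: $days" >&2; return 2 ;; esac
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp=$(mktemp) || return 1
    sed 's/^\(.*\.params\.range=\)[0-9]*$/\1'"$days"'/' "$f" > "$tmp" && cat "$tmp" > "$f"
    rc=$?
    rm -f "$tmp"; return "$rc"
}

# Constructed sample profile (not a real Dogtag file) so the block runs offline.
make_sample_profile() {     # usage: make_sample_profile path
    cat > "$1" <<'EOF'
desc=Sample CA signing profile (constructed for this example)
policyset.caCertSet.2.default.class_id=validityDefaultImpl
policyset.caCertSet.2.default.params.range=720
policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
policyset.caCertSet.2.constraint.params.range=720
EOF
}

# Demo run: 2-year default -> 20 years, then audit against a 5-year cap.
demo_dir=$(mktemp -d)
make_sample_profile "$demo_dir/sample.cfg"
set_profile_range 7300 "$demo_dir/sample.cfg"
audit_profile_ranges 1825 "$demo_dir/sample.cfg" || echo "policy cap exceeded"
rm -rf "$demo_dir"
```

Run the audit over /var/lib/pki-ca/profiles/ca/*.cfg after any bulk change to see which profiles now exceed your policy; a non-zero exit lets a provisioning script stop before the instance is configured.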
From jkanniappan at perisoftware.com Sat Feb 27 06:47:50 2010
From: jkanniappan at perisoftware.com (Jagan Kanniappan)
Date: Sat, 27 Feb 2010 01:47:50 -0500
Subject: [Pki-users] SMTP-authentication on email notification in pki server
Message-ID: <4B88C016.6050205@perisoftware.com>

Hi,

I am using the pki dog-tag package to provide digital certificates in the local network. I have followed the redhat-cs documents to configure the email notifications to send the email-queue notifications. However, my email server requires "SMTP authentication", but I am not able to do SMTP authentication in the pki-console page or the cs.cfg file. Please assist me to configure "SMTP authentication" in pki-console or in the cs.cfg file.

Here are my system specifications:
OS = fedora 10
pki = dogtag
localmailserver = sendmail

Waiting for the reply asap.

Thanks,
Jagan.k

From Didier.Moens at dmbr.vib-UGent.be Thu Feb 25 13:33:08 2010
From: Didier.Moens at dmbr.vib-UGent.be (Didier Moens)
Date: Thu, 25 Feb 2010 14:33:08 +0100
Subject: [Pki-users] Unable to connect to Secure Admin Port
Message-ID: <4B867C14.9000901@dmbr.vib-UGent.be>

Dear all,

For the past few days, I've been struggling trying to set up our dogtag-based PKI. Unfortunately, I am unable to access the Secure Admin Port / Configuration Wizard (https://...:9445/...), probably due to Tomcat failing to open SSL sockets.

- Configuration: clean RHEL5u4;
- Installed pki-ca-1.3.0 (tried 1.3.2 too) from EPEL, with all its dependencies (except jss-4.2.6, which is installed from EPEL-testing);
- tomcatjss-1.2.0 is installed as a dependency too.

There is no "tomcat5-native" package installed, and LANG is set to C, all to no avail.
After manually creating user 'pkiuser' (pki-setup 1.3.1 does not automatically create this user), "pkicreate" (with parameters from the root CA example) yields the following errors in /var/log/pki-ca/catalina.out:

...
org.apache.coyote.http11.Http11BaseProtocol init
SEVERE: Error initializing socket factory
java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.apache.tomcat.util.net.jss.JSSImplementation
        at org.apache.tomcat.util.net.SSLImplementation.getInstance(SSLImplementation.java:79)
        at org.apache.coyote.http11.Http11BaseProtocol.checkSocketFactory(Http11BaseProtocol.java:731)
        at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:121)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Feb 25, 2010 1:52:12 PM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.apache.tomcat.util.net.jss.JSSImplementation
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1019)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
...

Strangely enough, connections are set up on e.g. the Agent Secure Port (9443), but not on the EE Secure Port (9444):

# lsof |grep pkiuser |grep TCP
java  28349  pkiuser  71u  IPv6  1445890  TCP *:9180 (LISTEN)
java  28349  pkiuser  76u  IPv6  1445899  TCP *:9443 (LISTEN)
java  28349  pkiuser  77u  IPv6  1445900  TCP localhost.localdomain:9701 (LISTEN)

Both '/etc/pki-ca/tomcat5.conf' and '/etc/pki-ca/server.xml' look valid (disclaimer: I am a Tomcat novice).

Stracing (-e trace=file) the pki-cad process yields nothing useful, except for the fact that tomcatjss.jar seems to be nowhere accessed.

When manually adding ":/usr/share/java/tomcatjss.jar" to the CLASSPATH variable in '/usr/bin/dtomcat5-pki-ca', Tomcat throws these exceptions in catalina.out:

...
org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Caused by: java.lang.NoClassDefFoundError: org/apache/tomcat/util/net/SSLImplementation
        at java.lang.ClassLoader.defineClass1(Native Method)
        at java.lang.ClassLoader.defineClass(ClassLoader.java:632)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:277)
        at java.net.URLClassLoader.access$000(URLClassLoader.java:73)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:212)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:319)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:312)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:312)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:264)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:332)
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Class.java:186)
        at org.apache.tomcat.util.net.SSLImplementation.getInstance(SSLImplementation.java:73)
        at org.apache.coyote.http11.Http11BaseProtocol.checkSocketFactory(Http11BaseProtocol.java:731)
        at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:121)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
        ... 6 more
Caused by: java.lang.ClassNotFoundException: org.apache.tomcat.util.net.SSLImplementation
        at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:319)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:264)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:332)
        ... 30 more
...

As a last resort, I created a tomcat keystore too, but as this is nowhere mentioned in the docs, I guess this is way off.

I would be grateful for any clue whatsoever.

Best regards,
Didier

-- 
===================================================================
Didier Moens
IT services
Department for Molecular Biomedical Research (DMBR)
VIB - Ghent University
Fiers-Schell-Van Montagu Research Building
Technologiepark 927, B-9052 Zwijnaarde, Belgium
tel ++32(9)3313605  fax ++32(9)3313609
mailto:Didier.Moens at dmbr.vib-UGent.be
http://www.dmbr.UGent.be
===================================================================
This message represents the official view of the voices in my head.