From sean.veale at gdc4s.com Mon Jan 4 19:26:36 2010
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Mon, 4 Jan 2010 14:26:36 -0500
Subject: [Pki-users] DS 8.1 question -- password unlock attribute
Message-ID: <5E904A528F23FA469961CECAC5F417870222181F@NDHMC4SXCH.gdc4s.com>

I'm trying to set up a password policy such that if a user attempts to bind with the incorrect password x times they will need to have it unlocked by an administrator.

I have it mostly set up but have a question on the passwordUnlock attribute. From the 8.1 admin guide,

passwordLockoutDuration This attribute indicates the time, in seconds, that users will be locked out of the directory. The passwordUnlock attribute specifies that a user is locked out until the password is reset by an administrator. By default, the user is locked out for 3600 seconds.

Do I need to set the passwordUnlock attribute to "off" to make it so an admin has to reset a user's password? Or does it need to be set to "on" to turn on the feature that I want?

Thanks
Sean

From msauton at redhat.com Mon Jan 4 20:19:12 2010
From: msauton at redhat.com (Marc Sauton)
Date: Mon, 04 Jan 2010 12:19:12 -0800
Subject: [Pki-users] DS 8.1 question -- password unlock attribute
In-Reply-To: <5E904A528F23FA469961CECAC5F417870222181F@NDHMC4SXCH.gdc4s.com>
References: <5E904A528F23FA469961CECAC5F417870222181F@NDHMC4SXCH.gdc4s.com>
Message-ID: <4B424D40.40305@redhat.com>

Veale, Sean wrote:
>
> I'm trying to set up a password policy such that if a user attempts to
> bind with the incorrect password x times they will need to have it
> unlocked by an administrator.
>
> I have it mostly set up but have a question on the passwordUnlock
> attribute. From the 8.1 admin guide,
>
> passwordLockoutDuration This attribute indicates the time, in seconds,
> that users will be locked out of the directory. The
> passwordUnlock attribute specifies that a user
> is locked out until the password is reset by an
> administrator. By default, the user is locked out
> for 3600 seconds.
>
> Do I need to set the passwordUnlock attribute to "off" to make it so
> an admin has to reset a user's password? Or does it need to be set to
> "on" to turn on the feature that I want?
>
I understand passwordUnlock means a user can unlock its entry/account when it is set to 'on':

With passwordUnlock on (default) and passwordRetryCount reached, the user account is locked until the specified passwordLockoutDuration value is expired.

With passwordUnlock off and passwordRetryCount reached, the user account is locked until the admin resets this user entry's password, no matter what passwordLockoutDuration is set to.

With passwordUnlock off and passwordLockoutDuration set to 0, account is always locked until some admin action on passwordLockoutDuration or passwordUnlock.

I would likely set passwordUnlock to off, and test.
M.
>
> Thanks
> Sean
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>

From ide4you at gmail.com Tue Jan 12 00:06:56 2010
From: ide4you at gmail.com (Uzor Ide)
Date: Mon, 11 Jan 2010 19:06:56 -0500
Subject: [Pki-users] CA Validity
Message-ID: <5ef5c0c61001111606q1fde0f5dq5896d65ba94bdcb5@mail.gmail.com>

Hi All

Am new to the Dogtag Cert server. Am testing it out for my company.

Please I need direction on how to change the number of years of validity for the Security Domain Certificate Authority Certificate. After the installation and setup I found the CA Signing Certificate has only 2 years validity. Even after trying to change it through the profile and re-running the setup I still ended up with 720 days certificate.

Can anybody help and point me in the right direction.

Thanks in advance for your help.

Ide

From Julius.Adewumi at gdc4s.com Wed Jan 13 16:35:43 2010
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Wed, 13 Jan 2010 09:35:43 -0700
Subject: [Pki-users] CA Validity
In-Reply-To: <5ef5c0c61001111606q1fde0f5dq5896d65ba94bdcb5@mail.gmail.com>
References: <5ef5c0c61001111606q1fde0f5dq5896d65ba94bdcb5@mail.gmail.com>
Message-ID: <150446754087724BA4B8F287083846B205FD579B@AZ25EXM04.gddsi.com>

The default can be changed inside the config file caCert.profile located somewhere (/var/lib/rhpki-ca/conf ???). The line reads

2.default.param.range=720

which you can change and then restart your CA.

I used RedHat CA and not the dogtag version therefore the path and field names may differ from what I quoted.

From: Julius Adewumi @GDC4S.com

From mathieu.peresse at gmail.com Thu Jan 14 16:08:45 2010
From: mathieu.peresse at gmail.com (Mathieu Peresse)
Date: Thu, 14 Jan 2010 17:08:45 +0100
Subject: [Pki-users] Fedora Package
Message-ID:

Hi all,

I'm new to dogtag, and I tried to install the PKI on a Fedora 11 system (fresh install).

However, I encountered the following problems when installing pki-ca (yum install pki-ca):

- Yum POSTINSTALL script invoking pkicreate complained about a file not being found: /usr/share/java/ca.jar.
  It turned out that the file was loc

--
See you soon,

Mathieu Peresse

::Contact::
+33 6 86 40 69 10
mathieu.peresse at gmail.com

From mathieu.peresse at gmail.com Thu Jan 14 16:19:46 2010
From: mathieu.peresse at gmail.com (Mathieu Peresse)
Date: Thu, 14 Jan 2010 17:19:46 +0100
Subject: [Pki-users] Fedora Package
In-Reply-To:
References:
Message-ID:

Please disregard previous message and consider this one :)
---------------------------------------------------------------------------------------------

Hi all,

I'm new to dogtag, and I tried to install the PKI on a Fedora 11 system (fresh install).

However, I encountered the following problems when installing pki-ca (yum install pki-ca):

- yum POSTINSTALL script invoking pkicreate complained about a file not being found: /usr/share/java/ca.jar.
  It turned out that the file was located in /usr/share/java/pki-ca/ca/ca.jar
  -> Had to ln -s them together...

- pkicreate invoking "pki-cad" but the file is not present in the system nor in the RPM archive (it is on the SVN though).
  -> Had to copy from SVN to system.

- pki-cad sourcing file /var/lib/pki/ca/conf/tomcat5.conf complains about "pkiarch" "pkiname" and "pkiflavor" not being present (this check has been removed from the SVN too...).
  -> Had to remove references to this files...

Do you guys plan to release more consistent packages in the near future, or am I missing something in the install process ?

Also, the documentation to build from the SVN tree seems to be obsolete, is there any documentation on the new build system ?

Thanks a lot,

Mathieu.

--
See you soon,

Mathieu Peresse

::Contact::
+33 6 86 40 69 10
mathieu.peresse at gmail.com

From James.Wright at sma.co.uk Thu Jan 14 17:36:24 2010
From: James.Wright at sma.co.uk (James Wright)
Date: Thu, 14 Jan 2010 17:36:24 -0000
Subject: [Pki-users] CA validity period
Message-ID: <8DB53B035169A64AA167034B1D65B49C0105B6AE@venus.sma-consult.com>

Hi

This may be a couple of stupid questions but here goes:

1. How do I set the validity period for the first self signed CA certificate to be more than the default 2 years?

2. when the CA certificate expires will I need to renew all my end user certificates or just renew my CA certificate?

Thanks

James

--------------------------------------------------------------------
This message and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.

Any views or opinions presented in this message are solely those of the author and do not necessarily represent those of SMA Financial Ltd.

Access to this message by anyone else is unauthorised. If you are not the intended recipient or the person responsible for delivering to the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful.

If you have received this message in error please notify SMA Financial Ltd or contact the sender.

Finally, the recipient should check this message and any attachments for the presence of viruses. SMA Financial Ltd accepts no liability for any damage caused by any virus transmitted by this message.

http://www.sma.co.uk/email-disclaimer

From msauton at redhat.com Thu Jan 14 17:53:49 2010
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 14 Jan 2010 09:53:49 -0800
Subject: [Pki-users] CA validity period
In-Reply-To: <8DB53B035169A64AA167034B1D65B49C0105B6AE@venus.sma-consult.com>
References: <8DB53B035169A64AA167034B1D65B49C0105B6AE@venus.sma-consult.com>
Message-ID: <4B4F5A2D.7030907@redhat.com>

On 01/14/2010 09:36 AM, James Wright wrote:
>
> Hi
>
> This may be a couple of stupid questions but here goes:
>
> 1. How do I set the validity period for the first self signed CA
> certificate to be more than the default 2 years?
>
http://www.redhat.com/docs/manuals/cert-system/8.0/admin/Admin_Guide.pdf
for validity constraints
and for a CA profile:
/var/lib/pki-/profiles/ca/caCACert.cfg
near
policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
>
> 2. when the CA certificate expires will I need to renew all my end
> user certificates or just renew my CA certificate?
>
always renew a CA cert in advance, otherwise trust chain can no longer be verified.
renewal can only happen on a valid cert, before expiration, otherwise this is a re-issuance.
>
> Thanks
>
> James
>

From James.Wright at sma.co.uk Thu Jan 14 18:01:56 2010
From: James.Wright at sma.co.uk (James Wright)
Date: Thu, 14 Jan 2010 18:01:56 -0000
Subject: [Pki-users] CA validity period
Message-ID: <8DB53B035169A64AA167034B1D65B49C0327CE0D@venus.sma-consult.com>

Thanks for the fast response, I'll try it tomorrow

James

From James.Wright at sma.co.uk Fri Jan 15 17:14:09 2010
From: James.Wright at sma.co.uk (James Wright)
Date: Fri, 15 Jan 2010 17:14:09 -0000
Subject: [Pki-users] Missing files in Fedora 11
Message-ID: <8DB53B035169A64AA167034B1D65B49C0105B6AF@venus.sma-consult.com>

Hi

I seem to be having the same problem as another user https://www.redhat.com/archives/pki-users/2010-January/msg00005.html in that the file ca.jar and pki-cad are missing. I know I can work round the problem using the SVN but is there a reason for the missing files, do I have to install another package before pki-ca.

Thanks

James

From mharmsen at redhat.com Fri Jan 15 22:35:14 2010
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 15 Jan 2010 14:35:14 -0800
Subject: [Pki-users] Fedora Package
In-Reply-To:
References:
Message-ID: <4B50EDA2.3040007@redhat.com>

Mathieu Peresse wrote:
> Please disregard previous message and consider this one :)
> ---------------------------------------------------------------------------------------------
>
> Hi all,
>
> I'm new to dogtag, and I tried to install the PKI on a Fedora 11
> system (fresh install).
>
> However, I encountered the following problems when installing pki-ca
> (yum install pki-ca):
>
> - yum POSTINSTALL script invoking pkicreate complained about a file
> not being found: /usr/share/java/ca.jar.
> It turned out that the file was located in
> /usr/share/java/pki-ca/ca/ca.jar
> -> Had to ln -s them together...
>
> - pkicreate invoking "pki-cad" but the file is not present in the
> system nor in the RPM archive (it is on the SVN though).
> -> Had to copy from SVN to system.
>
> - pki-cad sourcing file /var/lib/pki/ca/conf/tomcat5.conf complains
> about "pkiarch" "pkiname" and "pkiflavor" not being present (this
> check has been removed from the SVN too...).
> -> Had to remove references to this files...
>
> Do you guys plan to release more consistent packages in the near
> future, or am I missing something in the install process ?
>
> Also, the documentation to build from the SVN tree seems to be
> obsolete, is there any documentation on the new build system ?
>
> Thanks a lot,
>
> Mathieu.
>
Mathieu,

It sounds as if you may have installed Dogtag 1.2 (the most recent packages on the Dogtag site), and then perhaps checked out subversion, and attempted to replace specific packages (perhaps using pki-setup 1.3 with pki-ca 1.2)?

The errors that you are seeing are a result of ongoing development on the Dogtag Subversion TIP (currently referred to as 1.3) to comply with Fedora packaging requirements:

* 1.2 - /usr/share/java/pki-ca/ca/ca.jar; 1.3 - /usr/share/java/ca.jar
* 1.3 - removed most of the pki "helper" scripts (e. g. - 'pkiarch', 'pkiname', and 'pkiflavor', etc.)
* 1.2 - individual instances had their own instance named start/stop scripts (owned by the instance itself); 1.3 - provides a single master script (e. g. - pki-cad) which controls starting/stopping ALL instances of that subsystem type and is owned by the associated top-level PKI subsystem (this is currently being implemented for ALL Dogtag subsystems)
* by default, 1.2 automatically creates a default instance upon installation of the top-level package (e. g. - pki-ca); 1.3 requires creation of an instance utilizing the pkicreate tool (which is part of the pki-setup package) --- we continue to provide code which allows removal of legacy 1.2 instances, but creation of 1.3 instances all utilize the associated 1.3 implementation

It is our hope that the 1.3 release will be accepted into a future version of Fedora, at which time these changes will be documented on the Dogtag Wiki.

As there are numerous ways of building and installing (individually, collectively, yum repos, SRPMS, etc.), to make certain that there isn't any problem, I might suggest when performing a yum install of 1.2, to use the associated 1.2.0 SRPMS for the related source code. If utilizing Subversion from the TIP, be certain to update ALL packages, as the 1.3 release will differ substantially from the 1.2 release.

As always, we attempt to keep the TIP buildable and installable, although we do apologize for any confusion.

Thanks,
-- Matt

From James.Wright at sma.co.uk Mon Jan 18 09:20:23 2010
From: James.Wright at sma.co.uk (James Wright)
Date: Mon, 18 Jan 2010 09:20:23 -0000
Subject: [Pki-users] Fedora Package
Message-ID: <8DB53B035169A64AA167034B1D65B49C0105B6B0@venus.sma-consult.com>

Hi

I am experiencing the problem installing from a fresh install of Fedora 11 and following the procedure at the Dogtag website no SVN involved.
The package installed is pki-ca noarch 1.2.0-4.fc11

Thanks

James

From James.Wright at sma.co.uk Mon Jan 18 09:31:55 2010
From: James.Wright at sma.co.uk (James Wright)
Date: Mon, 18 Jan 2010 09:31:55 -0000
Subject: [Pki-users] Fedora Package
Message-ID: <8DB53B035169A64AA167034B1D65B49C0327CE16@venus.sma-consult.com>

Hi

I have been looking in to this and it looks like some dependencies are being installed from the repo updates which use version 1.3

From rafal.kaminski at blstream.com Mon Jan 25 10:09:32 2010
From: rafal.kaminski at blstream.com (Rafał Kamiński)
Date: Mon, 25 Jan 2010 11:09:32 +0100
Subject: [Pki-users] Problem with 389-ds install
Message-ID: <4B5D6DDC.8060306@blstream.com>

Hi,

Few months ago - in November I installed pki-ca, pki-ra and 389-ds. All worked fine. Now I install new server and when I install 389-ds I can't do setup-ds-admin.pl. I have that problem:

-bash-4.0# setup-ds-admin.pl
Can't locate Util.pm in @INC (@INC contains: /usr/lib/dirsrv/perl /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi /usr/local/lib/perl5/site_perl/5.10.0 /usr/lib/perl5/vendor_perl/5.10.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.10.0/i386-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/lib/perl5/site_perl .) at /usr/lib/dirsrv/perl/AdminUtil.pm line 41.
BEGIN failed--compilation aborted at /usr/lib/dirsrv/perl/AdminUtil.pm line 41.
Compilation failed in require at /usr/sbin/setup-ds-admin.pl line 30.
BEGIN failed--compilation aborted at /usr/sbin/setup-ds-admin.pl line 30.

I know - that is pm (perl lib) problem. But somebody know why that problem is now and in the past wasn't. I install all from tutorial on dogtag.

Br for response.
Rafal Kaminski

From andrew.commons at bigpond.com Thu Jan 28 04:35:42 2010
From: andrew.commons at bigpond.com (Andrew Commons)
Date: Thu, 28 Jan 2010 15:05:42 +1030
Subject: [Pki-users] Fedora Package
Message-ID: <000301ca9fd3$59d94ed0$0d8bec70$@commons@bigpond.com>

Same problem with clean F11 install and pulling from the 1.2 repo.

Any workarounds available?

Cheers,
Andrew

From andrew.commons at bigpond.com Thu Jan 28 09:53:14 2010
From: andrew.commons at bigpond.com (Andrew Commons)
Date: Thu, 28 Jan 2010 20:23:14 +1030
Subject: [Pki-users] Fedora Package
Message-ID: <000d01ca9fff$b5c342b0$2149c810$@commons@bigpond.com>

James Wright wrote:

> I have been looking in to this and it looks like some dependences are being installed from the repo updates which use version 1.3

A number of Dogtag packages showed up in the standard Fedora set of packages that you can manipulate with the Add/Remove Software interface. I initially thought these _were_ the complete Dogtag application and installed the lot. It was only after some considerable period rummaging around trying to get it to work that I realised it was not the complete application and removed the whole lot. I subsequently followed the manual installation method which added the pki repo to the global list bringing all the other packages into the GUI giving a mix of 1.2 and 1.3 packages.

Perhaps this is at the root of all this?
Cheers,
Andrew

From kchamart at redhat.com Thu Jan 28 10:35:14 2010
From: kchamart at redhat.com (Kashyap Chamarthy)
Date: Thu, 28 Jan 2010 16:05:14 +0530
Subject: [Pki-users] Fedora Package
In-Reply-To: <000d01ca9fff$b5c342b0$2149c810$@commons@bigpond.com>
References: <000d01ca9fff$b5c342b0$2149c810$@commons@bigpond.com>
Message-ID: <4B616862.8070806@redhat.com>

On 01/28/2010 03:23 PM, Andrew Commons wrote:
> James Wright wrote:
>
>> I have been looking in to this and it looks like some dependences are being
> installed from the repo updates which use version 1.3
>
> A number of Dogtag packages showed up in the standard Fedora set of packages
> that you can manipulate with the Add/Remove Software interface. I initially
> thought these _were_ the complete Dogtag application and installed the lot.
> It was only after some considerable period rummaging around trying to get it
> to work that I realised it was not the complete application and removed the
> whole lot. I subsequently followed the manual installation method which
> added the pki repo to the global list bringing all the other packages into
> the GUI giving a mix of 1.2 and 1.3 packages.
>
> Perhaps this is at the root of all this?

Hi

- This is how I got the dogtag CA working on a Fedora-12 (fully updated).

Note: Currently not all dependencies are pushed to stable repository. Fedora updates-testing repository _must_ be enabled to have smooth 'yum install pki-ca'

- the below worked for me:

* update your F-12 system
* Install 389-ds and setup a DS instance.
* Enable your Fedora updates testing repository under here

/etc/yum.repos.d/fedora-updates-testing.repo

[or]

* You can directly try to install pki-ca from the cli using the below
# yum install pki-ca --enablerepo=updates-testing

* Once installed go ahead and configure the CA instance and restart /etc/init.d/pki-cad

hope that helps,

kashyap

>
>
> Cheers,
> Andrew

From kchamart at redhat.com Thu Jan 28 10:38:50 2010
From: kchamart at redhat.com (Kashyap Chamarthy)
Date: Thu, 28 Jan 2010 16:08:50 +0530
Subject: [Pki-users] Fedora Package
In-Reply-To: <4B616862.8070806@redhat.com>
References: <000d01ca9fff$b5c342b0$2149c810$@commons@bigpond.com> <4B616862.8070806@redhat.com>
Message-ID: <4B61693A.80407@redhat.com>

On 01/28/2010 04:05 PM, Kashyap Chamarthy wrote:
> On 01/28/2010 03:23 PM, Andrew Commons wrote:
>> James Wright wrote:
>>
>>> I have been looking in to this and it looks like some dependences are
>>> being
>> installed from the repo updates which use version 1.3
>>
>> A number of Dogtag packages showed up in the standard Fedora set of
>> packages
>> that you can manipulate with the Add/Remove Software interface. I
>> initially
>> thought these _were_ the complete Dogtag application and installed the
>> lot.
>> It was only after some considerable period rummaging around trying to
>> get it
>> to work that I realised it was not the complete application and
>> removed the
>> whole lot. I subsequently followed the manual installation method which
>> added the pki repo to the global list bringing all the other packages
>> into
>> the GUI giving a mix of 1.2 and 1.3 packages.
>>
>> Perhaps this is at the root of all this?
>
> Hi
>
> - This is how I got the dogtag CA working on a Fedora-12 (fully updated).
>
> Note: Currently not all dependencies are pushed to stable repository.
> Fedora updates-testing repository _must_ be enabled to have smooth 'yum
> install pki-ca'
>
> - the below worked for me:
>
> * update your F-12 system
> * Install 389-ds and setup a DS instance.
> * Enable your Fedora updates testing repository under here
>
> /etc/yum.repos.d/fedora-updates-testing.repo
>
> [or]
>
> * You can directly try to install pki-ca from the cli using the below
> # yum install pki-ca --enablerepo=updates-testing

forgot to mention,

* run 'pkicreate' as root to create a CA instance (see the 'pkicreate' help for more..)

>
> * Once installed go ahead and configure the CA instance and restart
> /etc/init.d/pki-cad
>
>
> hope that helps,
>
> kashyap
>
>>
>>
>> Cheers,
>> Andrew

From andrew.commons at bigpond.com Fri Jan 29 08:19:24 2010
From: andrew.commons at bigpond.com (Andrew Commons)
Date: Fri, 29 Jan 2010 18:49:24 +1030
Subject: [Pki-users] Fedora Package
In-Reply-To: <4B61693A.80407@redhat.com>
References: <000d01ca9fff$b5c342b0$2149c810$@commons@bigpond.com> <4B616862.8070806@redhat.com> <4B61693A.80407@redhat.com>
Message-ID: <004601caa0bb$c4514770$4cf3d650$@commons@bigpond.com>

Kashyap,

I can confirm that your method works on F11 as well.

I would add an extra step after the pki-ca install, namely disabling the updates-testing repo to avoid updates to other packages.

Many thanks for the help.
Cheers,
Andrew

From kchamart at redhat.com Fri Jan 29 08:46:43 2010
From: kchamart at redhat.com (Kashyap Chamarthy)
Date: Fri, 29 Jan 2010 14:16:43 +0530
Subject: [Pki-users] Fedora Package
In-Reply-To: <004601caa0bb$c4514770$4cf3d650$@commons@bigpond.com>
References: <000d01ca9fff$b5c342b0$2149c810$@commons@bigpond.com> <4B616862.8070806@redhat.com> <4B61693A.80407@redhat.com> <004601caa0bb$c4514770$4cf3d650$@commons@bigpond.com>
Message-ID: <4B62A073.9040906@redhat.com>

On 01/29/2010 01:49 PM, Andrew Commons wrote:
> Kashyap,
>
> I can confirm that your method works on F11 as well.

nice.

>
> I would add an extra step after the pki-ca install, namely disabling the
> updates-testing repo to avoid updates to other packages.

Agreed.

/kashyap

>
> Many thanks for the help.
>
> Cheers,
> Andrew

From andrew.commons at bigpond.com Fri Jan 29 11:52:16 2010
From: andrew.commons at bigpond.com (Andrew Commons)
Date: Fri, 29 Jan 2010 22:22:16 +1030
Subject: [Pki-users] RA Wizard failing
Message-ID: <004f01caa0d9$811dc640$835952c0$@commons@bigpond.com>

I am getting a fatal server error running the RA Wizard at the Internal Database step when I click Next. The last few lines in the log that seem associated with that page are:

Fri Jan 29 22:02:22 CST 2010 - RA wizard: in handler
Fri Jan 29 22:02:22 CST 2010 - RA wizard: uri='/ra/admin/console/config/wizard'
Fri Jan 29 22:02:22 CST 2010 - RA wizard: http parameter name='p' value='5'
Fri Jan 29 22:02:22 CST 2010 - RA wizard: http parameter name='op' value='next'
Fri Jan 29 22:02:22 CST 2010 - RA wizard: before argparsing
Fri Jan 29 22:02:22 CST 2010 - RA wizard: setting up test objects
Fri Jan 29 22:02:22 CST 2010 - RA wizard: found 2 certtags

These lines are repeated if I use the Back Arrow to return to the page. Clicking Next again does not add anything to the log after that.

The system is Fedora 11.
The pki-ra install was performed with the "Test Updates" repositories enabled since this was required to get the CA up and running.

The pkicreate command used to setup the RA was:

pkicreate -pki_instance_root=/var/lib -pki_instance_name=pki-ra -subsystem_type=ra -secure_port=12889 -non_clientauth_secure_port=12890 -unsecure_port=12888 -user=pkiuser -group=pkiuser -redirect conf=/etc/pki-ra -redirect logs=/var/log/pki-ra -verbose

Which is the RA example out of the pkicreate help. The command used to setup the CA was the example command as well. The CA Config Wizard was fine and the CA seems to be functioning.

Any suggestions?

Cheers,
Andrew

From jmagne at redhat.com Fri Jan 29 17:37:52 2010
From: jmagne at redhat.com (John Magne)
Date: Fri, 29 Jan 2010 12:37:52 -0500 (EST)
Subject: [Pki-users] RA Wizard failing
In-Reply-To: <004f01caa0d9$811dc640$835952c0$@commons@bigpond.com>
Message-ID: <1153092304.589321264786672448.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>

Those lines are not much to go on. At least for me :)

If you could perhaps look in the log file directory to see if there are any clues in any of the other log files present. This should be /var/lib/pki-ra/logs I believe.

Also, in your pkicreate command you are using the redirect switch which might not be needed since you are using the default file locations. This should not be an issue though.

----- Original Message -----
From: "Andrew Commons"
To: pki-users at redhat.com
Sent: Friday, January 29, 2010 3:52:16 AM GMT -08:00 US/Canada Pacific
Subject: [Pki-users] RA Wizard failing

I am getting a fatal server error running the RA Wizard at the Internal Database step when I click Next.
The last few lines in the log that seem associated with that page are:

Fri Jan 29 22:02:22 CST 2010 - RA wizard: in handler
Fri Jan 29 22:02:22 CST 2010 - RA wizard: uri='/ra/admin/console/config/wizard'
Fri Jan 29 22:02:22 CST 2010 - RA wizard: http parameter name='p' value='5'
Fri Jan 29 22:02:22 CST 2010 - RA wizard: http parameter name='op' value='next'
Fri Jan 29 22:02:22 CST 2010 - RA wizard: before argparsing
Fri Jan 29 22:02:22 CST 2010 - RA wizard: setting up test objects
Fri Jan 29 22:02:22 CST 2010 - RA wizard: found 2 certtags

These lines are repeated if I use the Back Arrow to return to the page. Clicking Next again does not add anything to the log after that.

The system is Fedora 11. The pki-ra install was performed with the "Test Updates" repositories enabled since this was required to get the CA up and running.

The pkicreate command used to setup the RA was:

pkicreate -pki_instance_root=/var/lib -pki_instance_name=pki-ra -subsystem_type=ra -secure_port=12889 -non_clientauth_secure_port=12890 -unsecure_port=12888 -user=pkiuser -group=pkiuser -redirect conf=/etc/pki-ra -redirect logs=/var/log/pki-ra -verbose

Which is the RA example out of the pkicreate help. The command used to setup the CA was the example command as well. The CA Config Wizard was fine and the CA seems to be functioning.

Any suggestions?
Cheers,
Andrew

From andrew.commons at bigpond.com Sat Jan 30 11:26:30 2010
From: andrew.commons at bigpond.com (Andrew Commons)
Date: Sat, 30 Jan 2010 21:56:30 +1030
Subject: [Pki-users] RA Wizard failing
In-Reply-To: <1153092304.589321264786672448.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>
References: <004f01caa0d9$811dc640$835952c0$@commons@bigpond.com> <1153092304.589321264786672448.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>
Message-ID: <001b01caa19f$11d76040$358620c0$@commons@bigpond.com>

John,

Maybe this might help a bit more:

[Fri Jan 29 22:02:22 2010] [error] [client 192.168.0.9] install_driver(SQLite) failed: Can't locate DBD/SQLite.pm in @INC (@INC contains: /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi /usr/local/lib/perl5/site_perl/5.10.0 /usr/lib/perl5/vendor_perl/5.10.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.10.0/i386-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/lib/perl5/site_perl . /var/lib/pki-ra /var/lib/pki-ra/lib/perl) at (eval 152) line 3.\nPerhaps the DBD::SQLite perl module hasn't been fully installed,\nor perhaps the capitalisation of 'SQLite' isn't right.\nAvailable drivers: DBM, ExampleP, File, Gofer, Proxy, Sponge.\n at /var/lib/pki-ra/lib/perl/PKI/RA/DatabasePanel.pm line 79\n, referer: https://xxxxxx.yyyyy.zzzzzz:12890/ra/admin/console/config/wizard

That looks like 'Ouch!' to me :)

It would appear that package perl-DBD-SQLite should be a dependency?

I will install it and recreate everything. Is removing the pki-ra directory and all its contents going to be enough to roll back the configuration?
Cheers,
Andrew

-----Original Message-----
From: John Magne [mailto:jmagne at redhat.com]
Sent: Saturday, 30 January 2010 4:08 AM
To: Andrew Commons
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] RA Wizard failing

Those lines are not much to go on. At least for me :)

If you could perhaps look in the log file directory to see if there are any clues in any of the other log files present. This should be /var/lib/pki-ra/logs I believe.

Also, in your pkicreate command you are using the redirect switch which might not be needed since you are using the default file locations. This should not be an issue though.

----- Original Message -----
From: "Andrew Commons"
To: pki-users at redhat.com
Sent: Friday, January 29, 2010 3:52:16 AM GMT -08:00 US/Canada Pacific
Subject: [Pki-users] RA Wizard failing

I am getting a fatal server error running the RA Wizard at the Internal Database step when I click Next. The last few lines in the log that seem associated with that page are:

Fri Jan 29 22:02:22 CST 2010 - RA wizard: in handler
Fri Jan 29 22:02:22 CST 2010 - RA wizard: uri='/ra/admin/console/config/wizard'
Fri Jan 29 22:02:22 CST 2010 - RA wizard: http parameter name='p' value='5'
Fri Jan 29 22:02:22 CST 2010 - RA wizard: http parameter name='op' value='next'
Fri Jan 29 22:02:22 CST 2010 - RA wizard: before argparsing
Fri Jan 29 22:02:22 CST 2010 - RA wizard: setting up test objects
Fri Jan 29 22:02:22 CST 2010 - RA wizard: found 2 certtags

These lines are repeated if I use the Back Arrow to return to the page. Clicking Next again does not add anything to the log after that.

The system is Fedora 11. The pki-ra install was performed with the "Test Updates" repositories enabled since this was required to get the CA up and running.
The pkicreate command used to setup the RA was:

pkicreate -pki_instance_root=/var/lib -pki_instance_name=pki-ra -subsystem_type=ra -secure_port=12889 -non_clientauth_secure_port=12890 -unsecure_port=12888 -user=pkiuser -group=pkiuser -redirect conf=/etc/pki-ra -redirect logs=/var/log/pki-ra -verbose

Which is the RA example out of the pkicreate help. The command used to setup the CA was the example command as well. The CA Config Wizard was fine and the CA seems to be functioning.

Any suggestions?

Cheers,
Andrew
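
Both failures reported in this thread (setup-ds-admin.pl, and the RA wizard's Internal Database step) are Perl "Can't locate X.pm in @INC" errors. The triage helper below is an added example, not code from Dogtag or from any poster; its function names and the sample log lines (constructed and abridged, modelled on the two errors above) are assumptions. It turns each error into the RPM capability string `perl(Module::Name)` that `yum provides` or `rpm -q --whatprovides` accepts.

```python
"""Triage Perl "Can't locate X.pm in @INC" errors from installer or Apache logs.

Added example: function names and the sample log are illustrative assumptions.
"""
import re

# Perl's standard wording when require/use cannot find a module file.
CANT_LOCATE = re.compile(
    r"Can't locate (?P<path>[\w/]+)\.pm in @INC "
    r"\(@INC contains: (?P<inc>[^)]*)\)"
    r"(?: at (?P<where>.+?) line (?P<line>\d+))?"
)


def parse_missing_modules(log_text):
    """Return one record per distinct missing module, in first-seen order."""
    found = {}
    for m in CANT_LOCATE.finditer(log_text):
        module = m.group("path").replace("/", "::")  # DBD/SQLite -> DBD::SQLite
        if module in found:
            continue  # the same failure is usually logged on every retry
        found[module] = {
            "module": module,
            # Capability name that Perl module RPMs advertise.
            "rpm_capability": "perl(%s)" % module,
            # Directories Perl searched; shows which app-private paths count.
            "searched": m.group("inc").split(),
            "raised_at": m.group("where"),
            "line": int(m.group("line")) if m.group("line") else None,
        }
    return list(found.values())


def lookup_commands(records):
    """Build the package-lookup command for each missing module."""
    return ["yum provides '%s'" % r["rpm_capability"] for r in records]


# Constructed sample, abridged from the two errors quoted in the thread.
SAMPLE_LOG = r"""
-bash-4.0# setup-ds-admin.pl
Can't locate Util.pm in @INC (@INC contains: /usr/lib/dirsrv/perl /usr/lib/perl5/vendor_perl .) at /usr/lib/dirsrv/perl/AdminUtil.pm line 41.
BEGIN failed--compilation aborted at /usr/lib/dirsrv/perl/AdminUtil.pm line 41.
[Fri Jan 29 22:02:22 2010] [error] [client 192.0.2.9] install_driver(SQLite) failed: Can't locate DBD/SQLite.pm in @INC (@INC contains: /usr/lib/perl5/vendor_perl /var/lib/pki-ra /var/lib/pki-ra/lib/perl) at (eval 152) line 3.\nPerhaps the DBD::SQLite perl module hasn't been fully installed
[Fri Jan 29 22:02:25 2010] [error] [client 192.0.2.9] install_driver(SQLite) failed: Can't locate DBD/SQLite.pm in @INC (@INC contains: /usr/lib/perl5/vendor_perl /var/lib/pki-ra /var/lib/pki-ra/lib/perl) at (eval 152) line 3.
"""

if __name__ == "__main__":
    records = parse_missing_modules(SAMPLE_LOG)
    for rec, cmd in zip(records, lookup_commands(records)):
        print("%-12s raised at %s line %s" % (rec["module"], rec["raised_at"], rec["line"]))
        print("    " + cmd)
```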