From ehimawan at gmail.com Tue May 4 14:52:13 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Tue, 4 May 2010 09:52:13 -0500
Subject: [Pki-users] Customizing Subject Name Input Attributes

Hi,

For our in-house application, I would like to add "Locality", "State", and other attributes to my issued certificates. I would like to prompt the user with the set of attributes that he/she needs to provide. To reduce user error, I would like to accomplish this through the Subject Name Input. However, I could not add new attributes nor remove unwanted attributes from this input.

Does anybody know how to add/remove attributes on the Subject Name Input?

Thanks,
Erwin

From kevinu at redhat.com Wed May 5 22:22:06 2010
From: kevinu at redhat.com (Kevin Unthank)
Date: Wed, 05 May 2010 15:22:06 -0700
Subject: [Pki-users] Dogtag Version 1.3 release
Message-ID: <4BE1EF8E.6080108@redhat.com>

We are pleased to announce the availability of both 32-bit and 64-bit versions of Dogtag Certificate System 1.3 for Fedora 11, Fedora 12, Fedora 13 and EPEL packages for RHEL 5.5.

The new release is now included in the standard EPEL and Fedora repositories, allowing the packages to be installed on Fedora without configuring additional package repositories and on Red Hat Enterprise Linux systems that are configured to use the EPEL repositories.

* See the Release Notes for more information:
  http://pki.fedoraproject.org/wiki/PKI_Release_Notes

From arshad.noor at strongauth.com Wed May 5 22:31:51 2010
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Wed, 05 May 2010 15:31:51 -0700
Subject: [Pki-users] Dogtag Version 1.3 release
In-Reply-To: <4BE1EF8E.6080108@redhat.com>
References: <4BE1EF8E.6080108@redhat.com>
Message-ID: <4BE1F1D7.5050907@strongauth.com>

Congratulations, Kevin.
However, I notice that the documentation says the following to install the CA:

  yum install pki-ca

Yet, this package is unavailable/not visible on the EPEL repository:

  http://download.fedora.redhat.com/pub/epel/5Server/x86_64/

How does one install from the EPEL repository if there is no pki-ca RPM?

Thanks.

Arshad Noor
StrongAuth, Inc.

Kevin Unthank wrote:
> We are pleased to announce the availability of both 32-bit and 64-bit
> versions of Dogtag Certificate System 1.3 for Fedora 11, Fedora 12,
> Fedora 13 and EPEL packages for RHEL 5.5.
>
> The new release is now included in the standard EPEL and Fedora
> repositories, allowing the packages to be installed on Fedora without
> configuring additional package repositories and on Red Hat Enterprise
> Linux systems that are configured to use the EPEL repositories.
>
> * See the Release Notes for more information:
>   http://pki.fedoraproject.org/wiki/PKI_Release_Notes
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From kevinu at redhat.com Wed May 5 23:03:27 2010
From: kevinu at redhat.com (Kevin Unthank)
Date: Wed, 05 May 2010 16:03:27 -0700
Subject: [Pki-users] Dogtag Version 1.3 release
In-Reply-To: <4BE1F1D7.5050907@strongauth.com>
References: <4BE1EF8E.6080108@redhat.com> <4BE1F1D7.5050907@strongauth.com>
Message-ID: <4BE1F93F.6080003@redhat.com>

Hi Arshad,

The packages should have appeared in the epel channels by now. Sometimes the process does take a few days. The packages are staged in the testing epel channel:

  http://download.fedora.redhat.com/pub/epel/testing/5Server/x86_64/

So, I recommend using that channel for a few days until I can figure out why the packages haven't shown up.
The download page http://pki.fedoraproject.org/wiki/PKI_Download on the wiki has some good instructions for installation, including the use of:

  yum --enablerepo=epel-testing install dogtag-pki

Cheers,
Kev

On 05/05/2010 03:31 PM, Arshad Noor wrote:
> Congratulations, Kevin.
>
> However, I notice that the documentation says the following to
> install the CA:
>
>   yum install pki-ca
>
> Yet, this package is unavailable/not visible on the EPEL
> repository:
>
>   http://download.fedora.redhat.com/pub/epel/5Server/x86_64/
>
> How does one install from the EPEL repository if there is no
> pki-ca RPM?
>
> Thanks.
>
> Arshad Noor
> StrongAuth, Inc.
>
>
> Kevin Unthank wrote:
>> We are pleased to announce the availability of both 32-bit and 64-bit
>> versions of Dogtag Certificate System 1.3 for Fedora 11, Fedora 12,
>> Fedora 13 and EPEL packages for RHEL 5.5.
>>
>> The new release is now included in the standard EPEL and Fedora
>> repositories, allowing the packages to be installed on Fedora without
>> configuring additional package repositories and on Red Hat Enterprise
>> Linux systems that are configured to use the EPEL repositories.
>>
>> * See the Release Notes for more information:
>>   http://pki.fedoraproject.org/wiki/PKI_Release_Notes

From arshad.noor at strongauth.com Thu May 6 01:03:30 2010
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Wed, 05 May 2010 18:03:30 -0700
Subject: [Pki-users] Utimaco HSM "Not Found" problem
In-Reply-To: <4BD887D7.9040206@nthpermutation.com>
Message-ID: <4BE21562.5050804@strongauth.com>

After much struggling, I finally changed the SELinux settings to "permissive" and the HSM is now visible and usable. The PKCS11 config file from Utimaco (cs2_pkcs11.ini) also needed to be in the /etc folder for JSS+NSS to see the HSM.

While this got the CA installed, I've run into an issue that seems to be unresolved from a thread back in Nov 2009:

  https://www.redhat.com/archives/pki-users/2009-November/msg00017.html

Bugzilla apparently has the fix and the server.xml has the right values for clientAuth, but the bad MAC error keeps appearing for every HTTPS page in my test installation.

Is there any resolution to John Dorovski's problem?
His last message remains unanswered.

Thanks.

Arshad Noor
StrongAuth, Inc.

From gtoems at gmail.com Thu May 6 06:32:48 2010
From: gtoems at gmail.com (Henry GM)
Date: Thu, 6 May 2010 13:32:48 +0700
Subject: [Pki-users] dog tag and openldap

Dear all,

I have a lot of users in my OpenLDAP and want all of my existing users to have a userCertificate, so I can download it using phpldapadmin.
Is there any way to store certificates for existing users in OpenLDAP? Or can Dogtag store/publish certificates to OpenLDAP?

Rgds,
Henry Gultom.

From awnuk at redhat.com Thu May 6 15:27:59 2010
From: awnuk at redhat.com (Andrew Wnuk)
Date: Thu, 06 May 2010 08:27:59 -0700
Subject: [Pki-users] dog tag and openldap
Message-ID: <4BE2DFFF.60109@redhat.com>

Henry,

Certificate publishing is explained at http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Publishing.html.

Thanks,
Andrew

On 05/05/10 23:32, Henry GM wrote:
> Dear all,
> I have a lot of users in my OpenLDAP and want all of my existing users to
> have a userCertificate, so I can download it using phpldapadmin.
> Is there any way to store certificates for existing users in OpenLDAP? Or
> can Dogtag store/publish certificates to OpenLDAP?
>
> Rgds,
> Henry Gultom.

From gtoems at gmail.com Fri May 7 05:07:44 2010
From: gtoems at gmail.com (Henry GM)
Date: Fri, 7 May 2010 12:07:44 +0700
Subject: [Pki-users] pki-ra port 12890 not up

Dear all,

Why is the pki-ra port not up after I install using yum --enablerepo=epel-testing install pki-ra?
For pki-ca, pki-kra, pki-ocsp and pki-tps, install and start configuration run well and the port is up.
[2010-05-07 11:47:05] [debug] Processing PKI files and symbolic links for '/var/lib/pki-ra' ...
[2010-05-07 11:47:05] [debug] Processing PKI security databases for '/var/lib/pki-ra' ...
[2010-05-07 11:47:07] [debug] Processing PKI security modules for '/var/lib/pki-ra' ...
[2010-05-07 11:47:07] [debug] Attempting to add hardware security modules to system if applicable ...
[2010-05-07 11:47:07] [debug] module name: lunasa lib: /usr/lunasa/lib/libCryptoki2.so DOES NOT EXIST!
[2010-05-07 11:47:07] [debug] module name: nfast lib: /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
[2010-05-07 11:47:07] [debug] Restorecon file context for /usr/share/pki
[2010-05-07 11:47:07] [debug] Restorecon file context for /var/lib/pki-ra
[2010-05-07 11:47:08] [debug] Restorecon file context for /var/log/pki-ra
[2010-05-07 11:47:08] [debug] Restorecon /etc/pki-ra
[2010-05-07 11:47:08] [debug] Restorecon file context for /usr/sbin/httpd.worker
[2010-05-07 11:47:08] [debug] Setting selinux context pki_ra_port_t for 12890

PKI instance creation completed ...

Stopping pki-ra: httpd (no pid file) not running
[ OK ]
==============================
Starting pki-ra: ............................... [ OK ]

pki-ra pid file exists but is empty
Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.

Please start the configuration by accessing:

https://mydomain.com:12890/ra/admin/console/config/login?pin=jGRSfY5xWWyMuxO2cSke

After configuration, the server can be operated by the command:

/sbin/service pki-rad restart pki-ra

In /var/log/pki-ra/error.log I got the messages:
/usr/sbin/httpd.worker: symbol lookup error: /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/Apache2/ServerUtil/ServerUtil.so: undefined symbol: ap_get_server_banner

perl -v
This is perl, v5.8.8 built for i386-linux-thread-multi

How to fix that?

Rgds,
Henry G.
From kevinu at redhat.com Fri May 7 16:31:47 2010
From: kevinu at redhat.com (Kevin Unthank)
Date: Fri, 07 May 2010 09:31:47 -0700
Subject: [Pki-users] pki-ra port 12890 not up
Message-ID: <4BE44073.7030205@redhat.com>

Hi Henry,

What version of mod_nss do you have? We have not tested the dogtag 1.3 pki-ra and pki-tps subsystems on RHEL/Centos because they require a later version (1.0.8) of mod_nss than the standard.

Details on this and other issues can be found on the wiki:
http://pki.fedoraproject.org/wiki/PKI_Known_Issues

You might be able to make it work by forcing an install of the fedora 12 mod_nss libraries onto your RHEL/Centos box.

Cheers,
Kev

On 05/06/2010 10:07 PM, Henry GM wrote:
> Dear all,
>
> Why is the pki-ra port not up after I install using yum
> --enablerepo=epel-testing install pki-ra?
> For pki-ca, pki-kra, pki-ocsp and pki-tps, install and start configuration
> run well and the port is up.
>
> [2010-05-07 11:47:05] [debug] Processing PKI files and symbolic links
> for '/var/lib/pki-ra' ...
> [2010-05-07 11:47:05] [debug] Processing PKI security databases for
> '/var/lib/pki-ra' ...
> [2010-05-07 11:47:07] [debug] Processing PKI security modules for
> '/var/lib/pki-ra' ...
> [2010-05-07 11:47:07] [debug] Attempting to add hardware security
> modules to system if applicable ...
> [2010-05-07 11:47:07] [debug] module name: lunasa lib:
> /usr/lunasa/lib/libCryptoki2.so DOES NOT EXIST!
> [2010-05-07 11:47:07] [debug] module name: nfast lib:
> /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
> [2010-05-07 11:47:07] [debug] Restorecon file context for /usr/share/pki
> [2010-05-07 11:47:07] [debug] Restorecon file context for /var/lib/pki-ra
> [2010-05-07 11:47:08] [debug] Restorecon file context for /var/log/pki-ra
> [2010-05-07 11:47:08] [debug] Restorecon /etc/pki-ra
> [2010-05-07 11:47:08] [debug] Restorecon file context for
> /usr/sbin/httpd.worker
> [2010-05-07 11:47:08] [debug] Setting selinux context pki_ra_port_t for
> 12890
>
> PKI instance creation completed ...
>
> Stopping pki-ra: httpd (no pid file) not running
> [ OK ]
> ==============================
> Starting pki-ra: ............................... [ OK ]
>
> pki-ra pid file exists but is empty
> Before proceeding with the configuration, make sure
> the firewall settings of this machine permit proper
> access to this subsystem.
>
> Please start the configuration by accessing:
>
> https://mydomain.com:12890/ra/admin/console/config/login?pin=jGRSfY5xWWyMuxO2cSke
>
> After configuration, the server can be operated by the command:
>
> /sbin/service pki-rad restart pki-ra
>
> In /var/log/pki-ra/error.log I got the messages:
> /usr/sbin/httpd.worker: symbol lookup error:
> /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/Apache2/ServerUtil/ServerUtil.so:
> undefined symbol: ap_get_server_banner
>
> perl -v
> This is perl, v5.8.8 built for i386-linux-thread-multi
>
> How to fix that?
>
> Rgds,
> Henry G.

From arshad.noor at strongauth.com Fri May 7 16:41:25 2010
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Fri, 07 May 2010 09:41:25 -0700
Subject: [Pki-users] Bad MAC error (was Utimaco HSM "Not Found" problem)
In-Reply-To: <4BE21562.5050804@strongauth.com>
Message-ID: <4BE442B5.3080304@strongauth.com>

Any suggestions or hints on how to move forward with this?

Thanks.

Arshad Noor
StrongAuth, Inc.

Arshad Noor wrote:
> I've run into an issue that
> seems to be unresolved from a thread back in Nov 2009:
>
> https://www.redhat.com/archives/pki-users/2009-November/msg00017.html
>
> Bugzilla apparently has the fix and the server.xml has the right
> values for clientAuth, but the bad MAC error keeps appearing for
> every HTTPS page in my test installation.
>
> Is there any resolution to John Dorovski's problem? His last
> message remains unanswered.
From gtoems at gmail.com Fri May 7 23:19:04 2010
From: gtoems at gmail.com (Henry GM)
Date: Sat, 08 May 2010 06:19:04 +0700
Subject: [Pki-users] pki-ra port 12890 not up
In-Reply-To: <4BE44073.7030205@redhat.com>
References: <4BE44073.7030205@redhat.com>
Message-ID: <4BE49FE8.9020306@gmail.com>

Kevin,

Thanks for the advice.
I upgraded the default mod_nss 1.0.3-8.el5 for Centos 5 with http://yum.aclub.net/pub/linux/centos/5/umask/umask.repo, so my centos has mod_nss.i386 0:1.0.7-umask.4. This is not working now with pki-ra.
As you advised, to replace it using mod_nss-1.0.8-2.fc12.i686.rpm, I already tried it and got a problem because
rpmlib(FileDigests) <= 4.6.0-1 is needed by mod_nss-1.0.8-2.fc12.i686
rpmlib(PayloadIsXz) <= 5.2-1 is needed by mod_nss-1.0.8-2.fc12.i686....
I can't find sources for rpmlib or rpm-devel..
Maybe I must change centos 5.4 to fedora 12. Or any idea to make mod_nss-1.0.8-2.fc12.i686 work for centos 5.4?

Rgds,
Henry Gultom

with the
On 5/7/2010 11:31 PM, Kevin Unthank wrote:
> Hi Henry,
>
> What version of mod_nss do you have? We have not tested the dogtag 1.3
> pki-ra and pki-tps subsystems on RHEL/Centos because they require a
> later version (1.0.8) of mod_nss than the standard.
>
> Details on this and other issues can be found on the wiki:
> http://pki.fedoraproject.org/wiki/PKI_Known_Issues
>
> You might be able to make it work by forcing an install of the
> fedora 12 mod_nss libraries onto your RHEL/Centos box.
>
> Cheers,
> Kev
>
>
> On 05/06/2010 10:07 PM, Henry GM wrote:
>> Dear all,
>>
>> Why is the pki-ra port not up after I install using yum
>> --enablerepo=epel-testing install pki-ra?
>> For pki-ca, pki-kra, pki-ocsp and pki-tps, install and start configuration
>> run well and the port is up.
>>
>> [2010-05-07 11:47:05] [debug] Processing PKI files and symbolic links
>> for '/var/lib/pki-ra' ...
>> [2010-05-07 11:47:05] [debug] Processing PKI security databases for
>> '/var/lib/pki-ra' ...
>> [2010-05-07 11:47:07] [debug] Processing PKI security modules for
>> '/var/lib/pki-ra' ...
>> [2010-05-07 11:47:07] [debug] Attempting to add hardware security
>> modules to system if applicable ...
>> [2010-05-07 11:47:07] [debug] module name: lunasa lib:
>> /usr/lunasa/lib/libCryptoki2.so DOES NOT EXIST!
>> [2010-05-07 11:47:07] [debug] module name: nfast lib:
>> /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
>> [2010-05-07 11:47:07] [debug] Restorecon file context for /usr/share/pki
>> [2010-05-07 11:47:07] [debug] Restorecon file context for
>> /var/lib/pki-ra
>> [2010-05-07 11:47:08] [debug] Restorecon file context for
>> /var/log/pki-ra
>> [2010-05-07 11:47:08] [debug] Restorecon /etc/pki-ra
>> [2010-05-07 11:47:08] [debug] Restorecon file context for
>> /usr/sbin/httpd.worker
>> [2010-05-07 11:47:08] [debug] Setting selinux context pki_ra_port_t for
>> 12890
>>
>> PKI instance creation completed ...
>>
>> Stopping pki-ra: httpd (no pid file) not running
>> [ OK ]
>> ==============================
>> Starting pki-ra: ............................... [ OK ]
>>
>> pki-ra pid file exists but is empty
>> Before proceeding with the configuration, make sure
>> the firewall settings of this machine permit proper
>> access to this subsystem.
>>
>> Please start the configuration by accessing:
>>
>> https://mydomain.com:12890/ra/admin/console/config/login?pin=jGRSfY5xWWyMuxO2cSke
>>
>> After configuration, the server can be operated by the command:
>>
>> /sbin/service pki-rad restart pki-ra
>>
>> In /var/log/pki-ra/error.log I got the messages:
>> /usr/sbin/httpd.worker: symbol lookup error:
>> /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/Apache2/ServerUtil/ServerUtil.so:
>> undefined symbol: ap_get_server_banner
>>
>> perl -v
>> This is perl, v5.8.8 built for i386-linux-thread-multi
>>
>> How to fix that?
>>
>> Rgds,
>> Henry G.
From mharmsen at redhat.com Fri May 7 23:40:43 2010
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 07 May 2010 16:40:43 -0700
Subject: [Pki-users] pki-ra port 12890 not up
In-Reply-To: <4BE49FE8.9020306@gmail.com>
References: <4BE44073.7030205@redhat.com> <4BE49FE8.9020306@gmail.com>
Message-ID: <4BE4A4FB.5000006@redhat.com>

On 05/07/10 16:19, Henry GM wrote:
> Kevin,
>
> Thanks for the advice.
> I upgraded the default mod_nss 1.0.3-8.el5 for Centos 5 with
> http://yum.aclub.net/pub/linux/centos/5/umask/umask.repo,
> so my centos has mod_nss.i386 0:1.0.7-umask.4. This is not working
> now with pki-ra.
> As you advised, to replace it using mod_nss-1.0.8-2.fc12.i686.rpm, I already
> tried it and got a problem
> because rpmlib(FileDigests) <= 4.6.0-1 is needed by
> mod_nss-1.0.8-2.fc12.i686 rpmlib(PayloadIsXz) <= 5.2-1 is needed by
> mod_nss-1.0.8-2.fc12.i686....
> I can't find sources for rpmlib or rpm-devel..
> Maybe I must change centos 5.4 to fedora 12. Or any idea to make
> mod_nss-1.0.8-2.fc12.i686 work for centos 5.4?
>
> Rgds,
> Henry Gultom
>

Henry,

Not sure if this will help or not, but I have provided RHEL 5 convenience builds of the proper version of 'mod_nss' at http://pki.fedoraproject.org/wiki/PKI_Download#Dogtag_Certificate_System_1.3_and_later.

-- Matt

>
> with the
> On 5/7/2010 11:31 PM, Kevin Unthank wrote:
>> Hi Henry,
>>
>> What version of mod_nss do you have? We have not tested the dogtag 1.3
>> pki-ra and pki-tps subsystems on RHEL/Centos because they require a
>> later version (1.0.8) of mod_nss than the standard.
>>
>> Details on this and other issues can be found on the wiki:
>> http://pki.fedoraproject.org/wiki/PKI_Known_Issues
>>
>> You might be able to make it work by forcing an install of the
>> fedora 12 mod_nss libraries onto your RHEL/Centos box.
>>
>> Cheers,
>> Kev
>>
>>
>> On 05/06/2010 10:07 PM, Henry GM wrote:
>>> Dear all,
>>>
>>> Why is the pki-ra port not up after I install using yum
>>> --enablerepo=epel-testing install pki-ra?
>>> For pki-ca, pki-kra, pki-ocsp and pki-tps, install and start configuration
>>> run well and the port is up.
>>>
>>> [2010-05-07 11:47:05] [debug] Processing PKI files and symbolic links
>>> for '/var/lib/pki-ra' ...
>>> [2010-05-07 11:47:05] [debug] Processing PKI security databases for
>>> '/var/lib/pki-ra' ...
>>> [2010-05-07 11:47:07] [debug] Processing PKI security modules for
>>> '/var/lib/pki-ra' ...
>>> [2010-05-07 11:47:07] [debug] Attempting to add hardware security
>>> modules to system if applicable ...
>>> [2010-05-07 11:47:07] [debug] module name: lunasa lib:
>>> /usr/lunasa/lib/libCryptoki2.so DOES NOT EXIST!
>>> [2010-05-07 11:47:07] [debug] module name: nfast lib:
>>> /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
>>> [2010-05-07 11:47:07] [debug] Restorecon file context for
>>> /usr/share/pki
>>> [2010-05-07 11:47:07] [debug] Restorecon file context for
>>> /var/lib/pki-ra
>>> [2010-05-07 11:47:08] [debug] Restorecon file context for
>>> /var/log/pki-ra
>>> [2010-05-07 11:47:08] [debug] Restorecon /etc/pki-ra
>>> [2010-05-07 11:47:08] [debug] Restorecon file context for
>>> /usr/sbin/httpd.worker
>>> [2010-05-07 11:47:08] [debug] Setting selinux context pki_ra_port_t for
>>> 12890
>>>
>>> PKI instance creation completed ...
>>>
>>> Stopping pki-ra: httpd (no pid file) not running
>>> [ OK ]
>>> ==============================
>>> Starting pki-ra: ............................... [ OK ]
>>>
>>> pki-ra pid file exists but is empty
>>> Before proceeding with the configuration, make sure
>>> the firewall settings of this machine permit proper
>>> access to this subsystem.
>>>
>>> Please start the configuration by accessing:
>>>
>>> https://mydomain.com:12890/ra/admin/console/config/login?pin=jGRSfY5xWWyMuxO2cSke
>>>
>>> After configuration, the server can be operated by the command:
>>>
>>> /sbin/service pki-rad restart pki-ra
>>>
>>> In /var/log/pki-ra/error.log I got the messages:
>>> /usr/sbin/httpd.worker: symbol lookup error:
>>> /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/Apache2/ServerUtil/ServerUtil.so:
>>> undefined symbol: ap_get_server_banner
>>>
>>> perl -v
>>> This is perl, v5.8.8 built for i386-linux-thread-multi
>>>
>>> How to fix that?
>>>
>>> Rgds,
>>> Henry G.

From gtoems at gmail.com Sat May 8 03:54:19 2010
From: gtoems at gmail.com (Henry GM)
Date: Sat, 08 May 2010 10:54:19 +0700
Subject: [Pki-users] pki-ra port 12890 not up
In-Reply-To: <4BE4A4FB.5000006@redhat.com>
References: <4BE44073.7030205@redhat.com> <4BE49FE8.9020306@gmail.com> <4BE4A4FB.5000006@redhat.com>
Message-ID: <4BE4E06B.7070008@gmail.com>

On 5/8/2010 6:40 AM, Matthew Harmsen wrote:
> On 05/07/10 16:19, Henry GM wrote:
>> Kevin,
>>
>> Thanks for the advice.
>> I upgraded the default mod_nss 1.0.3-8.el5 for Centos 5 with
>> http://yum.aclub.net/pub/linux/centos/5/umask/umask.repo,
>> so my centos has mod_nss.i386 0:1.0.7-umask.4. This is not working
>> now with pki-ra.
>> As you advised, to replace it using mod_nss-1.0.8-2.fc12.i686.rpm, I
>> already tried it and got a problem
>> because rpmlib(FileDigests) <= 4.6.0-1 is needed by
>> mod_nss-1.0.8-2.fc12.i686 rpmlib(PayloadIsXz) <= 5.2-1 is needed by
>> mod_nss-1.0.8-2.fc12.i686....
>> I can't find sources for rpmlib or rpm-devel..
>> Maybe I must change centos 5.4 to fedora 12. Or any idea to make
>> mod_nss-1.0.8-2.fc12.i686 work for centos 5.4?
>>
>> Rgds,
>> Henry Gultom
>>
> Henry,
>
> Not sure if this will help or not, but I have provided RHEL 5
> convenience builds of the proper version of 'mod_nss' at
> http://pki.fedoraproject.org/wiki/PKI_Download#Dogtag_Certificate_System_1.3_and_later.
>
>
> -- Matt

Really helpful, Matt. It works now, so I'm not reloading my centos to fedora.

#wget -c http://pki.fedoraproject.org/pki/download/pki/1.3.0/el5/RPMS/i386/mod_nss-1.0.8-2.el5idm.i386.rpm
#rpm -ivh mod_nss-1.0.8-2.el5idm.i386.rpm
#rpm -qa mod_nss
mod_nss-1.0.8-2.el5idm

After install and pkicreate, the pki-ra port 12890 shows up now; this case is solved.

Thanks Kevin and Matt,
Henry Gultom,

From ckannan at redhat.com Tue May 11 00:23:08 2010
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Mon, 10 May 2010 17:23:08 -0700
Subject: [Pki-users] Bad MAC error (was Utimaco HSM "Not Found" problem)
In-Reply-To: <4BE442B5.3080304@strongauth.com>
Message-ID: <4BE8A36C.10608@redhat.com>

On 05/07/2010 09:41 AM, Arshad Noor wrote:
> Any suggestions or hints on how to move forward with this?

We have never tried with this utimaco hsm unit. So ... can you provide some more info along these lines ..
- pki-ca install logs, ca debug logs, server configuration files
- at the time when u hit the bad mac - ssltap reports, hsm pkcs11 debug logs etc..

thanks,
--Chandra

> Thanks.
>
> Arshad Noor
> StrongAuth, Inc.
>
> Arshad Noor wrote:
>
>> I've run into an issue that
>> seems to be unresolved from a thread back in Nov 2009:
>>
>> https://www.redhat.com/archives/pki-users/2009-November/msg00017.html
>>
>> Bugzilla apparently has the fix and the server.xml has the right
>> values for clientAuth, but the bad MAC error keeps appearing for
>> every HTTPS page in my test installation.
>>
>> Is there any resolution to John Dorovski's problem? His last
>> message remains unanswered.

From gtoems at gmail.com Thu May 20 14:53:57 2010
From: gtoems at gmail.com (Henry GM)
Date: Thu, 20 May 2010 21:53:57 +0700
Subject: [Pki-users] smart card support

What kind of smart card is implemented/supported by ESC Dog Tag besides the Axalto Cyberflex egate 32k?
Does it support STARCOS SPK2.3 with the Dog Tag smart card manager?

Rgds,
Henry Gultom

From kevinu at redhat.com Thu May 20 20:34:09 2010
From: kevinu at redhat.com (Kevin Unthank)
Date: Thu, 20 May 2010 13:34:09 -0700
Subject: [Pki-users] smart card support
Message-ID: <4BF59CC1.40400@redhat.com>

Hi Henry

In theory, any Javacard 2.1 / Global Platform 2.0.1 compliant smart card should work. In reality, due to subtle differences in standards implementations, the only cards that we are certain will work are the ones we test with.

From the RHCS8 release notes:

3.4. Supported Smart Cards

The Enterprise Security Client supports Global Platform 2.0.1-compliant smart cards and JavaCard 2.1 or higher. The Certificate System subsystems have been tested using the following tokens:

* Gemalto TOP IM FIPS CY2 64K token, both as a smart card and GemPCKey USB form factor key
* Gemalto Cyberflex e-gate 32K token (Red Hat Enterprise Linux only)
* Safenet 330J Java smart card

Smart card testing was conducted using the SCM SCR331 CCID reader.

The only card manager applet supported with Certificate System is the CoolKey applet which ships with Red Hat Enterprise Linux 5.3.

Cheers,
Kev

On 05/20/2010 07:53 AM, Henry GM wrote:
> What kind of smart card is implemented/supported by ESC Dog Tag besides
> the Axalto Cyberflex egate 32k?
> Does it support STARCOS SPK2.3 with the Dog Tag smart card manager?
>
> Rgds,
> Henry Gultom

From ehimawan at gmail.com Fri May 21 00:51:35 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Thu, 20 May 2010 19:51:35 -0500
Subject: [Pki-users] SCEP Authentication

I would like to configure my DCS's SCEP operation for manual approval, in which the router uses SCEP to submit the request and the CA agent will manually approve the request and modify the request (if needed).

Does anybody have any idea how to configure the DCS CA?

I am thinking of cloning the caRouterCert profile. I am not sure what to specify to enable an agent to approve the incoming request.
Am I in the right direction?

Thanks,
Erwin
URL: From awnuk at redhat.com Fri May 21 16:38:14 2010 From: awnuk at redhat.com (Andrew Wnuk) Date: Fri, 21 May 2010 09:38:14 -0700 Subject: [Pki-users] SCEP Authentication In-Reply-To: References: Message-ID: <4BF6B6F6.9000204@redhat.com> On 05/20/10 17:51, Erwin Himawan wrote: > I would like to configure my DCS's SCEP operation for manual approval, > in which the router uses SCEP to submit the request and the CA agent > will manually approve the request and to modify the request (if needed). > > Does anybody has any idea how to configure the DCS CA? > > I am thinking to clone the caRouterCert profile. I am not sure what > to specify to enable agent to approve the incoming request. > Am I in the right direction? You could try to modify caRouterCert profile by replacing auth.instance_id=raCertAuth with auth.instance_id= Adding new profile requires extending profile list in CS.cfg. > > Thanks, > Erwin > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ehimawan at gmail.com Fri May 21 18:48:18 2010 From: ehimawan at gmail.com (Erwin Himawan) Date: Fri, 21 May 2010 13:48:18 -0500 Subject: [Pki-users] SCEP Authentication In-Reply-To: <4BF6B6F6.9000204@redhat.com> References: <4BF6B6F6.9000204@redhat.com> Message-ID: Andrew, Thanks for your suggestion. I change the value of auth.instance_id in the caRouterCert profile to be "empty" (i.e. no value) per your suggestion. I could verify through the debug file that the CA accepts this empty value when I run my SCEP test again. The snippet of the debug file: Found profile=caRouterCert Retrieving Authenticator no Authenticator Found >> this log suggests that the changes takes into effect Despite that no Authenticator is Found, the CA does not put the request in the agent queue. The CA issues the SCEP client a certificate. 
Now, when I check this particular request through the CA agent web interface (List Request, Request Type: Show All Request, Request Status: Show All Request), I noticed that the request was completed.

Although the CA marks this request as completed, the request does not show its associated issued certificate, despite the fact that the SCEP client was issued a certificate. When I further explore this "completed request", this is what I get:

Request:
  Status: complete
  Type: enrollment

Subject Public Key:
  Algorithm: undefined
  Public Key: undefined

Issued Cert:
  Error: certificate not issued

Any idea why the CA behaves this way? Is it expected?

Thanks,
Erwin

On Fri, May 21, 2010 at 11:38 AM, Andrew Wnuk wrote:
> On 05/20/10 17:51, Erwin Himawan wrote:
>
> I would like to configure my DCS's SCEP operation for manual approval, in
> which the router uses SCEP to submit the request and the CA agent will
> manually approve the request and modify it (if needed).
>
> Does anybody have any idea how to configure the DCS CA?
>
> I am thinking of cloning the caRouterCert profile. I am not sure what to
> specify to enable the agent to approve the incoming request.
> Am I in the right direction?
>
> You could try to modify the caRouterCert profile by replacing
> auth.instance_id=raCertAuth
> with
> auth.instance_id=
> Adding a new profile requires extending the profile list in CS.cfg.
>
> Thanks,
> Erwin
From awnuk at redhat.com Fri May 21 22:49:33 2010
From: awnuk at redhat.com (Andrew Wnuk)
Date: Fri, 21 May 2010 15:49:33 -0700
Subject: [Pki-users] SCEP Authentication
In-Reply-To:
References: <4BF6B6F6.9000204@redhat.com>
Message-ID: <4BF70DFD.3030907@redhat.com>

Erwin,

Could you open a bug including all details?

Thank you,
Andrew

On 05/21/10 11:48, Erwin Himawan wrote:
> Andrew,
>
> Thanks for your suggestion. I changed the value of auth.instance_id in
> the caRouterCert profile to be "empty" (i.e. no value) per your
> suggestion.
>
> I could verify through the debug file that the CA accepts this empty
> value when I ran my SCEP test again.
> The snippet of the debug file:
>
> Found profile=caRouterCert
> Retrieving Authenticator
> no Authenticator Found        >> this log suggests that the change takes
> effect
>
> Despite the fact that no Authenticator is Found, the CA does not put the
> request in the agent queue.
> The CA issues the SCEP client a certificate.
>
> Now, when I check this particular request through the CA agent web
> interface (List Request, Request Type: Show All Request, Request
> Status: Show All Request), I noticed that the request was completed.
>
> Although the CA marks this request as completed, the request does not
> show its associated issued certificate, despite the fact that the
> SCEP client was issued a certificate. When I further explore this
> "completed request", this is what I get:
>
> Request:
>   Status: complete
>   Type: enrollment
>
> Subject Public Key:
>   Algorithm: undefined
>   Public Key: undefined
>
> Issued Cert:
>   Error: certificate not issued
>
> Any idea why the CA behaves this way? Is it expected?
>
> Thanks,
> Erwin
>
> On Fri, May 21, 2010 at 11:38 AM, Andrew Wnuk wrote:
>
>     On 05/20/10 17:51, Erwin Himawan wrote:
>>    I would like to configure my DCS's SCEP operation for manual
>>    approval, in which the router uses SCEP to submit the request and
>>    the CA agent will manually approve the request and modify it
>>    (if needed).
>>
>>    Does anybody have any idea how to configure the DCS CA?
>>
>>    I am thinking of cloning the caRouterCert profile. I am not sure
>>    what to specify to enable the agent to approve the incoming request.
>>    Am I in the right direction?
>
>     You could try to modify the caRouterCert profile by replacing
>     auth.instance_id=raCertAuth
>     with
>     auth.instance_id=
>     Adding a new profile requires extending the profile list in CS.cfg.
>
>>    Thanks,
>>    Erwin
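Andrew's two steps above (blank auth.instance_id in the profile, and extend the profile list in CS.cfg whenever a new profile is added) as a script, plus a check on the debug lines Erwin quotes so the change can be confirmed once the CA is restarted. This is an added example, not code from the thread and not Dogtag's own tooling. The instance paths, the caEnrollImpl class id, the new profile id caRouterCertAgent and the sample file contents are assumptions or constructed stand-ins; check them against your own instance before using apply_to_instance() on a real CA. Keep in mind what Erwin then reports: in his test the CA did not hold the request for an agent but issued the certificate immediately, so until that behaviour is understood a profile with no authenticator on a reachable SCEP endpoint is effectively unauthenticated auto-enrollment.

```python
"""Clone a Dogtag CA enrollment profile into a variant with no authenticator
and register it in CS.cfg (Andrew's two steps). Added example, not Dogtag's
own tooling. Assumed, not from the thread: the instance paths, the
caEnrollImpl class id, the new profile id, and the constructed sample texts,
which hold only the keys this script touches.
"""
import re
from pathlib import Path

PROFILE_DIR = Path("/var/lib/pki-ca/profiles/ca")  # assumed instance layout
CS_CFG = Path("/var/lib/pki-ca/conf/CS.cfg")       # assumed instance layout

# Constructed sample of a profile file (key=value, one per line).
SAMPLE_PROFILE = """\
desc=Enrolls router certificates submitted over SCEP
name=Router Certificate Enrollment
visible=false
enable=true
auth.instance_id=raCertAuth
input.list=i1,i2
policyset.list=routerCertSet
"""

# Constructed sample of the profile section of CS.cfg.
SAMPLE_CS_CFG = """\
profile.list=caUserCert,caServerCert,caRouterCert
profile.caUserCert.class_id=caEnrollImpl
profile.caUserCert.config=/var/lib/pki-ca/profiles/ca/caUserCert.cfg
profile.caServerCert.class_id=caEnrollImpl
profile.caServerCert.config=/var/lib/pki-ca/profiles/ca/caServerCert.cfg
profile.caRouterCert.class_id=caEnrollImpl
profile.caRouterCert.config=/var/lib/pki-ca/profiles/ca/caRouterCert.cfg
"""

# Constructed CA debug lines in the shape Erwin quotes above.
SAMPLE_DEBUG = ["Found profile=caUserCert", "Retrieving Authenticator",
                "Found profile=caRouterCert", "Retrieving Authenticator",
                "no Authenticator Found"]


def get_key(text, key):
    """Value of key=... or None if the key is absent."""
    m = re.search(rf"^{re.escape(key)}=(.*)$", text, re.M)
    return m.group(1) if m else None


def set_key(text, key, value):
    """Replace key=... in place, or append it if the file lacks the key."""
    pattern = rf"^{re.escape(key)}=.*$"
    line = f"{key}={value}"
    if re.search(pattern, text, re.M):
        return re.sub(pattern, lambda _: line, text, count=1, flags=re.M)
    return text.rstrip("\n") + "\n" + line + "\n"


def clone_profile(src_text, new_name, new_desc):
    """Step 1: copy of the profile with auth.instance_id blanked (no
    authenticator); every other key, the policy set included, is kept."""
    out = set_key(src_text, "auth.instance_id", "")
    out = set_key(out, "name", new_name)
    return set_key(out, "desc", new_desc)


def register_profile(cs_cfg_text, src_id, new_id, config_path):
    """Step 2: add new_id to profile.list and give it class_id/config entries,
    copying class_id from the source profile. Running it twice changes nothing."""
    ids = [p for p in (get_key(cs_cfg_text, "profile.list") or "").split(",") if p]
    if new_id not in ids:
        ids.append(new_id)
    out = set_key(cs_cfg_text, "profile.list", ",".join(ids))
    class_id = get_key(out, f"profile.{src_id}.class_id") or "caEnrollImpl"  # fallback assumed
    out = set_key(out, f"profile.{new_id}.class_id", class_id)
    return set_key(out, f"profile.{new_id}.config", str(config_path))


def profiles_without_authenticator(debug_lines):
    """Post-restart check: profiles for which the debug log reports
    'no Authenticator Found' after the matching 'Found profile=<id>' line."""
    flagged, current = set(), None
    for raw in debug_lines:
        line = raw.strip()
        if line.startswith("Found profile="):
            current = line.split("=", 1)[1]
        elif line == "no Authenticator Found" and current:
            flagged.add(current)
    return flagged


def apply_to_instance(src_id="caRouterCert", new_id="caRouterCertAgent"):
    """Write the clone beside the original and register it in CS.cfg; restart
    the CA afterwards so the new CS.cfg is read."""
    dst = PROFILE_DIR / f"{new_id}.cfg"
    src_text = (PROFILE_DIR / f"{src_id}.cfg").read_text()
    dst.write_text(clone_profile(src_text, "Router Certificate (agent approval)",
                                 "SCEP router enrollment held for agent approval"))
    CS_CFG.write_text(register_profile(CS_CFG.read_text(), src_id, new_id, dst))
    return dst


if __name__ == "__main__":
    # Dry run on the constructed samples; nothing on disk is touched.
    print(clone_profile(SAMPLE_PROFILE, "Router Certificate (agent approval)",
                        "SCEP router enrollment held for agent approval"))
    print(register_profile(SAMPLE_CS_CFG, "caRouterCert", "caRouterCertAgent",
                           PROFILE_DIR / "caRouterCertAgent.cfg"))
    print(profiles_without_authenticator(SAMPLE_DEBUG))
```

The profile copy keeps every policy and input of the original, so only the authentication step changes; diff the generated file against the source before restarting, and after the restart grep the debug log with profiles_without_authenticator() to confirm the new profile, and only that profile, runs without an authenticator.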