From alexander.w.jung at gmail.com  Wed Nov 10 10:02:25 2010
From: alexander.w.jung at gmail.com (Alexander Jung)
Date: Wed, 10 Nov 2010 11:02:25 +0100
Subject: [Pki-users] connect dogtag to a existing Key in a luna HSM ?
Message-ID: <AANLkTi=7irbf6_nz5y_7aze-P++4Y8M2fn1+e-T-3U2R@mail.gmail.com>

Hello,

we have a Microsoft CA that we'd like to migrate to a dogtag instance.

We built a few tools to import all the requests and certificates from
the Microsoft CA into a LDAP-Server used by the dogtag - this works so
far.

The CA key for the Microsoft CA has been generated in a Safenet Luna
K3 HSM and cannot be extracted from there, so we'll have to connect
the dogtag to this key in our HSM.

How can we do that ?

Mit freundlichen Gr??en,

Alexander Jung



From cfu at redhat.com  Wed Nov 10 17:14:55 2010
From: cfu at redhat.com (Christina Fu)
Date: Wed, 10 Nov 2010 09:14:55 -0800
Subject: [Pki-users] connect dogtag to a existing Key in a luna HSM ?
In-Reply-To: <AANLkTi=7irbf6_nz5y_7aze-P++4Y8M2fn1+e-T-3U2R@mail.gmail.com>
References: <AANLkTi=7irbf6_nz5y_7aze-P++4Y8M2fn1+e-T-3U2R@mail.gmail.com>
Message-ID: <4CDAD30F.1060208@redhat.com>

I use modutil to add crypto modules to the nss dbs like this:

shut down server
# cd <dogtag instance dir>/alias
# modutil -certdb . -nocertdb -add lunasa -libfile 
/usr/lunasa/lib/libCryptoki2.so
then you can list it:
# modutil -dbdir . -list

to test see the cert before you config more on the server, use certutil 
like this:
# certutil -d . -L -n "<nickname of your cert>"

Once you are sure it's hooked up correctly, modify your config with 
right token name, nickname etc.
I think the rest should be on migration or admin guide you can search.
Then you need to reissue your other system certs by using this CA's 
signing cert.

Hope this helps.
Christina

On 11/10/2010 02:02 AM, Alexander Jung wrote:
> Hello,
>
> we have a Microsoft CA that we'd like to migrate to a dogtag instance.
>
> We built a few tools to import all the requests and certificates from
> the Microsoft CA into a LDAP-Server used by the dogtag - this works so
> far.
>
> The CA key for the Microsoft CA has been generated in a Safenet Luna
> K3 HSM and cannot be extracted from there, so we'll have to connect
> the dogtag to this key in our HSM.
>
> How can we do that ?
>
> Mit freundlichen Gr??en,
>
> Alexander Jung
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>    


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5998 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/pki-users/attachments/20101110/9a8ef3ab/attachment.p7s>

From cfu at redhat.com  Wed Nov 10 17:18:48 2010
From: cfu at redhat.com (Christina Fu)
Date: Wed, 10 Nov 2010 09:18:48 -0800
Subject: [Pki-users] connect dogtag to a existing Key in a luna HSM ?
In-Reply-To: <4CDAD30F.1060208@redhat.com>
References: <AANLkTi=7irbf6_nz5y_7aze-P++4Y8M2fn1+e-T-3U2R@mail.gmail.com>
	<4CDAD30F.1060208@redhat.com>
Message-ID: <4CDAD3F8.7070203@redhat.com>

On 11/10/2010 09:14 AM, Christina Fu wrote:
> I use modutil to add crypto modules to the nss dbs like this:
>
> shut down server
> # cd <dogtag instance dir>/alias
> # modutil -certdb . -nocertdb -add lunasa -libfile 
> /usr/lunasa/lib/libCryptoki2.so
> then you can list it:
> # modutil -dbdir . -list
>
> to test see the cert before you config more on the server, use 
> certutil like this:
> # certutil -d . -L -n "<nickname of your cert>"

correction, you need -h for certutil to access the token:
# certutil -d . -h <token name> -L -n "<nickname of your cert>

>
> Once you are sure it's hooked up correctly, modify your config with 
> right token name, nickname etc.
> I think the rest should be on migration or admin guide you can search.
> Then you need to reissue your other system certs by using this CA's 
> signing cert.
>
> Hope this helps.
> Christina
>
> On 11/10/2010 02:02 AM, Alexander Jung wrote:
>> Hello,
>>
>> we have a Microsoft CA that we'd like to migrate to a dogtag instance.
>>
>> We built a few tools to import all the requests and certificates from
>> the Microsoft CA into a LDAP-Server used by the dogtag - this works so
>> far.
>>
>> The CA key for the Microsoft CA has been generated in a Safenet Luna
>> K3 HSM and cannot be extracted from there, so we'll have to connect
>> the dogtag to this key in our HSM.
>>
>> How can we do that ?
>>
>> Mit freundlichen Gr??en,
>>
>> Alexander Jung
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>    

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20101110/f0724e70/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5998 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/pki-users/attachments/20101110/f0724e70/attachment.p7s>

From fabeisageek at googlemail.com  Thu Nov 11 07:56:53 2010
From: fabeisageek at googlemail.com (Fabian Bertholm)
Date: Thu, 11 Nov 2010 08:56:53 +0100
Subject: [Pki-users] Dogtag TPS wizard - java.lang.NullPointerException on
	last button
Message-ID: <AANLkTinKVMdM5_Y=SfofMn1S4=m4Xi2ynb__sOfwWSmY@mail.gmail.com>

Hi guys,

I've done a Dogtag PKI Testsetup on a Fedora 13 system.
I really got to the last button on the last wizard and it failed.

I am currently stuck and hope someone can point out where I can search
for the problem.

I stand at the last page of the TPS setup wizard (Import Administrator
Certificate), I click on next and I get an internal server error.
This is the content of the debug file at /var/log/pki-tps/

Thu Nov 11 08:37:47 CET 2010 - TPS wizard: update returns status '1'
Thu Nov 11 08:37:47 CET 2010 - TPS wizard: about to find out about sub panel
Thu Nov 11 08:37:47 CET 2010 - TPS wizard: no sub panel and is not subpanel
Thu Nov 11 08:37:47 CET 2010 - TPS wizard: after looking into about sub panel
Thu Nov 11 08:37:48 CET 2010 - DonePanel: display
Thu Nov 11 08:37:48 CET 2010 - DonePanel: register_tps at
https://pki-server1:9544
Thu Nov 11 08:37:48 CET 2010 - DonePanel: subsystem CA
uri=/ca/admin/ca/registerUser
Thu Nov 11 08:37:48 CET 2010 - DonePanel: Connecting to Security Domain
Thu Nov 11 08:37:48 CET 2010 - DonePanel: Security Domain Info
https://pki-server1:9544
Thu Nov 11 08:37:49 CET 2010 - ReqCertInfo: update got token name =
NSS Certificate DB
Thu Nov 11 08:37:49 CET 2010 - DonePanel: Connecting
Thu Nov 11 08:37:52 CET 2010 - req = HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Length: 234
Date: Thu, 11 Nov 2010 07:37:52 GMT
Connection: close

<HTML>
<BODY BGCOLOR=white>
<P>
The Certificate System has encountered an unrecoverable error.
<P>
Error Message:<BR>
<I>java.lang.NullPointerException</I>
<P>
Please contact your local administrator for assistance.
</BODY>
</HTML>


Subject: CN=pki-server1,OU=pki-subca,O=ST Test SubCA 1 Domain
Issuer : CN=Certificate Authority,OU=pki-subca,O=ST Test SubCA 1 Domain
bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1

Thu Nov 11 08:37:52 CET 2010 - DonePanel: result
Thu Nov 11 08:37:53 CET 2010 - DonePanel: register_tps at
https://pki-server1:13443
Thu Nov 11 08:37:53 CET 2010 - DonePanel: subsystem TKS
uri=/tks/admin/tks/registerUser
Thu Nov 11 08:37:53 CET 2010 - DonePanel: Connecting to Security Domain
Thu Nov 11 08:37:54 CET 2010 - DonePanel: Security Domain Info
https://pki-server1:13443
Thu Nov 11 08:37:54 CET 2010 - ReqCertInfo: update got token name =
NSS Certificate DB
Thu Nov 11 08:37:55 CET 2010 - DonePanel: Connecting
Thu Nov 11 08:37:56 CET 2010 - req =
Thu Nov 11 08:37:56 CET 2010 - DonePanel: result
Thu Nov 11 08:37:56 CET 2010 - DonePanel: KRA available

best regards
Fabian



From ckannan at redhat.com  Thu Nov 11 14:28:19 2010
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Thu, 11 Nov 2010 06:28:19 -0800
Subject: [Pki-users] Dogtag TPS wizard - java.lang.NullPointerException
 on	last button
In-Reply-To: <AANLkTinKVMdM5_Y=SfofMn1S4=m4Xi2ynb__sOfwWSmY@mail.gmail.com>
References: <AANLkTinKVMdM5_Y=SfofMn1S4=m4Xi2ynb__sOfwWSmY@mail.gmail.com>
Message-ID: <4CDBFD83.5020504@redhat.com>

On 11/10/2010 11:56 PM, Fabian Bertholm wrote:
> Hi guys,
>
> I've done a Dogtag PKI Testsetup on a Fedora 13 system.
> I really got to the last button on the last wizard and it failed.
>
> I am currently stuck and hope someone can point out where I can search
> for the problem.
>
> I stand at the last page of the TPS setup wizard (Import Administrator
> Certificate), I click on next and I get an internal server error.
> This is the content of the debug file at /var/log/pki-tps/
>
> Thu Nov 11 08:37:47 CET 2010 - TPS wizard: update returns status '1'
> Thu Nov 11 08:37:47 CET 2010 - TPS wizard: about to find out about sub panel
> Thu Nov 11 08:37:47 CET 2010 - TPS wizard: no sub panel and is not subpanel
> Thu Nov 11 08:37:47 CET 2010 - TPS wizard: after looking into about sub panel
> Thu Nov 11 08:37:48 CET 2010 - DonePanel: display
> Thu Nov 11 08:37:48 CET 2010 - DonePanel: register_tps at
> https://pki-server1:9544
> Thu Nov 11 08:37:48 CET 2010 - DonePanel: subsystem CA
> uri=/ca/admin/ca/registerUser
> Thu Nov 11 08:37:48 CET 2010 - DonePanel: Connecting to Security Domain
> Thu Nov 11 08:37:48 CET 2010 - DonePanel: Security Domain Info
> https://pki-server1:9544
> Thu Nov 11 08:37:49 CET 2010 - ReqCertInfo: update got token name =
> NSS Certificate DB
> Thu Nov 11 08:37:49 CET 2010 - DonePanel: Connecting
> Thu Nov 11 08:37:52 CET 2010 - req = HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Content-Type: text/html
> Content-Length: 234
> Date: Thu, 11 Nov 2010 07:37:52 GMT
> Connection: close
>
> <HTML>
> <BODY BGCOLOR=white>
> <P>
> The Certificate System has encountered an unrecoverable error.
> <P>
> Error Message:<BR>
> <I>java.lang.NullPointerException</I>
> <P>
> Please contact your local administrator for assistance.
> </BODY>
> </HTML>

Can you paste the corresponding ca,tks,kra - debug logs ?


>
> Subject: CN=pki-server1,OU=pki-subca,O=ST Test SubCA 1 Domain
> Issuer : CN=Certificate Authority,OU=pki-subca,O=ST Test SubCA 1 Domain
> bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1
>
> Thu Nov 11 08:37:52 CET 2010 - DonePanel: result
> Thu Nov 11 08:37:53 CET 2010 - DonePanel: register_tps at
> https://pki-server1:13443
> Thu Nov 11 08:37:53 CET 2010 - DonePanel: subsystem TKS
> uri=/tks/admin/tks/registerUser
> Thu Nov 11 08:37:53 CET 2010 - DonePanel: Connecting to Security Domain
> Thu Nov 11 08:37:54 CET 2010 - DonePanel: Security Domain Info
> https://pki-server1:13443
> Thu Nov 11 08:37:54 CET 2010 - ReqCertInfo: update got token name =
> NSS Certificate DB
> Thu Nov 11 08:37:55 CET 2010 - DonePanel: Connecting
> Thu Nov 11 08:37:56 CET 2010 - req =
> Thu Nov 11 08:37:56 CET 2010 - DonePanel: result
> Thu Nov 11 08:37:56 CET 2010 - DonePanel: KRA available
>
> best regards
> Fabian
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users



From fabeisageek at googlemail.com  Thu Nov 11 15:49:45 2010
From: fabeisageek at googlemail.com (Fabian Bertholm)
Date: Thu, 11 Nov 2010 16:49:45 +0100
Subject: [Pki-users] Dogtag TPS wizard - java.lang.NullPointerException
 on last button
In-Reply-To: <4CDBFD83.5020504@redhat.com>
References: <AANLkTinKVMdM5_Y=SfofMn1S4=m4Xi2ynb__sOfwWSmY@mail.gmail.com>
	<4CDBFD83.5020504@redhat.com>
Message-ID: <AANLkTik9Uw5VoEmXJZ07tFMmZLFi5qRN0UUgicMjHDCo@mail.gmail.com>

Hi,

I tried a second time. Here is the log of the ca and from the tps.
I skipped pki-kra and pki-tks because there are no log entries after
the startup and no errors on startup.
Ath the ca thre is the line:
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser: exception
thrown: java.lang.NullPointerException
Wher does this come from?

best regards,
Fabian

pki-subca/debug:
<next button pressed>
[11/Nov/2010:16:25:46][http-9545-Processor24]: CMSServlet:service()
uri = /ca/admin/ca/getDomainXML
[11/Nov/2010:16:25:46][http-9545-Processor24]: CMSServlet:
caGetDomainXML start to service.
[11/Nov/2010:16:25:46][http-9545-Processor24]: GetDomainXML: processing...
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapBoundConnFactory: init
[11/Nov/2010:16:25:46][http-9545-Processor24]:
LdapBoundConnFactory:doCloning true
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init()
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init begins
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init:
prompt is Internal LDAP Database
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init: try
getting from memory cache
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init: got
password from memory
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init:
password found for prompt.
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: password
ok: store in memory cache
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init ends
[11/Nov/2010:16:25:46][http-9545-Processor24]: init: before
makeConnection errorIfDown is false
[11/Nov/2010:16:25:46][http-9545-Processor24]: makeConnection: errorIfDown false
[11/Nov/2010:16:25:46][http-9545-Processor24]: Established LDAP
connection using basic authentication to host localhost port 389 as
cn=Directory Manager
[11/Nov/2010:16:25:46][http-9545-Processor24]: initializing with
mininum 3 and maximum 15 connections to host localhost port 389,
secure connection, false, authentication type 1
[11/Nov/2010:16:25:46][http-9545-Processor24]: increasing minimum
connections by 3
[11/Nov/2010:16:25:46][http-9545-Processor24]: new total available connections 3
[11/Nov/2010:16:25:46][http-9545-Processor24]: new number of connections 3
[11/Nov/2010:16:25:46][http-9545-Processor24]: getConn: mNumConns now 2
[11/Nov/2010:16:25:46][http-9545-Processor24]: Releasing ldap connection
[11/Nov/2010:16:25:46][http-9545-Processor24]: returnConn: mNumConns now 3
[11/Nov/2010:16:25:46][http-9545-Processor24]: CMSServlet: curDate=Thu
Nov 11 16:25:46 CET 2010 id=caGetDomainXML time=546
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet:service()
uri = /ca/admin/ca/registerUser
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service()
param name='certificate' value=''
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service()
param name='name' value='Token Processing Subsystem'
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service()
param name='auth_hostname' value='pki-server1'
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service()
param name='uid' value='TPS-pki-server1-7889'
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service()
param name='auth_port' value='9544'
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service()
param name='xmlOutput' value='true'
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service()
param name='sessionID' value='326321180524051384'
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet:
caRegisterUser start to service.
[11/Nov/2010:16:25:50][http-9544-Processor21]: UpdateUpdater: processing...
[11/Nov/2010:16:25:50][http-9544-Processor21]: IP: 192.168.253.35
[11/Nov/2010:16:25:50][http-9544-Processor21]: AuthMgrName: TokenAuth
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet: no client
certificate found
[11/Nov/2010:16:25:50][http-9544-Processor21]: TokenAuthentication: start
[11/Nov/2010:16:25:50][http-9544-Processor21]: TokenAuthentication:
content=sessionID=326321180524051384&hostname=192.168.253.35
[11/Nov/2010:16:25:50][http-9544-Processor24]: CMSServlet:service()
uri = /ca/ee/ca/tokenAuthenticate
[11/Nov/2010:16:25:50][http-9544-Processor24]: CMSServlet::service()
param name='hostname' value='192.168.253.35'
[11/Nov/2010:16:25:50][http-9544-Processor24]: CMSServlet::service()
param name='sessionID' value='326321180524051384'
[11/Nov/2010:16:25:50][http-9544-Processor24]: CMSServlet:
caTokenAuthenticate start to service.
[11/Nov/2010:16:25:50][http-9544-Processor24]: TokenAuthentication:
sessionId=326321180524051384
[11/Nov/2010:16:25:50][http-9544-Processor24]: TokenAuthentication:
givenHost=192.168.253.35
[11/Nov/2010:16:25:50][http-9544-Processor24]: TokenAuthentication:
checking session in the session table
[11/Nov/2010:16:25:50][http-9544-Processor24]: CMSEngine:
getPasswordStore(): password store initialized before.
[11/Nov/2010:16:25:50][http-9544-Processor24]: CMSEngine:
getPasswordStore(): password store initialized.
[11/Nov/2010:16:25:51][http-9544-Processor24]: TokenAuthentication:
found session
[11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine:
getPasswordStore(): password store initialized before.
[11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine:
getPasswordStore(): password store initialized.
[11/Nov/2010:16:25:51][http-9544-Processor24]: TokenAuthentication:
hostname and givenHost matched
[11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine:
getPasswordStore(): password store initialized before.
[11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine:
getPasswordStore(): password store initialized.
[11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine:
getPasswordStore(): password store initialized before.
[11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine:
getPasswordStore(): password store initialized.
[11/Nov/2010:16:25:52][http-9544-Processor24]: TokenAuthenticate
successfully authenticate
[11/Nov/2010:16:25:52][http-9544-Processor24]: CMSServlet: curDate=Thu
Nov 11 16:25:52 CET 2010 id=caTokenAuthenticate time=1292
[11/Nov/2010:16:25:52][http-9544-Processor21]: TokenAuthentication: status=0
[11/Nov/2010:16:25:52][http-9544-Processor21]: SessionContext.USER_ID
admin SessionContext.GROUP_ID Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: TokenAuthentication:
authenticated uid=admin, gid=Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: userid=null
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: in auditSubjectID
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet:
auditSubjectID auditContext {locale=de_DE, groupid=Enterprise TPS
Administrators, userid=admin, ipAddress=192.168.253.35,
authManagerId=TokenAuth}
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet
auditSubjectID: subjectID: admin
[11/Nov/2010:16:25:52][http-9544-Processor21]:
SignedAuditEventFactory: create()
message=[AuditEvent=AUTH_SUCCESS][SubjectID=admin][Outcome=Success][AuthMgr=TokenAuth]
authentication success

[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser
authentication successful.
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: in auditSubjectID
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet:
auditSubjectID auditContext {locale=de_DE, groupid=Enterprise TPS
Administrators, userid=admin, ipAddress=192.168.253.35,
authManagerId=TokenAuth}
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet
auditSubjectID: subjectID: admin
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: in auditGroupID
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet:
auditGroupID auditContext {locale=de_DE, groupid=Enterprise TPS
Administrators, userid=admin, ipAddress=192.168.253.35,
authManagerId=TokenAuth}
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet
auditGroupID: groupID: Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: checkACLS(): ACLEntry
expressions= group="Enterprise CA Administrators" || group="Enterprise
KRA Administrators" || group="Enterprise RA Administrators" ||
group="Enterprise OCSP Administrators" || group="Enterprise TKS
Administrators" || group="Enterprise TPS Administrators"
[11/Nov/2010:16:25:52][http-9544-Processor21]: evaluating expressions:
group="Enterprise CA Administrators" || group="Enterprise KRA
Administrators" || group="Enterprise RA Administrators" ||
group="Enterprise OCSP Administrators" || group="Enterprise TKS
Administrators" || group="Enterprise TPS Administrators"
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
evaluate: uid=admin value="Enterprise CA Administrators"
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
evaluate: authToken gid=Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression:
group="Enterprise CA Administrators" to be false
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
evaluate: uid=admin value="Enterprise KRA Administrators"
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
evaluate: authToken gid=Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression:
group="Enterprise KRA Administrators" to be false
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
evaluate: uid=admin value="Enterprise RA Administrators"
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
evaluate: authToken gid=Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression:
group="Enterprise RA Administrators" to be false
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
evaluate: uid=admin value="Enterprise OCSP Administrators"
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
evaluate: authToken gid=Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression:
group="Enterprise OCSP Administrators" to be false
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
evaluate: uid=admin value="Enterprise TKS Administrators"
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
evaluate: authToken gid=Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression:
group="Enterprise TKS Administrators" to be false
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
evaluate: uid=admin value="Enterprise TPS Administrators"
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
evaluate: authToken gid=Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression:
group="Enterprise TPS Administrators" to be true
[11/Nov/2010:16:25:52][http-9544-Processor21]: DirAclAuthz: authorization passed
[11/Nov/2010:16:25:52][http-9544-Processor21]:
SignedAuditEventFactory: create()
message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=admin][Outcome=Success][aclResource=certServer.ca.registerUser][Op=modify]
authorization success

[11/Nov/2010:16:25:52][http-9544-Processor21]: getConn: mNumConns now 2
[11/Nov/2010:16:25:52][http-9544-Processor21]: returnConn: mNumConns now 3
[11/Nov/2010:16:25:52][http-9544-Processor21]:
SignedAuditEventFactory: create()
message=[AuditEvent=ROLE_ASSUME][SubjectID=Enterprise TPS
Administrators][Outcome=Success][Role=Certificate Manager Agents,
Administrators, Security Domain Administrators, Enterprise CA
Administrators, Enterprise KRA Administrators, Enterprise OCSP
Administrators, Enterprise TKS Administrators, Enterprise RA
Administrators, Enterprise TPS Administrators] assume privileged role

[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser
authorization successful.
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser got
uid=TPS-pki-server1-7889
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser got
name=Token Processing Subsystem
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser got certsString=
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser: exception
thrown: java.lang.NullPointerException
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser NOT found
user by cert
[11/Nov/2010:16:25:52][http-9544-Processor21]: getConn: mNumConns now 2
[11/Nov/2010:16:25:52][http-9544-Processor21]: returnConn: mNumConns now 3
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser found user
by uid TPS-pki-server1-7889
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser error
java.lang.NullPointerException
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: curDate=Thu
Nov 11 16:25:52 CET 2010 id=caRegisterUser time=1685

pki-tps/debug:
Thu Nov 11 16:25:48 CET 2010 - DonePanel: display
Thu Nov 11 16:25:48 CET 2010 - DonePanel: register_tps at
https://pki-server1:9544
Thu Nov 11 16:25:48 CET 2010 - DonePanel: subsystem CA
uri=/ca/admin/ca/registerUser
Thu Nov 11 16:25:48 CET 2010 - DonePanel: Connecting to Security Domain
Thu Nov 11 16:25:48 CET 2010 - DonePanel: Security Domain Info
https://pki-server1:9544
Thu Nov 11 16:25:49 CET 2010 - ReqCertInfo: update got token name =
NSS Certificate DB
Thu Nov 11 16:25:50 CET 2010 - DonePanel: Connecting
Thu Nov 11 16:25:52 CET 2010 - req = HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Content-Length: 126
Date: Thu, 11 Nov 2010 15:25:52 GMT
Connection: close

<?xml version="1.0"
encoding="UTF-8"?><XMLResponse><Status>1</Status><Error>Error:
Certificate malformed</Error></XMLResponse>
Subject: CN=pki-server1,OU=pki-subca,O=ST Test SubCA 1 Domain
Issuer : CN=Certificate Authority,OU=pki-subca,O=ST Test SubCA 1 Domain
bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1

Thu Nov 11 16:25:53 CET 2010 - DonePanel: result
<XMLResponse><Status>1</Status><Error>Error: Certificate
malformed</Error></XMLResponse>
Thu Nov 11 16:25:53 CET 2010 - DonePanel: register_tps at
https://pki-server1:13443
Thu Nov 11 16:25:53 CET 2010 - DonePanel: subsystem TKS
uri=/tks/admin/tks/registerUser
Thu Nov 11 16:25:54 CET 2010 - ReqCertInfo: update got token name =
NSS Certificate DB
Thu Nov 11 16:25:54 CET 2010 - DonePanel: Connecting
Thu Nov 11 16:25:55 CET 2010 - req =
Thu Nov 11 16:25:55 CET 2010 - DonePanel: result
Thu Nov 11 16:25:55 CET 2010 - DonePanel: KRA available
Thu Nov 11 16:25:55 CET 2010 - DonePanel: register_tps at
https://pki-server1:10443
Thu Nov 11 16:25:55 CET 2010 - DonePanel: subsystem KRA
uri=/kra/admin/kra/registerUser
Thu Nov 11 16:25:56 CET 2010 - DonePanel: Connecting to Security Domain
Thu Nov 11 16:25:56 CET 2010 - DonePanel: Security Domain Info
https://pki-server1:10443
Thu Nov 11 16:25:56 CET 2010 - ReqCertInfo: update got token name =
NSS Certificate DB
Thu Nov 11 16:25:56 CET 2010 - DonePanel: Connecting
Thu Nov 11 16:25:58 CET 2010 - req =
Thu Nov 11 16:25:58 CET 2010 - DonePanel: result
Thu Nov 11 16:25:58 CET 2010 - DonePanel: Connecting to KRA

pki-tps/error_log:
[Thu Nov 11 16:25:41 2010] [info] Initial (No.1) HTTPS request
received for child 59 (server 192
.168.253.35:7890)
sh: host:https://pki-server1:9543/-: No such file or directory
GET /ca/admin/ca/getDomainXML HTTP/1.0

port: 9545
addr='pki-server1'
family='2'
-- SSL3: Server Certificate Validated.
PR_Write wrote 42 bytes from bigBuf
bytes: [GET /ca/admin/ca/getDomainXML HTTP/1.0

]
do_writes shutting down send socket
do_writes exiting with (failure = 0)
connection 1 read 2541 bytes (2541 total).
these bytes read:
connection 1 read 2541 bytes total. -----------------------------
[Thu Nov 11 16:25:48 2010] -e: Use of uninitialized value $status in
string eq at /var/lib/pki-tps/lib/perl/PKI/TPS/DonePanel.pm line 289.
certutil: Could not find cert: subsystemCert cert-pki-tps0
: File not found.



From jmagne at redhat.com  Thu Nov 11 18:20:40 2010
From: jmagne at redhat.com (Jack Magne)
Date: Thu, 11 Nov 2010 10:20:40 -0800
Subject: [Pki-users] Dogtag TPS wizard - java.lang.NullPointerException
 on last button
In-Reply-To: <AANLkTik9Uw5VoEmXJZ07tFMmZLFi5qRN0UUgicMjHDCo@mail.gmail.com>
References: <AANLkTinKVMdM5_Y=SfofMn1S4=m4Xi2ynb__sOfwWSmY@mail.gmail.com>	<4CDBFD83.5020504@redhat.com>
	<AANLkTik9Uw5VoEmXJZ07tFMmZLFi5qRN0UUgicMjHDCo@mail.gmail.com>
Message-ID: <4CDC33F8.6060703@redhat.com>

On 11/11/2010 07:49 AM, Fabian Bertholm wrote:
> Hi,
>
> I tried a second time. Here is the log of the ca and from the tps.
> I skipped pki-kra and pki-tks because there are no log entries after
> the startup and no errors on startup.
> Ath the ca thre is the line:
> [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser: exception
> thrown: java.lang.NullPointerException
> Wher does this come from?
>
> best regards,
> Fabian
>
> pki-subca/debug:
> <next button pressed>
> [11/Nov/2010:16:25:46][http-9545-Processor24]: CMSServlet:service()
> uri = /ca/admin/ca/getDomainXML
> [11/Nov/2010:16:25:46][http-9545-Processor24]: CMSServlet:
> caGetDomainXML start to service.
> [11/Nov/2010:16:25:46][http-9545-Processor24]: GetDomainXML: processing...
> [11/Nov/2010:16:25:46][http-9545-Processor24]: LdapBoundConnFactory: init
> [11/Nov/2010:16:25:46][http-9545-Processor24]:
> LdapBoundConnFactory:doCloning true
> [11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init()
> [11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init begins
> [11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init:
> prompt is Internal LDAP Database
> [11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init: try
> getting from memory cache
> [11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init: got
> password from memory
> [11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init:
> password found for prompt.
> [11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: password
> ok: store in memory cache
> [11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init ends
> [11/Nov/2010:16:25:46][http-9545-Processor24]: init: before
> makeConnection errorIfDown is false
> [11/Nov/2010:16:25:46][http-9545-Processor24]: makeConnection: errorIfDown false
> [11/Nov/2010:16:25:46][http-9545-Processor24]: Established LDAP
> connection using basic authentication to host localhost port 389 as
> cn=Directory Manager
> [11/Nov/2010:16:25:46][http-9545-Processor24]: initializing with
> mininum 3 and maximum 15 connections to host localhost port 389,
> secure connection, false, authentication type 1
> [11/Nov/2010:16:25:46][http-9545-Processor24]: increasing minimum
> connections by 3
> [11/Nov/2010:16:25:46][http-9545-Processor24]: new total available connections 3
> [11/Nov/2010:16:25:46][http-9545-Processor24]: new number of connections 3
> [11/Nov/2010:16:25:46][http-9545-Processor24]: getConn: mNumConns now 2
> [11/Nov/2010:16:25:46][http-9545-Processor24]: Releasing ldap connection
> [11/Nov/2010:16:25:46][http-9545-Processor24]: returnConn: mNumConns now 3
> [11/Nov/2010:16:25:46][http-9545-Processor24]: CMSServlet: curDate=Thu
> Nov 11 16:25:46 CET 2010 id=caGetDomainXML time=546
> [11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet:service()
> uri = /ca/admin/ca/registerUser
> [11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service()
> param name='certificate' value=''
> [11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service()
> param name='name' value='Token Processing Subsystem'
> [11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service()
> param name='auth_hostname' value='pki-server1'
> [11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service()
> param name='uid' value='TPS-pki-server1-7889'
> [11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service()
> param name='auth_port' value='9544'
> [11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service()
> param name='xmlOutput' value='true'
> [11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service()
> param name='sessionID' value='326321180524051384'
> [11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet:
> caRegisterUser start to service.
> [11/Nov/2010:16:25:50][http-9544-Processor21]: UpdateUpdater: processing...
> [11/Nov/2010:16:25:50][http-9544-Processor21]: IP: 192.168.253.35
> [11/Nov/2010:16:25:50][http-9544-Processor21]: AuthMgrName: TokenAuth
> [11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet: no client
> certificate found
> [11/Nov/2010:16:25:50][http-9544-Processor21]: TokenAuthentication: start
> [11/Nov/2010:16:25:50][http-9544-Processor21]: TokenAuthentication:
> content=sessionID=326321180524051384&hostname=192.168.253.35
> [11/Nov/2010:16:25:50][http-9544-Processor24]: CMSServlet:service()
> uri = /ca/ee/ca/tokenAuthenticate
> [11/Nov/2010:16:25:50][http-9544-Processor24]: CMSServlet::service()
> param name='hostname' value='192.168.253.35'
> [11/Nov/2010:16:25:50][http-9544-Processor24]: CMSServlet::service()
> param name='sessionID' value='326321180524051384'
> [11/Nov/2010:16:25:50][http-9544-Processor24]: CMSServlet:
> caTokenAuthenticate start to service.
> [11/Nov/2010:16:25:50][http-9544-Processor24]: TokenAuthentication:
> sessionId=326321180524051384
> [11/Nov/2010:16:25:50][http-9544-Processor24]: TokenAuthentication:
> givenHost=192.168.253.35
> [11/Nov/2010:16:25:50][http-9544-Processor24]: TokenAuthentication:
> checking session in the session table
> [11/Nov/2010:16:25:50][http-9544-Processor24]: CMSEngine:
> getPasswordStore(): password store initialized before.
> [11/Nov/2010:16:25:50][http-9544-Processor24]: CMSEngine:
> getPasswordStore(): password store initialized.
> [11/Nov/2010:16:25:51][http-9544-Processor24]: TokenAuthentication:
> found session
> [11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine:
> getPasswordStore(): password store initialized before.
> [11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine:
> getPasswordStore(): password store initialized.
> [11/Nov/2010:16:25:51][http-9544-Processor24]: TokenAuthentication:
> hostname and givenHost matched
> [11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine:
> getPasswordStore(): password store initialized before.
> [11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine:
> getPasswordStore(): password store initialized.
> [11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine:
> getPasswordStore(): password store initialized before.
> [11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine:
> getPasswordStore(): password store initialized.
> [11/Nov/2010:16:25:52][http-9544-Processor24]: TokenAuthenticate
> successfully authenticate
> [11/Nov/2010:16:25:52][http-9544-Processor24]: CMSServlet: curDate=Thu
> Nov 11 16:25:52 CET 2010 id=caTokenAuthenticate time=1292
> [11/Nov/2010:16:25:52][http-9544-Processor21]: TokenAuthentication: status=0
> [11/Nov/2010:16:25:52][http-9544-Processor21]: SessionContext.USER_ID
> admin SessionContext.GROUP_ID Enterprise TPS Administrators
> [11/Nov/2010:16:25:52][http-9544-Processor21]: TokenAuthentication:
> authenticated uid=admin, gid=Enterprise TPS Administrators
> [11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: userid=null
> [11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: in auditSubjectID
> [11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet:
> auditSubjectID auditContext {locale=de_DE, groupid=Enterprise TPS
> Administrators, userid=admin, ipAddress=192.168.253.35,
> authManagerId=TokenAuth}
> [11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet
> auditSubjectID: subjectID: admin
> [11/Nov/2010:16:25:52][http-9544-Processor21]:
> SignedAuditEventFactory: create()
> message=[AuditEvent=AUTH_SUCCESS][SubjectID=admin][Outcome=Success][AuthMgr=TokenAuth]
> authentication success
>
> [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser
> authentication successful.
> [11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: in auditSubjectID
> [11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet:
> auditSubjectID auditContext {locale=de_DE, groupid=Enterprise TPS
> Administrators, userid=admin, ipAddress=192.168.253.35,
> authManagerId=TokenAuth}
> [11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet
> auditSubjectID: subjectID: admin
> [11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: in auditGroupID
> [11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet:
> auditGroupID auditContext {locale=de_DE, groupid=Enterprise TPS
> Administrators, userid=admin, ipAddress=192.168.253.35,
> authManagerId=TokenAuth}
> [11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet
> auditGroupID: groupID: Enterprise TPS Administrators
> [11/Nov/2010:16:25:52][http-9544-Processor21]: checkACLS(): ACLEntry
> expressions= group="Enterprise CA Administrators" || group="Enterprise
> KRA Administrators" || group="Enterprise RA Administrators" ||
> group="Enterprise OCSP Administrators" || group="Enterprise TKS
> Administrators" || group="Enterprise TPS Administrators"
> [11/Nov/2010:16:25:52][http-9544-Processor21]: evaluating expressions:
> group="Enterprise CA Administrators" || group="Enterprise KRA
> Administrators" || group="Enterprise RA Administrators" ||
> group="Enterprise OCSP Administrators" || group="Enterprise TKS
> Administrators" || group="Enterprise TPS Administrators"
> [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
> evaluate: uid=admin value="Enterprise CA Administrators"
> [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
> evaluate: authToken gid=Enterprise TPS Administrators
> [11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression:
> group="Enterprise CA Administrators" to be false
> [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
> evaluate: uid=admin value="Enterprise KRA Administrators"
> [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
> evaluate: authToken gid=Enterprise TPS Administrators
> [11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression:
> group="Enterprise KRA Administrators" to be false
> [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
> evaluate: uid=admin value="Enterprise RA Administrators"
> [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
> evaluate: authToken gid=Enterprise TPS Administrators
> [11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression:
> group="Enterprise RA Administrators" to be false
> [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
> evaluate: uid=admin value="Enterprise OCSP Administrators"
> [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
> evaluate: authToken gid=Enterprise TPS Administrators
> [11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression:
> group="Enterprise OCSP Administrators" to be false
> [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
> evaluate: uid=admin value="Enterprise TKS Administrators"
> [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
> evaluate: authToken gid=Enterprise TPS Administrators
> [11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression:
> group="Enterprise TKS Administrators" to be false
> [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
> evaluate: uid=admin value="Enterprise TPS Administrators"
> [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator:
> evaluate: authToken gid=Enterprise TPS Administrators
> [11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression:
> group="Enterprise TPS Administrators" to be true
> [11/Nov/2010:16:25:52][http-9544-Processor21]: DirAclAuthz: authorization passed
> [11/Nov/2010:16:25:52][http-9544-Processor21]:
> SignedAuditEventFactory: create()
> message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=admin][Outcome=Success][aclResource=certServer.ca.registerUser][Op=modify]
> authorization success
>
> [11/Nov/2010:16:25:52][http-9544-Processor21]: getConn: mNumConns now 2
> [11/Nov/2010:16:25:52][http-9544-Processor21]: returnConn: mNumConns now 3
> [11/Nov/2010:16:25:52][http-9544-Processor21]:
> SignedAuditEventFactory: create()
> message=[AuditEvent=ROLE_ASSUME][SubjectID=Enterprise TPS
> Administrators][Outcome=Success][Role=Certificate Manager Agents,
> Administrators, Security Domain Administrators, Enterprise CA
> Administrators, Enterprise KRA Administrators, Enterprise OCSP
> Administrators, Enterprise TKS Administrators, Enterprise RA
> Administrators, Enterprise TPS Administrators] assume privileged role
>
> [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser
> authorization successful.
> [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser got
> uid=TPS-pki-server1-7889
> [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser got
> name=Token Processing Subsystem
> [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser got certsString=
> [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser: exception
> thrown: java.lang.NullPointerException
> [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser NOT found
> user by cert
> [11/Nov/2010:16:25:52][http-9544-Processor21]: getConn: mNumConns now 2
> [11/Nov/2010:16:25:52][http-9544-Processor21]: returnConn: mNumConns now 3
> [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser found user
> by uid TPS-pki-server1-7889
> [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser error
> java.lang.NullPointerException
> [11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: curDate=Thu
> Nov 11 16:25:52 CET 2010 id=caRegisterUser time=1685
>
> pki-tps/debug:
> Thu Nov 11 16:25:48 CET 2010 - DonePanel: display
> Thu Nov 11 16:25:48 CET 2010 - DonePanel: register_tps at
> https://pki-server1:9544
> Thu Nov 11 16:25:48 CET 2010 - DonePanel: subsystem CA
> uri=/ca/admin/ca/registerUser
> Thu Nov 11 16:25:48 CET 2010 - DonePanel: Connecting to Security Domain
> Thu Nov 11 16:25:48 CET 2010 - DonePanel: Security Domain Info
> https://pki-server1:9544
> Thu Nov 11 16:25:49 CET 2010 - ReqCertInfo: update got token name =
> NSS Certificate DB
> Thu Nov 11 16:25:50 CET 2010 - DonePanel: Connecting
> Thu Nov 11 16:25:52 CET 2010 - req = HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Content-Type: application/xml
> Content-Length: 126
> Date: Thu, 11 Nov 2010 15:25:52 GMT
> Connection: close
>
> <?xml version="1.0"
> encoding="UTF-8"?><XMLResponse><Status>1</Status><Error>Error:
> Certificate malformed</Error></XMLResponse>
> Subject: CN=pki-server1,OU=pki-subca,O=ST Test SubCA 1 Domain
> Issuer : CN=Certificate Authority,OU=pki-subca,O=ST Test SubCA 1 Domain
> bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1
>
> Thu Nov 11 16:25:53 CET 2010 - DonePanel: result
> <XMLResponse><Status>1</Status><Error>Error: Certificate
> malformed</Error></XMLResponse>
> Thu Nov 11 16:25:53 CET 2010 - DonePanel: register_tps at
> https://pki-server1:13443
> Thu Nov 11 16:25:53 CET 2010 - DonePanel: subsystem TKS
> uri=/tks/admin/tks/registerUser
> Thu Nov 11 16:25:54 CET 2010 - ReqCertInfo: update got token name =
> NSS Certificate DB
> Thu Nov 11 16:25:54 CET 2010 - DonePanel: Connecting
> Thu Nov 11 16:25:55 CET 2010 - req =
> Thu Nov 11 16:25:55 CET 2010 - DonePanel: result
> Thu Nov 11 16:25:55 CET 2010 - DonePanel: KRA available
> Thu Nov 11 16:25:55 CET 2010 - DonePanel: register_tps at
> https://pki-server1:10443
> Thu Nov 11 16:25:55 CET 2010 - DonePanel: subsystem KRA
> uri=/kra/admin/kra/registerUser
> Thu Nov 11 16:25:56 CET 2010 - DonePanel: Connecting to Security Domain
> Thu Nov 11 16:25:56 CET 2010 - DonePanel: Security Domain Info
> https://pki-server1:10443
> Thu Nov 11 16:25:56 CET 2010 - ReqCertInfo: update got token name =
> NSS Certificate DB
> Thu Nov 11 16:25:56 CET 2010 - DonePanel: Connecting
> Thu Nov 11 16:25:58 CET 2010 - req =
> Thu Nov 11 16:25:58 CET 2010 - DonePanel: result
> Thu Nov 11 16:25:58 CET 2010 - DonePanel: Connecting to KRA
>
> pki-tps/error_log:
> [Thu Nov 11 16:25:41 2010] [info] Initial (No.1) HTTPS request
> received for child 59 (server 192
> .168.253.35:7890)
> sh: host:https://pki-server1:9543/-: No such file or directory
> GET /ca/admin/ca/getDomainXML HTTP/1.0
>
> port: 9545
> addr='pki-server1'
> family='2'
> -- SSL3: Server Certificate Validated.
> PR_Write wrote 42 bytes from bigBuf
> bytes: [GET /ca/admin/ca/getDomainXML HTTP/1.0
>
> ]
> do_writes shutting down send socket
> do_writes exiting with (failure = 0)
> connection 1 read 2541 bytes (2541 total).
> these bytes read:
> connection 1 read 2541 bytes total. -----------------------------
> [Thu Nov 11 16:25:48 2010] -e: Use of uninitialized value $status in
> string eq at /var/lib/pki-tps/lib/perl/PKI/TPS/DonePanel.pm line 289.
> certutil: Could not find cert: subsystemCert cert-pki-tps0
> : File not found.
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>    
Hi:

It looks like the CA is expecting a certificate blob that should have 
been generated by the tps installer and sent to the ca.

Couple things that may help: You might take a look in the log file:  
/var/lib/pki-tps/error_log. Also make sure you have access to 
/usr/bin/certutil utility.



From fabeisageek at googlemail.com  Fri Nov 12 10:40:34 2010
From: fabeisageek at googlemail.com (Fabian Bertholm)
Date: Fri, 12 Nov 2010 11:40:34 +0100
Subject: [Pki-users] Dogtag TPS wizard - java.lang.NullPointerException
 on last button
In-Reply-To: <4CDC33F8.6060703@redhat.com>
References: <AANLkTinKVMdM5_Y=SfofMn1S4=m4Xi2ynb__sOfwWSmY@mail.gmail.com>
	<4CDBFD83.5020504@redhat.com>
	<AANLkTik9Uw5VoEmXJZ07tFMmZLFi5qRN0UUgicMjHDCo@mail.gmail.com>
	<4CDC33F8.6060703@redhat.com>
Message-ID: <AANLkTi=8ozntqnJxTtJgXGJuGdWyubZuMN+WZMX5LzQy@mail.gmail.com>

Hi,

I stepped back with my VM to a clean state and tried and debugged it again.
It seems that the reported exception resultet from an unclean state of
the system after the first bug.
The initial point were it all stops is at the DonePanel.pm:169
[Wed Nov 10 18:10:55 2010] -e: Use of uninitialized value $content in
concatenation (.) or string at
/var/lib/pki-tps/lib/perl/PKI/TPS/DonePanel.pm line 169.

I have debugged a little bit into the code and I can see that this
line is called three times.
The first call gets a cert from the ca, this seems working now for the
first time! When I try to do the same call again with the shell I get
the same Java exception as before. The next two calls try to get a
certificate from the tks und the kra. These calls to sslget fail. I
copied out the call and when using the shell by hand it looks like
this on kra and tks:

exit after PR_Write bigBuf with error -5938:

When opening the secure agent port with firefox this fails too.
Nevertheless pkiconsole on the TKS and KRA instances seems to be ok
for me.

/usr/bin/sslget -e "uid=TPS-pki-server1-7889&name=Token Processing
Subsystem&certificate=%0AMIIDxDCCAqygAwIBAgIBGTANBgkqhkiG9w0BAQsFADBcMSYwJAYDVQQKEx1hZHN0%0D%0AZWMgU1QgVGVzdCBTdWJDQSAxIERvbWFpbjESMBAGA1UECxMJcGtpLXN1YmNhMR4w%0D%0AHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTAxMTEwMTY1ODM5WhcN%0D%0AMTIxMDMwMTU0MzQyWjBeMSYwJAYDVQQKEx1hZHN0ZWMgU1QgVGVzdCBTdWJDQSAx%0D%0AIERvbWFpbjEQMA4GA1UECxMHcGtpLXRwczEiMCAGA1UEAxMZVFBTIFN1YnN5c3Rl%0D%0AbSBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL3Q%0D%0AcZLS9BEd8jRONyQFB31ouHbO0xB2Y6ligvf6r3yQLDwwyuMrqIG%2FvHdSngFSyMUT%0D%0AHBZ7c%2FZnVi%2BK%2FgTbMVc0OBH%2FdH9PT%2FCCxGZ6zKWTCQJXbGk2imCe%2FKkYzd1XwBAc%0D%0AHrrarptqUv1IUX9NMPMlhjHZBvZ19HsC2QOHD4RaNGSlOWSKJDuXFqi2xEJsA1hH%0D%0AN0CkGaRmoRZYxZu6mgiH4lIl0xJ%2FbIC5rhi6bspzovudSEKGgn%2B35b57UvYi0RRG%0D%0AwOx1%2FYyNYXrWKEte0MiXqNORIW89aexx0eMUK4eTOeZFCEgiQcSBT2AWOIN9Z6HM%0D%0AtGrUVWrfwF3tUsEy69sCAwEAAaOBjjCBizAfBgNVHSMEGDAWgBSrCUp6f0Motmdc%0D%0A8dyKBDh3I4DEcjBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAGGJ2h0dHA6Ly9h%0D%0AZHMtdGVjLXBraS1zZXJ2ZXIxOjk1ODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAw%0D%0AEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAEMX6VF9lBWt%0D%0AiD9DLa2sD%2Faq5ZC8tGWIdSzdOXG3289Y%2BlFfySNQV7xSLZ5sqjOl0KtKGs6vBZUw%0D%0Apb2wgdlb8yaZH9cDiZYPvxeQMQIv5VykUpffMrXNJ8jbHDxdZzL9ugJj67sesOG8%0D%0AHUfAVYEkToxCesYiA0pH1tA22s2UZoQz9IdVKAkMh%2FLE0HU%2FI8gN7cda5c4oI1x0%0D%0Azt%2BV0INU8NbWTMhC5z0hEYdhMSS3d4zMX1%2BYqL%2BCjCqViRQOwjq4pqux8YLqmlkh%0D%0A2bfI2qLYZTUnd0Hlx9ZG107kGQu4aBVxnrNHGa3vuySmv6tUIjfkmuo3BN9uTg2y%0D%0A1tj7Fc76%2FDA%3D&xmlOutput=true&sessionID=4612580003447971825&auth_hostname=pki-server1&auth_port=9544"
-d "/var/lib/pki-tps/alias" -p "618281087997" -v -n "Server-Cert
cert-pki-tps" -r "/kra/admin/kra/registerUser" pki-server1:10443
POST /kra/admin/kra/registerUser HTTP/1.0
Content-Length: 1624
Content-Type: application/x-www-form-urlencoded

uid=TPS-pki-server1-7889&name=Token Processing
Subsystem&certificate=%0AMIIDxDCCAqygAwIBAgIBGTANBgkqhkiG9w0BAQsFADBcMSYwJAYDVQQKEx1hZHN0%0D%0AZWMgU1QgVGVzdCBTdWJDQSAxIERvbWFpbjESMBAGA1UECxMJcGtpLXN1YmNhMR4w%0D%0AHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTAxMTEwMTY1ODM5WhcN%0D%0AMTIxMDMwMTU0MzQyWjBeMSYwJAYDVQQKEx1hZHN0ZWMgU1QgVGVzdCBTdWJDQSAx%0D%0AIERvbWFpbjEQMA4GA1UECxMHcGtpLXRwczEiMCAGA1UEAxMZVFBTIFN1YnN5c3Rl%0D%0AbSBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL3Q%0D%0AcZLS9BEd8jRONyQFB31ouHbO0xB2Y6ligvf6r3yQLDwwyuMrqIG%2FvHdSngFSyMUT%0D%0AHBZ7c%2FZnVi%2BK%2FgTbMVc0OBH%2FdH9PT%2FCCxGZ6zKWTCQJXbGk2imCe%2FKkYzd1XwBAc%0D%0AHrrarptqUv1IUX9NMPMlhjHZBvZ19HsC2QOHD4RaNGSlOWSKJDuXFqi2xEJsA1hH%0D%0AN0CkGaRmoRZYxZu6mgiH4lIl0xJ%2FbIC5rhi6bspzovudSEKGgn%2B35b57UvYi0RRG%0D%0AwOx1%2FYyNYXrWKEte0MiXqNORIW89aexx0eMUK4eTOeZFCEgiQcSBT2AWOIN9Z6HM%0D%0AtGrUVWrfwF3tUsEy69sCAwEAAaOBjjCBizAfBgNVHSMEGDAWgBSrCUp6f0Motmdc%0D%0A8dyKBDh3I4DEcjBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAGGJ2h0dHA6Ly9h%0D%0AZHMtdGVjLXBraS1zZXJ2ZXIxOjk1ODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAw%0D%0AEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAEMX6VF9lBWt%0D%0AiD9DLa2sD%2Faq5ZC8tGWIdSzdOXG3289Y%2BlFfySNQV7xSLZ5sqjOl0KtKGs6vBZUw%0D%0Apb2wgdlb8yaZH9cDiZYPvxeQMQIv5VykUpffMrXNJ8jbHDxdZzL9ugJj67sesOG8%0D%0AHUfAVYEkToxCesYiA0pH1tA22s2UZoQz9IdVKAkMh%2FLE0HU%2FI8gN7cda5c4oI1x0%0D%0Azt%2BV0INU8NbWTMhC5z0hEYdhMSS3d4zMX1%2BYqL%2BCjCqViRQOwjq4pqux8YLqmlkh%0D%0A2bfI2qLYZTUnd0Hlx9ZG107kGQu4aBVxnrNHGa3vuySmv6tUIjfkmuo3BN9uTg2y%0D%0A1tj7Fc76%2FDA%3D&xmlOutput=true&sessionID=4612580003447971825&auth_hostname=pki-server1&auth_port=9544port:
10443
addr='pki-server1'
family='2'
exit after PR_Write bigBuf with error -5938:



From harshanahnd at gmail.com  Mon Nov 15 06:27:57 2010
From: harshanahnd at gmail.com (Harshana Porawagama)
Date: Mon, 15 Nov 2010 11:57:57 +0530
Subject: [Pki-users] Cloning a Dogtag CS 1.3 on Fedora13
Message-ID: <AANLkTikVp8wS4PkhqDJGBkzR497361D5j5+qq-XULBof@mail.gmail.com>

Hi,

I have been trying a create a clone of a Certificate system. I the cloning
machine when configuring the Internal Databases, it waits indefinitely
without giving a result. When I checked the errors log which is in
"/var/log/dirsrv/slapd-<instance>/errors" it is giving the following error.

[15/Nov/2010:11:33:08 +051800] NSMMReplicationPlugin -
agmt="cn=cloneAgreement1-cac.test.lk-pki-ca" (ca:389): Replica has a
different generation ID than the local data.

Does anybody know how to fix this issue?

The whole log file is attached.

-- 
Best Regards,
Harshana
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20101115/3b2a5fae/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: errors
Type: application/octet-stream
Size: 13302 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-users/attachments/20101115/3b2a5fae/attachment.obj>

From kchamart at redhat.com  Mon Nov 15 06:43:23 2010
From: kchamart at redhat.com (Kashyap Chamarthy)
Date: Mon, 15 Nov 2010 12:13:23 +0530
Subject: [Pki-users] Cloning a Dogtag CS 1.3 on Fedora13
In-Reply-To: <AANLkTikVp8wS4PkhqDJGBkzR497361D5j5+qq-XULBof@mail.gmail.com>
References: <AANLkTikVp8wS4PkhqDJGBkzR497361D5j5+qq-XULBof@mail.gmail.com>
Message-ID: <4CE0D68B.1000809@redhat.com>

On 11/15/2010 11:57 AM, Harshana Porawagama wrote:
> Hi,
>
> I have been trying a create a clone of a Certificate system. I the
> cloning machine when configuring the Internal Databases, it waits
> indefinitely without giving a result. When I checked the errors log
> which is in "/var/log/dirsrv/slapd-<instance>/errors" it is giving the
> following error.

Are you using a separate  slapd-instance for clone-CA ?

/kashyap

>
> [15/Nov/2010:11:33:08 +051800] NSMMReplicationPlugin -
> agmt="cn=cloneAgreement1-cac.test.lk-pki-ca" (ca:389): Replica has a
> different generation ID than the local data.
>
> Does anybody know how to fix this issue?
>
> The whole log file is attached.
>
> --
> Best Regards,
> Harshana
>
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users



From harshanahnd at gmail.com  Mon Nov 15 07:31:47 2010
From: harshanahnd at gmail.com (Harshana Porawagama)
Date: Mon, 15 Nov 2010 13:01:47 +0530
Subject: [Pki-users] Cloning a Dogtag CS 1.3 on Fedora13
In-Reply-To: <4CE0D68B.1000809@redhat.com>
References: <AANLkTikVp8wS4PkhqDJGBkzR497361D5j5+qq-XULBof@mail.gmail.com>
	<4CE0D68B.1000809@redhat.com>
Message-ID: <AANLkTikHCLqgj9g2uEKW1soT=kz7tJWiz6sS9M2puzt7@mail.gmail.com>

On Mon, Nov 15, 2010 at 12:13 PM, Kashyap Chamarthy <kchamart at redhat.com>wrote:

> On 11/15/2010 11:57 AM, Harshana Porawagama wrote:
>
>> Hi,
>>
>> I have been trying a create a clone of a Certificate system. I the
>> cloning machine when configuring the Internal Databases, it waits
>> indefinitely without giving a result. When I checked the errors log
>> which is in "/var/log/dirsrv/slapd-<instance>/errors" it is giving the
>> following error.
>>
>
> Are you using a separate  slapd-instance for clone-CA ?
>
Yes.


>
> /kashyap
>
>
>> [15/Nov/2010:11:33:08 +051800] NSMMReplicationPlugin -
>> agmt="cn=cloneAgreement1-cac.test.lk-pki-ca" (ca:389): Replica has a
>> different generation ID than the local data.
>>
>> Does anybody know how to fix this issue?
>>
>> The whole log file is attached.
>>
>> --
>> Best Regards,
>> Harshana
>>
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
>


-- 
Best Regards,
Harshana
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20101115/55347bf2/attachment.htm>

From msauton at redhat.com  Mon Nov 15 17:39:51 2010
From: msauton at redhat.com (Marc Sauton)
Date: Mon, 15 Nov 2010 09:39:51 -0800
Subject: [Pki-users] Cloning a Dogtag CS 1.3 on Fedora13
In-Reply-To: <AANLkTikHCLqgj9g2uEKW1soT=kz7tJWiz6sS9M2puzt7@mail.gmail.com>
References: <AANLkTikVp8wS4PkhqDJGBkzR497361D5j5+qq-XULBof@mail.gmail.com>	<4CE0D68B.1000809@redhat.com>
	<AANLkTikHCLqgj9g2uEKW1soT=kz7tJWiz6sS9M2puzt7@mail.gmail.com>
Message-ID: <4CE17067.5040808@redhat.com>

On 11/14/2010 11:31 PM, Harshana Porawagama wrote:
>
>
> On Mon, Nov 15, 2010 at 12:13 PM, Kashyap Chamarthy 
> <kchamart at redhat.com <mailto:kchamart at redhat.com>> wrote:
>
>     On 11/15/2010 11:57 AM, Harshana Porawagama wrote:
>
>         Hi,
>
>         I have been trying a create a clone of a Certificate system. I the
>         cloning machine when configuring the Internal Databases, it waits
>         indefinitely without giving a result. When I checked the
>         errors log
>         which is in "/var/log/dirsrv/slapd-<instance>/errors" it is
>         giving the
>         following error.
>
>
>     Are you using a separate  slapd-instance for clone-CA ?
>
> Yes.
It likely means that for some reason the LDAP replica was not 
initialized, something unexpected probably happened during the web 
configuration wizard, was not completed (or re-done?), which is not 
supposed to happen.
You may want to review your CA's debug and install logs as well as the 
ns-slapd's logs to get some hint/detail.
>
>
>     /kashyap
>
>
>         [15/Nov/2010:11:33:08 +051800] NSMMReplicationPlugin -
>         agmt="cn=cloneAgreement1-cac.test.lk-pki-ca" (ca:389): Replica
>         has a
>         different generation ID than the local data.
>
>         Does anybody know how to fix this issue?
>
>         The whole log file is attached.
>
>         --
>         Best Regards,
>         Harshana
>
>
>
>
>         _______________________________________________
>         Pki-users mailing list
>         Pki-users at redhat.com <mailto:Pki-users at redhat.com>
>         https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
>
>
> -- 
> Best Regards,
> Harshana
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20101115/bff84cae/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6014 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/pki-users/attachments/20101115/bff84cae/attachment.p7s>

From harshanahnd at gmail.com  Tue Nov 16 04:30:26 2010
From: harshanahnd at gmail.com (Harshana Porawagama)
Date: Tue, 16 Nov 2010 10:00:26 +0530
Subject: [Pki-users] Cloning a Dogtag CS 1.3 on Fedora13
In-Reply-To: <4CE17067.5040808@redhat.com>
References: <AANLkTikVp8wS4PkhqDJGBkzR497361D5j5+qq-XULBof@mail.gmail.com>
	<4CE0D68B.1000809@redhat.com>
	<AANLkTikHCLqgj9g2uEKW1soT=kz7tJWiz6sS9M2puzt7@mail.gmail.com>
	<4CE17067.5040808@redhat.com>
Message-ID: <AANLkTim23_kuhkdGrY=t7AKoocucKPirA+WCYpJyYNOu@mail.gmail.com>

Hi,

Infact I was able to resolve the error referring to the following
conversation,

https://www.redhat.com/archives/pki-users/2009-May/msg00004.html

I used FQDN instead of localhost when connecting to the internal database.
That resolved the replication error.

Thanks,
Harshana



On Mon, Nov 15, 2010 at 11:09 PM, Marc Sauton <msauton at redhat.com> wrote:

>  On 11/14/2010 11:31 PM, Harshana Porawagama wrote:
>
>
>
> On Mon, Nov 15, 2010 at 12:13 PM, Kashyap Chamarthy <kchamart at redhat.com>wrote:
>
>> On 11/15/2010 11:57 AM, Harshana Porawagama wrote:
>>
>>> Hi,
>>>
>>> I have been trying a create a clone of a Certificate system. I the
>>> cloning machine when configuring the Internal Databases, it waits
>>> indefinitely without giving a result. When I checked the errors log
>>> which is in "/var/log/dirsrv/slapd-<instance>/errors" it is giving the
>>> following error.
>>>
>>
>>  Are you using a separate  slapd-instance for clone-CA ?
>>
> Yes.
>
> It likely means that for some reason the LDAP replica was not initialized,
> something unexpected probably happened during the web configuration wizard,
> was not completed (or re-done?), which is not supposed to happen.
> You may want to review your CA's debug and install logs as well as the
> ns-slapd's logs to get some hint/detail.
>
>
>> /kashyap
>>
>>
>>> [15/Nov/2010:11:33:08 +051800] NSMMReplicationPlugin -
>>> agmt="cn=cloneAgreement1-cac.test.lk-pki-ca" (ca:389): Replica has a
>>> different generation ID than the local data.
>>>
>>> Does anybody know how to fix this issue?
>>>
>>> The whole log file is attached.
>>>
>>> --
>>> Best Regards,
>>> Harshana
>>>
>>>
>>>
>>>
>>>  _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>
>>
>>
>
>
> --
> Best Regards,
> Harshana
>
>
>
> _______________________________________________
> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>
>
>


-- 
Best Regards,
Harshana
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20101116/f497e9f9/attachment.htm>

From alexander.w.jung at gmail.com  Tue Nov 16 12:51:11 2010
From: alexander.w.jung at gmail.com (Alexander Jung)
Date: Tue, 16 Nov 2010 13:51:11 +0100
Subject: [Pki-users] connect dogtag to a existing Key in a luna HSM ?
In-Reply-To: <4CDAD3F8.7070203@redhat.com>
References: <AANLkTi=7irbf6_nz5y_7aze-P++4Y8M2fn1+e-T-3U2R@mail.gmail.com>
	<4CDAD30F.1060208@redhat.com> <4CDAD3F8.7070203@redhat.com>
Message-ID: <AANLkTinciGw6tb0cRUgQhGvM8ZRHSgDovivVbtSryaSC@mail.gmail.com>

Hi,

i already did it as you suggested, but could not see any certificates
with certutil -L -d . -h lunasa.

The reason was that the Microsoft CA did not store its certificate in
the Luna HSM, but only its public and private key. Importing the
cerificate solved this. Now the certificates and their keys are
visible and usable in the dogtag pki.

yours,

Alexander Jung



From alexander.w.jung at gmail.com  Tue Nov 16 15:07:12 2010
From: alexander.w.jung at gmail.com (Alexander Jung)
Date: Tue, 16 Nov 2010 16:07:12 +0100
Subject: [Pki-users] connect dogtag to a existing Key in a luna HSM ?
In-Reply-To: <AANLkTinciGw6tb0cRUgQhGvM8ZRHSgDovivVbtSryaSC@mail.gmail.com>
References: <AANLkTi=7irbf6_nz5y_7aze-P++4Y8M2fn1+e-T-3U2R@mail.gmail.com>
	<4CDAD30F.1060208@redhat.com> <4CDAD3F8.7070203@redhat.com>
	<AANLkTinciGw6tb0cRUgQhGvM8ZRHSgDovivVbtSryaSC@mail.gmail.com>
Message-ID: <AANLkTikK55wa_9_az_Nu21S88pFWqB+2hZxKpgz0ButD@mail.gmail.com>

Hi,

i just learned another item: jss matches the cert and the privkey by
matching CKA_ID, not CKA_LABEL...

Yours,

Alexander Jung