From alexander.w.jung at gmail.com Wed Nov 10 10:02:25 2010
From: alexander.w.jung at gmail.com (Alexander Jung)
Date: Wed, 10 Nov 2010 11:02:25 +0100
Subject: [Pki-users] connect dogtag to a existing Key in a luna HSM ?
Message-ID:

Hello,

we have a Microsoft CA that we'd like to migrate to a dogtag instance.

We built a few tools to import all the requests and certificates from the Microsoft CA into an LDAP server used by the dogtag - this works so far.

The CA key for the Microsoft CA has been generated in a Safenet Luna K3 HSM and cannot be extracted from there, so we'll have to connect the dogtag to this key in our HSM.

How can we do that?

Kind regards,

Alexander Jung

From cfu at redhat.com Wed Nov 10 17:14:55 2010
From: cfu at redhat.com (Christina Fu)
Date: Wed, 10 Nov 2010 09:14:55 -0800
Subject: [Pki-users] connect dogtag to a existing Key in a luna HSM ?
In-Reply-To:
References:
Message-ID: <4CDAD30F.1060208@redhat.com>

I use modutil to add crypto modules to the nss dbs like this:

shut down server
# cd /alias
# modutil -certdb . -nocertdb -add lunasa -libfile /usr/lunasa/lib/libCryptoki2.so
then you can list it:
# modutil -dbdir . -list

to test see the cert before you config more on the server, use certutil like this:
# certutil -d . -L -n ""

Once you are sure it's hooked up correctly, modify your config with right token name, nickname etc.
I think the rest should be on migration or admin guide you can search.
Then you need to reissue your other system certs by using this CA's signing cert.

Hope this helps.
Christina

On 11/10/2010 02:02 AM, Alexander Jung wrote:
> Hello,
>
> we have a Microsoft CA that we'd like to migrate to a dogtag instance.
>
> We built a few tools to import all the requests and certificates from
> the Microsoft CA into an LDAP server used by the dogtag - this works so
> far.
>
> The CA key for the Microsoft CA has been generated in a Safenet Luna
> K3 HSM and cannot be extracted from there, so we'll have to connect
> the dogtag to this key in our HSM.
>
> How can we do that?
>
> Kind regards,
>
> Alexander Jung

From cfu at redhat.com Wed Nov 10 17:18:48 2010
From: cfu at redhat.com (Christina Fu)
Date: Wed, 10 Nov 2010 09:18:48 -0800
Subject: [Pki-users] connect dogtag to a existing Key in a luna HSM ?
In-Reply-To: <4CDAD30F.1060208@redhat.com>
References: <4CDAD30F.1060208@redhat.com>
Message-ID: <4CDAD3F8.7070203@redhat.com>

On 11/10/2010 09:14 AM, Christina Fu wrote:
> I use modutil to add crypto modules to the nss dbs like this:
>
> shut down server
> # cd /alias
> # modutil -certdb . -nocertdb -add lunasa -libfile /usr/lunasa/lib/libCryptoki2.so
> then you can list it:
> # modutil -dbdir . -list
>
> to test see the cert before you config more on the server, use
> certutil like this:
> # certutil -d . -L -n ""

correction, you need -h for certutil to access the token:
# certutil -d . -h -L -n "

> Once you are sure it's hooked up correctly, modify your config with
> right token name, nickname etc.
> I think the rest should be on migration or admin guide you can search.
> Then you need to reissue your other system certs by using this CA's
> signing cert.
>
> Hope this helps.
> Christina
>
> On 11/10/2010 02:02 AM, Alexander Jung wrote:
>> Hello,
>>
>> we have a Microsoft CA that we'd like to migrate to a dogtag instance.
>>
>> We built a few tools to import all the requests and certificates from
>> the Microsoft CA into an LDAP server used by the dogtag - this works so
>> far.
>>
>> The CA key for the Microsoft CA has been generated in a Safenet Luna
>> K3 HSM and cannot be extracted from there, so we'll have to connect
>> the dogtag to this key in our HSM.
>>
>> How can we do that?
>>
>> Kind regards,
>>
>> Alexander Jung

From fabeisageek at googlemail.com Thu Nov 11 07:56:53 2010
From: fabeisageek at googlemail.com (Fabian Bertholm)
Date: Thu, 11 Nov 2010 08:56:53 +0100
Subject: [Pki-users] Dogtag TPS wizard - java.lang.NullPointerException on last button
Message-ID:

Hi guys,

I've done a Dogtag PKI Testsetup on a Fedora 13 system.
I really got to the last button on the last wizard and it failed.

I am currently stuck and hope someone can point out where I can search for the problem.

I stand at the last page of the TPS setup wizard (Import Administrator Certificate), I click on next and I get an internal server error.
This is the content of the debug file at /var/log/pki-tps/

Thu Nov 11 08:37:47 CET 2010 - TPS wizard: update returns status '1'
Thu Nov 11 08:37:47 CET 2010 - TPS wizard: about to find out about sub panel
Thu Nov 11 08:37:47 CET 2010 - TPS wizard: no sub panel and is not subpanel
Thu Nov 11 08:37:47 CET 2010 - TPS wizard: after looking into about sub panel
Thu Nov 11 08:37:48 CET 2010 - DonePanel: display
Thu Nov 11 08:37:48 CET 2010 - DonePanel: register_tps at https://pki-server1:9544
Thu Nov 11 08:37:48 CET 2010 - DonePanel: subsystem CA uri=/ca/admin/ca/registerUser
Thu Nov 11 08:37:48 CET 2010 - DonePanel: Connecting to Security Domain
Thu Nov 11 08:37:48 CET 2010 - DonePanel: Security Domain Info https://pki-server1:9544
Thu Nov 11 08:37:49 CET 2010 - ReqCertInfo: update got token name = NSS Certificate DB
Thu Nov 11 08:37:49 CET 2010 - DonePanel: Connecting
Thu Nov 11 08:37:52 CET 2010 - req = HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Length: 234
Date: Thu, 11 Nov 2010 07:37:52 GMT
Connection: close

The Certificate System has encountered an unrecoverable error.
Error Message:
java.lang.NullPointerException
Please contact your local administrator for assistance.

Subject: CN=pki-server1,OU=pki-subca,O=ST Test SubCA 1 Domain
Issuer : CN=Certificate Authority,OU=pki-subca,O=ST Test SubCA 1 Domain
bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1

Thu Nov 11 08:37:52 CET 2010 - DonePanel: result
Thu Nov 11 08:37:53 CET 2010 - DonePanel: register_tps at https://pki-server1:13443
Thu Nov 11 08:37:53 CET 2010 - DonePanel: subsystem TKS uri=/tks/admin/tks/registerUser
Thu Nov 11 08:37:53 CET 2010 - DonePanel: Connecting to Security Domain
Thu Nov 11 08:37:54 CET 2010 - DonePanel: Security Domain Info https://pki-server1:13443
Thu Nov 11 08:37:54 CET 2010 - ReqCertInfo: update got token name = NSS Certificate DB
Thu Nov 11 08:37:55 CET 2010 - DonePanel: Connecting
Thu Nov 11 08:37:56 CET 2010 - req =
Thu Nov 11 08:37:56 CET 2010 - DonePanel: result
Thu Nov 11 08:37:56 CET 2010 - DonePanel: KRA available

best regards
Fabian

From ckannan at redhat.com Thu Nov 11 14:28:19 2010
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Thu, 11 Nov 2010 06:28:19 -0800
Subject: [Pki-users] Dogtag TPS wizard - java.lang.NullPointerException on last button
In-Reply-To:
References:
Message-ID: <4CDBFD83.5020504@redhat.com>

On 11/10/2010 11:56 PM, Fabian Bertholm wrote:
> Hi guys,
>
> I've done a Dogtag PKI Testsetup on a Fedora 13 system.
> I really got to the last button on the last wizard and it failed.
>
> I am currently stuck and hope someone can point out where I can search
> for the problem.
>
> I stand at the last page of the TPS setup wizard (Import Administrator
> Certificate), I click on next and I get an internal server error.
> This is the content of the debug file at /var/log/pki-tps/
>
> Thu Nov 11 08:37:47 CET 2010 - TPS wizard: update returns status '1'
> Thu Nov 11 08:37:47 CET 2010 - TPS wizard: about to find out about sub panel
> Thu Nov 11 08:37:47 CET 2010 - TPS wizard: no sub panel and is not subpanel
> Thu Nov 11 08:37:47 CET 2010 - TPS wizard: after looking into about sub panel
> Thu Nov 11 08:37:48 CET 2010 - DonePanel: display
> Thu Nov 11 08:37:48 CET 2010 - DonePanel: register_tps at https://pki-server1:9544
> Thu Nov 11 08:37:48 CET 2010 - DonePanel: subsystem CA uri=/ca/admin/ca/registerUser
> Thu Nov 11 08:37:48 CET 2010 - DonePanel: Connecting to Security Domain
> Thu Nov 11 08:37:48 CET 2010 - DonePanel: Security Domain Info https://pki-server1:9544
> Thu Nov 11 08:37:49 CET 2010 - ReqCertInfo: update got token name = NSS Certificate DB
> Thu Nov 11 08:37:49 CET 2010 - DonePanel: Connecting
> Thu Nov 11 08:37:52 CET 2010 - req = HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Content-Type: text/html
> Content-Length: 234
> Date: Thu, 11 Nov 2010 07:37:52 GMT
> Connection: close
>
> The Certificate System has encountered an unrecoverable error.
> Error Message:
> java.lang.NullPointerException
> Please contact your local administrator for assistance.

Can you paste the corresponding ca,tks,kra - debug logs?

> Subject: CN=pki-server1,OU=pki-subca,O=ST Test SubCA 1 Domain
> Issuer : CN=Certificate Authority,OU=pki-subca,O=ST Test SubCA 1 Domain
> bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1
>
> Thu Nov 11 08:37:52 CET 2010 - DonePanel: result
> Thu Nov 11 08:37:53 CET 2010 - DonePanel: register_tps at https://pki-server1:13443
> Thu Nov 11 08:37:53 CET 2010 - DonePanel: subsystem TKS uri=/tks/admin/tks/registerUser
> Thu Nov 11 08:37:53 CET 2010 - DonePanel: Connecting to Security Domain
> Thu Nov 11 08:37:54 CET 2010 - DonePanel: Security Domain Info https://pki-server1:13443
> Thu Nov 11 08:37:54 CET 2010 - ReqCertInfo: update got token name = NSS Certificate DB
> Thu Nov 11 08:37:55 CET 2010 - DonePanel: Connecting
> Thu Nov 11 08:37:56 CET 2010 - req =
> Thu Nov 11 08:37:56 CET 2010 - DonePanel: result
> Thu Nov 11 08:37:56 CET 2010 - DonePanel: KRA available
>
> best regards
> Fabian

From fabeisageek at googlemail.com Thu Nov 11 15:49:45 2010
From: fabeisageek at googlemail.com (Fabian Bertholm)
Date: Thu, 11 Nov 2010 16:49:45 +0100
Subject: [Pki-users] Dogtag TPS wizard - java.lang.NullPointerException on last button
In-Reply-To: <4CDBFD83.5020504@redhat.com>
References: <4CDBFD83.5020504@redhat.com>
Message-ID:

Hi,

I tried a second time. Here is the log of the ca and from the tps.
I skipped pki-kra and pki-tks because there are no log entries after the startup and no errors on startup.
At the ca there is the line:
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser: exception thrown: java.lang.NullPointerException
Where does this come from?
best regards,
Fabian

pki-subca/debug:

[11/Nov/2010:16:25:46][http-9545-Processor24]: CMSServlet:service() uri = /ca/admin/ca/getDomainXML
[11/Nov/2010:16:25:46][http-9545-Processor24]: CMSServlet: caGetDomainXML start to service.
[11/Nov/2010:16:25:46][http-9545-Processor24]: GetDomainXML: processing...
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapBoundConnFactory: init
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapBoundConnFactory:doCloning true
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init()
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init begins
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init: prompt is Internal LDAP Database
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init: try getting from memory cache
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init: got password from memory
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init: password found for prompt.
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: password ok: store in memory cache
[11/Nov/2010:16:25:46][http-9545-Processor24]: LdapAuthInfo: init ends
[11/Nov/2010:16:25:46][http-9545-Processor24]: init: before makeConnection errorIfDown is false
[11/Nov/2010:16:25:46][http-9545-Processor24]: makeConnection: errorIfDown false
[11/Nov/2010:16:25:46][http-9545-Processor24]: Established LDAP connection using basic authentication to host localhost port 389 as cn=Directory Manager
[11/Nov/2010:16:25:46][http-9545-Processor24]: initializing with mininum 3 and maximum 15 connections to host localhost port 389, secure connection, false, authentication type 1
[11/Nov/2010:16:25:46][http-9545-Processor24]: increasing minimum connections by 3
[11/Nov/2010:16:25:46][http-9545-Processor24]: new total available connections 3
[11/Nov/2010:16:25:46][http-9545-Processor24]: new number of connections 3
[11/Nov/2010:16:25:46][http-9545-Processor24]: getConn: mNumConns now 2
[11/Nov/2010:16:25:46][http-9545-Processor24]: Releasing ldap connection
[11/Nov/2010:16:25:46][http-9545-Processor24]: returnConn: mNumConns now 3
[11/Nov/2010:16:25:46][http-9545-Processor24]: CMSServlet: curDate=Thu Nov 11 16:25:46 CET 2010 id=caGetDomainXML time=546
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet:service() uri = /ca/admin/ca/registerUser
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service() param name='certificate' value=''
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service() param name='name' value='Token Processing Subsystem'
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service() param name='auth_hostname' value='pki-server1'
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service() param name='uid' value='TPS-pki-server1-7889'
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service() param name='auth_port' value='9544'
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service() param name='xmlOutput' value='true'
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet::service() param name='sessionID' value='326321180524051384'
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet: caRegisterUser start to service.
[11/Nov/2010:16:25:50][http-9544-Processor21]: UpdateUpdater: processing...
[11/Nov/2010:16:25:50][http-9544-Processor21]: IP: 192.168.253.35
[11/Nov/2010:16:25:50][http-9544-Processor21]: AuthMgrName: TokenAuth
[11/Nov/2010:16:25:50][http-9544-Processor21]: CMSServlet: no client certificate found
[11/Nov/2010:16:25:50][http-9544-Processor21]: TokenAuthentication: start
[11/Nov/2010:16:25:50][http-9544-Processor21]: TokenAuthentication: content=sessionID=326321180524051384&hostname=192.168.253.35
[11/Nov/2010:16:25:50][http-9544-Processor24]: CMSServlet:service() uri = /ca/ee/ca/tokenAuthenticate
[11/Nov/2010:16:25:50][http-9544-Processor24]: CMSServlet::service() param name='hostname' value='192.168.253.35'
[11/Nov/2010:16:25:50][http-9544-Processor24]: CMSServlet::service() param name='sessionID' value='326321180524051384'
[11/Nov/2010:16:25:50][http-9544-Processor24]: CMSServlet: caTokenAuthenticate start to service.
[11/Nov/2010:16:25:50][http-9544-Processor24]: TokenAuthentication: sessionId=326321180524051384
[11/Nov/2010:16:25:50][http-9544-Processor24]: TokenAuthentication: givenHost=192.168.253.35
[11/Nov/2010:16:25:50][http-9544-Processor24]: TokenAuthentication: checking session in the session table
[11/Nov/2010:16:25:50][http-9544-Processor24]: CMSEngine: getPasswordStore(): password store initialized before.
[11/Nov/2010:16:25:50][http-9544-Processor24]: CMSEngine: getPasswordStore(): password store initialized.
[11/Nov/2010:16:25:51][http-9544-Processor24]: TokenAuthentication: found session
[11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine: getPasswordStore(): password store initialized before.
[11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine: getPasswordStore(): password store initialized.
[11/Nov/2010:16:25:51][http-9544-Processor24]: TokenAuthentication: hostname and givenHost matched
[11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine: getPasswordStore(): password store initialized before.
[11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine: getPasswordStore(): password store initialized.
[11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine: getPasswordStore(): password store initialized before.
[11/Nov/2010:16:25:51][http-9544-Processor24]: CMSEngine: getPasswordStore(): password store initialized.
[11/Nov/2010:16:25:52][http-9544-Processor24]: TokenAuthenticate successfully authenticate
[11/Nov/2010:16:25:52][http-9544-Processor24]: CMSServlet: curDate=Thu Nov 11 16:25:52 CET 2010 id=caTokenAuthenticate time=1292
[11/Nov/2010:16:25:52][http-9544-Processor21]: TokenAuthentication: status=0
[11/Nov/2010:16:25:52][http-9544-Processor21]: SessionContext.USER_ID admin SessionContext.GROUP_ID Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: TokenAuthentication: authenticated uid=admin, gid=Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: userid=null
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: in auditSubjectID
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: auditSubjectID auditContext {locale=de_DE, groupid=Enterprise TPS Administrators, userid=admin, ipAddress=192.168.253.35, authManagerId=TokenAuth}
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet auditSubjectID: subjectID: admin
[11/Nov/2010:16:25:52][http-9544-Processor21]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=admin][Outcome=Success][AuthMgr=TokenAuth] authentication success
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser authentication successful.
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: in auditSubjectID
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: auditSubjectID auditContext {locale=de_DE, groupid=Enterprise TPS Administrators, userid=admin, ipAddress=192.168.253.35, authManagerId=TokenAuth}
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet auditSubjectID: subjectID: admin
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: in auditGroupID
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: auditGroupID auditContext {locale=de_DE, groupid=Enterprise TPS Administrators, userid=admin, ipAddress=192.168.253.35, authManagerId=TokenAuth}
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet auditGroupID: groupID: Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: checkACLS(): ACLEntry expressions= group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
[11/Nov/2010:16:25:52][http-9544-Processor21]: evaluating expressions: group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: evaluate: uid=admin value="Enterprise CA Administrators"
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: evaluate: authToken gid=Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression: group="Enterprise CA Administrators" to be false
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: evaluate: uid=admin value="Enterprise KRA Administrators"
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: evaluate: authToken gid=Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression: group="Enterprise KRA Administrators" to be false
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: evaluate: uid=admin value="Enterprise RA Administrators"
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: evaluate: authToken gid=Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression: group="Enterprise RA Administrators" to be false
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: evaluate: uid=admin value="Enterprise OCSP Administrators"
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: evaluate: authToken gid=Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression: group="Enterprise OCSP Administrators" to be false
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: evaluate: uid=admin value="Enterprise TKS Administrators"
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: evaluate: authToken gid=Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression: group="Enterprise TKS Administrators" to be false
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: evaluate: uid=admin value="Enterprise TPS Administrators"
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: evaluate: authToken gid=Enterprise TPS Administrators
[11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression: group="Enterprise TPS Administrators" to be true
[11/Nov/2010:16:25:52][http-9544-Processor21]: DirAclAuthz: authorization passed
[11/Nov/2010:16:25:52][http-9544-Processor21]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=admin][Outcome=Success][aclResource=certServer.ca.registerUser][Op=modify] authorization success
[11/Nov/2010:16:25:52][http-9544-Processor21]: getConn: mNumConns now 2
[11/Nov/2010:16:25:52][http-9544-Processor21]: returnConn: mNumConns now 3
[11/Nov/2010:16:25:52][http-9544-Processor21]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=Enterprise TPS Administrators][Outcome=Success][Role=Certificate Manager Agents, Administrators, Security Domain Administrators, Enterprise CA Administrators, Enterprise KRA Administrators, Enterprise OCSP Administrators, Enterprise TKS Administrators, Enterprise RA Administrators, Enterprise TPS Administrators] assume privileged role
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser authorization successful.
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser got uid=TPS-pki-server1-7889
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser got name=Token Processing Subsystem
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser got certsString=
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser: exception thrown: java.lang.NullPointerException
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser NOT found user by cert
[11/Nov/2010:16:25:52][http-9544-Processor21]: getConn: mNumConns now 2
[11/Nov/2010:16:25:52][http-9544-Processor21]: returnConn: mNumConns now 3
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser found user by uid TPS-pki-server1-7889
[11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser error java.lang.NullPointerException
[11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: curDate=Thu Nov 11 16:25:52 CET 2010 id=caRegisterUser time=1685

pki-tps/debug:

Thu Nov 11 16:25:48 CET 2010 - DonePanel: display
Thu Nov 11 16:25:48 CET 2010 - DonePanel: register_tps at https://pki-server1:9544
Thu Nov 11 16:25:48 CET 2010 - DonePanel: subsystem CA uri=/ca/admin/ca/registerUser
Thu Nov 11 16:25:48 CET 2010 - DonePanel: Connecting to Security Domain
Thu Nov 11 16:25:48 CET 2010 - DonePanel: Security Domain Info https://pki-server1:9544
Thu Nov 11 16:25:49 CET 2010 - ReqCertInfo: update got token name = NSS Certificate DB
Thu Nov 11 16:25:50 CET 2010 - DonePanel: Connecting
Thu Nov 11 16:25:52 CET 2010 - req = HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Content-Length: 126
Date: Thu, 11 Nov 2010 15:25:52 GMT
Connection: close

1Error: Certificate malformed

Subject: CN=pki-server1,OU=pki-subca,O=ST Test SubCA 1 Domain
Issuer : CN=Certificate Authority,OU=pki-subca,O=ST Test SubCA 1 Domain
bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1

Thu Nov 11 16:25:53 CET 2010 - DonePanel: result 1Error: Certificate malformed
Thu Nov 11 16:25:53 CET 2010 - DonePanel: register_tps at https://pki-server1:13443
Thu Nov 11 16:25:53 CET 2010 - DonePanel: subsystem TKS uri=/tks/admin/tks/registerUser
Thu Nov 11 16:25:54 CET 2010 - ReqCertInfo: update got token name = NSS Certificate DB
Thu Nov 11 16:25:54 CET 2010 - DonePanel: Connecting
Thu Nov 11 16:25:55 CET 2010 - req =
Thu Nov 11 16:25:55 CET 2010 - DonePanel: result
Thu Nov 11 16:25:55 CET 2010 - DonePanel: KRA available
Thu Nov 11 16:25:55 CET 2010 - DonePanel: register_tps at https://pki-server1:10443
Thu Nov 11 16:25:55 CET 2010 - DonePanel: subsystem KRA uri=/kra/admin/kra/registerUser
Thu Nov 11 16:25:56 CET 2010 - DonePanel: Connecting to Security Domain
Thu Nov 11 16:25:56 CET 2010 - DonePanel: Security Domain Info https://pki-server1:10443
Thu Nov 11 16:25:56 CET 2010 - ReqCertInfo: update got token name = NSS Certificate DB
Thu Nov 11 16:25:56 CET 2010 - DonePanel: Connecting
Thu Nov 11 16:25:58 CET 2010 - req =
Thu Nov 11 16:25:58 CET 2010 - DonePanel: result
Thu Nov 11 16:25:58 CET 2010 - DonePanel: Connecting to KRA

pki-tps/error_log:

[Thu Nov 11 16:25:41 2010] [info] Initial (No.1) HTTPS request received for child 59 (server 192.168.253.35:7890)
sh: host:https://pki-server1:9543/-: No such file or directory
GET /ca/admin/ca/getDomainXML HTTP/1.0
port: 9545
addr='pki-server1'
family='2'
-- SSL3: Server Certificate Validated.
PR_Write wrote 42 bytes from bigBuf
bytes: [GET /ca/admin/ca/getDomainXML HTTP/1.0 ]
do_writes shutting down send socket
do_writes exiting with (failure = 0)
connection 1 read 2541 bytes (2541 total).
these bytes read:
connection 1 read 2541 bytes total.
-----------------------------
[Thu Nov 11 16:25:48 2010] -e: Use of uninitialized value $status in string eq at /var/lib/pki-tps/lib/perl/PKI/TPS/DonePanel.pm line 289.
certutil: Could not find cert: subsystemCert cert-pki-tps0 : File not found.

From jmagne at redhat.com Thu Nov 11 18:20:40 2010
From: jmagne at redhat.com (Jack Magne)
Date: Thu, 11 Nov 2010 10:20:40 -0800
Subject: [Pki-users] Dogtag TPS wizard - java.lang.NullPointerException on last button
In-Reply-To:
References: <4CDBFD83.5020504@redhat.com>
Message-ID: <4CDC33F8.6060703@redhat.com>

On 11/11/2010 07:49 AM, Fabian Bertholm wrote:
> Hi,
>
> I tried a second time. Here is the log of the ca and from the tps.
> I skipped pki-kra and pki-tks because there are no log entries after
> the startup and no errors on startup.
> At the ca there is the line:
> [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser: exception thrown: java.lang.NullPointerException
> Where does this come from?
>
> best regards,
> Fabian
>
> pki-subca/debug:
>
> [11/Nov/2010:16:25:46][http-9545-Processor24]: CMSServlet:service() uri = /ca/admin/ca/getDomainXML
> [11/Nov/2010:16:25:46][http-9545-Processor24]: CMSServlet: caGetDomainXML start to service.
> [11/Nov/2010:16:25:46][http-9545-Processor24]: GetDomainXML: processing...
[11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: > evaluate: authToken gid=Enterprise TPS Administrators > [11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression: > group="Enterprise KRA Administrators" to be false > [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: > evaluate: uid=admin value="Enterprise RA Administrators" > [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: > evaluate: authToken gid=Enterprise TPS Administrators > [11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression: > group="Enterprise RA Administrators" to be false > [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: > evaluate: uid=admin value="Enterprise OCSP Administrators" > [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: > evaluate: authToken gid=Enterprise TPS Administrators > [11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression: > group="Enterprise OCSP Administrators" to be false > [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: > evaluate: uid=admin value="Enterprise TKS Administrators" > [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: > evaluate: authToken gid=Enterprise TPS Administrators > [11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression: > group="Enterprise TKS Administrators" to be false > [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: > evaluate: uid=admin value="Enterprise TPS Administrators" > [11/Nov/2010:16:25:52][http-9544-Processor21]: GroupAccessEvaluator: > evaluate: authToken gid=Enterprise TPS Administrators > [11/Nov/2010:16:25:52][http-9544-Processor21]: evaluated expression: > group="Enterprise TPS Administrators" to be true > [11/Nov/2010:16:25:52][http-9544-Processor21]: DirAclAuthz: authorization passed > [11/Nov/2010:16:25:52][http-9544-Processor21]: > SignedAuditEventFactory: create() > 
message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=admin][Outcome=Success][aclResource=certServer.ca.registerUser][Op=modify] > authorization success > > [11/Nov/2010:16:25:52][http-9544-Processor21]: getConn: mNumConns now 2 > [11/Nov/2010:16:25:52][http-9544-Processor21]: returnConn: mNumConns now 3 > [11/Nov/2010:16:25:52][http-9544-Processor21]: > SignedAuditEventFactory: create() > message=[AuditEvent=ROLE_ASSUME][SubjectID=Enterprise TPS > Administrators][Outcome=Success][Role=Certificate Manager Agents, > Administrators, Security Domain Administrators, Enterprise CA > Administrators, Enterprise KRA Administrators, Enterprise OCSP > Administrators, Enterprise TKS Administrators, Enterprise RA > Administrators, Enterprise TPS Administrators] assume privileged role > > [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser > authorization successful. > [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser got > uid=TPS-pki-server1-7889 > [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser got > name=Token Processing Subsystem > [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser got certsString= > [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser: exception > thrown: java.lang.NullPointerException > [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser NOT found > user by cert > [11/Nov/2010:16:25:52][http-9544-Processor21]: getConn: mNumConns now 2 > [11/Nov/2010:16:25:52][http-9544-Processor21]: returnConn: mNumConns now 3 > [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser found user > by uid TPS-pki-server1-7889 > [11/Nov/2010:16:25:52][http-9544-Processor21]: RegisterUser error > java.lang.NullPointerException > [11/Nov/2010:16:25:52][http-9544-Processor21]: CMSServlet: curDate=Thu > Nov 11 16:25:52 CET 2010 id=caRegisterUser time=1685 > > pki-tps/debug: > Thu Nov 11 16:25:48 CET 2010 - DonePanel: display > Thu Nov 11 16:25:48 CET 2010 - DonePanel: register_tps at > https://pki-server1:9544 > Thu Nov 11 
16:25:48 CET 2010 - DonePanel: subsystem CA > uri=/ca/admin/ca/registerUser > Thu Nov 11 16:25:48 CET 2010 - DonePanel: Connecting to Security Domain > Thu Nov 11 16:25:48 CET 2010 - DonePanel: Security Domain Info > https://pki-server1:9544 > Thu Nov 11 16:25:49 CET 2010 - ReqCertInfo: update got token name = > NSS Certificate DB > Thu Nov 11 16:25:50 CET 2010 - DonePanel: Connecting > Thu Nov 11 16:25:52 CET 2010 - req = HTTP/1.1 200 OK > Server: Apache-Coyote/1.1 > Content-Type: application/xml > Content-Length: 126 > Date: Thu, 11 Nov 2010 15:25:52 GMT > Connection: close > > encoding="UTF-8"?>1Error: > Certificate malformed > Subject: CN=pki-server1,OU=pki-subca,O=ST Test SubCA 1 Domain > Issuer : CN=Certificate Authority,OU=pki-subca,O=ST Test SubCA 1 Domain > bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1 > > Thu Nov 11 16:25:53 CET 2010 - DonePanel: result > 1Error: Certificate > malformed > Thu Nov 11 16:25:53 CET 2010 - DonePanel: register_tps at > https://pki-server1:13443 > Thu Nov 11 16:25:53 CET 2010 - DonePanel: subsystem TKS > uri=/tks/admin/tks/registerUser > Thu Nov 11 16:25:54 CET 2010 - ReqCertInfo: update got token name = > NSS Certificate DB > Thu Nov 11 16:25:54 CET 2010 - DonePanel: Connecting > Thu Nov 11 16:25:55 CET 2010 - req = > Thu Nov 11 16:25:55 CET 2010 - DonePanel: result > Thu Nov 11 16:25:55 CET 2010 - DonePanel: KRA available > Thu Nov 11 16:25:55 CET 2010 - DonePanel: register_tps at > https://pki-server1:10443 > Thu Nov 11 16:25:55 CET 2010 - DonePanel: subsystem KRA > uri=/kra/admin/kra/registerUser > Thu Nov 11 16:25:56 CET 2010 - DonePanel: Connecting to Security Domain > Thu Nov 11 16:25:56 CET 2010 - DonePanel: Security Domain Info > https://pki-server1:10443 > Thu Nov 11 16:25:56 CET 2010 - ReqCertInfo: update got token name = > NSS Certificate DB > Thu Nov 11 16:25:56 CET 2010 - DonePanel: Connecting > Thu Nov 11 16:25:58 CET 2010 - req = > Thu Nov 11 16:25:58 CET 2010 - DonePanel: result > Thu Nov 11 
16:25:58 CET 2010 - DonePanel: Connecting to KRA
>
> pki-tps/error_log:
> [Thu Nov 11 16:25:41 2010] [info] Initial (No.1) HTTPS request
> received for child 59 (server 192
> .168.253.35:7890)
> sh: host:https://pki-server1:9543/-: No such file or directory
> GET /ca/admin/ca/getDomainXML HTTP/1.0
>
> port: 9545
> addr='pki-server1'
> family='2'
> -- SSL3: Server Certificate Validated.
> PR_Write wrote 42 bytes from bigBuf
> bytes: [GET /ca/admin/ca/getDomainXML HTTP/1.0
>
> ]
> do_writes shutting down send socket
> do_writes exiting with (failure = 0)
> connection 1 read 2541 bytes (2541 total).
> these bytes read:
> connection 1 read 2541 bytes total. -----------------------------
> [Thu Nov 11 16:25:48 2010] -e: Use of uninitialized value $status in
> string eq at /var/lib/pki-tps/lib/perl/PKI/TPS/DonePanel.pm line 289.
> certutil: Could not find cert: subsystemCert cert-pki-tps0
> : File not found.
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>

Hi:

It looks like the CA is expecting a certificate blob that should have been generated by the tps installer and sent to the ca.

A couple of things that may help:

You might take a look in the log file: /var/lib/pki-tps/error_log.
Also make sure you have access to /usr/bin/certutil utility.

From fabeisageek at googlemail.com Fri Nov 12 10:40:34 2010
From: fabeisageek at googlemail.com (Fabian Bertholm)
Date: Fri, 12 Nov 2010 11:40:34 +0100
Subject: [Pki-users] Dogtag TPS wizard - java.lang.NullPointerException on last button
In-Reply-To: <4CDC33F8.6060703@redhat.com>
References: <4CDBFD83.5020504@redhat.com> <4CDC33F8.6060703@redhat.com>
Message-ID:

Hi,

I stepped back with my VM to a clean state and tried and debugged it again. It seems that the reported exception resulted from an unclean state of the system after the first bug.
The initial point were it all stops is at the DonePanel.pm:169 [Wed Nov 10 18:10:55 2010] -e: Use of uninitialized value $content in concatenation (.) or string at /var/lib/pki-tps/lib/perl/PKI/TPS/DonePanel.pm line 169. I have debugged a little bit into the code and I can see that this line is called three times. The first call gets a cert from the ca, this seems working now for the first time! When I try to do the same call again with the shell I get the same Java exception as before. The next two calls try to get a certificate from the tks und the kra. These calls to sslget fail. I copied out the call and when using the shell by hand it looks like this on kra and tks: exit after PR_Write bigBuf with error -5938: When opening the secure agent port with firefox this fails too. Nevertheless pkiconsole on the TKS and KRA instances seems to be ok for me. /usr/bin/sslget -e "uid=TPS-pki-server1-7889&name=Token Processing Subsystem&certificate=%0AMIIDxDCCAqygAwIBAgIBGTANBgkqhkiG9w0BAQsFADBcMSYwJAYDVQQKEx1hZHN0%0D%0AZWMgU1QgVGVzdCBTdWJDQSAxIERvbWFpbjESMBAGA1UECxMJcGtpLXN1YmNhMR4w%0D%0AHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTAxMTEwMTY1ODM5WhcN%0D%0AMTIxMDMwMTU0MzQyWjBeMSYwJAYDVQQKEx1hZHN0ZWMgU1QgVGVzdCBTdWJDQSAx%0D%0AIERvbWFpbjEQMA4GA1UECxMHcGtpLXRwczEiMCAGA1UEAxMZVFBTIFN1YnN5c3Rl%0D%0AbSBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL3Q%0D%0AcZLS9BEd8jRONyQFB31ouHbO0xB2Y6ligvf6r3yQLDwwyuMrqIG%2FvHdSngFSyMUT%0D%0AHBZ7c%2FZnVi%2BK%2FgTbMVc0OBH%2FdH9PT%2FCCxGZ6zKWTCQJXbGk2imCe%2FKkYzd1XwBAc%0D%0AHrrarptqUv1IUX9NMPMlhjHZBvZ19HsC2QOHD4RaNGSlOWSKJDuXFqi2xEJsA1hH%0D%0AN0CkGaRmoRZYxZu6mgiH4lIl0xJ%2FbIC5rhi6bspzovudSEKGgn%2B35b57UvYi0RRG%0D%0AwOx1%2FYyNYXrWKEte0MiXqNORIW89aexx0eMUK4eTOeZFCEgiQcSBT2AWOIN9Z6HM%0D%0AtGrUVWrfwF3tUsEy69sCAwEAAaOBjjCBizAfBgNVHSMEGDAWgBSrCUp6f0Motmdc%0D%0A8dyKBDh3I4DEcjBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAGGJ2h0dHA6Ly9h%0D%0AZHMtdGVjLXBraS1zZXJ2ZXIxOjk1ODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAw%0D%0AEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQE
LBQADggEBAEMX6VF9lBWt%0D%0AiD9DLa2sD%2Faq5ZC8tGWIdSzdOXG3289Y%2BlFfySNQV7xSLZ5sqjOl0KtKGs6vBZUw%0D%0Apb2wgdlb8yaZH9cDiZYPvxeQMQIv5VykUpffMrXNJ8jbHDxdZzL9ugJj67sesOG8%0D%0AHUfAVYEkToxCesYiA0pH1tA22s2UZoQz9IdVKAkMh%2FLE0HU%2FI8gN7cda5c4oI1x0%0D%0Azt%2BV0INU8NbWTMhC5z0hEYdhMSS3d4zMX1%2BYqL%2BCjCqViRQOwjq4pqux8YLqmlkh%0D%0A2bfI2qLYZTUnd0Hlx9ZG107kGQu4aBVxnrNHGa3vuySmv6tUIjfkmuo3BN9uTg2y%0D%0A1tj7Fc76%2FDA%3D&xmlOutput=true&sessionID=4612580003447971825&auth_hostname=pki-server1&auth_port=9544" -d "/var/lib/pki-tps/alias" -p "618281087997" -v -n "Server-Cert cert-pki-tps" -r "/kra/admin/kra/registerUser" pki-server1:10443 POST /kra/admin/kra/registerUser HTTP/1.0 Content-Length: 1624 Content-Type: application/x-www-form-urlencoded uid=TPS-pki-server1-7889&name=Token Processing Subsystem&certificate=%0AMIIDxDCCAqygAwIBAgIBGTANBgkqhkiG9w0BAQsFADBcMSYwJAYDVQQKEx1hZHN0%0D%0AZWMgU1QgVGVzdCBTdWJDQSAxIERvbWFpbjESMBAGA1UECxMJcGtpLXN1YmNhMR4w%0D%0AHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTAxMTEwMTY1ODM5WhcN%0D%0AMTIxMDMwMTU0MzQyWjBeMSYwJAYDVQQKEx1hZHN0ZWMgU1QgVGVzdCBTdWJDQSAx%0D%0AIERvbWFpbjEQMA4GA1UECxMHcGtpLXRwczEiMCAGA1UEAxMZVFBTIFN1YnN5c3Rl%0D%0AbSBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL3Q%0D%0AcZLS9BEd8jRONyQFB31ouHbO0xB2Y6ligvf6r3yQLDwwyuMrqIG%2FvHdSngFSyMUT%0D%0AHBZ7c%2FZnVi%2BK%2FgTbMVc0OBH%2FdH9PT%2FCCxGZ6zKWTCQJXbGk2imCe%2FKkYzd1XwBAc%0D%0AHrrarptqUv1IUX9NMPMlhjHZBvZ19HsC2QOHD4RaNGSlOWSKJDuXFqi2xEJsA1hH%0D%0AN0CkGaRmoRZYxZu6mgiH4lIl0xJ%2FbIC5rhi6bspzovudSEKGgn%2B35b57UvYi0RRG%0D%0AwOx1%2FYyNYXrWKEte0MiXqNORIW89aexx0eMUK4eTOeZFCEgiQcSBT2AWOIN9Z6HM%0D%0AtGrUVWrfwF3tUsEy69sCAwEAAaOBjjCBizAfBgNVHSMEGDAWgBSrCUp6f0Motmdc%0D%0A8dyKBDh3I4DEcjBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAGGJ2h0dHA6Ly9h%0D%0AZHMtdGVjLXBraS1zZXJ2ZXIxOjk1ODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAw%0D%0AEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAEMX6VF9lBWt%0D%0AiD9DLa2sD%2Faq5ZC8tGWIdSzdOXG3289Y%2BlFfySNQV7xSLZ5sqjOl0KtKGs6vBZUw%0D%0Apb2wgdlb8yaZH9cDiZYPvxeQMQIv5VykUpffMrXNJ8jbHDxd
ZzL9ugJj67sesOG8%0D%0AHUfAVYEkToxCesYiA0pH1tA22s2UZoQz9IdVKAkMh%2FLE0HU%2FI8gN7cda5c4oI1x0%0D%0Azt%2BV0INU8NbWTMhC5z0hEYdhMSS3d4zMX1%2BYqL%2BCjCqViRQOwjq4pqux8YLqmlkh%0D%0A2bfI2qLYZTUnd0Hlx9ZG107kGQu4aBVxnrNHGa3vuySmv6tUIjfkmuo3BN9uTg2y%0D%0A1tj7Fc76%2FDA%3D&xmlOutput=true&sessionID=4612580003447971825&auth_hostname=pki-server1&auth_port=9544port: 10443 addr='pki-server1' family='2' exit after PR_Write bigBuf with error -5938: From harshanahnd at gmail.com Mon Nov 15 06:27:57 2010 From: harshanahnd at gmail.com (Harshana Porawagama) Date: Mon, 15 Nov 2010 11:57:57 +0530 Subject: [Pki-users] Cloning a Dogtag CS 1.3 on Fedora13 Message-ID: Hi, I have been trying a create a clone of a Certificate system. I the cloning machine when configuring the Internal Databases, it waits indefinitely without giving a result. When I checked the errors log which is in "/var/log/dirsrv/slapd-/errors" it is giving the following error. [15/Nov/2010:11:33:08 +051800] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-cac.test.lk-pki-ca" (ca:389): Replica has a different generation ID than the local data. Does anybody know how to fix this issue? The whole log file is attached. -- Best Regards, Harshana -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: errors Type: application/octet-stream Size: 13302 bytes Desc: not available URL: From kchamart at redhat.com Mon Nov 15 06:43:23 2010 From: kchamart at redhat.com (Kashyap Chamarthy) Date: Mon, 15 Nov 2010 12:13:23 +0530 Subject: [Pki-users] Cloning a Dogtag CS 1.3 on Fedora13 In-Reply-To: References: Message-ID: <4CE0D68B.1000809@redhat.com> On 11/15/2010 11:57 AM, Harshana Porawagama wrote: > Hi, > > I have been trying a create a clone of a Certificate system. I the > cloning machine when configuring the Internal Databases, it waits > indefinitely without giving a result. 
When I checked the errors log
> which is in "/var/log/dirsrv/slapd-/errors" it is giving the
> following error.

Are you using a separate slapd-instance for clone-CA ?

/kashyap

>
> [15/Nov/2010:11:33:08 +051800] NSMMReplicationPlugin -
> agmt="cn=cloneAgreement1-cac.test.lk-pki-ca" (ca:389): Replica has a
> different generation ID than the local data.
>
> Does anybody know how to fix this issue?
>
> The whole log file is attached.
>
> --
> Best Regards,
> Harshana
>
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From harshanahnd at gmail.com Mon Nov 15 07:31:47 2010
From: harshanahnd at gmail.com (Harshana Porawagama)
Date: Mon, 15 Nov 2010 13:01:47 +0530
Subject: [Pki-users] Cloning a Dogtag CS 1.3 on Fedora13
In-Reply-To: <4CE0D68B.1000809@redhat.com>
References: <4CE0D68B.1000809@redhat.com>
Message-ID:

On Mon, Nov 15, 2010 at 12:13 PM, Kashyap Chamarthy wrote:

> On 11/15/2010 11:57 AM, Harshana Porawagama wrote:
>
>> Hi,
>>
>> I have been trying a create a clone of a Certificate system. I the
>> cloning machine when configuring the Internal Databases, it waits
>> indefinitely without giving a result. When I checked the errors log
>> which is in "/var/log/dirsrv/slapd-/errors" it is giving the
>> following error.
>>
>
> Are you using a separate slapd-instance for clone-CA ?
>
Yes.

>
> /kashyap
>
>
>> [15/Nov/2010:11:33:08 +051800] NSMMReplicationPlugin -
>> agmt="cn=cloneAgreement1-cac.test.lk-pki-ca" (ca:389): Replica has a
>> different generation ID than the local data.
>>
>> Does anybody know how to fix this issue?
>>
>> The whole log file is attached.
>>
>> --
>> Best Regards,
>> Harshana
>>
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
>

--
Best Regards,
Harshana

From msauton at redhat.com Mon Nov 15 17:39:51 2010
From: msauton at redhat.com (Marc Sauton)
Date: Mon, 15 Nov 2010 09:39:51 -0800
Subject: [Pki-users] Cloning a Dogtag CS 1.3 on Fedora13
In-Reply-To:
References: <4CE0D68B.1000809@redhat.com>
Message-ID: <4CE17067.5040808@redhat.com>

On 11/14/2010 11:31 PM, Harshana Porawagama wrote:
>
>
> On Mon, Nov 15, 2010 at 12:13 PM, Kashyap Chamarthy
> > wrote:
>
> On 11/15/2010 11:57 AM, Harshana Porawagama wrote:
>
> Hi,
>
> I have been trying a create a clone of a Certificate system. I the
> cloning machine when configuring the Internal Databases, it waits
> indefinitely without giving a result. When I checked the
> errors log
> which is in "/var/log/dirsrv/slapd-/errors" it is
> giving the
> following error.
>
>
> Are you using a separate slapd-instance for clone-CA ?
>
> Yes.

It likely means that for some reason the LDAP replica was not initialized, something unexpected probably happened during the web configuration wizard, was not completed (or re-done?), which is not supposed to happen.
You may want to review your CA's debug and install logs as well as the ns-slapd's logs to get some hint/detail.

>
>
> /kashyap
>
>
> [15/Nov/2010:11:33:08 +051800] NSMMReplicationPlugin -
> agmt="cn=cloneAgreement1-cac.test.lk-pki-ca" (ca:389): Replica
> has a
> different generation ID than the local data.
>
> Does anybody know how to fix this issue?
>
> The whole log file is attached.
>
> --
> Best Regards,
> Harshana
>
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
>
>
> --
> Best Regards,
> Harshana
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From harshanahnd at gmail.com Tue Nov 16 04:30:26 2010
From: harshanahnd at gmail.com (Harshana Porawagama)
Date: Tue, 16 Nov 2010 10:00:26 +0530
Subject: [Pki-users] Cloning a Dogtag CS 1.3 on Fedora13
In-Reply-To: <4CE17067.5040808@redhat.com>
References: <4CE0D68B.1000809@redhat.com> <4CE17067.5040808@redhat.com>
Message-ID:

Hi,

In fact I was able to resolve the error referring to the following conversation,
https://www.redhat.com/archives/pki-users/2009-May/msg00004.html

I used FQDN instead of localhost when connecting to the internal database. That resolved the replication error.

Thanks,
Harshana

On Mon, Nov 15, 2010 at 11:09 PM, Marc Sauton wrote:

> On 11/14/2010 11:31 PM, Harshana Porawagama wrote:
>
>
>
> On Mon, Nov 15, 2010 at 12:13 PM, Kashyap Chamarthy wrote:
>
>> On 11/15/2010 11:57 AM, Harshana Porawagama wrote:
>>
>>> Hi,
>>>
>>> I have been trying a create a clone of a Certificate system. I the
>>> cloning machine when configuring the Internal Databases, it waits
>>> indefinitely without giving a result. When I checked the errors log
>>> which is in "/var/log/dirsrv/slapd-/errors" it is giving the
>>> following error.
>>>
>>
>> Are you using a separate slapd-instance for clone-CA ?
>>
> Yes.
>
> It likely means that for some reason the LDAP replica was not initialized,
> something unexpected probably happened during the web configuration wizard,
> was not completed (or re-done?), which is not supposed to happen.
> You may want to review your CA's debug and install logs as well as the
> ns-slapd's logs to get some hint/detail.
>
>
>> /kashyap
>>
>>
>>> [15/Nov/2010:11:33:08 +051800] NSMMReplicationPlugin -
>>> agmt="cn=cloneAgreement1-cac.test.lk-pki-ca" (ca:389): Replica has a
>>> different generation ID than the local data.
>>>
>>> Does anybody know how to fix this issue?
>>>
>>> The whole log file is attached.
>>>
>>> --
>>> Best Regards,
>>> Harshana
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>
>>
>>
>
>
> --
> Best Regards,
> Harshana
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>

--
Best Regards,
Harshana

From alexander.w.jung at gmail.com Tue Nov 16 12:51:11 2010
From: alexander.w.jung at gmail.com (Alexander Jung)
Date: Tue, 16 Nov 2010 13:51:11 +0100
Subject: [Pki-users] connect dogtag to a existing Key in a luna HSM ?
In-Reply-To: <4CDAD3F8.7070203@redhat.com>
References: <4CDAD30F.1060208@redhat.com> <4CDAD3F8.7070203@redhat.com>
Message-ID:

Hi,

I already did it as you suggested, but could not see any certificates with certutil -L -d . -h lunasa.

The reason was that the Microsoft CA did not store its certificate in the Luna HSM, but only its public and private key. Importing the certificate solved this.

Now the certificates and their keys are visible and usable in the dogtag pki.

yours,
Alexander Jung

From alexander.w.jung at gmail.com Tue Nov 16 15:07:12 2010
From: alexander.w.jung at gmail.com (Alexander Jung)
Date: Tue, 16 Nov 2010 16:07:12 +0100
Subject: [Pki-users] connect dogtag to a existing Key in a luna HSM ?
In-Reply-To:
References: <4CDAD30F.1060208@redhat.com> <4CDAD3F8.7070203@redhat.com>
Message-ID:

Hi,

I just learned another item: jss matches the cert and the privkey by matching CKA_ID, not CKA_LABEL...

Yours,
Alexander Jung
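
The two observations that close this thread (the token held only the key pair until the certificate was imported, and the certificate is paired with its private key by CKA_ID rather than CKA_LABEL) can be checked against a token's object listing. The following is an added example, not code from the thread or from Dogtag/JSS: the inventory, labels and IDs are constructed, and `find_private_keys` and `audit_pairing` are hypothetical helper names.

```python
"""Check which certificates on a PKCS#11 token an ID-based lookup can pair
with a private key. Added illustration; all sample data is constructed."""

CERT, PRIV, PUB = "CKO_CERTIFICATE", "CKO_PRIVATE_KEY", "CKO_PUBLIC_KEY"

# Constructed token inventory (not taken from the thread): one dict per object,
# holding the PKCS#11 attributes a token-listing tool would report.
SAMPLE_OBJECTS = [
    # Key pair with no certificate on the token (the state right after keygen).
    {"CKA_CLASS": PRIV, "CKA_LABEL": "old-ca-key", "CKA_ID": bytes.fromhex("0a0b0c")},
    {"CKA_CLASS": PUB, "CKA_LABEL": "old-ca-key", "CKA_ID": bytes.fromhex("0a0b0c")},
    # Certificate imported with the key's label but a different CKA_ID.
    {"CKA_CLASS": PRIV, "CKA_LABEL": "ca-signing", "CKA_ID": bytes.fromhex("11aa22")},
    {"CKA_CLASS": CERT, "CKA_LABEL": "ca-signing", "CKA_ID": bytes.fromhex("ffee00")},
    # Correct pairing: the labels differ, the CKA_ID is identical.
    {"CKA_CLASS": PRIV, "CKA_LABEL": "ocsp-key", "CKA_ID": bytes.fromhex("7788")},
    {"CKA_CLASS": CERT, "CKA_LABEL": "OCSP Signing Cert", "CKA_ID": bytes.fromhex("7788")},
]


def find_private_keys(objects, cert):
    """Return the private keys that share the certificate's CKA_ID."""
    cert_id = cert.get("CKA_ID") or b""
    if not cert_id:
        # An empty or missing CKA_ID cannot identify any key.
        return []
    return [o for o in objects
            if o["CKA_CLASS"] == PRIV and o.get("CKA_ID") == cert_id]


def audit_pairing(objects):
    """Return (status, label, hex CKA_ID) findings for certs and private keys."""
    certs = [o for o in objects if o["CKA_CLASS"] == CERT]
    privs = [o for o in objects if o["CKA_CLASS"] == PRIV]
    cert_ids = {c["CKA_ID"] for c in certs if c.get("CKA_ID")}
    priv_labels = {k.get("CKA_LABEL") for k in privs}

    findings = []
    for cert in certs:
        keys = find_private_keys(objects, cert)
        if len(keys) == 1:
            status = "paired"
        elif len(keys) > 1:
            status = "ambiguous-id"          # several keys claim the same ID
        elif cert.get("CKA_LABEL") in priv_labels:
            status = "label-match-only"      # looks right by name, fails by ID
        else:
            status = "cert-without-key"
        findings.append((status, cert.get("CKA_LABEL"),
                         (cert.get("CKA_ID") or b"").hex()))

    for key in privs:
        if key.get("CKA_ID") not in cert_ids:
            findings.append(("key-without-cert", key.get("CKA_LABEL"),
                             (key.get("CKA_ID") or b"").hex()))
    return findings


if __name__ == "__main__":
    for status, label, obj_id in audit_pairing(SAMPLE_OBJECTS):
        print(f"{status:18} label={label!r} CKA_ID={obj_id or '(empty)'}")
```

A `key-without-cert` or `label-match-only` finding corresponds to the states described in the two messages above: the objects exist on the token, but a lookup by CKA_ID cannot join them.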