From nathanael at gnat.ca Thu Jan 19 18:26:57 2012
From: nathanael at gnat.ca (Nathanael D. Noblet)
Date: Thu, 19 Jan 2012 11:26:57 -0700
Subject: [Pki-users] Usage Clarification
Message-ID: <4F186071.9070207@gnat.ca>

Hello,

So I'm rather new to pki-dogtag. I've installed it on a VM to try out, since we are developing a product that requires a number of certificates, but none of them need to be signed by a trusted browser CA like Verisign. We currently are using puppet and func, which generate their own certificate requests and get them signed by a system that has generated its own certificate. We are also looking at issuing certificates for systems like yum to retrieve updates from servers, which would also check for client certificates etc. This brings me to my two questions.

#1 - Given the above, is Dogtag able to deal with these certificates? (I am so far under the impression that indeed it can.)

#2 - How does one request a certificate from the installed pki-ca? Reading http://tinyurl.com/7vujpqa [1] implies that the system/person requesting a certificate would submit some form of authentication, whether this be LDAP, PIN-based or certificate based. Can I not simply have the certificate manager tell me of pending certificate requests? I don't expect any device to request a certificate without me knowing it needs one and initiating the process somehow, so the added authentication seems un-needed in my case. At the moment I'm used to puppet or func; you have a puppetca function that can tell me the certificate signing requests pending approval. Is this workflow fundamentally different than dogtag?

[1] http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/7.3/html/Administration_Guide/Administration_Guide-Certificate_Manager.html

-- 
Nathanael d. Noblet
t 403.875.4613

From helm at fionn.es.net Thu Jan 19 18:45:49 2012
From: helm at fionn.es.net (Mike Helm)
Date: Thu, 19 Jan 2012 10:45:49 -0800
Subject: [Pki-users] Usage Clarification
In-Reply-To: Your message of "Thu, 19 Jan 2012 11:26:57 MST." <4F186071.9070207@gnat.ca>
Message-ID: <201201191845.q0JIjsxR017490@fionn.es.net>

What is func? Is it this?

https://fedorahosted.org/func/

> #1 - given the above, is dog tag able to deal with these certificates (I
> am so far under the impression that indeed it can)

Deal with - what do you mean? Do you mean, process requests and provide a certificate that these apps can understand? (If so the answer is probably yes; we use certs in many services, but we don't happen to use puppet or func, although I would like to.)

> #2 - How does one request a certificate from the installed pki-ca?

There are a couple of possibilities. You can essentially screen scrape & script the posting of the requests to the request interface.

You can use the RA and either adapt some of the existing scripts in the RA or just focus on the submission portion of the RA and build an appropriate request. Usually, you have to adjust the profile to do the right thing - to expect the right variables from the PUT url.

You can adapt the XML interface (I think - haven't explored that).

> requesting a certificate would submit some form of authentication.

They could be authenticated or not. The RA would allow you to use whatever authentication you wanted - e.g. you could accept any request from designated IP addresses, or network masks, or you could probably use OAuth or Kerberos, or something else entirely.

Or you could leave the requests to queue up unauthenticated & have an agent verify the requests before manually issuing them.

Other possibilities probably exist.

> don't expect any device to request a certificate without me knowing it
> needs one and initiating the process somehow, so the added authentication
> seems un-needed in my case.

> At the moment I'm used to puppet or func you have a puppetca function
> that can tell me the certificate signing requests pending approval, is
> this workflow fundamentally different than dogtag?

I don't know puppet or what sounds like its internal CA (puppetca), so I couldn't be sure how it works. You should get a response back from either the dogtag CA or RA that something happened to the request (accepted/approved/rejected/error) and you can act on that returned value. How flexible the app is would determine how useful that message will be.

Usual disclaimers - I could be wrong!

Thanks, ==mwh
Michael Helm
ESnet/LBNL

From nathanael at gnat.ca Thu Jan 19 19:13:53 2012
From: nathanael at gnat.ca (Nathanael D. Noblet)
Date: Thu, 19 Jan 2012 12:13:53 -0700
Subject: [Pki-users] Usage Clarification
In-Reply-To: <201201191845.q0JIjsxR017490@fionn.es.net>
References: <201201191845.q0JIjsxR017490@fionn.es.net>
Message-ID: <4F186B71.6020806@gnat.ca>

On 01/19/2012 11:45 AM, Mike Helm wrote:
> What is func?
>
> Is it this?
>
> https://fedorahosted.org/func/

Yes.

>> #1 - given the above, is dog tag able to deal with these certificates (I
>> am so far under the impression that indeed it can)
>
> Deal with - what do you mean? Do you mean, process requests and provide
> a certificate that these apps can understand? (If so the answer is probably
> yes; we use certs in many services, but we don't happen to use puppet or
> func, although I would like to).

Yeah, that's what I was asking. I'm fairly new to the intricacies of certificates. I've used them for https, but when looking at certificates for https based websites, and the certs used for/by puppet, there were numerous differences. I presume though that most of the differences are in the certificate creation process, and not the signing.

>> #2 - How does one request a certificate from the installed pki-ca?
>
> There are a couple of possibilities. You can essentially screen scrape &
> script the posting of the requests to the request interface.
>
> You can use the RA and either adapt some of the existing scripts in the RA or
> just focus on the submission portion of the RA and build an appropriate
> request. Usually, you have to adjust the profile to do the right thing -
> to expect the right variables from the PUT url.
>
> You can adapt the XML interface (I think - haven't explored that).
>
>> requesting a certificate would submit some form of authentication.
>
> They could be authenticated or not. The RA would allow you to use
> whatever authentication you wanted - e.g. you could accept any request
> from designated IP addresses, or network masks, or you could probably
> use OAuth or Kerberos, or something else entirely.
>
> Or you could leave the requests to queue up unauthenticated & have
> an agent verify the requests before manually issuing them.
>
> Other possibilities probably exist.

Great, that's some good information.

>> don't expect any device to request a certificate without me knowing it
>> needs one and initiating the process somehow, so the added authentication
>> seems un-needed in my case.
>
>> At the moment I'm used to puppet or func you have a puppetca function
>> that can tell me the certificate signing requests pending approval, is
>> this workflow fundamentally different than dogtag?
>
> I don't know puppet or what sounds like its internal CA (puppetca), so I couldn't
> be sure how it works. You should get a response back from either the dogtag
> CA or RA that something happened to the request (accepted/approved/rejected/error)
> and you can act on that returned value. How flexible the app is would
> determine how useful that message will be.
>
> Usual disclaimers - I could be wrong!

So, an additional issue: once I configured the CA, it gives me a link to a page that has "XXXXXX Certificate System" and lists "SSL End Users Services" as well as "Agent Services". All I did was go through the setup of the CA service. If I click on either of those, I get a white blank screen. I have no idea how to debug this. I can't seem to find any error messages in /var/log/pki-ca to even point me anywhere; when I do request those pages, *nothing* shows up in any of the many log files in that directory. Any pointers?

The urls are:

https://hostname:9445/ca/services

which has links to:

https://hostname:9444/ca/ee/ca
https://hostname:9443/ca/agent/ca

Pointers would be much appreciated.

-- 
Nathanael d. Noblet
t 403.875.4613

From mmercier at gmail.com Thu Jan 19 19:35:55 2012
From: mmercier at gmail.com (Mike Mercier)
Date: Thu, 19 Jan 2012 14:35:55 -0500
Subject: [Pki-users] Usage Clarification
In-Reply-To: <4F186B71.6020806@gnat.ca>
References: <201201191845.q0JIjsxR017490@fionn.es.net> <4F186B71.6020806@gnat.ca>
Message-ID:

Hi,

> So an additional issue, once I configured the CA, it gives me a link to a
> page that has XXXXXX Certificate System and lists "SSL End Users Services"
> as well as "Agent Services". All I did was go through the setup of the CA
> service. If I click on either of those, I get a white blank screen. I have
> no idea how to debug this, I can't seem to find any error messages in
> /var/log/pki-ca to even point me anywhere, when I do request those pages,
> *nothing* shows up in any of the many log files in that directory. Any
> pointers?

I have had the same experience using dogtag on CentOS 6.x. I have successful installations on CentOS 5.x.

Mike

From nathanael at gnat.ca Thu Jan 19 19:40:26 2012
From: nathanael at gnat.ca (Nathanael D. Noblet)
Date: Thu, 19 Jan 2012 12:40:26 -0700
Subject: [Pki-users] Usage Clarification
In-Reply-To:
References: <201201191845.q0JIjsxR017490@fionn.es.net> <4F186B71.6020806@gnat.ca>
Message-ID: <4F1871AA.6040306@gnat.ca>

On 01/19/2012 12:35 PM, Mike Mercier wrote:
> Hi,
>
>> So an additional issue, once I configured the CA, it gives me a link to a
>> page that has XXXXXX Certificate System and lists "SSL End Users Services"
>> as well as "Agent Services". All I did was go through the setup of the CA
>> service. If I click on either of those, I get a white blank screen. I have
>> no idea how to debug this, I can't seem to find any error messages in
>> /var/log/pki-ca to even point me anywhere, when I do request those pages,
>> *nothing* shows up in any of the many log files in that directory. Any
>> pointers?
>
> I have had the same experience using dogtag on CentOS 6.x. I have
> successful installations on CentOS 5.x

Do you happen to know the cause? Or have a bug # someplace for it?

-- 
Nathanael d. Noblet
t 403.875.4613

From msauton at redhat.com Thu Jan 19 19:45:13 2012
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 19 Jan 2012 11:45:13 -0800
Subject: [Pki-users] Usage Clarification
In-Reply-To: <4F1871AA.6040306@gnat.ca>
References: <201201191845.q0JIjsxR017490@fionn.es.net> <4F186B71.6020806@gnat.ca> <4F1871AA.6040306@gnat.ca>
Message-ID: <4F1872C9.9050002@redhat.com>

On 01/19/2012 11:40 AM, Nathanael D. Noblet wrote:
> On 01/19/2012 12:35 PM, Mike Mercier wrote:
>> Hi,
>>
>>> So an additional issue, once I configured the CA, it gives me a link to a
>>> page that has XXXXXX Certificate System and lists "SSL End Users Services"
>>> as well as "Agent Services". All I did was go through the setup of the CA
>>> service. If I click on either of those, I get a white blank screen. I have
>>> no idea how to debug this, I can't seem to find any error messages in
>>> /var/log/pki-ca to even point me anywhere, when I do request those pages,
>>> *nothing* shows up in any of the many log files in that directory. Any
>>> pointers?
>>
>> I have had the same experience using dogtag on CentOS 6.x. I have
>> successful installations on CentOS 5.x
>
> Do you happen to know the cause? Or have a bug # someplace for it?
>

"Agent" services require client auth; sounds like the client cert may not have been presented.

M.

From msauton at redhat.com Thu Jan 19 19:47:05 2012
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 19 Jan 2012 11:47:05 -0800
Subject: [Pki-users] Usage Clarification
In-Reply-To: <4F186B71.6020806@gnat.ca>
References: <201201191845.q0JIjsxR017490@fionn.es.net> <4F186B71.6020806@gnat.ca>
Message-ID: <4F187339.4010703@redhat.com>

On 01/19/2012 11:13 AM, Nathanael D. Noblet wrote:
> On 01/19/2012 11:45 AM, Mike Helm wrote:
>> What is func?
>>
>> Is it this?
>>
>> https://fedorahosted.org/func/
>
> Yes.
>
>>> #1 - given the above, is dog tag able to deal with these certificates (I
>>> am so far under the impression that indeed it can)
>>
>> Deal with - what do you mean? Do you mean, process requests and provide
>> a certificate that these apps can understand? (If so the answer is probably
>> yes; we use certs in many services, but we don't happen to use puppet or
>> func, although I would like to).
>
> Yeah, that's what I was asking. I'm fairly new to the intricacies of
> certificates, I've used them for https, but when looking at
> certificates for https based websites, and the certs used for/by
> puppet there were numerous differences. I presume though that most of
> the differences are in the certificate creation process, and not the
> signing.
>
>>> #2 - How does one request a certificate from the installed pki-ca?
>>
>> There are a couple of possibilities. You can essentially screen scrape &
>> script the posting of the requests to the request interface.
>>
>> You can use the RA and either adapt some of the existing scripts in the RA or
>> just focus on the submission portion of the RA and build an appropriate
>> request. Usually, you have to adjust the profile to do the right thing -
>> to expect the right variables from the PUT url.
>>
>> You can adapt the XML interface (I think - haven't explored that).
>>
>>> requesting a certificate would submit some form of authentication.
>>
>> They could be authenticated or not. The RA would allow you to use
>> whatever authentication you wanted - e.g. you could accept any request
>> from designated IP addresses, or network masks, or you could probably
>> use OAuth or Kerberos, or something else entirely.
>>
>> Or you could leave the requests to queue up unauthenticated & have
>> an agent verify the requests before manually issuing them.
>>
>> Other possibilities probably exist.
>
> Great, that's some good information.
>
>>> don't expect any device to request a certificate without me knowing it
>>> needs one and initiating the process somehow, so the added authentication
>>> seems un-needed in my case.
>>
>>> At the moment I'm used to puppet or func you have a puppetca function
>>> that can tell me the certificate signing requests pending approval, is
>>> this workflow fundamentally different than dogtag?
>>
>> I don't know puppet or what sounds like its internal CA (puppetca), so I couldn't
>> be sure how it works. You should get a response back from either the dogtag
>> CA or RA that something happened to the request (accepted/approved/rejected/error)
>> and you can act on that returned value. How flexible the app is would
>> determine how useful that message will be.
>>
>> Usual disclaimers - I could be wrong!
>
> So an additional issue, once I configured the CA, it gives me a link
> to a page that has XXXXXX Certificate System and lists "SSL End Users
> Services" as well as "Agent Services". All I did was go through the
> setup of the CA service. If I click on either of those, I get a white
> blank screen. I have no idea how to debug this, I can't seem to find
> any error messages in /var/log/pki-ca to even point me anywhere, when
> I do request those pages, *nothing* shows up in any of the many log
> files in that directory. Any pointers?
>
> The urls are:
>
> https://hostname:9445/ca/services
>
> which has links to:
>
> https://hostname:9444/ca/ee/ca
> https://hostname:9443/ca/agent/ca
>
> Pointers would be much appreciated.
>

You can get request status using HTTP or HTTPS from the "ee" / "end entity" interface, and HTTPS with client authentication for the agent interface.

To get the forms, the paths are like:

enrolling for an SSL server cert using the profile caServerCert, from the HTTPS interface without client auth:
https://...:9444/ca/ee/ca/profileSelect?profileId=caServerCert

for a given request:
https://...:9444/ca/ee/ca/checkRequest.html

using client auth, for an "agent":
https://...:9443/ca/agent/ca/profileReview?requestId=x

I suggest looking at the 8.1 online doc (not 7.3 like referenced earlier):
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/index.html

If e-mail notifications are needed for some enrollment and issuance events, see:
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Automated_Notifications.html#Types_of_Automated_Notifications

There is some information in the web.xml file, located for example at /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml; see
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/removing-unused-web.xml.html

The XML API will likely be updated and documented later upstream or as part of common criteria.

M.
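The distinction Marc draws above, an "ee" interface reachable over plain HTTPS and an agent interface that only answers to a client certificate, is also the first thing to check when the agent pages come back empty: a request rejected during the TLS handshake never reaches the servlet, so the application has nothing to log. The Go program below is an added example, not code from this thread or from Dogtag; it stands up a throwaway HTTPS endpoint that, like the agent interface, requires a client certificate chained to a trusted issuer, then requests it once without and once with such a certificate. The issuer name "Toy Agent CA" and the agent CN "pki-agent" are made up for the demonstration, the server certificate is the one net/http/httptest generates, and only the standard library is used.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issueCert returns a key and certificate for cn: a self-signed CA when parent
// is nil (the made-up "Toy Agent CA"), otherwise a client-auth certificate signed by parent.
func issueCert(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // setup failure: nothing sensible to continue with in a demo
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the template is its own issuer and may sign certs
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, tmpl.KeyUsage|x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// get performs one GET over TLS, trusting serverCert and presenting whatever client
// certificates are given; it returns the HTTP status, or the TLS/transport error.
func get(url string, serverCert *x509.Certificate, clientCerts ...tls.Certificate) (int, error) {
	cfg := &tls.Config{RootCAs: x509.NewCertPool(), Certificates: clientCerts}
	cfg.RootCAs.AddCert(serverCert)
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return 0, err // with RequireAndVerifyClientCert this is where a bare request fails
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// Demo starts a stand-in agent endpoint that demands a client certificate issued by
// the toy agent CA, then requests it twice: bare, and with the agent certificate.
func Demo() (noCertErr error, agentStatus int, err error) {
	ca, caKey := issueCert("Toy Agent CA", nil, nil)
	agent, agentKey := issueCert("pki-agent", ca, caKey)
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "agent=%s", r.TLS.PeerCertificates[0].Subject.CommonName) // chain already verified
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	srv.StartTLS()
	defer srv.Close()
	_, noCertErr = get(srv.URL, srv.Certificate())
	agentStatus, err = get(srv.URL, srv.Certificate(), tls.Certificate{Certificate: [][]byte{agent.Raw}, PrivateKey: agentKey})
	return noCertErr, agentStatus, err
}

func main() {
	fmt.Println(Demo()) // the bare-request error, the status with the agent cert, any setup error
}
```

The bare request fails inside `get` with a TLS error rather than an HTTP status, which is the client-side symptom of an agent endpoint that was never shown a certificate it trusts.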
From mmercier at gmail.com Thu Jan 19 19:53:40 2012
From: mmercier at gmail.com (Mike Mercier)
Date: Thu, 19 Jan 2012 14:53:40 -0500
Subject: [Pki-users] Usage Clarification
In-Reply-To: <4F1871AA.6040306@gnat.ca>
References: <201201191845.q0JIjsxR017490@fionn.es.net> <4F186B71.6020806@gnat.ca> <4F1871AA.6040306@gnat.ca>
Message-ID:

Hi,

> Do you happen to know the cause? Or have a bug # someplace for it?

I don't know the cause or have a bug number. AFAIK, it has only been available for download on CentOS 6.x for the last couple of weeks. The last time I looked, many optional parts of the dogtag system were still missing (pki-ra, pki-ocsp, etc).

Mike

From barry.jelbert at solnetsolutions.co.nz Thu Jan 19 21:00:36 2012
From: barry.jelbert at solnetsolutions.co.nz (barry.jelbert at solnetsolutions.co.nz)
Date: Fri, 20 Jan 2012 10:00:36 +1300
Subject: [Pki-users] AUTO: Barry Jelbert is out of the office (returning 30/01/2012)
Message-ID: <23996_1327006836_4F188474_23996_21268_1_OF81B7DC38.08F09A18-ONCC25798A.00736978-CC25798A.00736978@solnetsolutions.co.nz>

I am out of the office until 30/01/2012.

During this time, please contact either the Support team (support at solnetsolutions.co.nz), or Stewart Gebbie (stewart.gebbie at solnetsolutions.co.nz).

Note: This is an automated response to your message "Pki-users Digest, Vol 46, Issue 1" sent on 20/01/2012 8:46:55 a.m. This is the only notification you will receive while this person is away.

Attention: This email may contain information intended for the sole use of the original recipient. Please respect this when sharing or disclosing this email's contents with any third party. If you believe you have received this email in error, please delete it and notify the sender or postmaster at solnetsolutions.co.nz as soon as possible. The content of this email does not necessarily reflect the views of Solnet Solutions Ltd.

From dan.whitmire at sonshineaccess.com Sat Jan 21 18:02:32 2012
From: dan.whitmire at sonshineaccess.com (Dan Whitmire)
Date: Sat, 21 Jan 2012 12:02:32 -0600
Subject: [Pki-users] VelocityServlet: Error processing the template
Message-ID: <4F1AFDB8.6010404@sonshineaccess.com>

Has anyone received the error "VelocityServlet: Error processing the template" when configuring the TKS subsystem? I'm on Fedora 15 using Firefox 9. Am I missing something, or is something not up and running? Thanks for any assistance.

From msauton at redhat.com Mon Jan 23 16:42:34 2012
From: msauton at redhat.com (Marc Sauton)
Date: Mon, 23 Jan 2012 08:42:34 -0800
Subject: [Pki-users] VelocityServlet: Error processing the template
In-Reply-To: <4F1AFDB8.6010404@sonshineaccess.com>
References: <4F1AFDB8.6010404@sonshineaccess.com>
Message-ID: <4F1D8DFA.2010805@redhat.com>

On 01/21/2012 10:02 AM, Dan Whitmire wrote:
> Has anyone received the error "VelocityServlet: Error processing the
> template" when configuring the TKS subsystem? I'm on Fedora 15 using
> Firefox 9. Am I missing something or is something not up and
> running? Thanks for any assistance.
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

Yes, but this is a somewhat generic message; it does not tell much. It could be a key size mismatch, or hash, hw token, client or server libraries, or other.

You may want to post here sanitized output of the matching catalina.out and debug logs when this is happening, if possible.

Which step of the TKS configuration are you in when this is happening?

Thanks,
M.

From mharmsen at redhat.com Tue Jan 24 01:15:28 2012
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Mon, 23 Jan 2012 17:15:28 -0800
Subject: [Pki-users] Usage Clarification
In-Reply-To: <4F1871AA.6040306@gnat.ca>
References: <201201191845.q0JIjsxR017490@fionn.es.net> <4F186B71.6020806@gnat.ca> <4F1871AA.6040306@gnat.ca>
Message-ID: <4F1E0630.4030609@redhat.com>

On 01/19/12 11:40, Nathanael D. Noblet wrote:
> On 01/19/2012 12:35 PM, Mike Mercier wrote:
>> Hi,
>>
>>> So an additional issue, once I configured the CA, it gives me a link to a
>>> page that has XXXXXX Certificate System and lists "SSL End Users Services"
>>> as well as "Agent Services". All I did was go through the setup of the CA
>>> service. If I click on either of those, I get a white blank screen. I have
>>> no idea how to debug this, I can't seem to find any error messages in
>>> /var/log/pki-ca to even point me anywhere, when I do request those pages,
>>> *nothing* shows up in any of the many log files in that directory. Any
>>> pointers?
>>
>> I have had the same experience using dogtag on CentOS 6.x. I have
>> successful installations on CentOS 5.x
>
> Do you happen to know the cause? Or have a bug # someplace for it?
>
> I don't know the cause or have a bug number. AFAIK, it has only been
> available for download on CentOS 6.x for the last couple of weeks.
> The last time I looked many optional parts of the dogtag system were
> still missing (pki-ra, pki-ocsp, etc).
>

Nathanael and Mike,

I have documented a potential solution to these issues at the following location on the wiki:

* http://pki.fedoraproject.org/wiki/PKI_Known_Issues#Miscellaneous

Hope this helps,
-- Matt

From dan.whitmire at sonshineaccess.com Wed Jan 25 01:02:38 2012
From: dan.whitmire at sonshineaccess.com (Dan Whitmire)
Date: Tue, 24 Jan 2012 19:02:38 -0600
Subject: [Pki-users] Pki-users Digest, Vol 46, Issue 4
In-Reply-To:
References:
Message-ID: <4F1F54AE.7040009@sonshineaccess.com>

On 01/23/2012 11:00 AM, pki-users-request at redhat.com wrote:
> Send Pki-users mailing list submissions to
> pki-users at redhat.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/pki-users
> or, via email, send a message with subject or body 'help' to
> pki-users-request at redhat.com
>
> You can reach the person managing the list at
> pki-users-owner at redhat.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Pki-users digest..."
>
>
> Today's Topics:
>
> 1. Re: VelocityServlet: Error processing the template (Marc Sauton)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 23 Jan 2012 08:42:34 -0800
> From: Marc Sauton
> To: Dan Whitmire
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] VelocityServlet: Error processing the template
> Message-ID: <4F1D8DFA.2010805 at redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> On 01/21/2012 10:02 AM, Dan Whitmire wrote:
>> Has anyone received the error "VelocityServlet: Error processing the
>> template" when configuring the TKS subsystem? I'm on Fedora 15 using
>> Firefox 9. Am I missing something or is something not up and
>> running? Thanks for any assistance.
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
> Yes, but this is a somewhat generic message, this does not tell much,
> could be key size mismatch, or hash, hw token, client or server
> libraries, or other.
> You may want to post here sanitized output of the matching catalina.out
> and debug logs when this is happening, if possible.
> Which step of the TKS configuration are you in when this is happening?
> Thanks,
> M.
>
> ------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
> End of Pki-users Digest, Vol 46, Issue 4
> ****************************************

I decided to reboot the system and restart the applications. The problem went away. It may have been an anomaly with all the things I was attempting to do.

Thanks.