From riccardo.brunetti at to.infn.it Tue May 15 13:56:49 2012 From: riccardo.brunetti at to.infn.it (Torino) Date: Tue, 15 May 2012 15:56:49 +0200 Subject: [Pki-users] Problem with Subject Alternative Name Extension In-Reply-To: <6097BEF1-A97A-4FA0-AA39-31EB8B6A4A2F@to.infn.it> References: <4F686A13.8060801@gtri.gatech.edu> <6097BEF1-A97A-4FA0-AA39-31EB8B6A4A2F@to.infn.it> Message-ID: <4FB260A1.8030008@to.infn.it> Il 20/03/12 12 15:27, Riccardo Brunetti ha scritto: > > Thanks Joshua for the prompt reply and answer. > I used the User Supplied Extension Default and it works. > > Thank you very much again > > Best Regards > Riccardo > > Riccardo Brunetti > INFN-Torino > Tel: +390116707295 > riccardo.brunetti at to.infn.it > > > > > On 20/mar/2012 12, at 12:29, Joshua Roys wrote: > >> On 03/20/2012 06:54 AM, Riccardo Brunetti wrote: >>> >>> Dear pki-users. >>> >>> I'm trying to setup a pki-ca instance to produce X509 certificates >>> which include a Subject Alternative Name Extension with the >>> following attributes: >>> >>> Criticality = not critical >>> Type = RFC822Name >>> Value = the email of the requestor. >>> >>> I'm using the Signed CMC-Authenticated User Certificate Enrollment >>> profile and this is the relevant section of my >>> /var/lib/pki-ca/profiles/ca/caFullCMCUserCert.cfg file: >>> >>> policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl >>> policyset.cmcUserCertSet.8.constraint.name=Extension Constraint >>> policyset.cmcUserCertSet.8.constraint.params.extCritical=false >>> policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17 >>> policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl >>> policyset.cmcUserCertSet.8.default.name=Subject Alternative Name >>> Extension Default >>> policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true >>> policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$ >>> policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name >>> policyset.cmcUserCertSet.8.default.params.subjAltNameExtCritical=false >>> policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1 >>> >>> The input certificate request is generated using certutil and >>> CMCEnroll and the command used is the following: >>> >>> certutil -R -g 2048 -s "" -7"" >>> -d ?? >>> >>> The certificate is generated, but the extension is not populated >>> with the email address and I always get: >>> >>> Identifier: Subject Alternative Name - 2.5.29.17 >>> Critical: no >>> Value: >>> RFC822Name: $request.requestor_email$ >>> >> >> Hello, >> >> In short, the email is not being looked at because >> $request.requestor_email$ is created through the WebUI through an >> input box (Requestor Email). See [1] for some more variables. You >> may want to configure the caFullCMCUserCert to copy all subjAltNames >> in the input to the output certificate using the User Supplied >> Extension Default (with 2.5.29.17 as the argument): >> "This default populates a User-Supplied Extension (2.5.29.17) to the >> request." >> >> Josh >> >> [1] >> http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html#tab.Variables_Used_to_Populate_Certificates >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users > Dear Pki-users. I'm having the same problem when trying to generate user certificates using the web user interface provided by the RA subsystem. In short, when I request a user certificate using the "User Enrollment" link in the RA web interface, I'm presented a form in which I enter the UID, Full Name, Site ID and email. The certificate which is produced after the RA agent approves the request contains again an extension like: Identifier: Subject Alternative Name - 2.5.29.17 Critical: no Value: RFC822Name: $request.requestor_email$ The email is contained in the DN of the certificate, which is not what I want. I tried to modify the profile caDualRAuserCert, changing the policy 8 as Josh suggested above, but the answer is that the extension is not found. Do you have some suggestions? Thanks a lot Riccardo -- ------------------- Riccardo Brunetti INFN - Torino Tel: +390116707295 Skype: rbrunetti ------------------- -------------- next part -------------- An HTML attachment was scrubbed... URL: From Jamil.Nimeh at viasat.com Tue May 22 23:05:23 2012 From: Jamil.Nimeh at viasat.com (Nimeh, Jamil) Date: Tue, 22 May 2012 23:05:23 +0000 Subject: [Pki-users] SCEP: Invalid OID in CertRep signerInfo when using SHA-2 Message-ID: <6A95FA630FB5124C886BAD159CDBA1F011A2A711@wdc1exchmbxp05.hq.corp.viasat.com> Hello all, I have come across what looks like a bug in SCEP responses from the CA when using SHA-256 and SHA-512. The problem appears to be the OID that is given in the digestAlgorithm field of the signerInfo portion of the PKCS#7 signature. For CertRep messages using MD5 and SHA-1 the OID is correct and matches the single OID in the digestAlgorithms list from the SignedData segment. In the case of SHA-256 and SHA-512, it appears that the second to the last octet in the two digests (0x2) is missing. For SHA-256 the OID in the signerInfo is "2.16.840.1.101.3.4.1" (it should be ...3.4.2.1). For SHA-512 the OID given is "2.16.840.1.101.3.4.3"when it should end "...3.4.2.3" When attempting to verify the digest using NSS'SEC_PKCS7VerifySignature() / SEC_PKCS7VerifyDetachedSignature() it fails, and I believe it also fails with similar calls under OpenSSL. There's a mention of the latter on the Dogtag SCEP/SSCEP page under the heading "SSCEP Error". I believe this error is due to this OID discrepancy. I've been looking in the Dogtag source and the JSS Javadocs to see where this OID might be coming from. Everything I've looked at where OIDs for SHA-2 algorithms are concerned have the right bytes, so I've been unable to pinpoint where the OID is coming from. I can provide sample CertRep messages with the odd OIDs in there if desired. A sample signerInfo from a SHA-256 CertRep failure message from dumpasn1 is below: Currently Running: Fedora Core 15 updated to the latest as of 5/17/2012 pki-core (and other rpms) 9.0.19-1 nss-* 3.13.4-2 jss-4.2.6.24 nspr-4.9-2 (I've also seen this behavior with pki-core 9.0.17 and its corresponding packages as well) I did go looking through the mailing lists and bugzilla to see if this issue had been found and didn't see anything. If I did overlook it then please accept my apologies. I'm currently working around the problem by using SHA-1, but I'd really like to be able to use the stronger digest algorithms if possible. If anyone knows how to get that working I'd appreciate it. Thanks, Jamil SAMPLE CertRep Fail signerInfo using SHA-256: 60 623: SET { 64 619: SEQUENCE { 68 1: INTEGER 1 71 72: SEQUENCE { 73 67: SEQUENCE { 75 16: SET { 77 14: SEQUENCE { 79 3: OBJECT IDENTIFIER organizationName (2 5 4 10) : (X.520 DN component) 84 7: PrintableString 'TESTPKI' : } : } 93 15: SET { 95 13: SEQUENCE { 97 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) : (X.520 DN component) 102 6: PrintableString 'pki-ca' : } : } 110 30: SET { 112 28: SEQUENCE { 114 3: OBJECT IDENTIFIER commonName (2 5 4 3) : (X.520 DN component) 119 21: PrintableString 'Certificate Authority' : } : } : } 142 1: INTEGER 1 : } 145 12: SEQUENCE { 147 8: OBJECT IDENTIFIER aes (2 16 840 1 101 3 4 1) : (NIST Algorithm) 157 0: NULL : } 159 250: [0] { 162 17: SEQUENCE { 164 10: OBJECT IDENTIFIER messageType (2 16 840 1 113733 1 9 2) : (Verisign PKCS #7 attribute) 176 3: SET { 178 1: PrintableString '3' : } : } 181 17: SEQUENCE { 183 10: OBJECT IDENTIFIER pkiStatus (2 16 840 1 113733 1 9 3) : (Verisign PKCS #7 attribute) 195 3: SET { 197 1: PrintableString '2' : } : } 200 17: SEQUENCE { 202 10: OBJECT IDENTIFIER failInfo (2 16 840 1 113733 1 9 4) : (Verisign PKCS #7 attribute) 214 3: SET { 216 1: PrintableString '2' : } : } 219 24: SEQUENCE { 221 9: OBJECT IDENTIFIER contentType (1 2 840 113549 1 9 3) : (PKCS #9) 232 11: SET { 234 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1) : (PKCS #7) : } : } 245 32: SEQUENCE { 247 10: OBJECT IDENTIFIER senderNonce (2 16 840 1 113733 1 9 5) : (Verisign PKCS #7 attribute) 259 18: SET { 261 16: OCTET STRING : A9 7A AB 92 86 A8 C6 FB A7 AA 59 C8 D8 85 5B 8F : } : } 279 32: SEQUENCE { 281 10: OBJECT IDENTIFIER : recipientNonce (2 16 840 1 113733 1 9 6) : (Verisign PKCS #7 attribute) 293 18: SET { 295 16: OCTET STRING : BD 5F 02 CC D5 5A 25 34 84 00 78 E2 6B 54 D3 7A : } : } 313 47: SEQUENCE { 315 9: OBJECT IDENTIFIER messageDigest (1 2 840 113549 1 9 4) : (PKCS #9) 326 34: SET { 328 32: OCTET STRING : E3 B0 C4 42 98 FC 1C 14 9A FB F4 C8 99 6F B9 24 : 27 AE 41 E4 64 9B 93 4C A4 95 99 1B 78 52 B8 55 : } : } 362 48: SEQUENCE { 364 10: OBJECT IDENTIFIER transID (2 16 840 1 113733 1 9 7) : (Verisign PKCS #7 attribute) 376 34: SET { 378 32: PrintableString '856F90890192FFE9A321C83CB56169AA' : } : } : } 412 13: SEQUENCE { 414 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1) : (PKCS #1) 425 0: NULL : } 427 256: OCTET STRING : 6C 5E EA E3 6E 5B 5D E9 41 72 20 83 33 48 1B 7D : 3F 5F 1F A6 C3 D3 5D D5 F3 D3 57 E7 A7 7C 65 D1 : 25 39 C0 A3 13 E2 63 10 79 28 55 2C 35 51 E0 0F : 63 7B F1 C4 F2 56 E1 63 37 78 01 C1 84 38 44 94 : 46 8F 54 89 E0 FB C1 50 F5 15 9F CA B4 1E A7 68 : C1 DE 96 3C AB 79 33 B8 44 44 F2 A1 0B 03 2A FD : 06 51 5D A1 C6 71 61 50 67 44 C4 94 01 5F 21 1F : EE CF 4B 8D 79 7F 89 45 0D 32 37 AC BE B2 21 A5 : [ Another 128 bytes skipped ] : } : } : } : } : } -------------- next part -------------- An HTML attachment was scrubbed... URL: From awnuk at redhat.com Wed May 23 17:59:36 2012 From: awnuk at redhat.com (Andrew Wnuk) Date: Wed, 23 May 2012 10:59:36 -0700 Subject: [Pki-users] SCEP: Invalid OID in CertRep signerInfo when using SHA-2 In-Reply-To: <6A95FA630FB5124C886BAD159CDBA1F011A2A711@wdc1exchmbxp05.hq.corp.viasat.com> References: <6A95FA630FB5124C886BAD159CDBA1F011A2A711@wdc1exchmbxp05.hq.corp.viasat.com> Message-ID: <4FBD2588.6090306@redhat.com> On 05/22/2012 04:05 PM, Nimeh, Jamil wrote: > Hello all, > > I have come across what looks like a bug in SCEP responses from the CA > when using SHA-256 and SHA-512. > > The problem appears to be the OID that is given in the digestAlgorithm > field of the signerInfo portion of the PKCS#7 signature. For CertRep > messages using MD5 and SHA-1 the OID is correct and matches the single > OID in the digestAlgorithms list from the SignedData segment. In the > case of SHA-256 and SHA-512, it appears that the second to the last > octet in the two digests (0x2) is missing. For SHA-256 the OID in the > signerInfo is "2.16.840.1.101.3.4.1" (it should be ...3.4.2.1). For > SHA-512 the OID given is "2.16.840.1.101.3.4.3"when it should end > "...3.4.2.3" > > When attempting to verify the digest using > NSS'SEC_PKCS7VerifySignature() / SEC_PKCS7VerifyDetachedSignature() it > fails, and I believe it also fails with similar calls under OpenSSL. > There's a mention of the latter on the Dogtag SCEP/SSCEP page under > the heading "SSCEP Error". I believe this error is due to this OID > discrepancy. > > I've been looking in the Dogtag source and the JSS Javadocs to see > where this OID might be coming from. Everything I've looked at where > OIDs for SHA-2 algorithms are concerned have the right bytes, so I've > been unable to pinpoint where the OID is coming from. > > I can provide sample CertRep messages with the odd OIDs in there if > desired. A sample signerInfo from a SHA-256 CertRep failure message > from dumpasn1 is below: > > Currently Running: > Fedora Core 15 updated to the latest as of 5/17/2012 > pki-core (and other rpms) 9.0.19-1 > nss-* 3.13.4-2 > jss-4.2.6.24 > nspr-4.9-2 > > (I've also seen this behavior with pki-core 9.0.17 and its > corresponding packages as well) > > I did go looking through the mailing lists and bugzilla to see if this > issue had been found and didn't see anything. If I did overlook it > then please accept my apologies. I'm currently working around the > problem by using SHA-1, but I'd really like to be able to use the > stronger digest algorithms if possible. If anyone knows how to get > that working I'd appreciate it. > > Thanks, > Jamil Hi Jamil, I'll be glad to review this issue. Could open a bugzilla bug? Thanks, Andrew > > SAMPLE CertRep Fail signerInfo using SHA-256: > > > 60 623: SET { > 64 619: SEQUENCE { > 68 1: INTEGER 1 > 71 72: SEQUENCE { > 73 67: SEQUENCE { > 75 16: SET { > 77 14: SEQUENCE { > 79 3: OBJECT IDENTIFIER organizationName (2 5 4 10) > : (X.520 DN component) > 84 7: PrintableString 'TESTPKI' > : } > : } > 93 15: SET { > 95 13: SEQUENCE { > 97 3: OBJECT IDENTIFIER organizationalUnitName > (2 5 4 11) > > : (X.520 DN component) > 102 6: PrintableString 'pki-ca' > : } > : } > 110 30: SET { > 112 28: SEQUENCE { > 114 3: OBJECT IDENTIFIER commonName (2 5 4 3) > : (X.520 DN component) > 119 21: PrintableString 'Certificate Authority' > : } > : } > : } > 142 1: INTEGER 1 > : } > 145 12: SEQUENCE { > 147 8: OBJECT IDENTIFIER aes (2 16 840 1 101 3 4 1) > : (NIST Algorithm) > 157 0: NULL > : } > 159 250: [0] { > 162 17: SEQUENCE { > 164 10: OBJECT IDENTIFIER messageType (2 16 840 1 > 113733 1 9 2) > > : (Verisign PKCS #7 attribute) > 176 3: SET { > 178 1: PrintableString '3' > : } > : } > 181 17: SEQUENCE { > 183 10: OBJECT IDENTIFIER pkiStatus (2 16 840 1 > 113733 1 9 3) > : (Verisign PKCS #7 attribute) > 195 3: SET { > 197 1: PrintableString '2' > : } > : } > 200 17: SEQUENCE { > 202 10: OBJECT IDENTIFIER failInfo (2 16 840 1 113733 > 1 9 4) > : (Verisign PKCS #7 attribute) > 214 3: SET { > 216 1: PrintableString '2' > : } > : } > 219 24: SEQUENCE { > 221 9: OBJECT IDENTIFIER contentType (1 2 840 113549 > 1 9 3) > : (PKCS #9) > 232 11: SET { > 234 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1) > : (PKCS #7) > : } > : } > 245 32: SEQUENCE { > 247 10: OBJECT IDENTIFIER senderNonce (2 16 840 1 > 113733 1 9 5) > > : (Verisign PKCS #7 attribute) > 259 18: SET { > 261 16: OCTET STRING > : A9 7A AB 92 86 A8 C6 FB A7 AA 59 C8 D8 85 > 5B 8F > : } > : } > 279 32: SEQUENCE { > 281 10: OBJECT IDENTIFIER > : recipientNonce (2 16 840 1 113733 1 9 6) > : (Verisign PKCS #7 attribute) > 293 18: SET { > 295 16: OCTET STRING > : BD 5F 02 CC D5 5A 25 34 84 00 78 E2 6B 54 > D3 7A > : } > : } > 313 47: SEQUENCE { > 315 9: OBJECT IDENTIFIER messageDigest (1 2 840 > 113549 1 9 4) > : (PKCS #9) > 326 34: SET { > 328 32: OCTET STRING > : E3 B0 C4 42 98 FC 1C 14 9A FB F4 C8 99 6F > B9 24 > : 27 AE 41 E4 64 9B 93 4C A4 95 99 1B 78 52 > B8 55 > : } > : } > 362 48: SEQUENCE { > 364 10: OBJECT IDENTIFIER transID (2 16 840 1 113733 > 1 9 7) > : (Verisign PKCS #7 attribute) > 376 34: SET { > 378 32: PrintableString > '856F90890192FFE9A321C83CB56169AA' > : } > : } > : } > 412 13: SEQUENCE { > 414 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 > 1 1 1) > : (PKCS #1) > 425 0: NULL > : } > 427 256: OCTET STRING > : 6C 5E EA E3 6E 5B 5D E9 41 72 20 83 33 48 1B 7D > : 3F 5F 1F A6 C3 D3 5D D5 F3 D3 57 E7 A7 7C 65 D1 > : 25 39 C0 A3 13 E2 63 10 79 28 55 2C 35 51 E0 0F > : 63 7B F1 C4 F2 56 E1 63 37 78 01 C1 84 38 44 94 > : 46 8F 54 89 E0 FB C1 50 F5 15 9F CA B4 1E A7 68 > : C1 DE 96 3C AB 79 33 B8 44 44 F2 A1 0B 03 2A FD > : 06 51 5D A1 C6 71 61 50 67 44 C4 94 01 5F 21 1F > : EE CF 4B 8D 79 7F 89 45 0D 32 37 AC BE B2 21 A5 > : [ Another 128 bytes skipped ] > : } > : } > : } > : } > : } > > > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From riccardo.brunetti at to.infn.it Thu May 24 12:34:27 2012 From: riccardo.brunetti at to.infn.it (Riccardo Brunetti) Date: Thu, 24 May 2012 14:34:27 +0200 Subject: [Pki-users] Problems with Luna PCI HSM and dogtag 1.3 Message-ID: <4FBE2AD3.1040505@to.infn.it> Dear pki-users. We are setting up a CA subsystem using dogtag 1.3 on CentOS-5.8 and a HSM Luna PCI3000 (SafeNet). The HSM card seems to be correctly installed in the system and, using the command line utilities, we could create a partition on the HSM to store the crypto data. Unfortunately, when I run pkicreate and then the configuration wizard in order to configure the CA subsystem, the HSM modules seems not to be detected and the system still uses the software "NSS Internal PKCS #11 Module". I also tried to manually load the pkcs#11 module using the command: # modutil -dbdir /var/lib/igi-ca/alias -nocertdb -add lunapci -libfile /usr/lunapci/lib/libCryptoki2_64.so and the output of the list command is the following: # modutil -dbdir /var/lib/igi-ca/alias -list Listing of PKCS #11 Modules ----------------------------------------------------------- 1. NSS Internal PKCS #11 Module slots: 2 slots attached status: loaded slot: NSS Internal Cryptographic Services token: NSS Generic Crypto Services slot: NSS User Private Key and Certificate Services token: NSS Certificate DB 2. lunapci library name: /usr/lunapci/lib/libCryptoki2_64.so slots: 1 slot attached status: loaded slot: Viper PCI Card token: turintest ----------------------------------------------------------- Moreover this is the output of TokenInfo command: # TokenInfo /var/lib/igi-ca/alias/ Database Path: /var/lib/igi-ca/alias/ Found external module 'NSS Internal PKCS #11 Module' Found external module 'lunapci' Found external token 'turintest' Despite all of that, when the configuration wizard comes to the "Key Store" page the module is not listed. I then tried to include it manually in the CS.cfg file: preop.configModules.module0.commonName=lunapci preop.configModules.module0.imagePath=../img/clearpixel.gif preop.configModules.module0.userFriendlyName=lunapci and in this case it is listed but in Status "Not Found" How can I solve this issue? Do you have some suggestions? Thank you very much R. Brunetti From cfu at redhat.com Thu May 24 21:49:43 2012 From: cfu at redhat.com (Christina Fu) Date: Thu, 24 May 2012 14:49:43 -0700 Subject: [Pki-users] Problems with Luna PCI HSM and dogtag 1.3 In-Reply-To: <4FBE2AD3.1040505@to.infn.it> References: <4FBE2AD3.1040505@to.infn.it> Message-ID: <4FBEACF7.9060306@redhat.com> I have not worked on a Luna PCI HSM, but did you try the following to see if it provides you with any clue on the status of the token? modutil -dbdir /var/lib/igi-ca/alias -list lunapci And another suggestion is to add the token/password in the password.conf file before you start the configuration. Christina On 05/24/2012 05:34 AM, Riccardo Brunetti wrote: > > Dear pki-users. > We are setting up a CA subsystem using dogtag 1.3 on CentOS-5.8 and a > HSM Luna PCI3000 (SafeNet). > The HSM card seems to be correctly installed in the system and, using > the command line utilities, we could create a partition on the HSM to > store the crypto data. > > Unfortunately, when I run pkicreate and then the configuration wizard > in order to configure the CA subsystem, the HSM modules seems not to > be detected and the system still uses the software "NSS Internal PKCS > #11 Module". > > I also tried to manually load the pkcs#11 module using the command: > > # modutil -dbdir /var/lib/igi-ca/alias -nocertdb -add lunapci -libfile > /usr/lunapci/lib/libCryptoki2_64.so > > and the output of the list command is the following: > > # modutil -dbdir /var/lib/igi-ca/alias -list > > Listing of PKCS #11 Modules > ----------------------------------------------------------- > 1. NSS Internal PKCS #11 Module > slots: 2 slots attached > status: loaded > > slot: NSS Internal Cryptographic Services > token: NSS Generic Crypto Services > > slot: NSS User Private Key and Certificate Services > token: NSS Certificate DB > > 2. lunapci > library name: /usr/lunapci/lib/libCryptoki2_64.so > slots: 1 slot attached > status: loaded > > slot: Viper PCI Card > token: turintest > ----------------------------------------------------------- > > Moreover this is the output of TokenInfo command: > > # TokenInfo /var/lib/igi-ca/alias/ > > Database Path: /var/lib/igi-ca/alias/ > Found external module 'NSS Internal PKCS #11 Module' > Found external module 'lunapci' > Found external token 'turintest' > > Despite all of that, when the configuration wizard comes to the "Key > Store" page the module is not listed. > I then tried to include it manually in the CS.cfg file: > > preop.configModules.module0.commonName=lunapci > preop.configModules.module0.imagePath=../img/clearpixel.gif > preop.configModules.module0.userFriendlyName=lunapci > > and in this case it is listed but in Status "Not Found" > > How can I solve this issue? Do you have some suggestions? > > Thank you very much > R. Brunetti > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users From nalinda at techcert.lk Wed May 30 10:28:49 2012 From: nalinda at techcert.lk (Nalinda Herath) Date: Wed, 30 May 2012 15:58:49 +0530 Subject: [Pki-users] reset pkiconsole password [for CA server] Message-ID: <4FC5F661.70301@techcert.lk> Dear All, Is there a possibility to reset the pkiconsole password for the default "admin" user? I'm referring to the pkiconsole for the CA instance. (not the console for the Directory Server) Nalinda -- ---- Nalinda Herath Information Security Engineer TechCERT / A Division of LK Domain Registry, 545/4, De Soysa Rd., Molpe, Moratuwa 10400, Sri Lanka Mobile: +94 77 7303905 Office: +94 11 4216062 Fax: +94 11 2650805 Web: www.techcert.lk =====HELPING YOU SECURE YOUR INFORMATION ASSETS===== -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2619 bytes Desc: S/MIME Cryptographic Signature URL: From riccardo.brunetti at to.infn.it Wed May 30 13:13:04 2012 From: riccardo.brunetti at to.infn.it (Torino) Date: Wed, 30 May 2012 15:13:04 +0200 Subject: [Pki-users] Problems with Luna PCI HSM and dogtag 1.3 In-Reply-To: <4FBEACF7.9060306@redhat.com> References: <4FBE2AD3.1040505@to.infn.it> <4FBEACF7.9060306@redhat.com> Message-ID: <4FC61CE0.5030606@to.infn.it> Il 24/05/12 21 23:49, Christina Fu ha scritto: > I have not worked on a Luna PCI HSM, but did you try the following to > see if it provides you with any clue on the status of the token? > modutil -dbdir /var/lib/igi-ca/alias -list lunapci > > And another suggestion is to add the token/password in the > password.conf file before you start the configuration. > > Christina > > On 05/24/2012 05:34 AM, Riccardo Brunetti wrote: >> >> Dear pki-users. >> We are setting up a CA subsystem using dogtag 1.3 on CentOS-5.8 and a >> HSM Luna PCI3000 (SafeNet). >> The HSM card seems to be correctly installed in the system and, using >> the command line utilities, we could create a partition on the HSM to >> store the crypto data. >> >> Unfortunately, when I run pkicreate and then the configuration wizard >> in order to configure the CA subsystem, the HSM modules seems not to >> be detected and the system still uses the software "NSS Internal PKCS >> #11 Module". >> >> I also tried to manually load the pkcs#11 module using the command: >> >> # modutil -dbdir /var/lib/igi-ca/alias -nocertdb -add lunapci >> -libfile /usr/lunapci/lib/libCryptoki2_64.so >> >> and the output of the list command is the following: >> >> # modutil -dbdir /var/lib/igi-ca/alias -list >> >> Listing of PKCS #11 Modules >> ----------------------------------------------------------- >> 1. NSS Internal PKCS #11 Module >> slots: 2 slots attached >> status: loaded >> >> slot: NSS Internal Cryptographic Services >> token: NSS Generic Crypto Services >> >> slot: NSS User Private Key and Certificate Services >> token: NSS Certificate DB >> >> 2. lunapci >> library name: /usr/lunapci/lib/libCryptoki2_64.so >> slots: 1 slot attached >> status: loaded >> >> slot: Viper PCI Card >> token: turintest >> ----------------------------------------------------------- >> >> Moreover this is the output of TokenInfo command: >> >> # TokenInfo /var/lib/igi-ca/alias/ >> >> Database Path: /var/lib/igi-ca/alias/ >> Found external module 'NSS Internal PKCS #11 Module' >> Found external module 'lunapci' >> Found external token 'turintest' >> >> Despite all of that, when the configuration wizard comes to the "Key >> Store" page the module is not listed. >> I then tried to include it manually in the CS.cfg file: >> >> preop.configModules.module0.commonName=lunapci >> preop.configModules.module0.imagePath=../img/clearpixel.gif >> preop.configModules.module0.userFriendlyName=lunapci >> >> and in this case it is listed but in Status "Not Found" >> >> How can I solve this issue? Do you have some suggestions? >> >> Thank you very much >> R. Brunetti >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users Dear Christina. Thank you very much for your suggestions. It was actually a problem with the HSM activating password. Now dogtag sees the module and uses it. Thanks a lot once again. Best Regards R. Brunetti -- ------------------- Riccardo Brunetti INFN - Torino Tel: +390116707295 Skype: rbrunetti ------------------- From alee at redhat.com Wed May 30 13:25:39 2012 From: alee at redhat.com (Ade Lee) Date: Wed, 30 May 2012 09:25:39 -0400 Subject: [Pki-users] reset pkiconsole password [for CA server] In-Reply-To: <4FC5F661.70301@techcert.lk> References: <4FC5F661.70301@techcert.lk> Message-ID: <1338384339.3069.12.camel@aleeredhat.laptop> In the CA console, there is a tab for managing Users and Groups. http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Creating_a_New_Group.html#Creating_Users-for-a-ca-ocsp-drm-or-tks You can select and modify the admin user (or any other user) from there. Ade On Wed, 2012-05-30 at 15:58 +0530, Nalinda Herath wrote: > Dear All, > > Is there a possibility to reset the pkiconsole password for the default > "admin" user? I'm referring to the pkiconsole for the CA instance. (not > the console for the Directory Server) > > Nalinda > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users From nalinda at techcert.lk Wed May 30 15:52:44 2012 From: nalinda at techcert.lk (Nalinda Herath) Date: Wed, 30 May 2012 21:22:44 +0530 Subject: [Pki-users] reset pkiconsole password [for CA server] In-Reply-To: <1338384339.3069.12.camel@aleeredhat.laptop> References: <4FC5F661.70301@techcert.lk> <1338384339.3069.12.camel@aleeredhat.laptop> Message-ID: <4FC6424C.3090603@techcert.lk> Thank you for the response. But what I forgot to tell was, I have lost the password for the admin user. And the system doesn't have any other user other than admin. Nalinda On 05/30/2012 06:55 PM, Ade Lee wrote: > In the CA console, there is a tab for managing Users and Groups. > http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Creating_a_New_Group.html#Creating_Users-for-a-ca-ocsp-drm-or-tks > > You can select and modify the admin user (or any other user) from there. > > Ade > > On Wed, 2012-05-30 at 15:58 +0530, Nalinda Herath wrote: >> Dear All, >> >> Is there a possibility to reset the pkiconsole password for the default >> "admin" user? I'm referring to the pkiconsole for the CA instance. (not >> the console for the Directory Server) >> >> Nalinda >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users > > -- ---- Nalinda Herath Information Security Engineer TechCERT / A Division of LK Domain Registry, 545/4, De Soysa Rd., Molpe, Moratuwa 10400, Sri Lanka Mobile: +94 77 7303905 Office: +94 11 4216062 Fax: +94 11 2650805 Web: www.techcert.lk =====HELPING YOU SECURE YOUR INFORMATION ASSETS===== -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2619 bytes Desc: S/MIME Cryptographic Signature URL: From cfu at redhat.com Wed May 30 17:08:00 2012 From: cfu at redhat.com (Christina Fu) Date: Wed, 30 May 2012 10:08:00 -0700 Subject: [Pki-users] reset pkiconsole password [for CA server] In-Reply-To: <4FC6424C.3090603@techcert.lk> References: <4FC5F661.70301@techcert.lk> <1338384339.3069.12.camel@aleeredhat.laptop> <4FC6424C.3090603@techcert.lk> Message-ID: <4FC653F0.7020006@redhat.com> All CS role users are stored in the ldap. You could use ldapmodify to change it, provided you have the directory manager password. Christina On 05/30/2012 08:52 AM, Nalinda Herath wrote: > Thank you for the response. > > But what I forgot to tell was, I have lost the password for the admin > user. And the system doesn't have any other user other than admin. > > Nalinda > > > On 05/30/2012 06:55 PM, Ade Lee wrote: >> In the CA console, there is a tab for managing Users and Groups. >> http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Creating_a_New_Group.html#Creating_Users-for-a-ca-ocsp-drm-or-tks >> >> You can select and modify the admin user (or any other user) from there. >> >> Ade >> >> On Wed, 2012-05-30 at 15:58 +0530, Nalinda Herath wrote: >>> Dear All, >>> >>> Is there a possibility to reset the pkiconsole password for the default >>> "admin" user? I'm referring to the pkiconsole for the CA instance. (not >>> the console for the Directory Server) >>> >>> Nalinda >>> >>> _______________________________________________ >>> Pki-users mailing list >>> Pki-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/pki-users >> > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From nalinda at techcert.lk Thu May 31 06:55:42 2012 From: nalinda at techcert.lk (Nalinda Herath) Date: Thu, 31 May 2012 12:25:42 +0530 Subject: [Pki-users] reset pkiconsole password [for CA server] In-Reply-To: <4FC653F0.7020006@redhat.com> References: <4FC5F661.70301@techcert.lk> <1338384339.3069.12.camel@aleeredhat.laptop> <4FC6424C.3090603@techcert.lk> <4FC653F0.7020006@redhat.com> Message-ID: <4FC715EE.60507@techcert.lk> Thank you for the response. I have the directory manager password. Could you please help me to reset the admin password via ldapmodify utility. Regards, Nalinda On 05/30/2012 10:38 PM, Christina Fu wrote: > All CS role users are stored in the ldap. You could use ldapmodify to > change it, provided you have the directory manager password. > > Christina > > On 05/30/2012 08:52 AM, Nalinda Herath wrote: >> Thank you for the response. >> >> But what I forgot to tell was, I have lost the password for the admin >> user. And the system doesn't have any other user other than admin. >> >> Nalinda >> >> >> On 05/30/2012 06:55 PM, Ade Lee wrote: >>> In the CA console, there is a tab for managing Users and Groups. >>> http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Creating_a_New_Group.html#Creating_Users-for-a-ca-ocsp-drm-or-tks >>> >>> You can select and modify the admin user (or any other user) from there. >>> >>> Ade >>> >>> On Wed, 2012-05-30 at 15:58 +0530, Nalinda Herath wrote: >>>> Dear All, >>>> >>>> Is there a possibility to reset the pkiconsole password for the default >>>> "admin" user? I'm referring to the pkiconsole for the CA instance. (not >>>> the console for the Directory Server) >>>> >>>> Nalinda >>>> >>>> _______________________________________________ >>>> Pki-users mailing list >>>> Pki-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/pki-users >> >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users > > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users -- ---- Nalinda Herath Information Security Engineer TechCERT / A Division of LK Domain Registry, 545/4, De Soysa Rd., Molpe, Moratuwa 10400, Sri Lanka Mobile: +94 77 7303905 Office: +94 11 4216062 Fax: +94 11 2650805 Web: www.techcert.lk =====HELPING YOU SECURE YOUR INFORMATION ASSETS===== -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2619 bytes Desc: S/MIME Cryptographic Signature URL: From msauton at redhat.com Thu May 31 14:26:50 2012 From: msauton at redhat.com (Marc Sauton) Date: Thu, 31 May 2012 07:26:50 -0700 Subject: [Pki-users] reset pkiconsole password [for CA server] In-Reply-To: <4FC715EE.60507@techcert.lk> References: <4FC5F661.70301@techcert.lk> <1338384339.3069.12.camel@aleeredhat.laptop> <4FC6424C.3090603@techcert.lk> <4FC653F0.7020006@redhat.com> <4FC715EE.60507@techcert.lk> Message-ID: <4FC77FAA.2090707@redhat.com> The admin entry has a DN similar to this form dn: uid=admin,ou=people,dc=-pki-ca Bind as the directory manager to read or modify the userpassword attribute I added an example of detailed steps in a "knowledge based" article at https://access.redhat.com/knowledge/articles/133053 M. On 05/30/2012 11:55 PM, Nalinda Herath wrote: > Thank you for the response. > > I have the directory manager password. Could you please help me to > reset the admin password via ldapmodify utility. > > Regards, > Nalinda > > > On 05/30/2012 10:38 PM, Christina Fu wrote: >> All CS role users are stored in the ldap. You could use ldapmodify >> to change it, provided you have the directory manager password. >> >> Christina >> >> On 05/30/2012 08:52 AM, Nalinda Herath wrote: >>> Thank you for the response. >>> >>> But what I forgot to tell was, I have lost the password for the admin >>> user. And the system doesn't have any other user other than admin. >>> >>> Nalinda >>> >>> >>> On 05/30/2012 06:55 PM, Ade Lee wrote: >>>> In the CA console, there is a tab for managing Users and Groups. >>>> http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Creating_a_New_Group.html#Creating_Users-for-a-ca-ocsp-drm-or-tks >>>> >>>> You can select and modify the admin user (or any other user) from there. >>>> >>>> Ade >>>> >>>> On Wed, 2012-05-30 at 15:58 +0530, Nalinda Herath wrote: >>>>> Dear All, >>>>> >>>>> Is there a possibility to reset the pkiconsole password for the default >>>>> "admin" user? I'm referring to the pkiconsole for the CA instance. (not >>>>> the console for the Directory Server) >>>>> >>>>> Nalinda >>>>> >>>>> _______________________________________________ >>>>> Pki-users mailing list >>>>> Pki-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/pki-users >>> >>> >>> _______________________________________________ >>> Pki-users mailing list >>> Pki-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/pki-users >> >> >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users > > > -- > ---- > Nalinda Herath > Information Security Engineer > TechCERT / A Division of LK Domain Registry, > 545/4, De Soysa Rd., Molpe, > Moratuwa 10400, > Sri Lanka > > Mobile: +94 77 7303905 > Office: +94 11 4216062 > Fax: +94 11 2650805 > Web:www.techcert.lk > > =====HELPING YOU SECURE YOUR INFORMATION ASSETS===== > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users -------------- next part -------------- An HTML attachment was scrubbed... URL: