From sbaa at vip.qq.com Thu May 2 09:24:47 2013
From: sbaa at vip.qq.com (=?gb18030?B?97z3w8Oo?=)
Date: Thu, 2 May 2013 17:24:47 +0800
Subject: [Pki-users] Re: Re: Re: "SecurityDomain HTTPSAdmin URL not found "
Message-ID: 

Hi Alee

Some update: I tried another SCEP client, sscep (https://github.com/certnanny/sscep), and got the same result:

./sscep: server returned status code 500
./sscep: mime_err: HTTP/1.1 500 Internal Server Error
Date: Thu, 02 May 2013 09:13:20 GMT
Server: Apache
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1

Software error:

Could not find pkiclient.xml in /var/lib/pki-ra/docroot/ee/scep/ at /var/lib/pki-ra/docroot/ee/scep/pkiclient.cgi line 81.

For help, please send mail to the webmaster (you at example.com), giving this error message and the time and date of the error.

./sscep: wrong (or missing) MIME content type
./sscep: error while sending message

I am not sure what version is stable and recommended.

Thanks
Sbaa

------------------ Original message ------------------
From: "???";
Sent: 2013-04-30 (Tue) 2:33
To: "alee";
Cc: "Pki-users";
Subject: Re: Re: Re: [Pki-users] "SecurityDomain HTTPSAdmin URL not found "

Hi Alee

I used Firefox's keymanager plugin to do some simple tests. I just connected to the RA server and clicked next and next, then encountered this error. But I didn't go through any source about pkiclient.cgi, so I'm not sure where the file pkiclient.xml is introduced.

Another question: if the client request can choose some file which is used by the server CGI internally, is there any security risk?

Best Regards
sbaa

------------------ Original message ------------------
From: "alee";
Sent: 2013-04-30 (Tue) 1:06
To: "???";
Cc: "Pki-users";
Subject: Re: Re: Re: [Pki-users] "SecurityDomain HTTPSAdmin URL not found "

I don't see anything in the code about pkiclient.xml. Can you detail exactly what you did to test SCEP?

Thanks,
Ade

On Sun, 2013-04-28 at 15:13 +0800, ??? wrote:
> Hi Alee
>
> Thank you, I finished the configuration for the RA server by disabling
> SELinux.
> But when I test the SCEP feature, I got this error:
> In error log:
> [Sun Apr 28 03:05:56.891164 2013] [:error] [pid 1822:tid 140696560207616] [Sun Apr 28 03:05:56 2013] -e: Could not find pkiclient.xml in /var/lib/pki-ra/docroot/ee/scep/ at /var/lib/pki-ra/docroot/ee/scep/pkiclient.cgi line 81.
>
> on firefox:
> Software error:
> Could not find pkiclient.xml in /var/lib/pki-ra/docroot/ee/scep/ at /var/lib/pki-ra/docroot/ee/scep/pkiclient.cgi line 81.
>
> For help, please send mail to the webmaster (you at example.com), giving
> this error message and the time and date of the error.
>
> Thanks
> sbaa
>
> ------------------ Original message ------------------
> From: "alee";
> Sent: 2013-04-28 (Sun) 2:00
> To: "???";
> Cc: "Pki-users";
> Subject: Re: Re: [Pki-users] "SecurityDomain HTTPS Admin URL not found "
>
> I ran into the same problem:
>
> The one you want is https://localhost.domain:8443
>
> I resolved this by setting selinux in permissive mode. I will file a
> bug against selinux policy on Monday.
>
> Ade
>
> On Sun, 2013-04-28 at 02:27 +0800, ??? wrote:
> > Hi alee
> >
> > I tried the following urls
> >
> > https://localhost.localdomain:8443
> > https://localhost.localdomain:8443/ca
> > http://localhost.localdomain:8080
> > http://localhost.localdomain:8080/ca
> >
> > but all failed.
> >
> > and i found some info in the error log (/var/log/pki-ra/error_log):
> > GET /ca/admin/ca/getStatus HTTP/1.0
> >
> > port: 8443
> > addr='localhost.localdomain'
> > family='2'
> > IP='127.0.0.1'
> > exit after PR_Connect with error -5985:
> > GET /ca/admin/ca/getStatus HTTP/1.0
> >
> > port: 9445
> > addr='localhost.localdomain'
> > family='2'
> > IP='127.0.0.1'
> > exit after PR_Connect with error -5961:
> >
> > ------------------ Original message ------------------
> > From: "Ade Lee";
> > Sent: 2013-04-28 (Sun) 1:04
> > To: "???";
> > Cc: "Pki-users";
> > Subject: Re: [Pki-users] "Security Domain HTTPS Admin URL not found "
> >
> > What value are you putting in for your security domain?
> >
> > Ade
> > On Sat, 2013-04-27 at 23:39 +0800, ??? wrote:
> > > Hi All
> > > I'm a new user of dogtag.
> > > I tried the latest build 10.0.2.
> > > I installed the ca server successfully, but when I configure a ra subsystem,
> > >
> > > url :
> > > https://localhost.localdomain:12890/ra/admin/console/config/wizard
> > >
> > > it always shows the error "Security Domain HTTPS Admin URL not found" and
> > > "Create a New Security Domain" cannot be chosen.
> > > any ideas?
> > >
> > > thanks
> > >
> > > _______________________________________________
> > > Pki-users mailing list
> > > Pki-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-users
> > >
> > > .
> >
> > .
> .
From sbaa at vip.qq.com Thu May 2 11:17:07 2013
From: sbaa at vip.qq.com (=?gb18030?B?97z3w8Oo?=)
Date: Thu, 2 May 2013 19:17:07 +0800
Subject: [Pki-users] Re: Re: Re: "SecurityDomain HTTPSAdmin URL not found " (solved)
Message-ID: 

Hi Alee

I took some time to debug the Perl CGI. I found the error was caused by the decode method; after I changed it, it works.

./sscep enroll -f sscep.conf -E 3des -S sha1
....
CN's of request and certificate matched!
./sscep: writing cert
-----BEGIN CERTIFICATE-----
MIIC8DCCAdigAwIBAgIBCjANBgkqhkiG9w0BAQsFADBHMSQwIgYDVQQKExtsb2Nh
bGRvbWFpbiBTZWN1cml0eSBEb21haW4xHzAdBgNVBAMTFkNBIFNpZ25pbmcgQ2Vy
dGlmaWNhdGUwHhcNMTMwNTAyMTEwOTAwWhcNMTUwNDIyMTEwOTAwWjAXMRUwEwYD
VQQDEwwxMC42NC43OS4yMzQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOAV
TYAh2vWcLWys4AMGEs9qbUeg/IkG9R944fHnaR9+uwqA+cZVNwmOl/Qwvk3GINiS
JQKlhR1wxf4AHeCACtfN7fk+ckjOngx+PN4GLGwZyTAPSWEFCK7vzGqrFWyqAibL
eeKzhhXiWkoHqQYkOoboAKY2OEvHuwKDod5xT3q/AgMBAAGjgZowgZcwHwYDVR0j
BBgwFoAUs0FtabRcZ2tq6VfsBCXKQKzoWsAwRQYIKwYBBQUHAQEEOTA3MDUGCCsG
AQUFBzABhilodHRwOi8vbG9jYWxob3N0LmxvY2FsZG9tYWluOjgwODAvY2Evb2Nz
cDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwME
MA0GCSqGSIb3DQEBCwUAA4IBAQBzRKjf0ebDVjhIOuYFhbE/Htful4oLtCcQI2sZ
xjr9uWUITEVZNCWONUJ2pZKT+9KefE8zCjRd8tliyKjUZOO4VYpO+TDfe4KsQMSe
2Lrd35g35iUXOhqi2IVXLjQT6mdEWuYKwIGRl98pyoLMz9MZKbLdnrGkhYZHxA9n
EMds+7VmYdw3orZDaD4UmMqZL6FfNazjTKK1VlOWDL75QeVGGv9lNXbWqB+EUAZp
U0mc/dip2R3wZRwygHE7cKs/lvheI9GkoQYLSLWzKcS2M2JiSOiwrEfi+zMWF71O
DRbD6S2b8tl8k/f9WCwgLgKisw3TKRyJV+FLb5LdapE7lMQi
-----END CERTIFICATE-----
./sscep: certificate written as ./local.crt

Sorry, I didn't change the default value according to (http://pki.fedoraproject.org/wiki/SCEP_in_Dogtag#SSCEP_Configuration) because the first time I used Firefox's keymanager.

Thanks very much!
sbaa

------------------ Original message ------------------
From: "???";
Sent: 2013-05-02 (Thu) 5:24
To: "alee";
Cc: "Pki-users";
Subject: Re: Re: Re: [Pki-users] "SecurityDomain HTTPSAdmin URL not found "
From alee at redhat.com Fri May 3 02:09:29 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 02 May 2013 22:09:29 -0400
Subject: [Pki-users] Announcing the release of Dogtag 10.0.2
Message-ID: <1367546969.7810.35.camel@aleeredhat.laptop>

The Dogtag team is proud to announce the second errata build for
Dogtag v10.0.0.

Builds are available for Fedora 18 and Fedora 19 in the updates-testing
repo. Please try it out and provide karma to move them to the F18 and
F19 stable repos.

Daily developer builds for Fedora 17, 18 and 19 are available at
http://nkinder.fedorapeople.org/dogtag-devel/fedora/

== Build Versions ==
pki-core-10.0.2-2
pki-ra-10.0.2-2
pki-tps-10.0.2-2
dogtag-pki-10.0.2-1
dogtag-pki-theme-10.0.2-1
pki-console-10.0.2-2

== Highlights since Dogtag v. 10.0.1 ==
* A new Python client framework has been written to connect to the
restful interface on the java subsystems. This interface was used
for some installation functionality and will continue to be expanded.

* pkispawn and pkidestroy were modified to use the new Python client
framework and the dependency on jython was eliminated.

* The installation interfaces were changed so that most of the
installation interactions take place over the admin interface.

* New command line parameters have been added to pkidestroy to provide
the username and password of the security domain administrator to update
the security domain. Formerly, no credentials were required because we
used the subsystem certificate of the subsystem for authentication. The
new method provides better auditing as to exactly who is de-registering
and removing a subsystem. As such, use of the new options is
recommended, and will be made mandatory in a future release.

* Although it is possible to run Dogtag 9 style instances on Dogtag 10,
these instances do not have the required configuration to expose the
RESTful interface. A new servlet has been added to return 501 (Not
implemented) on these instances when the REST URLs are accessed. This
is only applicable on Fedora 18 (See Fedora 19 note below).

* A new interactive mode has been added to pkispawn and pkidestroy. In
this mode, users are prompted for details in order to set up the most
basic servers. Any customizations would still need to be done through
configuration files. Interactive mode is an excellent way for users to
set up a server and become familiar with Dogtag.

* Support has been added for the random generation of serial numbers for
certificates issued. More details about this feature and how to enable
it can be found here:
http://pki.fedoraproject.org/wiki/Random_Certificate_Serial_Numbers

* Nonces are used in Dogtag to prevent cross-site request forgery and
replay attack, but they were stored in a global list. To prevent
possible collisions with other user's nonces, they are now stored in
each user's session.

* Previously, session IDs were generated using /dev/random, which may
block under certain circumstances, making server startup slow. To avoid
this, the server configuration has been changed to use PKCS11PRNG
provided by JSS.

* A new upgrade framework has been added to allow instances to be
automatically upgraded when new packages are installed. This framework
will be used to eventually remove the need for migrations between
releases. The upgrade scripts are invoked by postinstall scriptlets in
the pki-base and pki-server packages. On completing an upgrade, users
should check the upgrade logs in /var/log/pki/pki-upgrade-*.log
and /var/log/pki/pki-server-upgrade-*.log for any errors. The upgrade
scripts (pki-upgrade and pki-server-upgrade) can also be run manually.
Additional troubleshooting information can be found at:
http://pki.fedoraproject.org/wiki/Upgrade

* New CLI has been added to simplify client certificate management
including importing and trusting CA certificates.

* Previously, the pki CLI tool used the same parameter (-w) to specify
both user and client certificate database passwords. The CLI has been
modified to use a new parameter (-c) for the database password, and -w
for the user password.

* Multiple additional fixes to pkispawn, pkidestroy, pki and their man
pages.

== Notes on Fedora 19 ==
Fedora 19 does not provide tomcat 6. Dogtag 9 style instances will
therefore no longer work on Fedora 19. These instances need to be
migrated to Dogtag 10.

To prevent inadvertently disabling Dogtag instances, code has been added
to prevent upgrades to Fedora 19 if Dogtag 9 instances exist. Details
on how to upgrade Dogtag 9 instances and workarounds can be found at:
http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_10

== Detailed Changes since Dogtag v. 10.0.1 ==

akoneru (23):
#191 Map REST exceptions to HTTP status codes
#217 CLI should display message on operations that complete with error
#290 Add hints to option descriptions for cert-find cli command
#383 Extend coverity tests to scan other subsystems (TPS, etc.)
#452 Dogtag 10: Fix minor RA and TPS Configuration Wizard Panel issues
#465 Verify 'pki_backup_keys=True' if 'pki_backup_password' is set
#470 Prevent concurrent execution of pkispawn/pkidestroy
#471 Update man pages for interactive pkispawn/pkidestroy
#493 interpolation in pkispawn scripts should not apply to passwords
#502 Change pkidestroy "-w" option to require a password file
#507 Mark pki.conf as configuration file in RPM spec
#509 man page for pkispawn should be modified to specify pki_ca_signing_subject_dn when setting up subordinate CA
#514 Clean up pkispawn output
#521 Separate python deployment engine from python deployment scriptlets source code
#525 Incorrect info in pkispawn man page
#536 Catch keyboard interrupt
#542 Remove all "respawn()" logic from "pkispawn"
#543 Incorrect user-show usage.
#549 PKCS10Client tool throws java exception NoClassDefFoundError
#563 Use timeout in configuration script
#566 Mask sensitive parameters in archived config
#592 pkispawn not reporting the error message when exceptions are thrown
#593 Error caused by JSON Configuration result decoding when installing CA clone

alee (9):
#232 add python binding for pkispawn/pkidestroy
#419 REST interface for cert requests
#532 refactor pkispawn to use new python client
#546 Upgrade script for clone installation
#564 Rename base/deploy to base/server
#589 dependency needed for java-atk-wrapper in f19
#578 Rest API does not work on d9 -> d10 upgrade instances
#590 pki-base needs to deliver /var/log/pki
#597 Create 10.0.2 builds

awnuk (7):
#569 Port support for random certificate serial numbers to Dogtag 10
#570 Port patch allowing to support random certificate serial numbers for system certificates to Dogtag 10
#579 Port patch allowing to clone CA with random serial number enabled.
#580 Port patch allowing to restart CA clone during configuration change to random serial numbers.
#584 Port patch including system certificates with random serial numbers in the certificate counter.
BZ 955784 - Correct Javascript inability to handle big numbers
BZ 951501 - Corrects key IDs miscalculated by Javascript

cfu (6):
BZ 929043 - serverCert.profile with SAN results in SubjectAltNameException
BZ 927545 - Transport Cert signing Algorithm doesn't show ECC Signing Algorithm
BZ 904289 - Add ECC Support to Certificate Profiles
BZ 902952 - RFE: Revocation routing with TPS and multiple non-cloned CAs
BZ 903401 - TMS: RSA token enrollment failed : public key decode error
#362 CMC ECC

edewata (24):
#190 REST interface for user-group membership.
#291 Fix format of validityUnit option in cert-find command
#380 default install: part 2
#472 pkispawn should test DS info
#473 pkispawn should test security domain info
#474 Session-based nonces
#476 Limit username & password authentication
#477 Annotation for authentication methods
#491 Prompt CLI user on certificate warnings.
#497 Date format for cert-find
#498 [RFE] Add dates to cert-find output
#500 validityCount option returns 500 error
#501 Add cert status option to cert-find
#503 Dogtag 10: Security Domain Issues
#511 Add cert-request-show command.
#520 CLI returns 0 on error
#523 Add CLI option to capture HTTP data
#524 Tomcat blocks during startup
#535 python-requests compatibility problem
#541 Use FQDN instead of localhost in CLI
#544 Implement upgrade framework
#545 Upgrade script for random number generator
#553 pki.conf needs to be delivered by pki-base
#598 Upgrade script for JNI_JAR_DIR

jmagne (1):
#587 ipa-server-install crashes due to sslget error

mharmsen (7):
#409 Add pkispawn option to not copy the UI pieces (gifs, templates).
#488 Dogtag 10: Fix cli 'cert-find' clientAuth issue
#517 Clean up theme dependencies
#518 Remove UI dependencies from pkispawn
#602 pkiconsole cannot find 'jss4.jar' on Fedora 19
BZ 947524 - Clone installation does not work over NAT
BZ 919476 - pkispawn crashes due to dangling symlink to jss4.jar

From sbaa at vip.qq.com Fri May 3 10:20:59 2013
From: sbaa at vip.qq.com (=?gb18030?B?97z3w8Oo?=)
Date: Fri, 3 May 2013 18:20:59 +0800
Subject: [Pki-users] iphone's scep function with dogtag
Message-ID: 

Hi All

Who has tried the SCEP feature with an iPhone?
I tested on an iPhone 4S; it returns "invalid response".

Thanks
sbaa
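The session-bound nonce item in the Dogtag 10.0.2 announcement above (ticket #474 in the change list) is easiest to see as two small stores side by side. What follows is an added example written for this page; it is not Dogtag's code and does not describe how Dogtag stored or checked nonces before or after the change. The class names, the form shape and the revocation handler are this example's own. With a single shared collection, a nonce is accepted from whichever session presents it; with per-session storage the same nonce is only honoured by the session it was issued to, and a nonce from another session cannot be mistaken for one of yours. Both designs still reject a second use of the same nonce.

```python
import secrets
from collections import defaultdict

# Constructed illustration of the two designs named in the announcement above.
# Neither class is Dogtag's code; names and the request shape are this example's own.

class GlobalNonceStore:
    """One shared collection of outstanding nonces for every user."""

    def __init__(self):
        self._issued = set()

    def issue(self, session_id):
        nonce = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self._issued.add(nonce)
        return nonce

    def consume(self, session_id, nonce):
        # Which session presents the nonce is never checked: any outstanding
        # nonce, whoever it was issued to, is accepted exactly once.
        if nonce in self._issued:
            self._issued.remove(nonce)
            return True
        return False


class SessionNonceStore:
    """Outstanding nonces kept per session; valid only for the session they were issued to."""

    def __init__(self):
        self._issued = defaultdict(set)

    def issue(self, session_id):
        nonce = secrets.token_hex(16)
        self._issued[session_id].add(nonce)
        return nonce

    def consume(self, session_id, nonce):
        outstanding = self._issued.get(session_id, set())
        if nonce in outstanding:
            outstanding.remove(nonce)
            return True
        return False


def handle_revocation(store, session_id, form):
    """A state-changing handler: the nonce in the submitted form gates the action."""
    if not store.consume(session_id, form.get("nonce", "")):
        return "rejected: missing, unknown or already-used nonce"
    return "revoked serial " + str(form["serial"])


def cross_session_replay(store_cls):
    """Nonce issued to session A, presented from session B; True if B's request went through."""
    store = store_cls()
    nonce = store.issue("session-A")
    reply = handle_revocation(store, "session-B", {"nonce": nonce, "serial": 10})
    return reply.startswith("revoked")


def double_submit(store_cls):
    """The same nonce presented twice by its own session: (first accepted?, second accepted?)."""
    store = store_cls()
    nonce = store.issue("session-A")
    replies = [handle_revocation(store, "session-A", {"nonce": nonce, "serial": 10}) for _ in range(2)]
    return tuple(r.startswith("revoked") for r in replies)
```

cross_session_replay(GlobalNonceStore) returns True and cross_session_replay(SessionNonceStore) returns False; double_submit returns (True, False) for both stores, which is the replay protection the nonce provides in either design. A real server would also expire unused nonces and drop a session's set when the session ends.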
From jdennis at redhat.com Fri May 3 13:49:19 2013
From: jdennis at redhat.com (John Dennis)
Date: Fri, 03 May 2013 09:49:19 -0400
Subject: [Pki-users] [Pki-announce] Announcing the release of Dogtag 10.0.2
In-Reply-To: <1367546969.7810.35.camel@aleeredhat.laptop>
References: <1367546969.7810.35.camel@aleeredhat.laptop>
Message-ID: <5183C05F.1070300@redhat.com>

On 05/02/2013 10:09 PM, Ade Lee wrote:
> The Dogtag team is proud to announce the second errata build for
> Dogtag v10.0.0.

Just wanted to say the CS team is doing great work. Thanks for all these improvements!

John
--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From thomas.moyer at ll.mit.edu Fri May 3 13:57:01 2013
From: thomas.moyer at ll.mit.edu (Moyer, Thomas - 0558 - MITLL)
Date: Fri, 3 May 2013 09:57:01 -0400
Subject: [Pki-users] Announcing the release of Dogtag 10.0.2
In-Reply-To: <1367546969.7810.35.camel@aleeredhat.laptop>
Message-ID: 

Is there documentation on the REST interface that I can look at? I've
found some examples, but nothing that outlines everything.

Also, does the Python client framework support querying for certificates,
or is it just for the initial deployment?

Thanks!

-Tom

On 5/2/13 10:09 PM, "Ade Lee" wrote:

>The Dogtag team is proud to announce the second errata build for
>Dogtag v10.0.0.
From awnuk at redhat.com Fri May 3 16:55:40 2013
From: awnuk at redhat.com (Andrew Wnuk)
Date: Fri, 03 May 2013 09:55:40 -0700
Subject: [Pki-users] iphone's scep function with dogtag
In-Reply-To: 
References: 
Message-ID: <5183EC0C.6050808@redhat.com>

On 05/03/2013 03:20 AM, ???
wrote:
> Hi All
>
> Who has tried the SCEP feature with an iPhone?
> I tested on an iPhone 4S; it returns "invalid response".
>
> Thanks
> sbaa
>
Could you provide more details?

Thank you,
Andrew

From alee at redhat.com Fri May 3 16:57:07 2013
From: alee at redhat.com (Ade Lee)
Date: Fri, 03 May 2013 12:57:07 -0400
Subject: [Pki-users] Announcing the release of Dogtag 10.0.2
In-Reply-To: 
References: 
Message-ID: <1367600227.28606.23.camel@aleeredhat.laptop>

Hi,

We're working on some more substantial documentation, and maybe some
javadocs. In the meantime, there is some information on a wiki page:
http://pki.fedoraproject.org/wiki/REST

In particular, there is a section called "Current Implementation", which
has links to the relevant files in the code. If you look at the resource
files, you'll see exactly which calls and URLs have been implemented.
http://pki.fedoraproject.org/wiki/RESTEasy has more details on how to
interpret the files.

The java client framework is - by definition - complete, because
Resteasy provides a client framework.

The Python client framework will be expanded to include all operations
very soon. For now, it just covers initial deployment operations.
FreeIPA has implemented some python code to do things like listing and
querying certs and requests though in Python.

On Fri, 2013-05-03 at 09:57 -0400, Moyer, Thomas - 0558 - MITLL wrote:
> Is there documentation on the REST interface that I can look at? I've
> found some examples, but nothing that outlines everything.
>
> Also, does the Python client framework support querying for certificates,
> or is it just for the initial deployment?
>
> Thanks!
>
> -Tom
>
> On 5/2/13 10:09 PM, "Ade Lee" wrote:
>
> >The Dogtag team is proud to announce the second errata build for
> >Dogtag v10.0.0.
> >
> >Daily developer builds for Fedora 17, 18 and 19 are available at
> >http://nkinder.fedorapeople.org/dogtag-devel/fedora/
> >
> >== Build Versions ==
> >pki-core-10.0.2-2
> >pki-ra-10.0.2-2
> >pki-tps-10.0.2-2
> >dogtag-pki-10.0.2-1
> >dogtag-pki-theme-10.0.2-1
> >pki-console-10.0.2-2
> >
> >== Highlights since Dogtag v. 10.0.1 ==
> >* A new Python client framework has been written to connect to the restful interface on the java subsystems. This interface was used for some installation functionality and will continue to be expanded.
> >
> >* pkispawn and pkidestroy were modified to use the new Python client framework and the dependency on jython was eliminated.
> >
> >* The installation interfaces were changed so that most of the installation interactions take place over the admin interface.
> >
> >* New command line parameters have been added to pkidestroy to provide the username and password of the security domain administrator to update the security domain. Formerly, no credentials were required because we used the subsystem certificate of the subsystem for authentication. The new method provides better auditing as to exactly who is de-registering and removing a subsystem. As such, use of the new options is recommended, and will be made mandatory in a future release.
> >
> >* Although it is possible to run Dogtag 9 style instances on Dogtag 10, these instances do not have the required configuration to expose the RESTful interface. A new servlet has been added to return 501 (Not implemented) on these instances when the REST URLs are accessed. This is only applicable on Fedora 18 (See Fedora 19 note below).
> >
> >* A new interactive mode has been added to pkispawn and pkidestroy. In this mode, users are prompted for details in order to set up the most basic servers. Any customizations would still need to be done through configuration files.
> >Interactive mode is an excellent way for users to set up a server and become familiar with Dogtag.
> >
> >* Support has been added for the random generation of serial numbers for certificates issued. More details about this feature and how to enable it can be found here:
> >http://pki.fedoraproject.org/wiki/Random_Certificate_Serial_Numbers
> >
> >* Nonces are used in Dogtag to prevent cross-site request forgery and replay attack, but they were stored in a global list. To prevent possible collisions with other users' nonces, they are now stored in each user's session.
> >
> >* Previously, session IDs were generated using /dev/random, which may block under certain circumstances, making server startup slow. To avoid this, the server configuration has been changed to use PKCS11PRNG provided by JSS.
> >
> >* A new upgrade framework has been added to allow instances to be automatically upgraded when new packages are installed. This framework will be used to eventually remove the need for migrations between releases. The upgrade scripts are invoked by postinstall scriptlets in the pki-base and pki-server packages. On completing an upgrade, users should check the upgrade logs in /var/log/pki/pki-upgrade-*.log and /var/log/pki/pki-server-upgrade-*.log for any errors. The upgrade scripts (pki-upgrade and pki-server-upgrade) can also be run manually. Additional troubleshooting information can be found at:
> >http://pki.fedoraproject.org/wiki/Upgrade
> >
> >* New CLI has been added to simplify client certificate management including importing and trusting CA certificates.
> >
> >* Previously, the pki CLI tool used the same parameter (-w) to specify both user and client certificate database passwords. The CLI has been modified to use a new parameter (-c) for the database password, and -w for the user password.
> >
> >* Multiple additional fixes to pkispawn, pkidestroy, pki and their man pages.
> >
> >== Notes on Fedora 19 ==
> >Fedora 19 does not provide tomcat 6. Dogtag 9 style instances will therefore no longer work on Fedora 19. These instances need to be migrated to Dogtag 10.
> >
> >To prevent inadvertently disabling Dogtag instances, code has been added to prevent upgrades to Fedora 19 if Dogtag 9 instances exist. Details on how to upgrade Dogtag 9 instances and workarounds can be found at:
> >http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_10
> >
> >== Detailed Changes since Dogtag v. 10.0.1 ==
> >
> >akoneru (23):
> >#191 Map REST exceptions to HTTP status codes
> >#217 CLI should display message on operations that complete with error
> >#290 Add hints to option descriptions for cert-find cli command
> >#383 Extend coverity tests to scan other subsystems (TPS, etc.)
> >#452 Dogtag 10: Fix minor RA and TPS Configuration Wizard Panel issues
> >#465 Verify 'pki_backup_keys=True' if 'pki_backup_password' is set
> >#470 Prevent concurrent execution of pkispawn/pkidestroy
> >#471 Update man pages for interactive pkispawn/pkidestroy
> >#493 interpolation in pkispawn scripts should not apply to passwords
> >#502 Change pkidestroy "-w" option to require a password file
> >#507 Mark pki.conf as configuration file in RPM spec
> >#509 man page for pkispawn should be modified to specify pki_ca_signing_subject_dn when setting up subordinate CA
> >#514 Clean up pkispawn output
> >#521 Separate python deployment engine from python deployment scriptlets source code
> >#525 Incorrect info in pkispawn man page
> >#536 Catch keyboard interrupt
> >#542 Remove all "respawn()" logic from "pkispawn"
> >#543 Incorrect user-show usage.
> >#549 PKCS10Client tool throws java exception NoClassDefFoundError
> >#563 Use timeout in configuration script
> >#566 Mask sensitive parameters in archived config
> >#592 pkispawn not reporting the error message when exceptions are thrown
> >#593 Error caused by JSON Configuration result decoding when installing CA clone
> >
> >alee (9):
> >#232 add python binding for pkispawn/ pkidestroy
> >#419 REST interface for cert requests
> >#532 refactor pkispawn to use new python client
> >#546 Upgrade script for clone installation
> >#564 Rename base/deploy to base/server
> >#589 dependency needed for java-atk-wrapper in f19
> >#578 Rest API does not work on d9 -> d10 upgrade instances
> >#590 pki-base needs to deliver /var/log/pki
> >#597 Create 10.0.2 builds
> >
> >awnuk (7):
> >#569 Port support for random certificate serial numbers to Dogtag 10
> >#570 Port patch allowing to support random certificate serial numbers for system certificates to Dogtag 10
> >#579 Port patch allowing to clone CA with random serial number enabled.
> >#580 Port patch allowing to restart CA clone during configuration change to random serial numbers.
> >#584 Port patch including system certificates with random serial numbers in the certificate counter.
> >BZ 955784 - Correct Javascript inability to handle big numbers
> >BZ 951501 - Corrects key IDs miscalculated by Javascript
> >
> >cfu (6):
> >BZ 929043 - serverCert.profile with SAN results in SubjectAltNameException
> >BZ 927545 - Transport Cert signing Algorithm doesn't show ECC Signing Algorithm
> >BZ 904289 - Add ECC Support to Certificate Profiles
> >BZ 902952 - RFE: Revocation routing with TPS and multiple non-cloned CAs
> >BZ 903401 - TMS: RSA token enrollment failed : public key decode error
> >#362 CMC ECC
> >
> >edewata (24)
> >#190 REST interface for user-group membership.
> >#291 Fix format of validityUnit option in cert-find command
> >#380 default install: part 2
> >#472 pkispawn should test DS info
> >#473 pkispawn should test security domain info
> >#474 Session-based nonces
> >#476 Limit username & password authentication
> >#477 Annotation for authentication methods
> >#491 Prompt CLI user on certificate warnings.
> >#497 Date format for cert-find
> >#498 [RFE] Add dates to cert-find output
> >#500 validityCount option returns 500 error
> >#501 Add cert status option to cert-find
> >#503 Dogtag 10: Security Domain Issues
> >#511 Add cert-request-show command.
> >#520 CLI returns 0 on error
> >#523 Add CLI option to capture HTTP data
> >#524 Tomcat blocks during startup
> >#535 python-requests compatibility problem
> >#541 Use FQDN instead of localhost in CLI
> >#544 Implement upgrade framework
> >#545 Upgrade script for random number generator
> >#553 pki.conf needs to be delivered by pki-base
> >#598 Upgrade script for JNI_JAR_DIR
> >
> >jmagne (1):
> >#587 ipa-server-install crashes due to sslget error
> >
> >mharmsen (7):
> >#409 Add pkispawn option to not copy the UI pieces (gifs, templates).
> >#488 Dogtag 10: Fix cli 'cert-find' clientAuth issue
> >#517 Clean up theme dependencies
> >#518 Remove UI dependencies from pkispawn
> >#602 pkiconsole cannot find 'jss4.jar' on Fedora 19
> >BZ 947524 - Clone installation does not work over NAT
> >BZ 919476 - pkispawn crashes due to dangling symlink to jss4.jar

From thomas.moyer at ll.mit.edu Fri May 3 18:26:08 2013
From: thomas.moyer at ll.mit.edu (Moyer, Thomas - 0558 - MITLL)
Date: Fri, 3 May 2013 14:26:08 -0400
Subject: [Pki-users] Announcing the release of Dogtag 10.0.2
In-Reply-To: <1367600227.28606.23.camel@aleeredhat.laptop>

That is what I needed. Thanks!

-Tom

--
Thomas Moyer, Ph.D.
58: Cyber Systems and Technology
http://www.ll.mit.edu/CST
244 Wood St, Lexington, MA 02420
(781) 981-1374
Office: C-385H

On 5/3/13 12:57 PM, "Ade Lee" wrote:

>Hi,
>
>We're working on some more substantial documentation, and maybe some javadocs. In the meantime, there is some information on a wiki page:
>
>http://pki.fedoraproject.org/wiki/REST
>
>In particular, there is a section called "Current Implementation", which has links to the relevant files in the code. If you look at the resource files, you'll see exactly which calls and URLs have been implemented.
>
>http://pki.fedoraproject.org/wiki/RESTEasy has more details on how to interpret the files.
>
>The java client framework is - by definition - complete, because Resteasy provides a client framework.
>
>The Python client framework will be expanded to include all operations very soon. For now, it just covers initial deployment operations.
>
>FreeIPA has implemented some python code to do things like listing and querying certs and requests though in Python.
>
>On Fri, 2013-05-03 at 09:57 -0400, Moyer, Thomas - 0558 - MITLL wrote:
>> Is there documentation on the REST interface that I can look at? I've found some examples, but nothing that outlines everything.
>>
>> Also, does the Python client framework support querying for certificates, or is it just for the initial deployment?
>>
>> Thanks!
>>
>> -Tom

From pkiadmin at nym.hush.com Sun May 5 10:46:35 2013
From: pkiadmin at nym.hush.com (pkiadmin at nym.hush.com)
Date: Sun, 05 May 2013 12:46:35 +0200
Subject: [Pki-users] 10.0.2 CA Installation failed on LDAP and CA chain
Message-ID: <20130505104636.42EEA6F443@smtp.hushmail.com>

Hello list members,

I have been trying to get Dogtag 10.0.2 on fc18 running but pkispawn concludes with Installation Failed.

Here is what I see:
pkispawn -s CA -f /home/pkiadmin/CA.cfg
Loading deployment configuration from /home/pkiadmin/CA.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.

The interactive pkispawn was also tried but this gives the same fail results.

In /var/log/pki/pki-tomcat/ca/system I see the following:
6650.localhost-startStop-1 - [05/May/2013:10:33:53 CEST] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS#11 certificate
6650.localhost-startStop-1 - [05/May/2013:10:33:53 CEST] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value

In /var/log/pki/pki-tomcat/catalina.out I see the above 2 errors preceded by CMS WARNING: FAILURE:

In /etc/pki/default.cfg I put pki_ds_hostname=hostname and made sure the pki_ds_port was correct. Oh yes, the remote DS389 was running and accessible.

When I look at services there is a pki-tomcatd at pki-tomcat running and I can restart it without problems. I can also get to the "End User Services" page on 8080. None of the other ports connect.

Thanks in advance.

From sbaa at vip.qq.com Mon May 6 05:42:26 2013
From: sbaa at vip.qq.com (=?gb18030?B?97z3w8Oo?=)
Date: Mon, 6 May 2013 13:42:26 +0800
Subject: [Pki-users] Re: iphone's scep function with dogtag

Hi All

More details:
I made a profile including SCEP settings and applied it to an iphone 4s. During the installation, it tries to enroll the cert and reports the error "invalid response".
The scep server was tested by SSCEP client.

Thanks

------------------ Original message ------------------
From: "???";
Sent: Friday, 3 May 2013, 6:20 PM
To: "Pki-users";
Subject: iphone's scep function with dogtag

Hi All

Who tried the SCEP feature with iphone?
I tested on iphone 4s, it returns "invalid response".

Thanks
sbaa
From fabeisageek at googlemail.com Mon May 6 07:33:53 2013
From: fabeisageek at googlemail.com (Fabian Bertholm)
Date: Mon, 6 May 2013 09:33:53 +0200
Subject: [Pki-users] End-Of-Life Gemalto TOP IM FIPS CY2 (Cyberflex Access 64k v2)

Hi,

I got a message from my smartcard dealer that the Gemalto TOP IM FIPS CY2 (Cyberflex Access 64k v2) is now EOL. Which other smartcard is officially supported? I need something with at least 64k. Anyone with an idea?

best regards
Fabian

From chrisb at csr.net Mon May 6 12:50:18 2013
From: chrisb at csr.net (Buckingham)
Date: Mon, 06 May 2013 14:50:18 +0200
Subject: [Pki-users] Addendum: 10.0.2 CA Installation failed on LDAP and CA chain
Message-ID: <20130506125018.68BD110E2C8@smtp.hushmail.com>

Hello,

After further investigation into the failing setup/configuration, I found that /etc/pki/pki-tomcat/ca/CS.cfg has no values set for the following:
authz.instance.DirAclAuthz.ldap.basedn
authz.instance.DirAclAuthz.ldap.ldapconn.host
authz.instance.DirAclAuthz.ldap.ldapconn.port

Also authz.instance.DirAclAuthz.ldap.ldapauth.bindDN does not set the DN that I entered during interactive setup.

My question is: why do these variables in the CS.cfg fail to get set during both interactive and non-interactive installations?

Regards

From alee at redhat.com Mon May 6 14:08:10 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 06 May 2013 10:08:10 -0400
Subject: [Pki-users] Addendum: 10.0.2 CA Installation failed on LDAP and CA chain
In-Reply-To: <20130506125018.68BD110E2C8@smtp.hushmail.com>
References: <20130506125018.68BD110E2C8@smtp.hushmail.com>
Message-ID: <1367849290.17532.5.camel@aleeredhat.laptop>

Those values should have been set during installation.
To debug this, I need to see:

rpm -q pki-server
rpm -qa |grep pki
cat /etc/redhat-release
getenforce
logs under /var/log/pki/pki-tomcat

I'm a little confused that you got as far as being able to start installing the TPS with the CA not installed correctly. To install a TPS, you must install a TKS first. Also, you may also install a KRA if you plan to use server side key generation.

Please note also, there is currently an selinux bug that will require you to have selinux in permissive mode when installing a TPS or RA.

Ade

On Mon, 2013-05-06 at 14:50 +0200, Buckingham wrote:
> Hello,
>
> After further investigation into the failing setup/configuration, I found that /etc/pki/pki-tomcat/ca/CS.cfg has no values set for the following:
> authz.instance.DirAclAuthz.ldap.basedn
> authz.instance.DirAclAuthz.ldap.ldapconn.host
> authz.instance.DirAclAuthz.ldap.ldapconn.port
>
> Also authz.instance.DirAclAuthz.ldap.ldapauth.bindDN does not set the DN that I entered during interactive setup.
>
> My question is: why do these variables in the CS.cfg fail to get set during both interactive and non-interactive installations?
>
> Regards

From alee at redhat.com Mon May 6 14:25:28 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 06 May 2013 10:25:28 -0400
Subject: [Pki-users] 10.0.2 CA Installation failed on LDAP and CA chain
In-Reply-To: <20130505104636.42EEA6F443@smtp.hushmail.com>
References: <20130505104636.42EEA6F443@smtp.hushmail.com>
Message-ID: <1367850328.17532.13.camel@aleeredhat.laptop>

On Sun, 2013-05-05 at 12:46 +0200, pkiadmin at nym.hush.com wrote:
> Hello list members,
>
> I have been trying to get Dogtag 10.0.2 on fc18 running but pkispawn concludes with Installation Failed.
>
> Here is what I see:
> pkispawn -s CA -f /home/pkiadmin/CA.cfg
> Loading deployment configuration from /home/pkiadmin/CA.cfg.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> Installation failed.
>
> The interactive pkispawn was also tried but this gives the same fail results.
>
> In /var/log/pki/pki-tomcat/ca/system I see the following:
> 6650.localhost-startStop-1 - [05/May/2013:10:33:53 CEST] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS#11 certificate
>
> 6650.localhost-startStop-1 - [05/May/2013:10:33:53 CEST] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>
> In /var/log/pki/pki-tomcat/catalina.out I see the above 2 errors preceded by CMS WARNING: FAILURE:
>

The errors above are benign, in that they always occur on a new installation.

> In /etc/pki/default.cfg I put pki_ds_hostname=hostname and made sure the pki_ds_port was correct. Oh yes, the remote DS389 was running and accessible.
>

OK, so /etc/pki/default.cfg is not supposed to be edited. Instead, a brand new file is supposed to be created with the relevant overrides. This is because default.cfg can be overwritten in updates to pki-server.

It's hard to tell what is going on based on what you have described. Please provide the following:

rpm -q pki-server
rpm -qa |grep pki
getenforce
cat /etc/redhat-release
latest installation log in /var/log/pki/pkispawn-*
logs in /var/log/pki/pki-tomcat

You might also want to re-do the installation with the -vvv option so that there is much more debug output. Make sure to pkidestroy the old instance.

> When I look at services there is a pki-tomcatd at pki-tomcat running and I can restart it without problems. I can also get to the "End User Services" page on 8080. None of the other ports connect.
>
> Thanks in advance.
From jmagne at redhat.com Mon May 13 23:44:51 2013
From: jmagne at redhat.com (John Magne)
Date: Mon, 13 May 2013 19:44:51 -0400 (EDT)
Subject: [Pki-users] End-Of-Life Gemalto TOP IM FIPS CY2 (Cyberflex Access 64k v2)
Message-ID: <1152290648.819654.1368488691243.JavaMail.root@redhat.com>

Sorry for skipping over this.

We also support the Safenet 330J SC650 for official support as of this time.

----- Original Message -----
From: "Fabian Bertholm"
To: "pki-users"
Sent: Monday, May 6, 2013 12:33:53 AM
Subject: [Pki-users] End-Of-Life Gemalto TOP IM FIPS CY2 (Cyberflex Access 64k v2)

Hi,

I got a message from my smartcard dealer that the Gemalto TOP IM FIPS CY2 (Cyberflex Access 64k v2) is now EOL. Which other smartcard is officially supported? I need something with at least 64k. Anyone with an idea?

best regards
Fabian

From Chris.Grijalva at soteradefense.com Thu May 16 18:22:40 2013
From: Chris.Grijalva at soteradefense.com (Chris Grijalva)
Date: Thu, 16 May 2013 13:22:40 -0500
Subject: [Pki-users] Dogtag User Certs setup and OCSP Signing
Message-ID: <688D8B269DCBDE44A466DC43D403624C077419AF42@pfi-mail>

So far attempts to setup user certs using Dogtag CA fail, while self-signed Client Certificates work fine. The end goal is to have tomcat pass a user cert to an application, which will authenticate and bypass the initial login screen.

The details:
Dogtag 9.0 installed on a CentOS 6.4 server
Server cert is set up correctly in the local keystore and the tomcat server.xml is configured
This works correctly with a self-signed user cert, the browser requests a user cert before displaying the initial login screen.
The next step is to create a truststore entry referencing Dogtag's CA certificate and user cert. Searching the web for dogtag user certs, openssl and Fedora/user documentation has not yielded any detailed User Guides or user notes. Both the Admin and Agent Guide were useful for defining admin and agent usage, but did not provide detailed information on importing a cert authority into a truststore or using the truststore to sign an X509 client certificate.

Once the client certificate handshake is established, can tomcat parse the certificate or would apache mod_SSL be a better choice?

Finally can/should the application use an openssl ocsp call to validate the certificate?

At this point, I'm not knowledgeable enough with PKI and Dogtag to define a workable solution. Have I missed some essential documentation? Has anyone found or written any Dogtag User Notes or have references to Dogtag usage?

Any recommendations would be appreciated.

Chris Grijalva
Configuration Management | Data Fusion & Analytics
Sotera Defense Solutions, Inc.
o: 512.814.0186 c: 713.291.2215 f: 512.814.0308
e: chris.grijalva at soteradefense.com
w: www.soteradefense.com
Potomac Fusion, LLC is now the Data Fusion & Analytics business of Sotera Defense Solutions

From marine64 at gmail.com Wed May 29 04:46:19 2013
From: marine64 at gmail.com (Brian Henson)
Date: Wed, 29 May 2013 00:46:19 -0400
Subject: [Pki-users] (Fedora 17) PKI-RA fails to start after install

Hello all,

When I try to configure the RA subsystem after installing it I get this error.

Installation information recorded in /var/log/pki-ra-install.log.
[debug] run_command(/bin/systemctl restart pki-rad at pki-ra.service)
[error] FAILED run_command("/bin/systemctl restart pki-rad at pki-ra.service"), exit status=1 output="Job failed. See system journal and 'systemctl status' for details."
Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.

Please start the configuration by accessing:

https://(someaddress):12890/ra/admin/console/config/login?pin=XWdsV1oDtx9qQFcybzAr

After configuration, the server can be operated by the command:

/bin/systemctl restart pki-rad at pki-ra.service

Anyone know how to fix this? I get it for the TPS module as well.

Thanks

Brian Henson

From awnuk at redhat.com Wed May 29 16:00:35 2013
From: awnuk at redhat.com (Andrew Wnuk)
Date: Wed, 29 May 2013 09:00:35 -0700
Subject: [Pki-users] (Fedora 17) PKI-RA fails to start after install
Message-ID: <51A62623.8020309@redhat.com>

On 05/28/2013 09:46 PM, Brian Henson wrote:
> Hello all,
>
> When I try to configure the RA subsystem after installing it I get
> this error.

Brian,

Could you provide OS and server versions?

Thank you,
Andrew
From marine64 at gmail.com Wed May 29 17:24:45 2013
From: marine64 at gmail.com (Brian Henson)
Date: Wed, 29 May 2013 13:24:45 -0400
Subject: [Pki-users] (Fedora 17) PKI-RA fails to start after install
In-Reply-To: <51A62623.8020309@redhat.com>
References: <51A62623.8020309@redhat.com>

Fedora 17 and dogtag 9 via yum

On May 29, 2013 12:01 PM, "Andrew Wnuk" wrote:
> Brian,
>
> Could you provide OS and server versions?
>
> Thank you,
> Andrew

From marine64 at gmail.com Thu May 30 18:34:48 2013
From: marine64 at gmail.com (Brian Henson)
Date: Thu, 30 May 2013 14:34:48 -0400
Subject: [Pki-users] (Fedora 17) PKI-RA fails to start after install
References: <51A62623.8020309@redhat.com>

Any ideas on this? I need the TPS for the smartcard support.
On Wed, May 29, 2013 at 1:24 PM, Brian Henson wrote:
> Fedora 17 and dogtag 9 via yum

From awnuk at redhat.com Thu May 30 20:01:28 2013
From: awnuk at redhat.com (Andrew Wnuk)
Date: Thu, 30 May 2013 13:01:28 -0700
Subject: [Pki-users] (Fedora 17) PKI-RA fails to start after install
References: <51A62623.8020309@redhat.com>
Message-ID: <51A7B018.6050206@redhat.com>

Is there anything in the log files pointing to your failure?
If yes, could you provide these log entries?

On 05/30/2013 11:34 AM, Brian Henson wrote:
> Any ideas on this? I need the TPS for the smartcard support.
From marine64 at gmail.com Fri May 31 14:53:55 2013
From: marine64 at gmail.com (Brian Henson)
Date: Fri, 31 May 2013 10:53:55 -0400
Subject: [Pki-users] (Fedora 17) PKI-RA fails to start after install
In-Reply-To: <51A7B018.6050206@redhat.com>
References: <51A62623.8020309@redhat.com> <51A7B018.6050206@redhat.com>

I don't mean to sound dumb, but where are the log files? I am using the wiki install page as a guide.

On Thu, May 30, 2013 at 4:01 PM, Andrew Wnuk wrote:
>
> Is there anything in the log files pointing to your failure?
> If yes, could you provide these log entries?
>
> On 05/30/2013 11:34 AM, Brian Henson wrote:
>
> Any ideas on this?
> I need the TPS for the smartcard support.

From awnuk at redhat.com Fri May 31 21:14:06 2013
From: awnuk at redhat.com (Andrew Wnuk)
Date: Fri, 31 May 2013 14:14:06 -0700
Subject: [Pki-users] (Fedora 17) PKI-RA fails to start after install
References: <51A62623.8020309@redhat.com> <51A7B018.6050206@redhat.com>
Message-ID: <51A9129E.1020809@redhat.com>

On 05/31/2013 07:53 AM, Brian Henson wrote:
> I don't mean to sound dumb, but where are the log files? I am using the
> wiki install page as a guide.
Installation logs are under /var/log with names referring to subsystems like: pki-ca-install.log, pki-kra-install.log, pki-tks-install.log, pki-tks-install.log, . . .

Each subsystem has its logs located under its subsystem directory. For example:
* CA logs by default are located in /var/log/pki-ca
* TPS logs by default are located in /var/log/pki-tps
* . . .
From marine64 at gmail.com Fri May 31 21:46:17 2013
From: marine64 at gmail.com (Brian Henson)
Date: Fri, 31 May 2013 17:46:17 -0400
Subject: [Pki-users] (Fedora 17) PKI-RA fails to start after install
In-Reply-To: <51A9129E.1020809@redhat.com>
References: <51A62623.8020309@redhat.com> <51A7B018.6050206@redhat.com> <51A9129E.1020809@redhat.com>

This is the only error I see in the TPS install log:

[2013-05-29 03:37:20] [error] FAILED run_command("/bin/systemctl restart pki-tpsd at pki-tps.service"), exit status=1 output="Job failed. See system journal and 'systemctl status' for details."

and the same error (minus the service name) on the other service.

On Fri, May 31, 2013 at 5:14 PM, Andrew Wnuk wrote:
> Installation logs are under /var/log with names referring to subsystems
> like: pki-ca-install.log, pki-kra-install.log, pki-tks-install.log, pki-tks-install.log,
> . . .
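As an added example, not code from the thread or from Dogtag, here is a small POSIX shell helper that reads an install log like the one Brian pasted, picks out the systemd unit from each "[error] FAILED run_command(...)" line, and prints the follow-up checks Andrew's reply points at: "systemctl status", the system journal, the subsystem's install log and its log directory under /var/log. It assumes the archive rewrote the '@' in unit names as ' at ' (so the real unit is pki-tpsd@pki-tps.service) and that the instance name after the '@' is also the default log directory name, as in Andrew's examples; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Dogtag: turn the
# "[error] FAILED run_command(...)" lines of a pki-*-install.log into the
# follow-up checks Andrew's reply points to (systemctl status, the journal,
# the subsystem's install log and its log directory).
#
# Assumptions: the archive rendered '@' in unit names as ' at ', so the real
# unit is pki-tpsd@pki-tps.service; the instance name after '@' (pki-tps) is
# also the default log directory name under /var/log, as in Andrew's reply.

# Constructed sample, modelled on the lines Brian pasted: one debug line
# (must be ignored) and two failures, one per subsystem.
sample_log() {
  cat <<'EOF'
[2013-05-29 03:37:20] [debug] run_command(/bin/systemctl restart pki-tpsd@pki-tps.service)
[2013-05-29 03:37:20] [error] FAILED run_command("/bin/systemctl restart pki-tpsd@pki-tps.service"), exit status=1 output="Job failed. See system journal and 'systemctl status' for details."
[2013-05-29 03:40:02] [error] FAILED run_command("/bin/systemctl restart pki-rad@pki-ra.service"), exit status=1 output="Job failed. See system journal and 'systemctl status' for details."
EOF
}

# failed_units: read an install log on stdin and print the unit name of every
# systemctl command that FAILED, one per line, in log order.
failed_units() {
  sed -n 's/.*\[error\] FAILED run_command("[^"]*systemctl [a-z]* \([^" ]*\)").*/\1/p'
}

# instance_of: pki-tpsd@pki-tps.service -> pki-tps
instance_of() {
  _i=${1#*@}
  printf '%s\n' "${_i%.service}"
}

# diagnostics: for each failed unit on stdin, print the four commands to run
# next (status, journal for this boot, install log tail, log directory).
diagnostics() {
  failed_units | while read -r unit; do
    inst=$(instance_of "$unit")
    echo "systemctl status $unit"
    echo "journalctl -b -u $unit"
    echo "tail -n 50 /var/log/$inst-install.log"
    echo "ls -lt /var/log/$inst"
  done
}

# Stand-alone run: print the checklist for the constructed sample.
sample_log | diagnostics
```

Run it against a real install log with "diagnostics < /var/log/pki-tps-install.log"; the printed commands are the ones to paste back into a reply like Brian's.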