From shopereira at gmail.com Tue Feb 4 10:58:15 2014
From: shopereira at gmail.com (Sergio Pereira)
Date: Tue, 4 Feb 2014 08:58:15 -0200
Subject: [Pki-users] Add info to a new OID
In-Reply-To: <52E147A5.9000106@redhat.com>
References: <52E07EF2.1080806@redhat.com> <52E147A5.9000106@redhat.com>
Message-ID:

Hi Christina,

Your help was just the key to find the right answer to my question. ;-) Here is what I did to accomplish what I want:

policyset.set1.p6.constraint.class_id=noConstraintImpl
policyset.set1.p6.constraint.name=No Constraint
policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
policyset.set1.p6.default.name=Subject Alternative Name Extension Default
policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
policyset.set1.p6.default.params.subjAltExtPattern_0=(PrintableString)2.16.76.1.3.3,$request.cnpj$
policyset.set1.p6.default.params.subjAltExtType_0=OtherName
policyset.set1.p6.default.params.subjAltNameExtCritical=true
policyset.set1.p6.default.params.subjAltNameNumGNs=1

Worked like a charm ;-) Thank you again.

sp

2014-01-23 Christina Fu

> Hi Sergio,
>
> I did wonder if what you needed was Subject Alternative Name extension
> but since you said it's a "special attribute" I thought you want something
> different ;-).
>
> SubjectAlternativeName Extension is easy to apply in Dogtag.
>
> First, here is info regarding SubjectAlternativeName:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Subject_Alternative_Name_Extension_Default
>
> Scroll down a page or two then you will find Table B.21 Subject
> Alternative Name extension Default Configuration Parameters.
> This is pretty much what you need. I think what you want for "Type" is
> "OIDName".
>
> So for example, you would have:
> policyset.set1.p06.constraint.class_id=noConstraintImpl
> policyset.set1.p06.constraint.name=No Constraint
> policyset.set1.p06.default.class_id=subjectAltNameExtDefaultImpl
> policyset.set1.p06.default.name=Subject Alternative Name Extension Default
> policyset.set1.p06.default.params.subjAltNameExtCritical=false
> policyset.set1.p06.default.params.subjAltNameNumGNs=1
> policyset.set1.p06.default.params.subjAltExtType_0=OIDName
> policyset.set1.p06.default.params.subjAltExtPattern_0=2.16.76.1.3.3
> policyset.set1.p06.default.params.subjAltExtGNEnable_0=true
>
> again, the pattern part you can change it to take it from the input once
> it's working. However, unless you are in a controlled environment, it's
> better to have a constraint (You can write a plugin to suit your needs).
> And unless you have multiple OID's to insert, there is really no need to
> take from input.
>
> Regarding Generic Extension, I know it should work. Maybe your value did
> not match the constraint. But it's a moot point now since you are looking
> for SAN.
>
> hope this helps,
> Christina
>
>
> On 01/23/2014 04:12 AM, Sergio Pereira wrote:
>
> Hi Christina,
>
> I really appreciate your response and time. I did try your
> suggestion but with no luck, when enrolling through web form I get the
> message: "Sorry, your request has been rejected. The reason is "Request
> Rejected - {0}".
> Attached is a picture of a real certificate, signed by a Brazilian CA and
> that is what I'm trying to accomplish using DogTag certificate system. The
> OID I'm trying to write to is marked in red and its value has some sort of
> Hex form (that would be the second step to be accomplished). One thing I
> realized is that the OID in question is in Subject Alternative Name and not
> as Generic Extension.
>
> thx,
> sp
>
>
> 2014/1/23 Christina Fu
>
>> Hi,
>>
>> If I understand it correctly, you just want the OID to appear in the
>> cert?
>> if so, Generic Extension might be what you are looking for:
>>
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Admin_Guide/index.html#Generic_Extension_Default
>>
>> Here is an example of it:
>> policyset.set1.p06.constraint.class_id=extensionConstraintImpl
>> policyset.set1.p06.constraint.name=Extension Constraint
>> policyset.set1.p06.constraint.params.extCritical=-
>> policyset.set1.p06.constraint.params.extOID=2.16.76.1.3.3
>> policyset.set1.p06.default.class_id=genericExtDefaultImpl
>> policyset.set1.p06.default.name=Generic Extension Default
>> policyset.set1.p06.default.params.genericExtData=bz
>> policyset.set1.p06.default.params.genericExtOID=2.16.76.1.3.3
>> policyset.set1.p06.default.params.genericExtCritical=false
>>
>> In the above example, I just put your country OID in the profile, but I
>> imagine you could change it to take it from the input. If you do so, you
>> might want to lighten up on the constraint. I suggest you try the above
>> hard-coded profile first just to see if the cert comes out what you are
>> looking for before adding input in the profile.
>>
>> There is actually a bug in the GenericExtension area in regards to
>> setting critical to true. I have yet to check the fix into Dogtag. Let me
>> know if you do need that.
>>
>> BTW, regarding userExtensionDefault, it can only be used if your CSR has
>> the wanted extension in the request already, so it's not going to help you.
>>
>> Hope this helps.
>> Christina
>>
>>
>> On 01/22/2014 02:41 AM, Sergio Pereira wrote:
>>
>> hi guys,
>>
>> I'm trying to create a certificate profile in a way to have at the end
>> a certificate with special attributes (supplied by the user through web
>> enrollment form). I'm running dogtag 10.1 on Fedora 20...fresh install. I
>> added a certificate profile using pkiconsole but I'm struggling in how to
>> find the right Policies, Inputs and Outputs for the new profile.
>> The OID I intend to write is 2.16.76.1.3.3 (country specific OID). Here is
>> my profile's config file:
>>
>> auth.instance_id=
>> desc=UserCNPJ
>> enable=false
>> enableBy=admin
>> input.CNPJ.class_id=genericInputImpl
>> input.CNPJ.name=Generic Input
>> input.CNPJ.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
>> input.CNPJ.params.gi_display_name1=
>> input.CNPJ.params.gi_display_name2=
>> input.CNPJ.params.gi_display_name3=
>> input.CNPJ.params.gi_display_name4=
>> input.CNPJ.params.gi_param_enable0=true
>> input.CNPJ.params.gi_param_enable1=false
>> input.CNPJ.params.gi_param_enable2=false
>> input.CNPJ.params.gi_param_enable3=false
>> input.CNPJ.params.gi_param_enable4=false
>> input.CNPJ.params.gi_param_name0=cnpj
>> input.CNPJ.params.gi_param_name1=
>> input.CNPJ.params.gi_param_name2=
>> input.CNPJ.params.gi_param_name3=
>> input.CNPJ.params.gi_param_name4=
>> input.i1.class_id=keyGenInputImpl
>> input.i1.name=Key Generation Input
>> input.i2.class_id=subjectNameInputImpl
>> input.i2.name=Subject Name Input
>> input.i3.class_id=submitterInfoInputImpl
>> input.i3.name=Submitter Information Input
>> input.list=i1,i2,i3,CNPJ
>> input.params.gi_display_name0=Cadastro Nacional Pessoa Juridica
>> input.params.gi_display_name1=
>> input.params.gi_display_name2=
>> input.params.gi_display_name3=
>> input.params.gi_display_name4=
>> input.params.gi_param_enable0=true
>> input.params.gi_param_enable1=false
>> input.params.gi_param_enable2=false
>> input.params.gi_param_enable3=false
>> input.params.gi_param_enable4=false
>> input.params.gi_param_name0=cnpj
>> input.params.gi_param_name1=
>> input.params.gi_param_name2=
>> input.params.gi_param_name3=
>> input.params.gi_param_name4=
>> lastModified=1390319210315
>> name=UserCNPJ
>> output.list=o1
>> output.o1.class_id=certOutputImpl
>> output.o1.name=Certificate Output
>> policyset.list=set1
>> policyset.set1.list=p1,p2,p3,p4,p5,p06
>> policyset.set1.p06.constraint.class_id=noConstraintImpl
>> policyset.set1.p06.constraint.name=No Constraint
>> policyset.set1.p06.default.class_id=userExtensionDefaultImpl
>> policyset.set1.p06.default.name=User Supplied Extension Default
>> policyset.set1.p06.default.params.userExtOID=Comment Here...
>> policyset.set1.p1.constraint.class_id=noConstraintImpl
>> policyset.set1.p1.constraint.name=No Constraint
>> policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl
>> policyset.set1.p1.default.name=User Supplied Subject Name Default
>> policyset.set1.p2.constraint.class_id=noConstraintImpl
>> policyset.set1.p2.constraint.name=No Constraint
>> policyset.set1.p2.default.class_id=validityDefaultImpl
>> policyset.set1.p2.default.name=Validity Default
>> policyset.set1.p2.default.params.range=180
>> policyset.set1.p2.default.params.startTime=0
>> policyset.set1.p3.constraint.class_id=noConstraintImpl
>> policyset.set1.p3.constraint.name=No Constraint
>> policyset.set1.p3.default.class_id=userKeyDefaultImpl
>> policyset.set1.p3.default.name=User Supplied Key Default
>> policyset.set1.p3.default.params.keyMaxLength=4096
>> policyset.set1.p3.default.params.keyMinLength=512
>> policyset.set1.p3.default.params.keyType=RSA
>> policyset.set1.p4.constraint.class_id=noConstraintImpl
>> policyset.set1.p4.constraint.name=No Constraint
>> policyset.set1.p4.default.class_id=signingAlgDefaultImpl
>> policyset.set1.p4.default.name=Signing Algorithm Default
>> policyset.set1.p4.default.params.signingAlg=-
>> policyset.set1.p4.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,,SHA512withEC
>> policyset.set1.p5.constraint.class_id=noConstraintImpl
>> policyset.set1.p5.constraint.name=No Constraint
>> policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
>> policyset.set1.p5.default.name=Key Usage Extension Default
>> policyset.set1.p5.default.params.keyUsageCritical=true
>> policyset.set1.p5.default.params.keyUsageCrlSign=true
>> policyset.set1.p5.default.params.keyUsageDataEncipherment=true
>> policyset.set1.p5.default.params.keyUsageDecipherOnly=true
>> policyset.set1.p5.default.params.keyUsageDigitalSignature=true
>> policyset.set1.p5.default.params.keyUsageEncipherOnly=true
>> policyset.set1.p5.default.params.keyUsageKeyAgreement=true
>> policyset.set1.p5.default.params.keyUsageKeyCertSign=true
>> policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
>> policyset.set1.p5.default.params.keyUsageNonRepudiation=true
>> visible=true
>>
>> thx in advance,
>> sergio
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users

From jindrich.dolezal at adaptivemobile.com Tue Feb 11 12:17:07 2014
From: jindrich.dolezal at adaptivemobile.com (Jindrich Dolezal)
Date: Tue, 11 Feb 2014 13:17:07 +0100
Subject: [Pki-users] dogtag v10 on rhel6
Message-ID: <52FA14C3.7040201@adaptivemobile.com>

hi all,

i would like to install dogtag v10 on rhel6, however i can't find it among rhel6 packages. does anybody know if/when it is planned to be included? or how to run dogtag v10 on redhat.
i read some articles that fedora distro already has v10, but unfortunately i have to use rhel, and ideally officially supported packages.
(btw. i tried also centos 6.5 which should be rhel clone but there is just v9)

thanks,

jd
****************************************************************************************
This email and any files transmitted with are confidential and intended solely for the
use of the individual or entity to whom they are addressed. If you have received this
email in error then please delete it and notify the sender. Do not make a copy or forward
it to anyone. This footnote also confirms that this email message has been swept for the
presence of computer viruses.

Adaptive Mobile Security Ltd, Ferry House, 48 Lower Mount Street, Dublin 2, Ireland
Directors: B. Collins, G. Maclachlan (UK), N. Grierson (UK), J. Ennis (UK), D. Summers (UK).
Registered in Ireland, Company No. 370343, VAT Reg.No.IE6390343O
****************************************************************************************

From alee at redhat.com Tue Feb 11 15:24:29 2014
From: alee at redhat.com (Ade Lee)
Date: Tue, 11 Feb 2014 10:24:29 -0500
Subject: [Pki-users] dogtag v10 on rhel6
In-Reply-To: <52FA14C3.7040201@adaptivemobile.com>
References: <52FA14C3.7040201@adaptivemobile.com>
Message-ID: <1392132269.26029.20.camel@aleeredhat.laptop>

Hi,

The releases of RHCS/Dogtag are as follows:

RHEL5       RHCS 8.1
RHEL6       Dogtag 9 (in support of IPA)
RHEL7       Dogtag 10.0 (in support of IPA)
Fedora 20   Dogtag 10.1
RHEL 7.1    Dogtag 10.2 / RHCS 9 (currently planned, subject to change)

For RHEL6 and RHEL7, the packages that are included are only those required to support IPA. This basically means the CA without a UI. But you can easily obtain a UI by installing one of the theme packages from Fedora.

It will be hard to install Dogtag 10 on RHEL 6, though with enough work, I suppose it could be done. One problem is that Dogtag 10 runs on tomcat 7, whereas only tomcat 6 is available in RHEL 6.

If you just want a CA, the best option for running Dogtag 10 would be to run it on RHEL7 (and add the UI theme packages from Fedora 19 or 20).

Ade

On Tue, 2014-02-11 at 13:17 +0100, Jindrich Dolezal wrote:
> hi all,
> i would like to install dogtag v10 on rhel6, however i cant find it
> among rhel6 packages. does anybody know if/when it is planned to be
> included? or howto run dogtag v10 on redhat.
> i read some articles that fedora distro already has v10, but
> unfortunately i have to use rhel, and ideally officially supported packages.
> (btw. i tried also centos 6.5 which should be rhel clone but there is
> just v9)
>
> thanks,
>
> jd
From jindrich.dolezal at adaptivemobile.com Tue Feb 11 16:03:45 2014
From: jindrich.dolezal at adaptivemobile.com (Jindrich Dolezal)
Date: Tue, 11 Feb 2014 17:03:45 +0100
Subject: [Pki-users] dogtag v10 on rhel6
In-Reply-To: <1392132269.26029.20.camel@aleeredhat.laptop>
References: <52FA14C3.7040201@adaptivemobile.com> <1392132269.26029.20.camel@aleeredhat.laptop>
Message-ID: <52FA49E1.4070303@adaptivemobile.com>

hi ade,

thanks a lot for the response. i wanted dogtag 10 because i wanted to use the REST api (for cert revocations). not sure if rhel7 is doable for me as i can't freely choose the distro.
as far as i know dogtag 9 has some d-bus api for revocation, am i right? if so could you direct me to some related docs?

thanks,

jd

On 02/11/2014 04:24 PM, Ade Lee wrote:
> Hi,
>
> The releases of RHCS/Dogtag are as follows:
>
> RHEL5       RHCS 8.1
> RHEL6       Dogtag 9 (in support of IPA)
> RHEL7       Dogtag 10.0 (in support of IPA)
> Fedora 20   Dogtag 10.1
> RHEL 7.1    Dogtag 10.2 / RHCS 9 (currently planned, subject to change)
>
> For RHEL6 and RHEL7, the packages that are included are only those
> required to support IPA. This basically means the CA without a UI.
> But you can easily obtain a UI by installing one of the theme packages
> from Fedora.
>
> It will be hard to install Dogtag 10 on RHEL 6, though with enough work,
> I suppose it could be done. One problem is that Dogtag 10 runs on
> tomcat 7, whereas only tomcat 6 is available in RHEL 6.
>
> If you just want a CA, the best option for running Dogtag 10 would be to
> run it on RHEL7 (and add the UI theme packages from Fedora 19 or 20).
>
> Ade
>
> On Tue, 2014-02-11 at 13:17 +0100, Jindrich Dolezal wrote:
>> hi all,
>> i would like to install dogtag v10 on rhel6, however i cant find it
>> among rhel6 packages. does anybody know if/when it is planned to be
>> included? or howto run dogtag v10 on redhat.
>> i read some articles that fedora distro already has v10, but
>> unfortunately i have to use rhel, and ideally officially supported packages.
>> (btw. i tried also centos 6.5 which should be rhel clone but there is
>> just v9)
>>
>> thanks,
>>
>> jd
From anmajumd at cisco.com Wed Feb 12 00:06:05 2014
From: anmajumd at cisco.com (Anamitra Dutta Majumdar (anmajumd))
Date: Wed, 12 Feb 2014 00:06:05 +0000
Subject: [Pki-users] Support for Dogtag 10.1 on RHEL
Message-ID:

We are investigating and evaluating Dogtag 10.1 and would like to know if Dogtag 10.1 will be supported on RHEL7 or not. If so what will be the Roadmap for the support.

Currently Dogtag 10.1 is supported only on Fedora versions > 20.

Thanks,
Anamitra

From dpal at redhat.com Wed Feb 12 12:43:03 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 12 Feb 2014 07:43:03 -0500
Subject: [Pki-users] Support for Dogtag 10.1 on RHEL
In-Reply-To:
References:
Message-ID: <52FB6C57.4080708@redhat.com>

On 02/11/2014 07:06 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> We are investigating and evaluating Dogtag 10.1 and would like to know
> if Dogtag 10.1 will be supported on RHEL7 or not.
> If so what will be the Roadmap for the support.
>
> Currently Dogtag 10.1 is supported only on Fedora versions > 20.
>
> Thanks,
> Anamitra

Dogtag will be qualified as layered product aka RHCS on top of RHEL 7.1 or later.
More Dogtag components will be merged into IPA over the course of next year+.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From Oleg.Antonenko at adaptivemobile.com Thu Feb 13 11:16:50 2014
From: Oleg.Antonenko at adaptivemobile.com (Oleg Antonenko)
Date: Thu, 13 Feb 2014 11:16:50 +0000
Subject: [Pki-users] Deleting revoked certificates
Message-ID: <34A5A0661B86944184C25952A4F1699087670B12@Exchange-AMS.adaptivemobile.com>

Hi!

Could anyone point me at documentation regarding physical removal of "old" revoked certificates from the system (db)?

I looked at the redhat & dogtag documentation online but didn't find any relevant info...

With thanks,
Oleg
From cfu at redhat.com Fri Feb 14 02:07:38 2014
From: cfu at redhat.com (Christina Fu)
Date: Thu, 13 Feb 2014 18:07:38 -0800
Subject: [Pki-users] Deleting revoked certificates
In-Reply-To: <34A5A0661B86944184C25952A4F1699087670B12@Exchange-AMS.adaptivemobile.com>
References: <34A5A0661B86944184C25952A4F1699087670B12@Exchange-AMS.adaptivemobile.com>
Message-ID: <52FD7A6A.5020003@redhat.com>

Oleg,

Are you talking about removing certificate records from the Dogtag internal directory server?

First of all, you are not supposed to remove unexpired revoked certs from the internal db as that's where CRLs are built. However, if "old" means "expired" certificates, then I imagine you could use ldapmodify to do that. You can probably write a script to do that as a cron job. You can "man ldapmodify" to see the documentation.

Now, if you are talking about removing expired certs from a publishing directory, there is a job called "UnpublishExpiredJob" that can be turned on to "unpublish" (remove) them from the publishing directory for you periodically:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Setting_up_Specific_Jobs.html#Configuration_Parameters_of_unpublishExpiredCerts

Hope that answered your question.

Christina

On 02/13/2014 03:16 AM, Oleg Antonenko wrote:
>
> Hi!
>
> Could anyone point me at documentation regarding physical removal of
> "old" revoked certificates from the system (db)?
>
> I looked at the redhat & dogtag documentation online but didn't find
> any relevant info...
>
> With thanks,
>
> Oleg
From Oleg.Antonenko at adaptivemobile.com Fri Feb 14 09:50:45 2014
From: Oleg.Antonenko at adaptivemobile.com (Oleg Antonenko)
Date: Fri, 14 Feb 2014 09:50:45 +0000
Subject: [Pki-users] Deleting revoked certificates
In-Reply-To: <52FD7A6A.5020003@redhat.com>
References: <34A5A0661B86944184C25952A4F1699087670B12@Exchange-AMS.adaptivemobile.com> <52FD7A6A.5020003@redhat.com>
Message-ID: <34A5A0661B86944184C25952A4F1699087670CA1@Exchange-AMS.adaptivemobile.com>

Thanks Christina, that helps a lot!

From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Christina Fu
Sent: 14 February 2014 02:08
To: pki-users at redhat.com
Subject: Re: [Pki-users] Deleting revoked certificates

Oleg,

Are you talking about removing certificate records from the Dogtag internal directory server?

First of all, you are not supposed to remove unexpired revoked certs from the internal db as that's where CRLs are built. However, if "old" means "expired" certificates, then I imagine you could use ldapmodify to do that. You can probably write a script to do that as a cron job. You can "man ldapmodify" to see the documentation.

Now, if you are talking about removing expired certs from a publishing directory, there is a job called "UnpublishExpiredJob" that can be turned on to "unpublish" (remove) them from the publishing directory for you periodically:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Setting_up_Specific_Jobs.html#Configuration_Parameters_of_unpublishExpiredCerts

Hope that answered your question.

Christina

On 02/13/2014 03:16 AM, Oleg Antonenko wrote:

Hi!
Could anyone point me at documentation regarding physical removal of "old" revoked certificates from the system (db)?

I looked at the redhat & dogtag documentation online but didn't find any relevant info...

With thanks,
Oleg
From jindrich.dolezal at adaptivemobile.com Tue Feb 18 09:51:42 2014
From: jindrich.dolezal at adaptivemobile.com (Jindrich Dolezal)
Date: Tue, 18 Feb 2014 10:51:42 +0100
Subject: [Pki-users] Exporting Keys from Database
Message-ID: <53032D2E.8060603@adaptivemobile.com>

hi,

im using dogtag 9.0. im trying to export the CA keys with the use of PKCS12Export command. in the Deploy and Install guide there is command to use:

PKCS12Export -debug -d /var/lib/{instance_name}/alias -w p12pwd.txt -p internal.txt -o master.p12

where according to help -p -w -o

but i always end up with:

PKCS12Export debug: PKCS12Export Exception: org.mozilla.jss.util.IncorrectPasswordException

what is 'file containing password for keydb' and 'file containing pkcs12 password'? i tried all combinations of passwords i used during the installation. moreover during the installation i was not asked for any password to protect the keydb. so my next question is: should the passwords be in special format, like in base64, or more generally what passwords shall be used for this at all?

thanks
jd
From jindrich.dolezal at adaptivemobile.com Tue Feb 18 13:47:36 2014
From: jindrich.dolezal at adaptivemobile.com (Jindrich Dolezal)
Date: Tue, 18 Feb 2014 14:47:36 +0100
Subject: [Pki-users] Cloning CA
Message-ID: <53036478.8010405@adaptivemobile.com>

hi,

im using dogtag 9.0 (pki-ca-9.0.3) on rhel 6.2 and want to make clone. i'm following 'Deploy and Install guide' chapter 10.3. So have master ca, created clone ca and run the configuration wizard. i got to point (point 10) where i am supposed to "Import Keys and Certificates". After filling p12 file and password i ended with:

" org.xml.sax.SAXParseException; lineNumber: 2; columnNumber: 15; Open quote is expected for attribute "BGCOLOR" associated with an element type "BODY"."

error appearing on the page (see attached picture).
Note that when i fill incorrect file or invalid password, the wizard tells me with appropriate error (like no such file/...) but when everything is correct SAX exception appears. SAX exception also appears when i left the inputs blank and click next => therefore this step is unpassable.

has anyone performed cloning with success?

thanks,

jd
-------------- next part --------------
A non-text attachment was scrubbed...
Name: importKeyError.jpeg
Type: image/jpeg
Size: 153161 bytes
Desc: not available
URL:

From jindrich.dolezal at adaptivemobile.com Tue Feb 18 14:03:13 2014
From: jindrich.dolezal at adaptivemobile.com (Jindrich Dolezal)
Date: Tue, 18 Feb 2014 15:03:13 +0100
Subject: [Pki-users] Cloning CA
In-Reply-To: <53036478.8010405@adaptivemobile.com>
References: <53036478.8010405@adaptivemobile.com>
Message-ID: <53036821.3030909@adaptivemobile.com>

additional info: on the master ca machine i found following in the log file:

[18/Feb/2014:14:00:19][http-9444-2]: CMSServlet:service() uri = /ca/ee/ca/updateNumberRange
[18/Feb/2014:14:00:19][http-9444-2]: CMSServlet::service() param name='type' value='request'
[18/Feb/2014:14:00:19][http-9444-2]: CMSServlet::service() param name='xmlOutput' value='true'
[18/Feb/2014:14:00:19][http-9444-2]: CMSServlet::service() param name='sessionID' value='-1411012119543770863'
[18/Feb/2014:14:00:19][http-9444-2]: CMSServlet: caUpdateNumberRange start to service.
[18/Feb/2014:14:00:19][http-9444-2]: UpdateNumberRange: processing...
[18/Feb/2014:14:00:19][http-9444-2]: UpdateNumberRange process: authentication starts [18/Feb/2014:14:00:19][http-9444-2]: IP: 10.10.16.73 [18/Feb/2014:14:00:19][http-9444-2]: AuthMgrName: TokenAuth [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet: no client certificate found [18/Feb/2014:14:00:19][http-9444-2]: TokenAuthentication: start [18/Feb/2014:14:00:19][http-9444-2]: TokenAuthentication: content=sessionID=-1411012119543770863&hostname=10.10.16.73 [18/Feb/2014:14:00:19][http-9444-1]: CMSServlet:service() uri = /ca/ee/ca/tokenAuthenticate [18/Feb/2014:14:00:19][http-9444-1]: CMSServlet::service() param name='hostname' value='10.10.16.73' [18/Feb/2014:14:00:19][http-9444-1]: CMSServlet::service() param name='sessionID' value='-1411012119543770863' [18/Feb/2014:14:00:19][http-9444-1]: CMSServlet: caTokenAuthenticate start to service. [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication: sessionId=-1411012119543770863 [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication: givenHost=10.10.16.73 [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication: checking session in the session table [18/Feb/2014:14:00:19][http-9444-1]: CMSEngine: getPasswordStore(): password store initialized before. [18/Feb/2014:14:00:19][http-9444-1]: CMSEngine: getPasswordStore(): password store initialized. [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication: session not found [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication authenticate failed, session id does not exist. [18/Feb/2014:14:00:19][http-9444-2]: TokenAuthentication: status=1 [18/Feb/2014:14:00:19][http-9444-2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=TokenAuth][AttemptedCred=$Unidentified$] authentication failure On 02/18/2014 02:47 PM, Jindrich Dolezal wrote: > hi, > > im using dogtag 9.0 (pki-ca-9.0.3) on rhel 6.2 and want to make clone. > i'm following 'Deploy and Install guide' chapter 10.3. 
So have master > ca, created clone ca and run the configuration wizard. i got to point > (point 10) where i am supposed to "Import Keys and Certificates". > After filling p12 file and password i ended with: > > " org.xml.sax.SAXParseException; lineNumber: 2; columnNumber: 15; Open > quote is expected for attribute "BGCOLOR" associated with an element > type "BODY"." > > error appearing on the page (see attached picture). > Note that when i fill incorrect file or invalid passord, the wizard > tells me with appropriate error (like no such file/...) but when > everything is correct SAX exception appears. SAX exception also > appears when i left the inputs blank and click next => therefore this > step is unpassable. > > has anyone performed cloning with success? > > thanks, > > jd > > > ****************************************************************************************
This > email and any files transmitted with are confidential and intended > solely for the
use of the individual or entity to whom they are > addressed. If you have received this
email in error then please > delete it and notify the sender. Do not make a copy or forward
it > to anyone. This footnote also confirms that this email message has > been swept for the
presence of computer viruses.

Adaptive > Mobile Security Ltd, Ferry House, 48 Lower Mount Street, Dublin 2, > Ireland
Directors: B. Collins, G. Maclachlan (UK), N. Grierson > (UK), J. Ennis (UK), D. Summers (UK).
Registered in Ireland, > Company No. 370343, VAT > Reg.No.IE6390343O
**************************************************************************************** > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users ****************************************************************************************
From jindrich.dolezal at adaptivemobile.com Tue Feb 18 15:49:53 2014
From: jindrich.dolezal at adaptivemobile.com (Jindrich Dolezal)
Date: Tue, 18 Feb 2014 16:49:53 +0100
Subject: [Pki-users] Cloning CA
In-Reply-To: <53036821.3030909@adaptivemobile.com>
References: <53036478.8010405@adaptivemobile.com> <53036821.3030909@adaptivemobile.com>
Message-ID: <53038121.6070405@adaptivemobile.com>

so the root cause seems to be this (it was a bit higher in the debug log than the previous post):

[18/Feb/2014:15:34:58][http-9445-2]: SecurityDomainSessionTable: unable to create session entry-1411012119543770863: netscape.ldap.LDAPException: error result (21); host: value #0 invalid per syntax

I found this ticket https://fedorahosted.org/pki/ticket/457

does anyone know if this was fixed, or is there any workaround?

jd

On 02/18/2014 03:03 PM, Jindrich Dolezal wrote:
> additional info:
> on the master CA machine I found the following in the log file:
>
> [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet:service() uri = /ca/ee/ca/updateNumberRange
> [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet::service() param name='type' value='request'
> [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet::service() param name='xmlOutput' value='true'
> [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet::service() param name='sessionID' value='-1411012119543770863'
> [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet: caUpdateNumberRange start to service.
> [18/Feb/2014:14:00:19][http-9444-2]: UpdateNumberRange: processing...
> [18/Feb/2014:14:00:19][http-9444-2]: UpdateNumberRange process: authentication starts
> [18/Feb/2014:14:00:19][http-9444-2]: IP: 10.10.16.73
> [18/Feb/2014:14:00:19][http-9444-2]: AuthMgrName: TokenAuth
> [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet: no client certificate found
> [18/Feb/2014:14:00:19][http-9444-2]: TokenAuthentication: start
> [18/Feb/2014:14:00:19][http-9444-2]: TokenAuthentication: content=sessionID=-1411012119543770863&hostname=10.10.16.73
> [18/Feb/2014:14:00:19][http-9444-1]: CMSServlet:service() uri = /ca/ee/ca/tokenAuthenticate
> [18/Feb/2014:14:00:19][http-9444-1]: CMSServlet::service() param name='hostname' value='10.10.16.73'
> [18/Feb/2014:14:00:19][http-9444-1]: CMSServlet::service() param name='sessionID' value='-1411012119543770863'
> [18/Feb/2014:14:00:19][http-9444-1]: CMSServlet: caTokenAuthenticate start to service.
> [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication: sessionId=-1411012119543770863
> [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication: givenHost=10.10.16.73
> [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication: checking session in the session table
> [18/Feb/2014:14:00:19][http-9444-1]: CMSEngine: getPasswordStore(): password store initialized before.
> [18/Feb/2014:14:00:19][http-9444-1]: CMSEngine: getPasswordStore(): password store initialized.
> [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication: session not found
> [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication authenticate failed, session id does not exist.
> [18/Feb/2014:14:00:19][http-9444-2]: TokenAuthentication: status=1
> [18/Feb/2014:14:00:19][http-9444-2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=TokenAuth][AttemptedCred=$Unidentified$] authentication failure
>
> On 02/18/2014 02:47 PM, Jindrich Dolezal wrote:
>> hi,
>>
>> I'm using dogtag 9.0 (pki-ca-9.0.3) on rhel 6.2 and want to make a clone.
>> I'm following the 'Deploy and Install guide' chapter 10.3. So I have a master CA, created the clone CA and ran the configuration wizard. I got to the point (point 10) where I am supposed to "Import Keys and Certificates".
>> After filling in the p12 file and password I ended up with:
>>
>> " org.xml.sax.SAXParseException; lineNumber: 2; columnNumber: 15; Open quote is expected for attribute "BGCOLOR" associated with an element type "BODY"."
>>
>> error appearing on the page (see attached picture).
>> Note that when I fill in an incorrect file or invalid password, the wizard tells me with an appropriate error (like no such file/...), but when everything is correct the SAX exception appears. The SAX exception also appears when I leave the inputs blank and click next => therefore this step is unpassable.
>>
>> has anyone performed cloning with success?
>>
>> thanks,
>>
>> jd
From alee at redhat.com Tue Feb 18 15:53:09 2014
From: alee at redhat.com (Ade Lee)
Date: Tue, 18 Feb 2014 10:53:09 -0500
Subject: [Pki-users] Exporting Keys from Database
In-Reply-To: <53032D2E.8060603@adaptivemobile.com>
References: <53032D2E.8060603@adaptivemobile.com>
Message-ID: <1392738789.5381.11.camel@aleeredhat.laptop>

On Tue, 2014-02-18 at 10:51 +0100, Jindrich Dolezal wrote:
> hi,
> I'm using dogtag 9.0. I'm trying to export the CA keys with the use of
> the PKCS12Export command. In the Deploy and Install guide there is a command
> to use:
> PKCS12Export -debug -d /var/lib/{instance_name}/alias -w p12pwd.txt -p internal.txt -o master.p12
> where according to help
> -p <file containing password for keydb> -w <file containing pkcs12 password> -o
>
> but I always end up with:
> PKCS12Export debug: PKCS12Export Exception: org.mozilla.jss.util.IncorrectPasswordException
>
> what is 'file containing password for keydb' and 'file containing pkcs12 password'?
> I tried all combinations of passwords I used during the installation.
> Moreover, during the installation I was not asked for any password to protect the keydb.
>
> so my next question is: should the passwords be in a special format, like
> in base64, or more generally what passwords shall be used for this at all?
>

The file containing the pkcs12 password is simply a text file with the password of your choosing in cleartext. This will be the password needed to decrypt the keys in the pkcs12 file that is being generated.

The file containing the password for the keydb is simply a text file containing only the password for the certdb under /var/lib/{instance_name}/alias in cleartext. That password is a randomly generated numeric string that was created during installation. It can be found by looking at /var/lib/{instance_name}/conf/password.conf. The password you want is the one prefaced by internal=XXXXX.

Ade

> thanks
>
> jd
>
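As an added example (not from Ade's post or the Dogtag project), a small POSIX shell wrapper that follows the answer above: it reads the `internal=` value from password.conf, writes both password files into a private temporary directory with owner-only permissions, runs PKCS12Export with the `-p`/`-w` meaning given in the thread, and removes the password files again afterwards. The instance name `pki-ca`, the output path and the sample password.conf contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: export Dogtag 9 CA keys with PKCS12Export without leaving
# cleartext password files behind. Not part of the original thread.
set -eu

# Print the NSS certdb password: the value after "internal=" in password.conf.
# Only the first matching line is printed; a line such as "internaldb=" does
# not match because the anchor requires "=" right after "internal".
internal_password_from_conf() {
    sed -n 's/^internal=//p' "$1" | head -n 1
}

# Write a secret to a file that only the current user can read (mode 0600).
write_secret_file() {
    dest=$1
    secret=$2
    rm -f "$dest"
    # umask in a subshell so the file is created owner-only from the start
    (umask 077; printf '%s\n' "$secret" > "$dest")
}

# Export the CA keys of instance $1 to the PKCS#12 file $2, protected by the
# PKCS#12 password $3. The two password files live in a mktemp -d directory
# (0700) that is removed before the function returns.
export_ca_keys() {
    instance=$1
    p12_out=$2
    p12_password=$3
    conf="/var/lib/$instance/conf/password.conf"
    alias_dir="/var/lib/$instance/alias"

    keydb_password=$(internal_password_from_conf "$conf")
    if [ -z "$keydb_password" ]; then
        echo "no internal= entry found in $conf" >&2
        return 1
    fi

    workdir=$(mktemp -d)
    write_secret_file "$workdir/internal.txt" "$keydb_password"
    write_secret_file "$workdir/p12pwd.txt" "$p12_password"

    # -p: file with the keydb (certdb) password
    # -w: file with the password that will protect the exported PKCS#12
    status=0
    PKCS12Export -debug -d "$alias_dir" -w "$workdir/p12pwd.txt" \
        -p "$workdir/internal.txt" -o "$p12_out" || status=$?

    rm -rf "$workdir"
    if [ "$status" -eq 0 ]; then
        chmod 600 "$p12_out"   # the export holds the CA private keys
    fi
    return "$status"
}

# Self-check on a constructed password.conf (the values are made up).
demo_conf=$(mktemp)
printf 'internaldb=notthisone\ninternal=426193744572\nreplicationdb=other\n' > "$demo_conf"
echo "extracted keydb password: $(internal_password_from_conf "$demo_conf")"
rm -f "$demo_conf"

# Real use on a Dogtag 9 host (instance name and paths are examples):
#   export_ca_keys pki-ca /root/master.p12 'choose-a-strong-p12-password'
```

The PKCS#12 file produced this way contains the CA signing key, so it deserves the same handling as the password files: owner-only permissions, and removal from the master once the clone has imported it.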
From alee at redhat.com Tue Feb 18 16:00:02 2014
From: alee at redhat.com (Ade Lee)
Date: Tue, 18 Feb 2014 11:00:02 -0500
Subject: [Pki-users] Cloning CA
In-Reply-To: <53038121.6070405@adaptivemobile.com>
References: <53036478.8010405@adaptivemobile.com> <53036821.3030909@adaptivemobile.com> <53038121.6070405@adaptivemobile.com>
Message-ID: <1392739202.5381.16.camel@aleeredhat.laptop>

Great finding the root cause!

The problem here is that your directory server instance has syntax checking enabled. We will fix this issue in Dogtag 10. For dogtag 9, you can work around this issue by disabling syntax checking in the DB.

1. Shut down your directory server.
2. Edit the dse.ldif and set:
   nsslapd-syntaxcheck: off
3. Restart your directory server.

Ade

On Tue, 2014-02-18 at 16:49 +0100, Jindrich Dolezal wrote:
> so the root cause seems to be this (it was a bit higher in the debug log than the previous post):
>
> [18/Feb/2014:15:34:58][http-9445-2]: SecurityDomainSessionTable: unable to create session entry-1411012119543770863: netscape.ldap.LDAPException: error result (21); host: value #0 invalid per syntax
>
> I found this ticket https://fedorahosted.org/pki/ticket/457
>
> does anyone know if this was fixed, or is there any workaround?
>
> jd
>
> On 02/18/2014 03:03 PM, Jindrich Dolezal wrote:
> > additional info:
> > on the master CA machine I found the following in the log file:
> >
> > [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet:service() uri = /ca/ee/ca/updateNumberRange
> > [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet::service() param name='type' value='request'
> > [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet::service() param name='xmlOutput' value='true'
> > [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet::service() param name='sessionID' value='-1411012119543770863'
> > [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet: caUpdateNumberRange start to service.
> > [18/Feb/2014:14:00:19][http-9444-2]: UpdateNumberRange: processing...
> > [18/Feb/2014:14:00:19][http-9444-2]: UpdateNumberRange process: authentication starts
> > [18/Feb/2014:14:00:19][http-9444-2]: IP: 10.10.16.73
> > [18/Feb/2014:14:00:19][http-9444-2]: AuthMgrName: TokenAuth
> > [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet: no client certificate found
> > [18/Feb/2014:14:00:19][http-9444-2]: TokenAuthentication: start
> > [18/Feb/2014:14:00:19][http-9444-2]: TokenAuthentication: content=sessionID=-1411012119543770863&hostname=10.10.16.73
> > [18/Feb/2014:14:00:19][http-9444-1]: CMSServlet:service() uri = /ca/ee/ca/tokenAuthenticate
> > [18/Feb/2014:14:00:19][http-9444-1]: CMSServlet::service() param name='hostname' value='10.10.16.73'
> > [18/Feb/2014:14:00:19][http-9444-1]: CMSServlet::service() param name='sessionID' value='-1411012119543770863'
> > [18/Feb/2014:14:00:19][http-9444-1]: CMSServlet: caTokenAuthenticate start to service.
> > [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication: sessionId=-1411012119543770863
> > [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication: givenHost=10.10.16.73
> > [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication: checking session in the session table
> > [18/Feb/2014:14:00:19][http-9444-1]: CMSEngine: getPasswordStore(): password store initialized before.
> > [18/Feb/2014:14:00:19][http-9444-1]: CMSEngine: getPasswordStore(): password store initialized.
> > [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication: session not found
> > [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication authenticate failed, session id does not exist.
> > [18/Feb/2014:14:00:19][http-9444-2]: TokenAuthentication: status=1
> > [18/Feb/2014:14:00:19][http-9444-2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=TokenAuth][AttemptedCred=$Unidentified$] authentication failure
> >
> > On 02/18/2014 02:47 PM, Jindrich Dolezal wrote:
> > > hi,
> > >
> > > I'm using dogtag 9.0 (pki-ca-9.0.3) on rhel 6.2 and want to make a clone.
> > > I'm following the 'Deploy and Install guide' chapter 10.3. So I have a master CA, created the clone CA and ran the configuration wizard. I got to the point (point 10) where I am supposed to "Import Keys and Certificates".
> > > After filling in the p12 file and password I ended up with:
> > >
> > > " org.xml.sax.SAXParseException; lineNumber: 2; columnNumber: 15; Open quote is expected for attribute "BGCOLOR" associated with an element type "BODY"."
> > >
> > > error appearing on the page (see attached picture).
> > > Note that when I fill in an incorrect file or invalid password, the wizard tells me with an appropriate error (like no such file/...), but when everything is correct the SAX exception appears. The SAX exception also appears when I leave the inputs blank and click next => therefore this step is unpassable.
> > >
> > > has anyone performed cloning with success?
> > >
> > > thanks,
> > >
> > > jd
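The three-step workaround above, as an added shell example that is not from Ade's post or the Dogtag project. LDAP result code 21 is invalidAttributeSyntax, which matches the "host: value #0 invalid per syntax" message in the debug log, so the change turns off the server-side check that rejected the session entry. The example keeps a timestamped backup of dse.ldif, replaces `nsslapd-syntaxcheck` in place when present or adds it to the `dn: cn=config` entry when absent, and accepts `on` as well, so the check can be switched back on once the clone has been configured (the post describes the change as a Dogtag 9 workaround, not a permanent setting). The dse.ldif path, the `service dirsrv` invocation and the sample dse.ldif contents are assumptions.

```sh
#!/bin/sh
# Added example: toggle nsslapd-syntaxcheck in a Directory Server dse.ldif for
# the Dogtag 9 cloning workaround. Not part of the original thread.
set -eu

# Print the current nsslapd-syntaxcheck value from a dse.ldif ("" if absent).
get_syntaxcheck() {
    sed -n 's/^nsslapd-syntaxcheck: *//p' "$1" | head -n 1
}

# Set nsslapd-syntaxcheck to $2 (on|off) in the dse.ldif $1. The attribute is
# replaced in place if present, otherwise inserted into the cn=config entry
# right after its dn line. A timestamped backup of the file is kept alongside.
set_syntaxcheck() {
    dse=$1
    value=$2
    case "$value" in
        on|off) ;;
        *) echo "value must be 'on' or 'off', got '$value'" >&2; return 2 ;;
    esac
    cp -p "$dse" "$dse.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$dse.tmp.$$"
    if grep -q '^nsslapd-syntaxcheck:' "$dse"; then
        sed "s/^nsslapd-syntaxcheck:.*/nsslapd-syntaxcheck: $value/" "$dse" > "$tmp"
    else
        awk -v val="$value" '{ print } /^dn: cn=config$/ { print "nsslapd-syntaxcheck: " val }' "$dse" > "$tmp"
    fi
    # write back through the existing file so its owner and mode stay as the
    # server expects, instead of replacing it with a freshly created one
    cat "$tmp" > "$dse"
    rm -f "$tmp"
}

# Full workaround for one DS instance: stop, edit, start. Assumes the RHEL 6
# init script ("service dirsrv <action> <instance>") and the 389 DS layout
# /etc/dirsrv/slapd-<instance>/dse.ldif; adjust for other setups.
apply_syntaxcheck() {
    ds_instance=$1
    value=$2
    dse="/etc/dirsrv/slapd-$ds_instance/dse.ldif"
    service dirsrv stop "$ds_instance"
    set_syntaxcheck "$dse" "$value"
    service dirsrv start "$ds_instance"
}

# Self-check on a constructed dse.ldif fragment (not a real server's file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-syntaxcheck: on

dn: cn=schema
objectClass: top
cn: schema
EOF
set_syntaxcheck "$demo" off
echo "syntaxcheck is now: $(get_syntaxcheck "$demo")"
rm -f "$demo" "$demo".bak.*

# Real use, e.g. before configuring the clone and again afterwards:
#   apply_syntaxcheck pki-ca off
#   apply_syntaxcheck pki-ca on
```

Turning the check off is instance-wide, not limited to the security domain session entries, so the `on` call after cloning keeps the rest of the directory under the same validation it had before.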
From jindrich.dolezal at adaptivemobile.com Wed Feb 19 09:23:31 2014
From: jindrich.dolezal at adaptivemobile.com (Jindrich Dolezal)
Date: Wed, 19 Feb 2014 10:23:31 +0100
Subject: [Pki-users] Clone CA configuration
Message-ID: <53047813.2040701@adaptivemobile.com>

hi,
I created a clone CA, working fine. However, I had to make changes in CS.cfg and profiles manually on the cloned machine (like enabling scep support/...). From the install guide, I had a feeling that the clone would have the same configuration as the master had at the time of cloning:
chapter 10.1.7: "Set all desired, custom configuration for a master server before configuring any clones....Any custom settings in the master instance will be included in the cloned instances at the time they are cloned (but not after)."

which didn't happen. It's not a big deal, but have I forgotten something?

thanks

jd
From alee at redhat.com Wed Feb 19 14:26:44 2014
From: alee at redhat.com (Ade Lee)
Date: Wed, 19 Feb 2014 09:26:44 -0500
Subject: [Pki-users] Clone CA configuration
In-Reply-To: <53047813.2040701@adaptivemobile.com>
References: <53047813.2040701@adaptivemobile.com>
Message-ID: <1392820004.16167.5.camel@aleeredhat.laptop>

Not all settings in CS.cfg are propagated from the master when setting up the clone. It's likely that your custom settings were on parameters that are not propagated over.

There has been talk for a while now about potentially moving all the CS.cfg parameters into ldap, so that they could be propagated during a cloning operation, but this is probably several releases in the future.

So, no - you probably have not forgotten anything :)

Ade

On Wed, 2014-02-19 at 10:23 +0100, Jindrich Dolezal wrote:
> hi,
> I created a clone CA, working fine. However, I had to make changes in CS.cfg and profiles manually on the cloned machine (like enabling scep support/...). From the install guide, I had a feeling that the clone would have the same configuration as the master had at the time of cloning:
> chapter 10.1.7: "Set all desired, custom configuration for a master server before configuring any clones....Any custom settings in the master instance will be included in the cloned instances at the time they are cloned (but not after)."
>
> which didn't happen. It's not a big deal, but have I forgotten something?
>
> thanks
>
> jd