From tjaalton at ubuntu.com Mon Jun 2 08:21:06 2014
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Mon, 02 Jun 2014 11:21:06 +0300
Subject: [Pki-users] support for tomcat8?
Message-ID: <538C33F2.7010102@ubuntu.com>

Hi

The next Debian release will probably ship with only tomcat 8.x in the archive, so I was wondering if Dogtag needs anything special to use it? I see that Fedora still has 7.0.x.

-- 
t

From prmarino1 at gmail.com Tue Jun 3 22:49:31 2014
From: prmarino1 at gmail.com (Paul Robert Marino)
Date: Tue, 3 Jun 2014 18:49:31 -0400
Subject: [Pki-users] possible bug in DogTag 10 on Fedora 20
Message-ID:

I'm trying to install the RA.

When I try to run the following I get
"
# pkispawn -s RA -v
Tomcat:
  Instance [pki-apache]:
  HTTP port [80]:
  Secure HTTP port [443]:
Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 530, in
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 148, in main
    parser.read_text('AJP port', config.pki_subsystem, 'pki_ajp_port')
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 257, in read_text
    default = self.pki_master_dict[key]
KeyError: 'pki_ajp_port'
"

Does anyone know if this is a known bug, a new bug, or am I using the wrong method?
From mharmsen at redhat.com Tue Jun 3 23:16:30 2014
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 03 Jun 2014 16:16:30 -0700
Subject: [Pki-users] possible bug in DogTag 10 on Fedora 20
In-Reply-To:
References:
Message-ID: <538E574E.6090103@redhat.com>

On 06/03/14 15:49, Paul Robert Marino wrote:
> I'm trying to install the RA
>
> when I try to run the following I get
> "
> # pkispawn -s RA -v
> Tomcat:
>   Instance [pki-apache]:
>   HTTP port [80]:
>   Secure HTTP port [443]:
> Traceback (most recent call last):
>   File "/usr/sbin/pkispawn", line 530, in
>     main(sys.argv)
>   File "/usr/sbin/pkispawn", line 148, in main
>     parser.read_text('AJP port', config.pki_subsystem, 'pki_ajp_port')
>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py",
> line 257, in read_text
>     default = self.pki_master_dict[key]
> KeyError: 'pki_ajp_port'
> "
>
> does anyone know if this is a known bug, a new bug, or am I using the wrong method?
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

Paul,

The 'pkispawn' tool only works for the Java Tomcat-based PKI subsystems - CA, KRA, OCSP, or TKS.

Note that TPS instances that are currently undergoing development will also use this tool.

In order to install a native Apache-based RA (or a legacy TPS) instance, you must still use the 'pkicreate' installer, and configure the instance using a browser with the GUI interface or construct the proper arguments to the 'pkisilent' configuration tool.
-- Matt

From prmarino1 at gmail.com Thu Jun 5 17:40:46 2014
From: prmarino1 at gmail.com (Paul Robert Marino)
Date: Thu, 5 Jun 2014 13:40:46 -0400
Subject: [Pki-users] locking down specific URL's on port 8080
Message-ID:

Hello,

I am currently working on a new dogtag PKI 10 install. I realized though there are 3 URLs that concern me and I would like to prevent public access to them. They are
http://:8080/ca/ee/ca/profileSelect?profileId=,
http://:8080, and http://:8080/ca/ee/ca/profileList

I'm looking at a method mentioned here
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_Address_Filter

I've tried putting in a rule into /etc/pki/pki-tomcat/web.xml like so
"
<filter>
  <filter-name>Remote Address Filter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <param-value>192\.168\.100\.\d+|192\.168\.200\.\d+</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>Remote Address Filter</filter-name>
  <url-pattern>/ca/ee/ca/profileSelect*|/ca/ee/ca/profileSubmit*|/ca/ee/ca/profileList</url-pattern>
</filter-mapping>
"
Note I've changed the subnets; those are not the real ones I used in my configuration.
Unfortunately it doesn't seem to be working.

Does anyone have any pointers for me or an example of what they have used for this?

From prmarino1 at gmail.com Thu Jun 5 17:43:21 2014
From: prmarino1 at gmail.com (Paul Robert Marino)
Date: Thu, 5 Jun 2014 13:43:21 -0400
Subject: [Pki-users] possible bug in DogTag 10 on Fedora 20
In-Reply-To: <538E574E.6090103@redhat.com>
References: <538E574E.6090103@redhat.com>
Message-ID:

Thank you Matthew. I did it the old fashioned way using pkicreate like you suggested and it's working.
On Tue, Jun 3, 2014 at 7:16 PM, Matthew Harmsen wrote:
> On 06/03/14 15:49, Paul Robert Marino wrote:
>>
>> I'm trying to install the RA
>>
>> when I try to run the following I get
>> "
>> # pkispawn -s RA -v
>> Tomcat:
>>   Instance [pki-apache]:
>>   HTTP port [80]:
>>   Secure HTTP port [443]:
>> Traceback (most recent call last):
>>   File "/usr/sbin/pkispawn", line 530, in
>>     main(sys.argv)
>>   File "/usr/sbin/pkispawn", line 148, in main
>>     parser.read_text('AJP port', config.pki_subsystem, 'pki_ajp_port')
>>   File
>> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py",
>> line 257, in read_text
>>     default = self.pki_master_dict[key]
>> KeyError: 'pki_ajp_port'
>> "
>>
>> does anyone know if this is a known bug, a new bug, or am I using the wrong
>> method?
>
> Paul,
>
> The 'pkispawn' tool only works for the Java Tomcat-based PKI subsystems -
> CA, KRA, OCSP, or TKS.
>
> Note that TPS instances that are currently undergoing development will also
> use this tool.
>
> In order to install a native Apache-based RA (or a legacy TPS) instance, you
> must still use the 'pkicreate' installer, and configure the instance using a
> browser with the GUI interface or construct the proper arguments to the
> 'pkisilent' configuration tool.
>
> -- Matt

From prmarino1 at gmail.com Thu Jun 5 20:32:11 2014
From: prmarino1 at gmail.com (Paul Robert Marino)
Date: Thu, 5 Jun 2014 16:32:11 -0400
Subject: [Pki-users] locking down specific URL's on port 8080
In-Reply-To:
References:
Message-ID:

I figured it out, in case anyone is curious. I had to create 3 filters and filter-mapping sections, one for each URL. Then I had to start it from /ee/ca/ (notice I left the first /ca prefix off).
I had to add white spacing in the url-pattern tags like so
"
<url-pattern> /ee/ca/profileSelect </url-pattern>
"
Finally I had to put it in /var/lib/pki/pki-tomcat/ca/webapps/ca/WEB-INF/web.xml

On Thu, Jun 5, 2014 at 1:40 PM, Paul Robert Marino wrote:
> hello
> I am currently working on a new dogtag PKI 10 install. I realized
> though there are 3 URLs that concern me and I would like to prevent
> public access to them. They are
> http://:8080/ca/ee/ca/profileSelect?profileId=,
> http://:8080, and http://:8080/ca/ee/ca/profileList
>
> I'm looking at a method mentioned here
> http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_Address_Filter
>
> I've tried putting in a rule into /etc/pki/pki-tomcat/web.xml like so
> "
> <filter>
>   <filter-name>Remote Address Filter</filter-name>
>   <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
>   <init-param>
>     <param-name>allow</param-name>
>     <param-value>192\.168\.100\.\d+|192\.168\.200\.\d+</param-value>
>   </init-param>
> </filter>
>
> <filter-mapping>
>   <filter-name>Remote Address Filter</filter-name>
>   <url-pattern>/ca/ee/ca/profileSelect*|/ca/ee/ca/profileSubmit*|/ca/ee/ca/profileList</url-pattern>
> </filter-mapping>
> "
> Note I've changed the subnets; those are not the real ones I used in my
> configuration.
> Unfortunately it doesn't seem to be working.
>
> Does anyone have any pointers for me or an example of what they have
> used for this?

From prmarino1 at gmail.com Mon Jun 9 22:22:55 2014
From: prmarino1 at gmail.com (Paul Robert Marino)
Date: Mon, 9 Jun 2014 18:22:55 -0400
Subject: [Pki-users] problems creating a KRA clone
Message-ID:

I'm in the process of creating a replica of a dogtag 10 server and all is well so far except for one thing. I initially made a mistake in the config file for the pkispawn cloning the KRA. I've tried pkidestroy then manually deleting the database and the replication agreements in 389 server but I keep getting stuck on this.
"
2014-06-09 21:53:54 pkispawn    : INFO     ....... constructing PKI configuration data.
2014-06-09 21:53:54 pkispawn    : INFO     ....... configuring PKI configuration data.
2014-06-09 21:54:04 pkispawn    : ERROR    .......
Exception from Java Configuration Servlet: Errors in pushing KRA connector information to the CA: com.netscape.certsrv.base.ConflictingOperationException: Attribute or value exists.
2014-06-09 21:54:04 pkispawn    : DEBUG    ....... Error Type: HTTPError
2014-06-09 21:54:04 pkispawn    : DEBUG    ....... Error Message: 500 Server Error: Internal Server Error
2014-06-09 21:54:04 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 463, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 126, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3194, in configure_pki_data
    response = client.configure(data)
  File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in configure
    r = self.connection.post('/rest/installer/configure', data, headers)
  File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 683, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
"
Does anyone have any ideas on what could be causing this?

Thank You

From WilliamC.Elliott at s-itsolutions.at Tue Jun 24 20:09:10 2014
From: WilliamC.Elliott at s-itsolutions.at (Elliott William C OSS sIT)
Date: Tue, 24 Jun 2014 20:09:10 +0000
Subject: [Pki-users] PIN reuse with SCEP flatfile authentication
Message-ID: <85C87A9995875247B2DD471950E0AE4D1B7FC2D5@M0182.s-mxs.net>

Hi,

We're trying to get automated enrollment going with a new dogtag CA (v.9 on RHEL6) using SCEP. We have a system in place which verifies signing requests (assuming the role of an RA) and would pass them on to the CA using the SCEP protocol. We have problems trying to achieve a configuration we can live with. Version 9 of DT is very stringent about not allowing reuse of PINs.
How do others use SCEP with thousands of clients without managing the flatfile.txt for all of the different hosts and PINs? (In the past we have used the same PIN for all hosts, routed all requests over the same IP (UID) and restricted DT from commenting out the entry in flatfile.txt. However, the latest versions of DT seem to cache the status of UID/PIN from the flatfile in memory as already used and invalid after it is used once.)

When I read the documentation of CS 8.1 regarding router certificates, I'm amazed by the tedious manual steps involved with authentication. How can this be used with thousands of clients?

I'd like to have the CA authenticate the SCEP requests based on the pkcs7 signature - that being one using a valid cert from the CA (similar to renewal in the protocol, without the PIN). I tried this with and without a PIN in the pkcs10 request, but it also failed unless a valid PIN was in the flatfile.txt file. Authentication seems always to require a valid (one-time) PIN.

Basically, we'd like to be able to reuse PINs as before - even though this was disallowed in a security bug-fix (I don't have the bug ID at hand). Or, I'd even grudgingly accept NO authentication, and I would restrict/control access through other means (network, etc.)

I'd love to hear from anyone who has SCEP in use with many hosts! How do you achieve it these days?

Thanks in advance for any tips,
William Elliott

s IT Solutions
Open System Services
s IT Solutions AT Spardat GmbH
mailto:william.elliott at s-itsolutions.at
Head Office: Vienna
Commercial Register No.: 152289f
Commercial Court of Vienna

From sbernst at gmail.com Fri Jun 27 17:02:05 2014
From: sbernst at gmail.com (sbernst at gmail.com)
Date: Fri, 27 Jun 2014 17:02:05 +0000
Subject: [Pki-users] ECC entity certificate signing and Dogtag
In-Reply-To:
References:
Message-ID: <53adabeb.8a65b60a.2db6.ffff9e30@mx.google.com>

Hi there... It has been suggested that this is likely a question for CFU (Christina).

How and where do I get the libraries to get ECC working on DogTag on FC20? Specifically looking to sign client side generated PKCS#10 key blobs. The Dogtag 10 release from 17 Jan 2013 suggested that this might be supported, but info from the link below says that, "Certicom software tokens could not be used because of an issue with malformed private keys."
https://www.redhat.com/archives/pki-users/2013-January/msg00001.html

So what all is required to sign ECC generated requests? (Not planning on use of the TMS interface at this point.) I saw that Bug 986831 says that, "Some tools are broken for ECC with NSS token alone," (from the 10.1 release announcement from November of last year https://www.redhat.com/archives/pki-users/2013-November/msg00001.html) but I'm not authorized to view its details. (I mention this to demonstrate that I'm trying to do my homework on this issue before asking for help.)

Thank you so much, in advance, for any and all help.

- Steven
From cfu at redhat.com Mon Jun 30 18:15:24 2014
From: cfu at redhat.com (Christina Fu)
Date: Mon, 30 Jun 2014 11:15:24 -0700
Subject: [Pki-users] ECC entity certificate signing and Dogtag
In-Reply-To: <53adabeb.8a65b60a.2db6.ffff9e30@mx.google.com>
References: <53adabeb.8a65b60a.2db6.ffff9e30@mx.google.com>
Message-ID: <53B1A93C.5090005@redhat.com>

Hi Steven,

NSS softtoken provides ECC on F20 out of the box (https://bugzilla.redhat.com/show_bug.cgi?id=1019244). During installation, you just want to make sure that you select the right option accordingly.

On the client side, the current firefox version supports CRMF key gen with EC. You can try it on one of the enrollment profiles at the EE port.

From the CLI, certutil works well. You can do something like the following to get PKCS#10:

certutil -d . -R -k ec -q nistp256 -s "CN=test2014" -a -o req.test2014

Christina

On 06/27/2014 10:02 AM, sbernst at gmail.com wrote:
> Hi there... It has been suggested that this is likely a question for
> CFU (Christina).
>
> How and where do I get the libraries to get ECC working on DogTag on
> FC20? Specifically looking to sign client side generated PKCS#10 key
> blobs. The Dogtag 10 release from 17 Jan 2013 suggested that this
> might be supported, but info from the link below says that, "Certicom
> software tokens could not be used because of an issue with malformed
> private keys."
> https://www.redhat.com/archives/pki-users/2013-January/msg00001.html
>
> So what all is required to sign ECC generated requests? (Not planning
> on use of the TMS interface at this point.) I saw that Bug 986831 says
> that, "Some tools are broken for ECC with NSS token alone," (from the
> 10.1 release announcement from November of last year
> https://www.redhat.com/archives/pki-users/2013-November/msg00001.html)
> but I'm not authorized to view its details. (I mention this to
> demonstrate that I'm trying to do my homework on this issue before
> asking for help.)
>
> Thank you so much, in advance, for any and all help.
>
> - Steven
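For the "locking down specific URL's on port 8080" thread above, an added example (not the poster's final file and not shipped by Dogtag) of a RemoteAddrFilter block that limits the three profile URLs to two internal subnets. It assumes the block sits inside <web-app> in the CA webapp's /var/lib/pki/pki-tomcat/ca/webapps/ca/WEB-INF/web.xml, so the url-patterns are relative to the /ca context, and it reuses the placeholder subnets from the post; a servlet url-pattern is only an exact path, a /prefix/* path or a *.ext suffix, so the "|" alternation and trailing "*" of the first attempt never match anything, and behind a reverse proxy the filter sees the proxy's address unless RemoteIpFilter runs ahead of it.

```xml
<!-- Added example: restrict the Dogtag CA EE profile pages by client address.
     Place inside <web-app> of the CA webapp's WEB-INF/web.xml (path from the
     thread). Subnets are the post's placeholders, not real addresses. -->
<filter>
  <filter-name>Remote Address Filter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <!-- Regex tested against the whole remote IP; anything that does not
         match the entire address is rejected. -->
    <param-name>allow</param-name>
    <param-value>192\.168\.100\.\d+|192\.168\.200\.\d+</param-value>
  </init-param>
  <init-param>
    <!-- Status returned to rejected clients (403 is also the default). -->
    <param-name>denyStatus</param-name>
    <param-value>403</param-value>
  </init-param>
</filter>

<!-- One exact, context-relative mapping per URL: no leading /ca, and no
     "*|" alternation or trailing "*" (neither is a valid url-pattern). -->
<filter-mapping>
  <filter-name>Remote Address Filter</filter-name>
  <url-pattern>/ee/ca/profileSelect</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>Remote Address Filter</filter-name>
  <url-pattern>/ee/ca/profileSubmit</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>Remote Address Filter</filter-name>
  <url-pattern>/ee/ca/profileList</url-pattern>
</filter-mapping>
```

After restarting the pki-tomcat instance, a request to /ca/ee/ca/profileList from an address outside the two ranges should return the denyStatus code while a request from inside them reaches the page as before.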