[Pki-users] SCEP Enrollment fails with Certificate not found .
Christina Fu
cfu at redhat.com
Tue Nov 25 17:57:03 UTC 2014
Hi William,
Thank you very much for your feedback. I find helping people like you
very rewarding.
I do not have time to read it through carefully at the moment, but
could you please file two bug? One for #1 and one for the LunaSA
unwrapping related issues. You can just copy and paste the relevant
portion of your email into each bug.
Here is the info: http://pki.fedoraproject.org/wiki/PKI_Bugs
btw, out of curiosity, can you search in your debug log for the string:
"handlePKIOperation: Encryption algorithm"
What algorithm does it say? Please put that in bug #2 as well.
Each HSM actually requires different flags and attributes to work. For
example, to unwrap, Lunasa would require sensitive to be false and
extractable to be true, while Thales nethsm would require sensitive to
be false and extractable to be false. key types make a difference too
for rsa and ecc keys need different attributes. I suspect the code in
the SCEP part of the woods might not have been tuned to handle such
differences.
thanks,
Christina
On 11/25/2014 04:23 AM, Elliott William C OSS sIT wrote:
> We want to post the results of our solution to problem(s) we were having.
>
> In all, we had three different issues to overcome to get SCEP Enrollment working under RHEL6/Dogtag 9 when using Safenet HSMs.
>
>
> 1. "Certificate not found: osstest:caSigningCert cert-pki-testca1"
>
> This message is somewhat misleading because the correct combination of token and CA nickname are displayed. However the debug messages from
> method CryptoContext show that mNickname incorrectly has the token name prepended twice, and is what throws the exception:
>
> [05/Nov/2014:13:29:59][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest'
> [05/Nov/2014:13:29:59][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'
>
> As described in my first post, mNickname is modified with every call to CryptoContext - an additional token name is then prepended with every call.
> In fact, using a HSM, the CA nickname already contains the token name when mNickname is set in init(), and needs never be prepended.
>
> Commenting out the offending line in CrypoContext() resolves the issue, when a HSM is used:
>
> pki-core-9.0.3-38.el6_6.src.rpm and pki-core-9.0.3-32.el6.src.rpm - both are identical in CRSEnrollment.java:
> 1973 if (mTokenName.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) ||
> 1974 mTokenName.equalsIgnoreCase("Internal Key Storage Token") ||
> 1975 mTokenName.length() == 0) {
> 1976 keyStorageToken = cm.getInternalKeyStorageToken();
> 1977 internalKeyStorageToken = keyStorageToken;
> 1978 CMS.debug("CRSEnrollment: CryptoContext: internal token name: '"+mTokenName+"'");
> 1979 } else {
> 1980 keyStorageToken = cm.getTokenByName(mTokenName);
> 1981 internalKeyStorageToken = null;
> 1982 // mNickname = mTokenName + ":" + mNickname;
> 1983 CMS.debug("CRSEnrollment: CryptoContext: token name: "+mTokenName+"'");
> 1984 }
>
> For some reason, the following relatively careful conditional prepending of the token name was removed from the init() methond and placed into CryptoContext() in version 9.0.3 that is packaged with RHEL6. In these versions we tested, mNickname is brutally prepended with every call.
>
> The following version 9 in the Dogtag git repository still had it right, and also in version 10 it's also correct again:
>
> DOGTAG_9_0_FEDORA_15_16_17_20111028
> 176 if (!(mTokenName.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) ||
> 177 mTokenName.equalsIgnoreCase("Internal Key Storage Token") ||
> 178 mTokenName.length() == 0)) {
> 179 int i = mNickname.indexOf(':');
> 180 if (!((i > -1) && (mTokenName.length() == i) && (mNickname.startsWith(mTokenName)))) {
> 181 mNickname = mTokenName + ":" + mNickname;
> 182 }
> 183 }
>
> DOGTAG_10_1_1_1_FEDORA_20_20140321
> 248 if (!(mTokenName.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) ||
> 249 mTokenName.equalsIgnoreCase("Internal Key Storage Token") || mTokenName.length() == 0)) {
> 250 int i = mNickname.indexOf(':');
> 251 if (!((i > -1) && (mTokenName.length() == i) && (mNickname.startsWith(mTokenName)))) {
> 252 mNickname = mTokenName + ":" + mNickname;
> 253 }
> 254 }
>
>
> *******************
> Should we submit a bug report for this in the current RHEL6 packages?
> We'd love to see this fixed in the RH packages and not have to compile our own packages with every update of RHEL6.
> *******************
>
> 2. Could not to unwrap PKCS10 blob
>
> [14/Nov/2014:08:30:08][http-9180-1]: failed to unwrap PKCS10 org.mozilla.jss.crypto.SymmetricKey$NotExtractableException
> [14/Nov/2014:08:30:08][http-9180-1]: ServletException javax.servlet.ServletException: Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: null
>
> Here, the CA is unable to process requests from the client (again sscep) encrypted with 3DES although this is the single allowed algorithm enabled by default.
> I have no idea what is causing this error, but the workaround is to fall back to DES: allow DES in CS.cfg and configure it on the client.
> When using no HSM, just a local nss keystore, the error doesn't occur.
>
> 3. FIPS 140-2 mode
>
> The same error message in 2. occurs when the HSM is _not_ in FIPS mode. Both RHEL6/Dogtag 9 and RHEL5/Dogtag 1.3 LunaSA 4 and 5. Without FIPS mode activated, all requests fail with Could not unwrap PKCS10 blob: null. (also when des is used for request)
>
> Workaround: activate FIPS mode on the HSM. -
>
>
> Case 3. (and maybe case 2.) is very similar to, if not related to [the still open] Bug 825887 (https://bugzilla.redhat.com/show_bug.cgi?id=825887). There, it was the activation of FIPS mode for a local NSS database which triggered the issue. (I assume that FIPS mode for NSS prevents the cloning/exporting of keys - which is of course always the behavior of the HSM, regardless of FIPS mode. ) Our requests also failed at exactly the same call getDESKeyGenerator().clone as described in the Bug 825887.
>
>
> Best regards,
> William
>
> -----Original Message-----
> From: Elliott William C OSS sIT
> Sent: Dienstag, 21. Oktober 2014 14:55
> To: pki-users at redhat.com
> Subject: RE: [Pki-users] SCEP Enrollment fails with Certificate not found . [heur][html-removed]
>
> (sorry for the delay - I was out of the office for some time)
>
> The package version we're trying is pki-ca-9.0.3-32.el6.noarch, on RHEL6 as I said. But since the last email we've also tried 9.0.3-38, with the same result.
> We always ran through the wizard panels using all default values, changing nothing, but now we configure the ca with pkisilent with the same default values to make sure the configuration doesn't change from one test to the next.
>
> The only change we make is afterwords to enable scep in the config:
>
> ca.scep.allowedEncryptionAlgorithms=DES3
> ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
> ca.scep.enable=true
> ca.scep.encryptionAlgorithm=DES3
> ca.scep.hashAlgorithm=SHA1
> ca.scep.nonceSizeLimit=16
>
> The whole thing always works fine when we use the internal token (and with RHEL5/Dogtag 1.3 on the hsm), but throws the exception when the hsm is used as token.
> We use sscep to submit requests to the ca.
>
> We had never set the two parameters (scep.nickname, scep.tokenname) you suggested trying.
> Here are the results of your suggestions below :
>
> ** 1. This is our current configuration which always produces the exception.
> From debug log:
> CRSEnrollment: init: SCEP support is enabled.
> CRSEnrollment: init: SCEP nickname: osstest:caSigningCert cert-pki-testca1
> CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
> CRSEnrollment: init: Token name: osstest
> CRSEnrollment: init: Is SCEP using CA keys: true
> CRSEnrollment: init: mNonceSizeLimit: 16
> CRSEnrollment: init: mHashAlgorithm: SHA1
> CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
> CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
> CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
> CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
> CRSEnrollment: init: mEncryptionAlgorithm: DES3
> CRSEnrollment: init: mEncryptionAlgorithmList: DES3
> CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
> CRSEnrollment: init: mProfileId=caRouterCert
> ...
> CRSEnrollment: CryptoContext: token name: osstest'
> CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'
> handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
> at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
> ...
>
> ** 2. Setting ca.scep.nickname at first produced no discernable change,
> other than, requests for the ca cert. with "sscep getca" then fail reliably.
> Due to token name not being set:
> From debug log:
> CRSEnrollment: init: SCEP support is enabled.
> CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-testca1
> CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
> CRSEnrollment: init: Token name:
> CRSEnrollment: init: Is SCEP using CA keys: false
> CRSEnrollment: init: mNonceSizeLimit: 16
> CRSEnrollment: init: mHashAlgorithm: SHA1
> CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
> CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
> CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
> CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
> CRSEnrollment: init: mEncryptionAlgorithm: DES3
> CRSEnrollment: init: mEncryptionAlgorithmList: DES3
> CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
> CRSEnrollment: init: mProfileId=caRouterCert
> ...
> CRSEnrollment: CryptoContext: internal token name: ''
> CRSEnrollment: CryptoContext: mNickname: 'caSigningCert cert-pki-testca1'
> handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
> at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
> ...
>
> ** 3. setting both ca.scep.nickname and ca.scep.tokenname also does not get around the problem.
>
> From debug log:
> CRSEnrollment: init: SCEP support is enabled.
> CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-testca1
> CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
> CRSEnrollment: init: Token name: osstest
> CRSEnrollment: init: Is SCEP using CA keys: false
> CRSEnrollment: init: mNonceSizeLimit: 16
> CRSEnrollment: init: mHashAlgorithm: SHA1
> CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
> CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
> CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
> CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
> CRSEnrollment: init: mEncryptionAlgorithm: DES3
> CRSEnrollment: init: mEncryptionAlgorithmList: DES3
> CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
> CRSEnrollment: init: mProfileId=caRouterCert
> ...
> CRSEnrollment: CryptoContext: token name: osstest' <-- from sscep getca request
> CRSEnrollment: CryptoContext: mNickname: 'osstest:caSigningCert cert-pki-testca1'
> ...
> CRSEnrollment: CryptoContext: token name: osstest'
> CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1' <-- from sscep enroll request
> handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
> at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
> at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
> at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>
>
> best regards,
> William
>
> -----Original Message-----
> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Christina Fu
> Sent: Donnerstag, 02. Oktober 2014 02:15
> To: pki-users at redhat.com
> Subject: Re: [Pki-users] SCEP Enrollment fails with Certificate not found . [heur][html-removed]
>
> btw, I'm not suggesting that you need either or both config params.
>
> three sets of config you can try:
> 1. don't specify either ca.scep.nickname or ca.scep.tokenname
> (I think by default it takes the ca signing cert, if that's what you
> intend to use anyway)
>
> 2. specify nickname only ca.scep.nickname (without the token)
> ca.scep.nickname=caSigningCert cert-pki-testca1
> (I think by default, if the nickname you specified matches that of the
> ca, it will find the token for you)
>
> 3. specify both nickname and token:
> ca.scep.nickname=caSigningCert cert-pki-testca1
> ca.scep.tokenname=osstest
> (last resort, because when you do this, it thinks it's not using the ca
> signing cert.. )
>
> Let us know.
> Christina
>
> On 10/01/2014 05:00 PM, Christina Fu wrote:
>> What's your scep config values, specifically:
>> ca.scep.nickname
>> ca.scep.tokenname
>>
>> Christina
>>
>> On 09/29/2014 04:55 AM, Elliott William C OSS sIT wrote:
>>> Hello,
>>>
>>> We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs
>>> setup for SCEP enrollment. But, no matter whether we try the older
>>> HSMs( LunaSA 4) or the newer (LunaSA 5) we cannot complete a
>>> successful SCEP request. The following exception occurs in the debug log:
>>>
>>> [29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
>>>
>>> [29/Sep/2014:13:41:17][http-9180-1]:
>>> message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ
>>>
>>> KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w
>>>
>>> ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt
>>>
>>> dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG
>>>
>>> SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH
>>>
>>> 7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP
>>>
>>> RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs
>>>
>>> HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r
>>>
>>> SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g
>>>
>>> rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF
>>>
>>> Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM
>>>
>>> X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW
>>>
>>> m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu
>>>
>>> udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc
>>>
>>> AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT
>>>
>>> l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61
>>>
>>> JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz
>>>
>>> cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z
>>>
>>> gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB
>>>
>>> dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG
>>>
>>> NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy
>>>
>>> MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx
>>>
>>> MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF
>>>
>>> gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM
>>>
>>> rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip
>>>
>>> 9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB
>>>
>>> gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN
>>>
>>> L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp
>>>
>>> e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w
>>>
>>> GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG
>>>
>>> OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC
>>>
>>> MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw
>>>
>>> OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg
>>>
>>> hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0
>>>
>>> QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB
>>>
>>> gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH
>>>
>>> eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm
>>>
>>> /oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+
>>>
>>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
>>> token name: osstest'
>>>
>>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
>>> mNickname: '*osstest:osstest*:caSigningCert cert-pki-testca1'
>>>
>>> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
>>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
>>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>>
>>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
>>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>>
>>> at
>>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>>>
>>> at
>>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>>>
>>> at
>>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>>>
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>>
>>> at
>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>
>>> at
>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>
>>> at
>>> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>>>
>>> at
>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>
>>> at
>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>
>>> at
>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>
>>> at
>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>>
>>> at
>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>>
>>> at
>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>
>>> at
>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>
>>> at
>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>>
>>> at
>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>>>
>>> at
>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>>>
>>> at
>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>>
>>> at java.lang.Thread.run(Thread.java:701)
>>>
>>> [29/Sep/2014:13:41:17][http-9180-1]: ServletException
>>> javax.servlet.ServletException: Failed to process message in CEP
>>> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>>
>>> What stands out is the line with mNickname. After restarting the
>>> service, with the first request, the HSM token name appears to be
>>> listed twice in the *mNickname* string. Interestingly, with each new
>>> request, the number of token names increases by one in the string.
>>> i.e. with the 2^nd attempt, the same exception occurs but the token
>>> name appears three times:
>>>
>>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
>>> token name: osstest'
>>>
>>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
>>> mNickname: '*osstest:osstest:osstest*:caSigningCert cert-pki-testca1'
>>>
>>> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
>>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
>>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>>
>>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
>>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>>
>>> at
>>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>>>
>>> at
>>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>>>
>>> at
>>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>>>
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>>
>>> at
>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>
>>> at
>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>
>>> at
>>> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>>>
>>> at
>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>
>>> at
>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>
>>> at
>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>
>>> at
>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>>
>>> at
>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>>
>>> at
>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>
>>> at
>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>
>>> at
>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>>
>>> at
>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>>>
>>> at
>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>>>
>>> at
>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>>
>>> at java.lang.Thread.run(Thread.java:701)
>>>
>>> [29/Sep/2014:13:41:17][http-9180-1]: ServletException
>>> javax.servlet.ServletException: Failed to process message in CEP
>>> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>>
>>> As mentioned, the exception occurs with both versions 4 and 5 of
>>> LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating
>>> with SCEP enrollment.) With local tokens, (no HSMs) the error does
>>> not occur.
>>>
>>> Any Ideas, how we can track this down? We definitely need to get this
>>> running.
>>>
>>> Best regards!
>>>
>>> William Elliott
>>>
>>> s IT Solutions
>>>
>>> Open System Services
>>>
>>> s IT Solutions AT Spardat GmbH
>>>
>>> A-1110 Wien, Geiselbergstraße 21 - 25
>>>
>>> Phone: +43 (0)5 0100 - 39376
>>>
>>> Fax: +43 (0)5 0100 9 - 39376
>>>
>>> Mobile: +43 (0)5 0100 6 - 39376
>>>
>>> _mailto:william.elliott at s-itsolutions.at
>>> <mailto:william.elliott%20at%20s-itsolutions.at>_
>>>
>>> www.s-itsolutions.com <http://www.s-itsolutions.com/>
>>>
>>> Head Office: Vienna Commercial Register No.: 152289f Commercial Court
>>> of Vienna
>>>
>>> This message and any attached files are confidential and intended
>>> solely for the addressee(s). Any publication, transmission or other
>>> use of the information by a person or entity other than the intended
>>> addressee is prohibited. If you receive this in error please contact
>>> the sender and delete the material. The sender does not accept
>>> liability for any errors or omissions as a result of the transmission.
>>>
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
More information about the Pki-users
mailing list