[Pki-users] SCEP Enrollment fails with Certificate not found .

Christina Fu cfu at redhat.com
Thu Oct 2 00:00:07 UTC 2014


What are your SCEP config values, specifically:
ca.scep.nickname
ca.scep.tokenname

Christina

On 09/29/2014 04:55 AM, Elliott William C OSS sIT wrote:
>
> Hello,
>
> We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs 
> setup for SCEP enrollment. But, no matter whether we try the older 
> HSMs( LunaSA 4) or the newer (LunaSA 5) we cannot complete a 
> successful SCEP request. The following exception occurs in the debug log:
>
> [29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
>
> [29/Sep/2014:13:41:17][http-9180-1]: message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ
> KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w
> ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt
> dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG
> SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH
> 7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP
> RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs
> HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r
> SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g
> rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF
> Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM
> X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW
> m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu
> udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc
> AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT
> l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61
> JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz
> cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z
> gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB
> dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG
> NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy
> MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx
> MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF
> gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM
> rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip
> 9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB
> gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN
> L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp
> e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w
> GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG
> OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC
> MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw
> OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg
> hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0
> QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB
> gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH
> eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm
> /oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest'
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: '*osstest:osstest*:caSigningCert cert-pki-testca1'
>
> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
>         at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>         at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>         at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>         at java.lang.Thread.run(Thread.java:701)
>
> [29/Sep/2014:13:41:17][http-9180-1]: ServletException javax.servlet.ServletException: Failed to process message in CEP servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> What stands out is the line with mNickname. After restarting the 
> service, with the first request, the HSM token name appears to be 
> listed twice in the *mNickname* string. Interestingly, with each new 
> request, the number of token names increases by one in the string, 
> i.e. with the 2nd attempt, the same exception occurs but the token 
> name appears three times:
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest'
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: '*osstest:osstest:osstest*:caSigningCert cert-pki-testca1'
>
> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
>         at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>         at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>         at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>         at java.lang.Thread.run(Thread.java:701)
>
> [29/Sep/2014:13:41:17][http-9180-1]: ServletException javax.servlet.ServletException: Failed to process message in CEP servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> As mentioned, the exception occurs with both versions 4 and 5 of 
> LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating 
> with SCEP enrollment.) With local tokens, (no HSMs) the error does not 
> occur.
>
> Any Ideas, how we can track this down? We definitely need to get this 
> running.
>
> Best regards!
>
> William Elliott
>
> s IT Solutions
>
> Open System Services
>
> s IT Solutions AT Spardat GmbH
>
> A-1110 Wien, Geiselbergstraße 21 - 25
>
> Phone: +43 (0)5 0100 - 39376
>
> Fax: +43 (0)5 0100 9 - 39376
>
> Mobile: +43 (0)5 0100 6 - 39376
>
> william.elliott at s-itsolutions.at
>
> www.s-itsolutions.com
>
> Head Office: Vienna Commercial Register No.: 152289f Commercial Court 
> of Vienna
>
> This message and any attached files are confidential and intended 
> solely for the addressee(s). Any publication, transmission or other 
> use of the information by a person or entity other than the intended 
> addressee is prohibited. If you receive this in error please contact 
> the sender and delete the material. The sender does not accept 
> liability for any errors or omissions as a result of the transmission.
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
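
The growing-prefix symptom described in the quoted post, as an added example that is not part of this thread and not Dogtag's own code: a small Python model of a nickname qualifier that re-prepends the token name on every request (reproducing "osstest:osstest:...", then "osstest:osstest:osstest:...") beside an idempotent qualifier, plus a scanner that flags a repeated `token:` prefix in `CRSEnrollment: CryptoContext: mNickname` debug lines. The sample log lines are constructed to mirror the post; `qualify_prepend`, `qualify_once`, the `INTERNAL_TOKENS` set and the premise that CRSEnrollment re-qualifies a value kept across requests are assumptions for illustration, not a description of the Dogtag 9 source.

```python
import re

# Constructed sample lines modelled on the quoted Dogtag debug log (not copied
# from a live system): two requests showing the growing prefix, one healthy one.
SAMPLE_LOG = [
    "[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest'",
    "[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: "
    "mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'",
    "[29/Sep/2014:13:42:03][http-9180-1]: CRSEnrollment: CryptoContext: "
    "mNickname: 'osstest:osstest:osstest:caSigningCert cert-pki-testca1'",
    "[29/Sep/2014:13:50:00][http-9180-1]: CRSEnrollment: CryptoContext: "
    "mNickname: 'osstest:caSigningCert cert-pki-testca1'",
]

# Assumption: names under which the NSS software token appears; such a token
# takes no "token:" prefix in front of the certificate nickname.
INTERNAL_TOKENS = {"internal", "Internal Key Storage Token"}


def qualify_prepend(token, nickname):
    """Hypothetical non-idempotent qualifier: always prepends 'token:'.
    Applied to a value that survives between requests it reproduces the
    symptom in the post (one more 'osstest:' per request)."""
    return f"{token}:{nickname}"


def qualify_once(token, nickname):
    """Idempotent qualifier: yields 'token:nickname' exactly once.
    Assumptions: an internal/empty token needs no prefix, and a nickname
    that already starts with 'token:' is treated as already qualified."""
    if not token or token in INTERNAL_TOKENS:
        return nickname
    prefix = f"{token}:"
    return nickname if nickname.startswith(prefix) else prefix + nickname


def simulate_requests(token, nickname, requests, qualify):
    """Feed each request's result into the next one, the way a field that is
    initialised once and re-qualified per request would behave."""
    history, state = [], nickname
    for _ in range(requests):
        state = qualify(token, state)
        history.append(state)
    return history


MNICK_RE = re.compile(r"CRSEnrollment: CryptoContext: mNickname: '(?P<nick>[^']*)'")


def repeated_token_prefix(line):
    """If the logged mNickname carries the same leading 'token:' component
    more than once, return (token, repeat_count); otherwise None."""
    m = MNICK_RE.search(line)
    if not m:
        return None
    components = m.group("nick").split(":")
    token, count = components[0], 0
    for comp in components[:-1]:  # the last component is the bare nickname
        if comp != token:
            break
        count += 1
    return (token, count) if count > 1 else None


def scan_log(lines):
    """Return [(line_index, (token, repeat_count))] for every affected line."""
    hits = []
    for idx, line in enumerate(lines):
        found = repeated_token_prefix(line)
        if found:
            hits.append((idx, found))
    return hits


if __name__ == "__main__":
    nick = "caSigningCert cert-pki-testca1"
    print("non-idempotent:", simulate_requests("osstest", nick, 3, qualify_prepend))
    print("idempotent:    ", simulate_requests("osstest", nick, 3, qualify_once))
    for idx, (token, n) in scan_log(SAMPLE_LOG):
        print(f"line {idx}: token '{token}' repeated {n} times in mNickname")
```

Running the scanner over the CA debug log after each SCEP attempt is a quick triage step: a repeat count that climbs with the request number points at state carried across requests, as the post reports, whereas a constant single prefix with the same "Certificate not found" error points instead at the ca.scep.nickname / ca.scep.tokenname values not matching what the HSM token actually holds.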
