[Pki-users] SCEP directory authentication

Emily Stemmerich Emily at arcananet.com
Mon Apr 27 23:53:43 UTC 2015


Hi,

I am still trying to get Dogtag 10.2.1 on Fedora 21 working to allow for router identity certificates obtained by Cisco Routers via SCEP to be auto-renewing.  I have found that the one-time pin model doesn’t work for auto-renewal.  I was pointed to the RedHat document below that discusses using directory-based auth in Section 8.2.1, but I’m having issues with getting it to work.

 https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Automated_Enrollment.html#Setting_up_Directory_Based_Authentication

I’m not certain what to put in the dnpattern attribute, there are no examples I can find, and I am wondering if it is the reason attempts from the router show uid and credentials as null – details of the setup are later on in this email.

  * dnpattern. Specifies a string representing a subject name pattern to formulate from the directory attributes and entry DN.

------------------------------------------

From my CS.conf (RouterAuth is then referenced in the caRouterCert.cfg instead of flatfile):

auths.instance.RouterAuth.pluginName=UidPwdDirAuth
auths.instance.RouterAuth.ldap.basedn=ou=RouterID,dc=auth,dc=sample,dc=com
auths.instance.RouterAuth.ldap.ldapconn.host=localhost
auths.instance.RouterAuth.ldap.ldapconn.port=389
auths.instance.RouterAuth.ldap.ldapconn.secureConn=false
------------------------------------------

I’ve created a hierarchy outside of dogtag for doing router auth:
ou=RouterID,dc=auth,dc=sample,dc=com
------------------------------------------

Test User Account (I am not sure what objectClass to use, so I found one with uid and password as options and used that):
dn: uid=172.18.240.11,ou=RouterID,dc=auth,dc=sample,dc=com
uid: 172.18.240.11
objectClass: inetUser
userPassword: testpass

------------------------------------------
Router config.  For flatfile auth it ends up using the WAN IP and the password in the identity section, however for LDAP auth I don’t know what things would map to:

crypto ca identity SAMPLE
enrollment url http://172.21.4.239:8080/ca/cgi-bin
revocation-check none
fqdn emilyvpn.sample.com
serial-number none
ip-address none
hash sha256
password testpass
rsakeypair  MEVO 2048
auto-enroll 75
crl optional
exit

crypto ca authenticate SAMPLE

------------------------------------------

When I try and get a cert from the Cisco Router I get output like the following in the debug file that lists both UID and credential as null:

[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory::getConn
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory.getConn(): num avail conns now 4
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Authenticating UID=null
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: returnConn: mNumConns now 4
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: operation failure - Authentication credential for uid is null.
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: Output PKIOperation response:

Thanks for any assistance,
-Emily
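Added example (not from the post or from Dogtag): a small Python parser for debug-log lines in the format quoted above that splits them into per-request SCEP authentication attempts, so a null-UID failure like this one can be picked out of a busy log. The sample lines are constructed; the first attempt reproduces the failing lines from the post, the second is an invented attempt on another worker thread where a UID was actually supplied.

```python
import re

# Constructed sample in the Dogtag debug-log format quoted above.
SAMPLE_LOG = """\
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory::getConn
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Authenticating UID=null
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: operation failure - Authentication credential for uid is null.
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: Output PKIOperation response:
[24/Apr/2015:16:35:02][http-bio-8080-exec-9]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication
[24/Apr/2015:16:35:02][http-bio-8080-exec-9]: Authenticating UID=172.18.240.11
[24/Apr/2015:16:35:03][http-bio-8080-exec-9]: Output PKIOperation response:
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")

def parse_debug_log(text):
    """Yield (timestamp, thread, message) for each well-formed debug line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("thread"), m.group("msg")

def extract_auth_attempts(text):
    """Split the log into authentication attempts. Worker threads are reused,
    so an attempt is delimited by its 'Got authenticator=' line and the
    'Output PKIOperation response:' line on the same thread, not by thread alone."""
    open_attempts = {}  # thread -> attempt currently being assembled
    attempts = []
    for ts, thread, msg in parse_debug_log(text):
        if msg.startswith("Got authenticator="):
            open_attempts[thread] = {"start": ts, "thread": thread,
                                     "authenticator": msg.split("=", 1)[1],
                                     "uid": None, "failure": None}
            continue
        cur = open_attempts.get(thread)
        if cur is None:
            continue  # line outside any attempt on this thread
        if msg.startswith("Authenticating UID="):
            cur["uid"] = msg.split("=", 1)[1]
        elif msg.startswith("operation failure - "):
            cur["failure"] = msg[len("operation failure - "):]
        elif msg.startswith("Output PKIOperation response"):
            attempts.append(open_attempts.pop(thread))
    return attempts

def null_credential_attempts(text):
    """Only the attempts where the authenticator never saw a usable UID,
    which is the symptom shown in the post."""
    return [a for a in extract_auth_attempts(text)
            if a["uid"] in (None, "null") or a["failure"]]
```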