From jgallartm at gmail.com  Tue Feb  3 16:32:51 2015
From: jgallartm at gmail.com (Javier Gallart)
Date: Tue, 3 Feb 2015 17:32:51 +0100
Subject: [Pki-users] Unable to format smart card
In-Reply-To: <CACviLGaBUW+GLyvrKCnEuED2zYvfbt2kb_b=xNf=8GVjTApKjg@mail.gmail.com>
References: <CACviLGaBUW+GLyvrKCnEuED2zYvfbt2kb_b=xNf=8GVjTApKjg@mail.gmail.com>
Message-ID: <CACviLGYJW8KsVp=c2vyq2A+1kO1-Lc3qE-JJBeC3aqYU2K5Vcg@mail.gmail.com>

Hello

we still haven't been able to figure out how to fix this problem. I'm
attaching the config files.

Regards

Javi

On Fri, Jan 23, 2015 at 5:14 PM, Javier Gallart <jgallartm at gmail.com> wrote:

> Hello all
>
> first question in the list. I recently installed Dogtag version 10.2.1.
> Testing is going fine so far, with the exception of the smart card format
> stage.
> Let me give you the specs of  the system:
> -Dogtag runs on a Fedora20  x86_64
> -ESC (version esc-1.1.0-14.el5.centos1) runs on a Centos 5.11 x86_64
> -Smart Card Model:SmartCafe Expert 3.2 72K from G&D with 72K on-board
> EEPROM
>
> When I push the format button, the authentication looks good; however the
> operation fails throwing this message: "The Smart Card Server cannot
> establish a secure channel with the smart card".
>
> Looking at the logs:
> ----TPS----
> [23/Jan/2015:11:05:05][http-bio-8443-exec-11]:
> TPSEngine.computeSessionKey: Non zero status result: 1
> [23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSSession.process: Message
> processing failed: TPSProcessor.setupSecureChannel: Can't set up secure
> channel: TPSEngine.computeSessionKey: invalid returned status: 1
> [23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSMessage.write: Writing:
> s=43&msg_type=13&operation=5&result=1&message=17
> [23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSSession.process:
> leaving: result: 1 status: STATUS_ERROR_SECURE_CHANNEL
> [23/Jan/2015:11:05:05][http-bio-8443-exec-11]: After session.process()
> exiting ...
>
>
> ----TKS----
>
>
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:
> ComputeSessionKey():  xkeyInfo[0] = 0x1,  xkeyInfo[1] = 0x2
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:
> ComputeSessionKey():  Nist SP800-108 KDF will be used for key versions >=
> 0x0
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:
> ComputeSessionKey():  Nist SP800-108 KDF (if used) will use KDD.
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet about to try
> ComputeSessionKey selectedToken=Internal Key Storage Token
> keyNickName=#01#02
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:Tried
> ComputeSessionKey, got NULL
> java.lang.Exception: Can't compute session key!
>
> (...)
>
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet Computing
> Session Key: java.lang.Exception: Can't compute session key!
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]:
> TokenServlet:outputString.encode status=1
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]:
> TokenServlet:outputString.length 8
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: SignedAuditEventFactory:
> create()
> message=[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE][CUID_decoded=00002161960056514505][KDD_decoded=00002161960056514505][Outcome=Failure][status=1][AgentID=xxxxx-8443][IsCryptoValidate=true][IsServerSideKeygen=false][SelectedToken=Internal
> Key Storage
> Token][KeyNickName=#01#02][TKSKeyset=defKeySet][KeyInfo_KeyVersion=0x1][NistSP800_108KdfOnKeyVersion=0x0][NistSP800_108KdfUseCuidAsKdd=false][Error=Problem
> generating session key info.] TKS Compute session key request failed
>
> Any idea about the where the problem might be?
>
> Thanks in advance
>
> Regards
>
> Javi
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150203/8c78898c/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tks.cfg
Type: application/octet-stream
Size: 28338 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150203/8c78898c/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tps.cfg
Type: application/octet-stream
Size: 90970 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150203/8c78898c/attachment-0001.obj>

From jgallartm at gmail.com  Tue Feb  3 16:38:03 2015
From: jgallartm at gmail.com (Javier Gallart)
Date: Tue, 3 Feb 2015 17:38:03 +0100
Subject: [Pki-users] Command pki user-cert-find returns always 0
Message-ID: <CACviLGa9Nt+pPd+fwLnf=_N+=TnK5rr9KHD-nz-CHe3be8wmJg@mail.gmail.com>

Hello

during the tests of Dogtag testing of the pki cli client, we've noticed
that the command user-cert-find always returns 0. Doing it in two steps
(ldapsearch and the pki-cert-show) it works fine.

Regards

Javi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150203/f0b6310e/attachment.htm>

From jgallartm at gmail.com  Tue Feb  3 17:15:00 2015
From: jgallartm at gmail.com (Javier Gallart)
Date: Tue, 3 Feb 2015 18:15:00 +0100
Subject: [Pki-users] Dogtag with Thales HSM
Message-ID: <CACviLGYks+U2aZKLGjOSyNii=wAjVo3irHFWjCYKjgqrgKKVgQ@mail.gmail.com>

Hello

we are trying to setup Dogtag 10.2.1 with a Nshield Solo as HSM. We haven't
found a specific guide for this apart from the RedHat documentation:

https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/using-tokens.html

The guide states: "The Certificate System supports the nCipher netHSM
hardware security module (HSM) by default".

Does that mean that pkispawn will detect the module and use it or any
manual intervention is required afterwards?

Regards

Javi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150203/f90a0f2e/attachment.htm>

From jmagne at redhat.com  Tue Feb  3 18:55:29 2015
From: jmagne at redhat.com (John Magne)
Date: Tue, 3 Feb 2015 13:55:29 -0500 (EST)
Subject: [Pki-users] Unable to format smart card
In-Reply-To: <CACviLGYJW8KsVp=c2vyq2A+1kO1-Lc3qE-JJBeC3aqYU2K5Vcg@mail.gmail.com>
References: <CACviLGaBUW+GLyvrKCnEuED2zYvfbt2kb_b=xNf=8GVjTApKjg@mail.gmail.com>
	<CACviLGYJW8KsVp=c2vyq2A+1kO1-Lc3qE-JJBeC3aqYU2K5Vcg@mail.gmail.com>
Message-ID: <1052468891.7178513.1422989729001.JavaMail.zimbra@redhat.com>

OH Hello Sorry:

Sorry about the delay, I got avalanched in work.


The last I recall, you said that you were using a scp02 card.

That is a not starter. We only have gp2.0.1 / scp01 support 
right this minute. We are working though.



----- Original Message -----
From: "Javier Gallart" <jgallartm at gmail.com>
To: pki-users at redhat.com
Sent: Tuesday, February 3, 2015 8:32:51 AM
Subject: Re: [Pki-users] Unable to format smart card

Hello 

we still haven't been able to figure out how to fix this problem. I'm attaching the config files. 

Regards 

Javi 

On Fri, Jan 23, 2015 at 5:14 PM, Javier Gallart < jgallartm at gmail.com > wrote: 



Hello all 

first question in the list. I recently installed Dogtag version 10.2.1. Testing is going fine so far, with the exception of the smart card format stage. 
Let me give you the specs of the system: 
-Dogtag runs on a Fedora20 x86_64 
-ESC (version esc-1.1.0-14.el5.centos1) runs on a Centos 5.11 x86_64 
-Smart Card Model:SmartCafe Expert 3.2 72K from G&D with 72K on-board EEPROM 

When I push the format button, the authentication looks good; however the operation fails throwing this message: "The Smart Card Server cannot establish a secure channel with the smart card". 

Looking at the logs: 
----TPS---- 
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSEngine.computeSessionKey: Non zero status result: 1 
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSSession.process: Message processing failed: TPSProcessor.setupSecureChannel: Can't set up secure channel: TPSEngine.computeSessionKey: invalid returned status: 1 
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSMessage.write: Writing: s=43&msg_type=13&operation=5&result=1&message=17 
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSSession.process: leaving: result: 1 status: STATUS_ERROR_SECURE_CHANNEL 
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: After session.process() exiting ... 


----TKS---- 


[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet: ComputeSessionKey(): xkeyInfo[0] = 0x1, xkeyInfo[1] = 0x2 
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF will be used for key versions >= 0x0 
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use KDD. 
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet about to try ComputeSessionKey selectedToken=Internal Key Storage Token keyNickName=#01#02 
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:Tried ComputeSessionKey, got NULL 
java.lang.Exception: Can't compute session key! 

(...) 

[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet Computing Session Key: java.lang.Exception: Can't compute session key! 
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:outputString.encode status=1 
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:outputString.length 8 
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: SignedAuditEventFactory: create() message=[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE][CUID_decoded=00002161960056514505][KDD_decoded=00002161960056514505][Outcome=Failure][status=1][AgentID=xxxxx-8443][IsCryptoValidate=true][IsServerSideKeygen=false][SelectedToken=Internal Key Storage Token][KeyNickName=#01#02][TKSKeyset=defKeySet][KeyInfo_KeyVersion=0x1][NistSP800_108KdfOnKeyVersion=0x0][NistSP800_108KdfUseCuidAsKdd=false][Error=Problem generating session key info.] TKS Compute session key request failed 

Any idea about the where the problem might be? 

Thanks in advance 

Regards 

Javi 



_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users



From cfu at redhat.com  Tue Feb  3 21:34:00 2015
From: cfu at redhat.com (Christina Fu)
Date: Tue, 03 Feb 2015 13:34:00 -0800
Subject: [Pki-users] Dogtag with Thales HSM
In-Reply-To: <CACviLGYks+U2aZKLGjOSyNii=wAjVo3irHFWjCYKjgqrgKKVgQ@mail.gmail.com>
References: <CACviLGYks+U2aZKLGjOSyNii=wAjVo3irHFWjCYKjgqrgKKVgQ@mail.gmail.com>
Message-ID: <54D13EC8.1020105@redhat.com>

Javi,

The documentation was for RHCS8.1, for which the installation wizard 
would find the right supported modules.

For Dogtag, we have a ticket open for 
https://fedorahosted.org/pki/ticket/1200 make sure pkispawn works with hsm

I never tried it myself with pkispawn, but I imagine you can try looking 
up all the parameters with the name "token" in it in 
/etc/pki/default.cfg, and create a custom cfg files that contain these 
parameters with the right token name.
That is of course under the assumption that you have set up the HSM and 
the library with the secmod using modutil.

Let us know what happens.  You can also contribute by adding your 
findings in the ticket yourself and we will take that into account when 
the ticket is being worked on.

Christina

On 02/03/2015 09:15 AM, Javier Gallart wrote:
> Hello
>
> we are trying to setup Dogtag 10.2.1 with a Nshield Solo as HSM. We 
> haven't found a specific guide for this apart from the RedHat 
> documentation:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/using-tokens.html
>
> The guide states: "The Certificate System supports the nCipher netHSM 
> hardware security module (HSM) by default".
>
> Does that mean that pkispawn will detect the module and use it or any 
> manual intervention is required afterwards?
>
> Regards
>
> Javi
>
>
>
>
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150203/daf0f621/attachment.htm>

From alee at redhat.com  Wed Feb  4 03:44:08 2015
From: alee at redhat.com (Ade Lee)
Date: Tue, 03 Feb 2015 22:44:08 -0500
Subject: [Pki-users] Dogtag with Thales HSM
In-Reply-To: <54D13EC8.1020105@redhat.com>
References: <CACviLGYks+U2aZKLGjOSyNii=wAjVo3irHFWjCYKjgqrgKKVgQ@mail.gmail.com>
	<54D13EC8.1020105@redhat.com>
Message-ID: <1423021448.19504.1.camel@alee-redhat.laptop>

On Tue, 2015-02-03 at 13:34 -0800, Christina Fu wrote:
> Javi,
> 
> The documentation was for RHCS8.1, for which the installation wizard
> would find the right supported modules.
> 
> For Dogtag, we have a ticket open for
> https://fedorahosted.org/pki/ticket/1200 make sure pkispawn works with
> hsm
> 
> I never tried it myself with pkispawn, but I imagine you can try
> looking up all the parameters with the name "token" in it
> in /etc/pki/default.cfg, and create a custom cfg files that contain
> these parameters with the right token name.
> That is of course under the assumption that you have set up the HSM
> and the library with the secmod using modutil.
> 
> Let us know what happens.  You can also contribute by adding your
> findings in the ticket yourself and we will take that into account
> when the ticket is being worked on.
> 

Incidentally, the ticket Christina references is supposed to be worked
on and fixed by the end of this month or shortly thereafter.

Ade

> Christina
> 
> On 02/03/2015 09:15 AM, Javier Gallart wrote:
> 
> > Hello
> > 
> > we are trying to setup Dogtag 10.2.1 with a Nshield Solo as HSM. We
> > haven't found a specific guide for this apart from the RedHat
> > documentation:
> > 
> > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/using-tokens.html
> > 
> > 
> > The guide states: "The Certificate System supports the nCipher
> > netHSM hardware security module (HSM) by default".
> > 
> > 
> > Does that mean that pkispawn will detect the module and use it or
> > any manual intervention is required afterwards?
> > 
> > Regards
> > 
> > Javi
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users
> 
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users




From rpb5bnc at gmail.com  Thu Feb  5 14:28:06 2015
From: rpb5bnc at gmail.com (Peter Beal)
Date: Thu, 05 Feb 2015 09:28:06 -0500
Subject: [Pki-users] Exception when upgrading to 10.2.0
Message-ID: <54D37DF6.8060508@gmail.com>

Hello,

Our project has been integrating our own RA with Dogtag and everything 
has been going perfectly.  We made our first internal release to our 
downstream product teams at the end of last year. Unfortunately, all our 
development had been done using Dogtag 10.0.6 on Fedora 19, which is 
pretty old at this point.  Our test team installed a Fedora 21 system 
and Dogtag 10.2.0 and attempted to run our regression tests.  What they 
found was that when our RA attempted to enroll a certificate we received 
an error response instead of a successful response containing a certID.

The XML sent to both 10.0.6 and 10.2.0 is:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><CertEnrollmentRequest>    <profileId>caAutoCiscoRA</profileId>    <isRenewal>false</isRenewal>    <xmlOutput>false</xmlOutput>    <Input>       <InputAttrs>   <InputAttr name="cert_request_type">pkcs10</InputAttr>      <InputAttr name="cert_request">MIIBUzCBvQIBADAUMRIwEAYDVQQDEwkxMjcuMC4wLjEwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBALvXizDymVYx6ic1Dz8dDppziWjfhIr2CkrtGyfGHJa1Loy9
OkWdS2w3CH/ASNVL3vTeA7dAly6SHgxrXEOtBFLL8KKnDzDg6oqyM4OFmhZBr/gW
QXlrIbwEWvGOXHuFLSzcuN9B7iqVn7UXQHl6c5QRmi+iZB1dL0MiQ59MG+a7AgMB
AAGgADANBgkqhkiG9w0BAQsFAAOBgQAiFqKKrAe+ToLFhOhlRwqsuzSUzqeQ16kw
MM5MZ4gnVZr6PAO0ixk1KUEcSmAppq0hC8NOikXiWzbkRAKpF0AMbF9e3EbKcZWU
TOpCd6BAjjo0M5ceki6R0RRKRYRGDgJiFJbJttpqKrh4Ngw8iuZ/MyXZd/YcfnRo
kaB+Gz8gRg==
</InputAttr>       </InputAttrs>    </Input></CertEnrollmentRequest>

In the case of 10.0.6, the response was:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><CertRequestInfos><CertRequestInfo><requestType>enrollment</requestType><requestStatus>complete</requestStatus><requestURL>https://dogsled:8444/ca/rest/623660</requestURL><certId>0x98361</certId><certURL>https://dogsled:8444/ca/rest/623457</certURL><certRequestType>pkcs10</certRequestType><operationResult>success</operationResult></CertRequestInfo></CertRequestInfos>


In the case of 10.2.0, the response was:

<html><head><title>Apache Tomcat/7.0.52 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - java.lang.NullPointerException</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>java.lang.NullPointerException</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
         org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
         org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
         org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
         org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
         org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
         org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
         org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
         org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
         javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
         sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         sun.

And the end of the debug log was:

# tail -f /var/log/pki/pki-tomcat/ca/debug

[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: CertRequestResource.enrollCert()
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: mapping: default
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: required auth methods: [*]
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: anonymous access allowed
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: ACLInterceptor: CertRequestResource.enrollCert()
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: ACLInterceptor: No ACL mapping.
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: MessageFormatInterceptor: CertRequestResource.enrollCert()
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: MessageFormatInterceptor: content-type: application/xml
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: MessageFormatInterceptor: accept: [*/*]
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: MessageFormatInterceptor: request format: application/xml
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: MessageFormatInterceptor: response format: application/xml
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: Start of CertProcessor Input Parameters
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: CertProcessor Input Parameter isRenewal='false'
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: End of CertProcessor Input Parameters
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: EnrollmentSubmitter: isRenewal false
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: EnrollmentSubmitter: profileId null
java.lang.NullPointerException
         at java.util.Hashtable.get(Hashtable.java:363)
         at com.netscape.cmscore.profile.ProfileSubsystem.getProfile(ProfileSubsystem.java:302)
         at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:137)
         at com.netscape.cms.servlet.cert.CertRequestDAO.submitRequest(CertRequestDAO.java:178)
         at org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:135)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
         at java.lang.reflect.Method.invoke(Method.java:483)
         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
         at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
         at java.lang.reflect.Method.invoke(Method.java:483)
         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
         at java.security.AccessController.doPrivileged(Native Method)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
         at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
         at java.lang.reflect.Method.invoke(Method.java:483)
         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:238)
         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
         at java.security.AccessController.doPrivileged(Native Method)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
         at java.lang.Thread.run(Thread.java:745)


Nothing is changed on the RA side between these two runs.  Is there 
something that now needs to be done different with 10.2 and above versus 
10.0?

Thanks very much,
Pete Beal




From mtaggart at philasd.org  Thu Feb  5 17:11:52 2015
From: mtaggart at philasd.org (Taggart, Michelle)
Date: Thu, 5 Feb 2015 12:11:52 -0500 (EST)
Subject: [Pki-users] Requiring the Hash Algorithm SHA-2 on server
	certificates
In-Reply-To: <22206173.1586.1423156216111.JavaMail.mtaggart@MAC-QP91604V0TM.local>
Message-ID: <13350784.1591.1423156311060.JavaMail.mtaggart@MAC-QP91604V0TM.local>

Hi, 

Hoping this is just a trivial question. Is there a way to configure the caServerCert certificate profile to include the requirement/constraint for having SHA-2 hashing algorithm in the issued certificate? 




Thanks, 
Michelle Taggart | Enterprise Systems Engineer | The School District of Philadelphia | mtaggart at philasd.org | 215.400.4470 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150205/763807f9/attachment.htm>

From rpb5bnc at gmail.com  Mon Feb 16 14:36:41 2015
From: rpb5bnc at gmail.com (Peter Beal)
Date: Mon, 16 Feb 2015 09:36:41 -0500
Subject: [Pki-users] Exception when upgrading to 10.2.0
In-Reply-To: <54D37DF6.8060508@gmail.com>
References: <54D37DF6.8060508@gmail.com>
Message-ID: <54E20079.7040506@gmail.com>

Hi,

We have not been able to make any progress on this over the past week to 
determine why the response was a null pointer exception.  Is there any 
suggestion on where we should look to figure out why this works on the 
older 10.0.6 and is failing with 10.2.0?

Thanks,
Pete Beal

On 2/5/15 9:28 AM, Peter Beal wrote:
> Hello,
>
> Our project has been integrating our own RA with Dogtag and everything 
> has been going perfectly.  We made our first internal release to our 
> downstream product teams at the end of last year. Unfortunately, all 
> our development had been done using Dogtag 10.0.6 on Fedora 19, which 
> is pretty old at this point.  Our test team installed a Fedora 21 
> system and Dogtag 10.2.0 and attempted to run our regression tests.  
> What they found was that when our RA attempted to enroll a certificate 
> we received an error response instead of a successful response 
> containing a certID.
>
> The XML sent to both 10.0.6 and 10.2.0 is:
>
> <?xml version="1.0" encoding="UTF-8" 
> standalone="yes"?><CertEnrollmentRequest> 
> <profileId>caAutoCiscoRA</profileId> <isRenewal>false</isRenewal> 
> <xmlOutput>false</xmlOutput>    <Input> <InputAttrs>   <InputAttr 
> name="cert_request_type">pkcs10</InputAttr> <InputAttr 
> name="cert_request">MIIBUzCBvQIBADAUMRIwEAYDVQQDEwkxMjcuMC4wLjEwgZ8wDQYJKoZIhvcNAQEB
> BQADgY0AMIGJAoGBALvXizDymVYx6ic1Dz8dDppziWjfhIr2CkrtGyfGHJa1Loy9
> OkWdS2w3CH/ASNVL3vTeA7dAly6SHgxrXEOtBFLL8KKnDzDg6oqyM4OFmhZBr/gW
> QXlrIbwEWvGOXHuFLSzcuN9B7iqVn7UXQHl6c5QRmi+iZB1dL0MiQ59MG+a7AgMB
> AAGgADANBgkqhkiG9w0BAQsFAAOBgQAiFqKKrAe+ToLFhOhlRwqsuzSUzqeQ16kw
> MM5MZ4gnVZr6PAO0ixk1KUEcSmAppq0hC8NOikXiWzbkRAKpF0AMbF9e3EbKcZWU
> TOpCd6BAjjo0M5ceki6R0RRKRYRGDgJiFJbJttpqKrh4Ngw8iuZ/MyXZd/YcfnRo
> kaB+Gz8gRg==
> </InputAttr>       </InputAttrs> </Input></CertEnrollmentRequest>
>
> In the case of 10.0.6, the response was:
>
> <?xml version="1.0" encoding="UTF-8" 
> standalone="yes"?><CertRequestInfos><CertRequestInfo><requestType>enrollment</requestType><requestStatus>complete</requestStatus><requestURL>https://dogsled:8444/ca/rest/623660</requestURL><certId>0x98361</certId><certURL>https://dogsled:8444/ca/rest/623457</certURL><certRequestType>pkcs10</certRequestType><operationResult>success</operationResult></CertRequestInfo></CertRequestInfos>
>
>
> In the case of 10.2.0, the response was:
>
> <html><head><title>Apache Tomcat/7.0.52 - Error 
> report</title><style><!--H1 
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} 
> H2 
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} 
> H3 
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} 
> BODY 
> {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} 
> B 
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} 
> P 
> {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A 
> {color : black;}A.name {color : black;}HR {color : 
> #525D76;}--></style> </head><body><h1>HTTP Status 500 - 
> java.lang.NullPointerException</h1><HR size="1" 
> noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> 
> <u>java.lang.NullPointerException</u></p><p><b>description</b> <u>The 
> server encountered an internal error that prevented it from fulfilling 
> this request.</u></p><p><b>exception</b> 
> <pre>org.jboss.resteasy.spi.UnhandledException: 
> java.lang.NullPointerException
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>         sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         sun.
>
> And the end of the debug log was:
>
> # tail -f /var/log/pki/pki-tomcat/ca/debug
>
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: 
> CertRequestResource.enrollCert()
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: 
> mapping: default
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: 
> required auth methods: [*]
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: 
> anonymous access allowed
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: ACLInterceptor: 
> CertRequestResource.enrollCert()
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: ACLInterceptor: No ACL 
> mapping.
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: 
> MessageFormatInterceptor: CertRequestResource.enrollCert()
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: 
> MessageFormatInterceptor: content-type: application/xml
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: 
> MessageFormatInterceptor: accept: [*/*]
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: 
> MessageFormatInterceptor: request format: application/xml
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: 
> MessageFormatInterceptor: response format: application/xml
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: according to ccMode, 
> authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, 
> use default authz mgr: {2}.
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: Start of CertProcessor 
> Input Parameters
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: CertProcessor Input 
> Parameter isRenewal='false'
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: End of CertProcessor 
> Input Parameters
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: EnrollmentSubmitter: 
> isRenewal false
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: EnrollmentSubmitter: 
> profileId null
> java.lang.NullPointerException
>         at java.util.Hashtable.get(Hashtable.java:363)
>         at 
> com.netscape.cmscore.profile.ProfileSubsystem.getProfile(ProfileSubsystem.java:302)
>         at 
> com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:137)
>         at 
> com.netscape.cms.servlet.cert.CertRequestDAO.submitRequest(CertRequestDAO.java:178)
>         at 
> org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:135)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:483)
>         at 
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>         at 
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
>         at 
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
>         at 
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
>         at 
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
>         at 
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>         at 
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>         at 
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at 
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>         at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:483)
>         at 
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>         at 
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         at 
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>         at 
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>         at 
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>         at 
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>         at 
> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>         at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:483)
>         at 
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>         at 
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         at 
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>         at 
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:238)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>         at 
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>         at 
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>         at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
>         at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>         at 
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>         at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>         at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>         at 
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>         at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>         at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>         at 
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>         at 
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>         at 
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
>         at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at 
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:745)
>
>
> Nothing is changed on the RA side between these two runs.  Is there 
> something that now needs to be done different with 10.2 and above 
> versus 10.0?
>
> Thanks very much,
> Pete Beal
>