From jgallartm at gmail.com  Tue Feb  3 16:32:51 2015
From: jgallartm at gmail.com (Javier Gallart)
Date: Tue, 3 Feb 2015 17:32:51 +0100
Subject: [Pki-users] Unable to format smart card
In-Reply-To: 
References: 
Message-ID: 

Hello

we still haven't been able to figure out how to fix this problem. I'm
attaching the config files.

Regards

Javi

On Fri, Jan 23, 2015 at 5:14 PM, Javier Gallart wrote:
> Hello all
>
> first question in the list. I recently installed Dogtag version 10.2.1.
> Testing is going fine so far, with the exception of the smart card format
> stage.
> Let me give you the specs of the system:
> -Dogtag runs on a Fedora20 x86_64
> -ESC (version esc-1.1.0-14.el5.centos1) runs on a Centos 5.11 x86_64
> -Smart Card Model: SmartCafe Expert 3.2 72K from G&D with 72K on-board
> EEPROM
>
> When I push the format button, the authentication looks good; however the
> operation fails throwing this message: "The Smart Card Server cannot
> establish a secure channel with the smart card".
>
> Looking at the logs:
> ----TPS----
> [23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSEngine.computeSessionKey: Non zero status result: 1
> [23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSSession.process: Message processing failed: TPSProcessor.setupSecureChannel: Can't set up secure channel: TPSEngine.computeSessionKey: invalid returned status: 1
> [23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSMessage.write: Writing: s=43&msg_type=13&operation=5&result=1&message=17
> [23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSSession.process: leaving: result: 1 status: STATUS_ERROR_SECURE_CHANNEL
> [23/Jan/2015:11:05:05][http-bio-8443-exec-11]: After session.process() exiting ...
>
> ----TKS----
>
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet: ComputeSessionKey(): xkeyInfo[0] = 0x1, xkeyInfo[1] = 0x2
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF will be used for key versions >= 0x0
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use KDD.
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet about to try ComputeSessionKey selectedToken=Internal Key Storage Token keyNickName=#01#02
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:Tried ComputeSessionKey, got NULL
> java.lang.Exception: Can't compute session key!
>
> (...)
>
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet Computing Session Key: java.lang.Exception: Can't compute session key!
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:outputString.encode status=1
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:outputString.length 8
> [23/Jan/2015:11:05:05][http-bio-8443-exec-14]: SignedAuditEventFactory: create() message=[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE][CUID_decoded=00002161960056514505][KDD_decoded=00002161960056514505][Outcome=Failure][status=1][AgentID=xxxxx-8443][IsCryptoValidate=true][IsServerSideKeygen=false][SelectedToken=Internal Key Storage Token][KeyNickName=#01#02][TKSKeyset=defKeySet][KeyInfo_KeyVersion=0x1][NistSP800_108KdfOnKeyVersion=0x0][NistSP800_108KdfUseCuidAsKdd=false][Error=Problem generating session key info.]
> TKS Compute session key request failed
>
> Any idea about where the problem might be?
>
> Thanks in advance
>
> Regards
>
> Javi
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tks.cfg
Type: application/octet-stream
Size: 28338 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tps.cfg
Type: application/octet-stream
Size: 90970 bytes
Desc: not available
URL: 

From jgallartm at gmail.com  Tue Feb  3 16:38:03 2015
From: jgallartm at gmail.com (Javier Gallart)
Date: Tue, 3 Feb 2015 17:38:03 +0100
Subject: [Pki-users] Command pki user-cert-find returns always 0
Message-ID: 

Hello

during the Dogtag tests of the pki cli client, we've noticed that the
command user-cert-find always returns 0. Doing it in two steps (ldapsearch
and the pki-cert-show) it works fine.

Regards

Javi

From jgallartm at gmail.com  Tue Feb  3 17:15:00 2015
From: jgallartm at gmail.com (Javier Gallart)
Date: Tue, 3 Feb 2015 18:15:00 +0100
Subject: [Pki-users] Dogtag with Thales HSM
Message-ID: 

Hello

we are trying to set up Dogtag 10.2.1 with an nShield Solo as HSM. We
haven't found a specific guide for this apart from the RedHat
documentation:

https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/using-tokens.html

The guide states: "The Certificate System supports the nCipher netHSM
hardware security module (HSM) by default".

Does that mean that pkispawn will detect the module and use it, or is any
manual intervention required afterwards?

Regards

Javi

From jmagne at redhat.com  Tue Feb  3 18:55:29 2015
From: jmagne at redhat.com (John Magne)
Date: Tue, 3 Feb 2015 13:55:29 -0500 (EST)
Subject: [Pki-users] Unable to format smart card
In-Reply-To: 
References: 
Message-ID: <1052468891.7178513.1422989729001.JavaMail.zimbra@redhat.com>

OH Hello Sorry:

Sorry about the delay, I got avalanched in work.

The last I recall, you said that you were using a scp02 card. That is a
non-starter.
We only have gp2.0.1 / scp01 support right this minute. We are working on
it, though.

----- Original Message -----
From: "Javier Gallart" 
To: pki-users at redhat.com
Sent: Tuesday, February 3, 2015 8:32:51 AM
Subject: Re: [Pki-users] Unable to format smart card

Hello

we still haven't been able to figure out how to fix this problem. I'm
attaching the config files.

Regards

Javi

On Fri, Jan 23, 2015 at 5:14 PM, Javier Gallart < jgallartm at gmail.com > wrote:

Hello all

first question in the list. I recently installed Dogtag version 10.2.1.
Testing is going fine so far, with the exception of the smart card format
stage.
Let me give you the specs of the system:
-Dogtag runs on a Fedora20 x86_64
-ESC (version esc-1.1.0-14.el5.centos1) runs on a Centos 5.11 x86_64
-Smart Card Model: SmartCafe Expert 3.2 72K from G&D with 72K on-board
EEPROM

When I push the format button, the authentication looks good; however the
operation fails throwing this message: "The Smart Card Server cannot
establish a secure channel with the smart card".

Looking at the logs:
----TPS----
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSEngine.computeSessionKey: Non zero status result: 1
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSSession.process: Message processing failed: TPSProcessor.setupSecureChannel: Can't set up secure channel: TPSEngine.computeSessionKey: invalid returned status: 1
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSMessage.write: Writing: s=43&msg_type=13&operation=5&result=1&message=17
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSSession.process: leaving: result: 1 status: STATUS_ERROR_SECURE_CHANNEL
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: After session.process() exiting ...

----TKS----

[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet: ComputeSessionKey(): xkeyInfo[0] = 0x1, xkeyInfo[1] = 0x2
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF will be used for key versions >= 0x0
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use KDD.
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet about to try ComputeSessionKey selectedToken=Internal Key Storage Token keyNickName=#01#02
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:Tried ComputeSessionKey, got NULL
java.lang.Exception: Can't compute session key!

(...)

[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet Computing Session Key: java.lang.Exception: Can't compute session key!
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:outputString.encode status=1
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:outputString.length 8
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: SignedAuditEventFactory: create() message=[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE][CUID_decoded=00002161960056514505][KDD_decoded=00002161960056514505][Outcome=Failure][status=1][AgentID=xxxxx-8443][IsCryptoValidate=true][IsServerSideKeygen=false][SelectedToken=Internal Key Storage Token][KeyNickName=#01#02][TKSKeyset=defKeySet][KeyInfo_KeyVersion=0x1][NistSP800_108KdfOnKeyVersion=0x0][NistSP800_108KdfUseCuidAsKdd=false][Error=Problem generating session key info.]
TKS Compute session key request failed

Any idea about where the problem might be?

Thanks in advance

Regards

Javi

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

From cfu at redhat.com  Tue Feb  3 21:34:00 2015
From: cfu at redhat.com (Christina Fu)
Date: Tue, 03 Feb 2015 13:34:00 -0800
Subject: [Pki-users] Dogtag with Thales HSM
In-Reply-To: 
References: 
Message-ID: <54D13EC8.1020105@redhat.com>

Javi,

The documentation was for RHCS8.1, for which the installation wizard would
find the right supported modules.

For Dogtag, we have a ticket open for
https://fedorahosted.org/pki/ticket/1200 "make sure pkispawn works with hsm"

I never tried it myself with pkispawn, but I imagine you can try looking up
all the parameters with the name "token" in it in /etc/pki/default.cfg, and
create a custom cfg file that contains these parameters with the right
token name.
That is of course under the assumption that you have set up the HSM and the
library with the secmod using modutil.

Let us know what happens. You can also contribute by adding your findings
in the ticket yourself and we will take that into account when the ticket
is being worked on.

Christina

On 02/03/2015 09:15 AM, Javier Gallart wrote:
> Hello
>
> we are trying to set up Dogtag 10.2.1 with an nShield Solo as HSM. We
> haven't found a specific guide for this apart from the RedHat
> documentation:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/using-tokens.html
>
> The guide states: "The Certificate System supports the nCipher netHSM
> hardware security module (HSM) by default".
>
> Does that mean that pkispawn will detect the module and use it, or is any
> manual intervention required afterwards?
>
> Regards
>
> Javi
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From alee at redhat.com  Wed Feb  4 03:44:08 2015
From: alee at redhat.com (Ade Lee)
Date: Tue, 03 Feb 2015 22:44:08 -0500
Subject: [Pki-users] Dogtag with Thales HSM
In-Reply-To: <54D13EC8.1020105@redhat.com>
References: <54D13EC8.1020105@redhat.com>
Message-ID: <1423021448.19504.1.camel@alee-redhat.laptop>

On Tue, 2015-02-03 at 13:34 -0800, Christina Fu wrote:
> Javi,
>
> The documentation was for RHCS8.1, for which the installation wizard
> would find the right supported modules.
>
> For Dogtag, we have a ticket open for
> https://fedorahosted.org/pki/ticket/1200 make sure pkispawn works with
> hsm
>
> I never tried it myself with pkispawn, but I imagine you can try
> looking up all the parameters with the name "token" in it
> in /etc/pki/default.cfg, and create a custom cfg file that contains
> these parameters with the right token name.
> That is of course under the assumption that you have set up the HSM
> and the library with the secmod using modutil.
>
> Let us know what happens. You can also contribute by adding your
> findings in the ticket yourself and we will take that into account
> when the ticket is being worked on.
>
Incidentally, the ticket Christina references is supposed to be worked on
and fixed by the end of this month or shortly thereafter.

Ade

> Christina
>
> On 02/03/2015 09:15 AM, Javier Gallart wrote:
> > Hello
> >
> > we are trying to set up Dogtag 10.2.1 with an nShield Solo as HSM. We
> > haven't found a specific guide for this apart from the RedHat
> > documentation:
> >
> > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/using-tokens.html
> >
> > The guide states: "The Certificate System supports the nCipher
> > netHSM hardware security module (HSM) by default".
> >
> > Does that mean that pkispawn will detect the module and use it, or
> > is any manual intervention required afterwards?
> >
> > Regards
> >
> > Javi
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From rpb5bnc at gmail.com  Thu Feb  5 14:28:06 2015
From: rpb5bnc at gmail.com (Peter Beal)
Date: Thu, 05 Feb 2015 09:28:06 -0500
Subject: [Pki-users] Exception when upgrading to 10.2.0
Message-ID: <54D37DF6.8060508@gmail.com>

Hello,

Our project has been integrating our own RA with Dogtag and everything has
been going perfectly. We made our first internal release to our downstream
product teams at the end of last year. Unfortunately, all our development
had been done using Dogtag 10.0.6 on Fedora 19, which is pretty old at this
point. Our test team installed a Fedora 21 system and Dogtag 10.2.0 and
attempted to run our regression tests. What they found was that when our RA
attempted to enroll a certificate we received an error response instead of
a successful response containing a certID.

The XML sent to both 10.0.6 and 10.2.0 is:

caAutoCiscoRA false false pkcs10
MIIBUzCBvQIBADAUMRIwEAYDVQQDEwkxMjcuMC4wLjEwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBALvXizDymVYx6ic1Dz8dDppziWjfhIr2CkrtGyfGHJa1Loy9
OkWdS2w3CH/ASNVL3vTeA7dAly6SHgxrXEOtBFLL8KKnDzDg6oqyM4OFmhZBr/gW
QXlrIbwEWvGOXHuFLSzcuN9B7iqVn7UXQHl6c5QRmi+iZB1dL0MiQ59MG+a7AgMB
AAGgADANBgkqhkiG9w0BAQsFAAOBgQAiFqKKrAe+ToLFhOhlRwqsuzSUzqeQ16kw
MM5MZ4gnVZr6PAO0ixk1KUEcSmAppq0hC8NOikXiWzbkRAKpF0AMbF9e3EbKcZWU
TOpCd6BAjjo0M5ceki6R0RRKRYRGDgJiFJbJttpqKrh4Ngw8iuZ/MyXZd/YcfnRo
kaB+Gz8gRg==

In the case of 10.0.6, the response was:

enrollmentcompletehttps://dogsled:8444/ca/rest/6236600x98361https://dogsled:8444/ca/rest/623457pkcs10success

In the case of 10.2.0, the response was:

Apache Tomcat/7.0.52 - Error report

HTTP Status 500 - java.lang.NullPointerException


type Exception report

message java.lang.NullPointerException

description The server encountered an internal error that prevented it from fulfilling this request.

exception

org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
         org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
         org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
         org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
         org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
         org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
         org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
         org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
         org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
         javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
         sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         sun.

And the end of the debug log was:

# tail -f /var/log/pki/pki-tomcat/ca/debug

[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: CertRequestResource.enrollCert()
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: mapping: default
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: required auth methods: [*]
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: anonymous access allowed
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: ACLInterceptor: CertRequestResource.enrollCert()
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: ACLInterceptor: No ACL mapping.
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: MessageFormatInterceptor: CertRequestResource.enrollCert()
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: MessageFormatInterceptor: content-type: application/xml
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: MessageFormatInterceptor: accept: [*/*]
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: MessageFormatInterceptor: request format: application/xml
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: MessageFormatInterceptor: response format: application/xml
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: Start of CertProcessor Input Parameters
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: CertProcessor Input Parameter isRenewal='false'
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: End of CertProcessor Input Parameters
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: EnrollmentSubmitter: isRenewal false
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: EnrollmentSubmitter: profileId null
java.lang.NullPointerException
         at java.util.Hashtable.get(Hashtable.java:363)
         at com.netscape.cmscore.profile.ProfileSubsystem.getProfile(ProfileSubsystem.java:302)
         at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:137)
         at com.netscape.cms.servlet.cert.CertRequestDAO.submitRequest(CertRequestDAO.java:178)
         at org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:135)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
         at java.lang.reflect.Method.invoke(Method.java:483)
         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
         at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
         at java.lang.reflect.Method.invoke(Method.java:483)
         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
         at java.security.AccessController.doPrivileged(Native Method)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
         at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
         at java.lang.reflect.Method.invoke(Method.java:483)
         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:238)
         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
         at java.security.AccessController.doPrivileged(Native Method)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
         at java.lang.Thread.run(Thread.java:745)


Nothing is changed on the RA side between these two runs.  Is there 
something that now needs to be done different with 10.2 and above versus 
10.0?

Thanks very much,
Pete Beal
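Reading the 10.2.0 failure above, the useful signal is the last debug line before the trace ("EnrollmentSubmitter: profileId null") and the first frames inside the PKI server's own packages, not the Tomcat and RESTEasy frames that fill the rest of the dump. The Python script below is an added example, not code from this thread or from Dogtag: it parses a constructed copy of the ca/debug excerpt quoted above and reports those facts. The `[timestamp][thread]: message` line format and the application package prefixes (`com.netscape.`, `org.dogtagpki.`) are assumptions taken from the lines on this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the ca/debug excerpt quoted in the post
# above, with most of the Tomcat/RESTEasy frames dropped. Not a live capture.
SAMPLE_DEBUG_LOG = """\
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: CertRequestResource.enrollCert()
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: anonymous access allowed
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: ACLInterceptor: No ACL mapping.
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: MessageFormatInterceptor: request format: application/xml
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: EnrollmentSubmitter: isRenewal false
[23/Jan/2015:10:40:55][http-bio-8443-exec-24]: EnrollmentSubmitter: profileId null
java.lang.NullPointerException
         at java.util.Hashtable.get(Hashtable.java:363)
         at com.netscape.cmscore.profile.ProfileSubsystem.getProfile(ProfileSubsystem.java:302)
         at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:137)
         at com.netscape.cms.servlet.cert.CertRequestDAO.submitRequest(CertRequestDAO.java:178)
         at org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:135)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
         at java.lang.Thread.run(Thread.java:745)
"""

# Assumed line shapes, derived from the excerpt on this page.
LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
EXCEPTION = re.compile(r"^(?P<cls>[\w$.]+(?:Exception|Error|Throwable))(?::\s*(?P<detail>.*))?$")
FRAME = re.compile(r"^\s*at (?P<cls>[\w$.]+)\.(?P<method>[\w$<>]+)\((?P<loc>[^)]*)\)\s*$")

# Packages belonging to the PKI server itself (assumed), as opposed to the
# servlet container, the JAX-RS runtime or the JDK. Frames from these are
# where the defect lives; the rest is plumbing.
APP_PACKAGES = ("com.netscape.", "org.dogtagpki.", "netscape.")


@dataclass
class Triage:
    thread: str | None = None
    resource: str | None = None       # REST entry point, e.g. CertRequestResource.enrollCert()
    last_message: str | None = None   # last debug line before the trace: the proximate cause
    exception: str | None = None
    null_params: list[str] = field(default_factory=list)   # request fields logged as "null"
    app_frames: list[str] = field(default_factory=list)    # PKI frames, innermost first


def triage_debug_log(text: str) -> Triage:
    """Summarise the first exception in a ca/debug excerpt."""
    t = Triage()
    in_trace = False
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if m:
            if in_trace:
                break  # first exception only; later log lines belong to other requests
            t.thread = m["thread"]
            msg = m["msg"]
            t.last_message = msg
            # Interceptor lines name the resource method being invoked.
            if "Interceptor:" in msg and msg.endswith("()"):
                t.resource = msg.split(": ", 1)[1]
            # "<field> null" at the end of a message: a request field that did not parse.
            nm = re.search(r"(\w+) null$", msg)
            if nm:
                t.null_params.append(nm.group(1))
            continue
        ex = EXCEPTION.match(raw.strip())
        if ex and not in_trace:
            in_trace = True
            t.exception = ex["cls"]
            continue
        fr = FRAME.match(raw)
        if fr and in_trace and fr["cls"].startswith(APP_PACKAGES):
            t.app_frames.append(f"{fr['cls']}.{fr['method']}({fr['loc']})")
    return t


def summarize(t: Triage) -> str:
    lines = [
        f"thread:          {t.thread}",
        f"entry point:     {t.resource}",
        f"last debug line: {t.last_message}",
        f"exception:       {t.exception}",
    ]
    if t.null_params:
        lines.append("unparsed fields: " + ", ".join(t.null_params))
    lines.append("PKI frames (innermost first):")
    lines.extend(f"  {f}" for f in t.app_frames)
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage_debug_log(SAMPLE_DEBUG_LOG)))
```

Run against the sample, the summary names `profileId` as the field the server could not read from the request and `ProfileSubsystem.getProfile` as the innermost PKI frame, which is what to compare between the 10.0.6 and 10.2.0 request handling before looking anywhere else.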




From mtaggart at philasd.org  Thu Feb  5 17:11:52 2015
From: mtaggart at philasd.org (Taggart, Michelle)
Date: Thu, 5 Feb 2015 12:11:52 -0500 (EST)
Subject: [Pki-users] Requiring the Hash Algorithm SHA-2 on server
	certificates
In-Reply-To: <22206173.1586.1423156216111.JavaMail.mtaggart@MAC-QP91604V0TM.local>
Message-ID: <13350784.1591.1423156311060.JavaMail.mtaggart@MAC-QP91604V0TM.local>

Hi, 

Hoping this is just a trivial question. Is there a way to configure the caServerCert certificate profile to include the requirement/constraint for having SHA-2 hashing algorithm in the issued certificate? 




Thanks, 
Michelle Taggart | Enterprise Systems Engineer | The School District of Philadelphia | mtaggart at philasd.org | 215.400.4470 
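The signature algorithm on an issued certificate is governed by the profile's signing-algorithm policy, which in Dogtag's enrollment profiles pairs `signingAlgDefaultImpl` with `signingAlgConstraintImpl` and an allow-list in `signingAlgsAllowed`. The fragment below is an added example, not text from this thread: it shows the permissive allow-list as typically shipped beside a SHA-2-only version. The policy index `8`, the profile file path and the exact stock list are assumptions to be checked against the installed `caServerCert.cfg`.

```properties
# Added example, not from the list thread. Signing-algorithm policy of a
# Dogtag CA enrollment profile, using the caServerCert.cfg key layout.
# ASSUMED: policy index 8 and the path /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg

# Before: the allow-list still accepts SHA-1 and MD5/MD2 based signatures,
# and "-" as the default means "whatever the CA's default signing algorithm is".
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-

# After: only SHA-2 family signatures pass the constraint, and the default is
# pinned to SHA256withRSA so a request that omits the algorithm still gets SHA-2.
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=SHA256withRSA
```

The constraint is evaluated against the algorithm the profile resolves for the request, so a SHA-1 default or a SHA-1 value supplied with the request is rejected rather than silently issued. With file-based profiles the CA reads the profile at startup, so the instance has to be restarted after the edit; the CA's own signing certificate must of course also be SHA-2 signed for the chain to be free of SHA-1.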

From rpb5bnc at gmail.com  Mon Feb 16 14:36:41 2015
From: rpb5bnc at gmail.com (Peter Beal)
Date: Mon, 16 Feb 2015 09:36:41 -0500
Subject: [Pki-users] Exception when upgrading to 10.2.0
In-Reply-To: <54D37DF6.8060508@gmail.com>
References: <54D37DF6.8060508@gmail.com>
Message-ID: <54E20079.7040506@gmail.com>

Hi,

We have not been able to make any progress on this over the past week to 
determine why the response was a null pointer exception.  Is there any 
suggestion on where we should look to figure out why this works on the 
older 10.0.6 and is failing with 10.2.0?

Thanks,
Pete Beal

On 2/5/15 9:28 AM, Peter Beal wrote:
> Hello,
>
> Our project has been integrating our own RA with Dogtag and everything 
> has been going perfectly.  We made our first internal release to our 
> downstream product teams at the end of last year. Unfortunately, all 
> our development had been done using Dogtag 10.0.6 on Fedora 19, which 
> is pretty old at this point.  Our test team installed a Fedora 21 
> system and Dogtag 10.2.0 and attempted to run our regression tests.  
> What they found was that when our RA attempted to enroll a certificate 
> we received an error response instead of a successful response 
> containing a certID.
>
> The XML sent to both 10.0.6 and 10.2.0 is:
>
>  standalone="yes"?> 
> caAutoCiscoRA false 
> false         name="cert_request_type">pkcs10  name="cert_request">MIIBUzCBvQIBADAUMRIwEAYDVQQDEwkxMjcuMC4wLjEwgZ8wDQYJKoZIhvcNAQEB
> BQADgY0AMIGJAoGBALvXizDymVYx6ic1Dz8dDppziWjfhIr2CkrtGyfGHJa1Loy9
> OkWdS2w3CH/ASNVL3vTeA7dAly6SHgxrXEOtBFLL8KKnDzDg6oqyM4OFmhZBr/gW
> QXlrIbwEWvGOXHuFLSzcuN9B7iqVn7UXQHl6c5QRmi+iZB1dL0MiQ59MG+a7AgMB
> AAGgADANBgkqhkiG9w0BAQsFAAOBgQAiFqKKrAe+ToLFhOhlRwqsuzSUzqeQ16kw
> MM5MZ4gnVZr6PAO0ixk1KUEcSmAppq0hC8NOikXiWzbkRAKpF0AMbF9e3EbKcZWU
> TOpCd6BAjjo0M5ceki6R0RRKRYRGDgJiFJbJttpqKrh4Ngw8iuZ/MyXZd/YcfnRo
> kaB+Gz8gRg==
>         
>
> In the case of 10.0.6, the response was:
>
>  standalone="yes"?>enrollmentcompletehttps://dogsled:8444/ca/rest/6236600x98361https://dogsled:8444/ca/rest/623457pkcs10success
>
>
> In the case of 10.2.0, the response was:
>
> Apache Tomcat/7.0.52 - Error report
>
> HTTP Status 500 - java.lang.NullPointerException
>
> type Exception report
>
> message java.lang.NullPointerException
>
> description The server encountered an internal error that prevented it
> from fulfilling this request.
>
> exception
>
> org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>         sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         sun.
>
> And the end of the debug log was:
>
> # tail -f /var/log/pki/pki-tomcat/ca/debug
>
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: 
> CertRequestResource.enrollCert()
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: 
> mapping: default
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: 
> required auth methods: [*]
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: AuthMethodInterceptor: 
> anonymous access allowed
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: ACLInterceptor: 
> CertRequestResource.enrollCert()
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: ACLInterceptor: No ACL 
> mapping.
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: 
> MessageFormatInterceptor: CertRequestResource.enrollCert()
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: 
> MessageFormatInterceptor: content-type: application/xml
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: 
> MessageFormatInterceptor: accept: [*/*]
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: 
> MessageFormatInterceptor: request format: application/xml
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: 
> MessageFormatInterceptor: response format: application/xml
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: according to ccMode, 
> authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, 
> use default authz mgr: {2}.
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: Start of CertProcessor 
> Input Parameters
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: CertProcessor Input 
> Parameter isRenewal='false'
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: End of CertProcessor 
> Input Parameters
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: EnrollmentSubmitter: 
> isRenewal false
> [23/Jan/2015:10:40:55][http-bio-8443-exec-24]: EnrollmentSubmitter: 
> profileId null
> java.lang.NullPointerException
>         at java.util.Hashtable.get(Hashtable.java:363)
>         at com.netscape.cmscore.profile.ProfileSubsystem.getProfile(ProfileSubsystem.java:302)
>         at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:137)
>         at com.netscape.cms.servlet.cert.CertRequestDAO.submitRequest(CertRequestDAO.java:178)
>         at org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:135)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:483)
>         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>         at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:483)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
>         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>         at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:483)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:238)
>         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:745)
>
>
> Nothing is changed on the RA side between these two runs.  Is there 
> something that now needs to be done differently with 10.2 and above 
> versus 10.0?
>
> Thanks very much,
> Pete Beal
>