From prmarino1 at gmail.com Wed Mar 4 19:45:57 2015
From: prmarino1 at gmail.com (Paul Robert Marino)
Date: Wed, 4 Mar 2015 14:45:57 -0500
Subject: [Pki-users] several Howtos on the site seem to be missing
Message-ID:

When I go to http://pki.fedoraproject.org/wiki/PKI_Documentation several of the "Quick Links" are missing, specifically

http://directory.fedoraproject.org/wiki/Fortitude
http://directory.fedoraproject.org/wiki/CoolKey
and
http://directory.fedoraproject.org/wiki/Windows_Certificate_Auto_Enrollment

http://directory.fedoraproject.org/wiki/Windows_Certificate_Auto_Enrollment is a significant problem because it's referenced in Red Hat's documentation https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/autoenrollemnt-proxy.html as the place to go to download the latest version of the auto enrollment proxy.

From reesb at hushmail.com Tue Mar 17 01:01:54 2015
From: reesb at hushmail.com (Rees)
Date: Tue, 17 Mar 2015 09:01:54 +0800
Subject: [Pki-users] tomcat error
Message-ID: <8b6ec388ad7f9a204d8fb77604d8de9a@smtp.hushmail.com>

I'm unsure what exactly caused this but when I attempt to access my instance of dogtag tomcat is reporting the following errors;

org.apache.jasper.JasperException: An exception occurred processing JSP page /index.jsp at line 172

169: }
170:
171: ServletContext tksContext = getServletContext().getContext("/tks");
172: String tksName = tksContext.getServletContextName();
173: String tksPath = tksContext.getContextPath();
174: if (!"".equals(tksPath) && request.isSecure()) {
175: %>

Is it possible to re-install the tomcat instance without losing my CA install? Or can anyone suggest another resolution.

Cheers

Rees

From reesb at hushmail.com Tue Mar 17 03:01:26 2015
From: reesb at hushmail.com (Rees)
Date: Tue, 17 Mar 2015 11:01:26 +0800
Subject: [Pki-users] tomcat error
In-Reply-To: <8b6ec388ad7f9a204d8fb77604d8de9a@smtp.hushmail.com>
References: <8b6ec388ad7f9a204d8fb77604d8de9a@smtp.hushmail.com>
Message-ID: <5b39c13febb2dddd385f5ef83ab8f962@smtp.hushmail.com>

FYI I rolled back to Tomcat 7.0.54 (from .59) and it has resolved the issue.

Rees

On 17/03/2015 9:01 am, Rees wrote:
> I'm unsure what exactly caused this but when I attempt to access my
> instance of dogtag tomcat is reporting the following errors;
> org.apache.jasper.JasperException: An exception occurred processing JSP page /index.jsp at line 172
>
> 169: }
> 170:
> 171: ServletContext tksContext = getServletContext().getContext("/tks");
> 172: String tksName = tksContext.getServletContextName();
> 173: String tksPath = tksContext.getContextPath();
> 174: if (!"".equals(tksPath) && request.isSecure()) {
> 175: %>
>
>
> Is it possible to re-install the tomcat instance without losing my CA install? Or can anyone suggest another resolution.
>
> Cheers
>
> Rees
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From ricardoalx.perez at gmail.com Thu Mar 19 06:35:23 2015
From: ricardoalx.perez at gmail.com (Ricardo Alexander Perez Ricardez)
Date: Thu, 19 Mar 2015 00:35:23 -0600
Subject: [Pki-users] Install Dogtag CS on JBoss
Message-ID:

Is it possible to install Dogtag Certificate System on JBoss instead of Tomcat application server?

From Majain at verisign.com Thu Mar 26 16:10:21 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Thu, 26 Mar 2015 16:10:21 +0000
Subject: [Pki-users] Issues Installing an externally signed CA configuration
In-Reply-To:
References:
Message-ID:

Hello All,

I've been able to successfully install and test Dogtag Certificate Enrollment and Approval APIs using self signed CA available with standard Dogtag installation. Also, the java based pkiconsole works perfectly fine without any issues.

However, I'm unable to do so Installing an externally signed CA configuration. I've Dogtag 10.1 version installed. I followed the exact instructions outlined in the section 'Installing an externally signed CA' at the link below:

http://man.sourcentral.org/f18/8+pkispawn

While the installation seems to succeed, I'm seeing following errors in logs (/var/lib/pki/pki-tomcat/logs/ca/debug) when I launch pkiconsole (java based console) and provide username/password (caadmin/password123):

---------------------------------------------------------------------------------
[26/Mar/2015:15:54:39][http-bio-8443-exec-9]: AdminServlet:service() uri = /ca/auths
[26/Mar/2015:15:54:39][http-bio-8443-exec-9]: AdminServlet::service() param name='OP_TYPE' value='OP_AUTH'
[26/Mar/2015:15:54:39][http-bio-8443-exec-9]: AdminServlet::service() param name='OP_SCOPE' value='authType'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet:service() uri = /ca/auths
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet::service() param name='OP_TYPE' value='OP_AUTH'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet::service() param name='OP_SCOPE' value='auths'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
---------------------------------------------------------------------------------

Any help is greatly appreciated.

Thanks,
Mahendra

"This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed, and may contain information that is non-public, proprietary, privileged, confidential and exempt from disclosure under applicable law or may be constituted as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this message in error, notify sender immediately and delete this message immediately."

From steve at sylvation.com Sat Mar 28 23:41:21 2015
From: steve at sylvation.com (Steve Neuharth)
Date: Sat, 28 Mar 2015 18:41:21 -0500
Subject: [Pki-users] Best, stable release of Dogtag?
Message-ID:

Hello,

My company is in need of an internal PKI and we're considering using Dogtag. I have tried installing version 10.2.0-5 on fedora 21, following the quick start guide, accepting the defaults and receive only nullPointerException when attempting to use the web UI. I understand that 10.x is alpha so should I be using version 9.x? We do have redhat licenses so I'd really prefer RHEL over fedora.

So, what is the best production ready configuration for Dogtag? I just need a PKI that works, preferably with a REST api that can auto-sign certificates.

thanks for your help

--steve

From steve at sylvation.com Sun Mar 29 18:20:31 2015
From: steve at sylvation.com (Steve Neuharth)
Date: Sun, 29 Mar 2015 13:20:31 -0500
Subject: [Pki-users] Fedora 21 + Quickstart guide = non functional dogtag server
Message-ID:

Hello,

I'm trying to test DogTag server and I'm unable to get the web UI to function. I've installed a fresh fedora server and I'm following the instructions here. When I hit the url https://dogtag.test.org/ca, it redirects me back to root '/' and I get the error:

Mar 29, 2015 1:17:20 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [jsp] in context with path [] threw exception [java.lang.NullPointerException] with root cause
java.lang.NullPointerException
    at org.apache.jsp.index_jsp._jspService(index_jsp.java:208)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:276)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:273)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:308)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:168)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:276)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:273)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:308)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:248)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:238)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

can anyone tell me what I did wrong? I doubt that the rpm is bad or the install guide is wrong so I suspect that it's user error. I get no errors at install time and I've attempted this about 4 times, always with the same result.

WTF?

--steve

From Majain at verisign.com Mon Mar 30 00:18:52 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Mon, 30 Mar 2015 00:18:52 +0000
Subject: [Pki-users] Issues Installing an externally signed CA configuration
Message-ID:

After providing the valid certificate chain to 'pki_external_ca_cert_chain_path' parameter, the installation was successful and I'm also able to launch pkiconsole successfully.

From: , "Jain, Mahendra" >
Date: Thursday, March 26, 2015 at 12:10 PM
To: "pki-users at redhat.com" >
Subject: [Pki-users] Issues Installing an externally signed CA configuration

Hello All,

I've been able to successfully install and test Dogtag Certificate Enrollment and Approval APIs using self signed CA available with standard Dogtag installation. Also, the java based pkiconsole works perfectly fine without any issues.

However, I'm unable to do so Installing an externally signed CA configuration. I've Dogtag 10.1 version installed. I followed the exact instructions outlined in the section 'Installing an externally signed CA' at the link below:

http://man.sourcentral.org/f18/8+pkispawn

While the installation seems to succeed, I'm seeing following errors in logs (/var/lib/pki/pki-tomcat/logs/ca/debug) when I launch pkiconsole (java based console) and provide username/password (caadmin/password123):

---------------------------------------------------------------------------------
[26/Mar/2015:15:54:39][http-bio-8443-exec-9]: AdminServlet:service() uri = /ca/auths
[26/Mar/2015:15:54:39][http-bio-8443-exec-9]: AdminServlet::service() param name='OP_TYPE' value='OP_AUTH'
[26/Mar/2015:15:54:39][http-bio-8443-exec-9]: AdminServlet::service() param name='OP_SCOPE' value='authType'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet:service() uri = /ca/auths
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet::service() param name='OP_TYPE' value='OP_AUTH'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet::service() param name='OP_SCOPE' value='auths'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
---------------------------------------------------------------------------------

Any help is greatly appreciated.

Thanks,
Mahendra

"This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed, and may contain information that is non-public, proprietary, privileged, confidential and exempt from disclosure under applicable law or may be constituted as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this message in error, notify sender immediately and delete this message immediately."

From Majain at verisign.com Mon Mar 30 01:07:02 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Mon, 30 Mar 2015 01:07:02 +0000
Subject: [Pki-users] Renew PKI Administrator (caadmin) certificate
Message-ID:

Hello All,

When I install the Dogtag Certificate System, the installation creates default PKI Administrator user (caadmin) and its certificate expires in 2 years.
How do I renew the certificate for the PKI Administrator user?

Thanks,
Mahendra

"This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed, and may contain information that is non-public, proprietary, privileged, confidential and exempt from disclosure under applicable law or may be constituted as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this message in error, notify sender immediately and delete this message immediately."
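
A small triage helper for the AUTH_FAIL audit lines quoted in the "Issues Installing an externally signed CA configuration" messages above: it parses that debug-log layout, collapses the back-to-back duplicate entries, and reports credentials with repeated failures. This is an added example, not code from Dogtag or from any poster; the sample log is constructed in the layout of the quoted lines (the later timestamps, thread names, the operator1 credential and the AUTH_SUCCESS line are assumptions), and the 3-failures-in-60-seconds threshold is arbitrary.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the debug log quoted in the thread.
SAMPLE_LOG = """\
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet::service() param name='OP_SCOPE' value='auths'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[26/Mar/2015:15:54:55][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[26/Mar/2015:15:55:20][http-bio-8443-exec-5]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[26/Mar/2015:15:58:10][http-bio-8443-exec-7]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=operator1] authentication failure
[26/Mar/2015:16:02:31][http-bio-8443-exec-2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=passwdUserDBAuthMgr] authentication success
"""

# Month names are mapped by hand so parsing does not depend on the locale.
MONTHS = {name: number for number, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# [dd/Mon/yyyy:HH:MM:SS][thread]: message
LINE_RE = re.compile(
    r"^\[(\d{2})/(\w{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2})\]\[([^\]]+)\]:\s*(.*)$")
# [Key=Value] pairs inside the audit message
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_audit_events(text):
    """Return audit events as dicts, skipping non-audit lines and
    dropping an entry that exactly repeats the one before it."""
    events, previous = [], None
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        day, mon, year, hh, mm, ss, thread, msg = match.groups()
        if "SignedAuditEventFactory" not in msg or "message=" not in msg:
            continue
        payload = msg.split("message=", 1)[1]
        fields = dict(FIELD_RE.findall(payload))
        if "AuditEvent" not in fields or mon not in MONTHS:
            continue
        when = datetime(int(year), MONTHS[mon], int(day),
                        int(hh), int(mm), int(ss))
        key = (when, thread, payload)
        if key == previous:          # the log in the thread shows each event twice
            continue
        previous = key
        events.append({"time": when, "thread": thread, **fields})
    return events


def failed_logins(events):
    """Count AUTH_FAIL events per attempted credential."""
    return Counter(e.get("AttemptedCred", "<unknown>")
                   for e in events if e["AuditEvent"] == "AUTH_FAIL")


def failure_bursts(events, threshold=3, window_seconds=60):
    """Credentials with at least `threshold` failures inside any window
    of `window_seconds`; returned sorted by name."""
    window = timedelta(seconds=window_seconds)
    by_cred = defaultdict(list)
    for e in events:
        if e["AuditEvent"] == "AUTH_FAIL":
            by_cred[e.get("AttemptedCred", "<unknown>")].append(e["time"])
    flagged = []
    for cred, times in by_cred.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(cred)
                break
    return sorted(flagged)


if __name__ == "__main__":
    parsed = parse_audit_events(SAMPLE_LOG)
    print(dict(failed_logins(parsed)))
    print(failure_bursts(parsed))
```
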
From Majain at verisign.com Mon Mar 30 01:41:08 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Mon, 30 Mar 2015 01:41:08 +0000
Subject: [Pki-users] Renew PKI Administrator (caadmin) certificate
In-Reply-To:
References:
Message-ID:

Correction: I meant, How can it be renewed for more than 2 years (say 5 years)?

From: , "Jain, Mahendra" >
Date: Sunday, March 29, 2015 at 9:07 PM
To: "pki-users at redhat.com" >
Subject: [Pki-users] Renew PKI Administrator (caadmin) certificate

Hello All,

When I install the Dogtag Certificate System, the installation creates default PKI Administrator user (caadmin) and its certificate expires in 2 years.
How do I renew the certificate for the PKI Administrator user?

Thanks,
Mahendra

"This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed, and may contain information that is non-public, proprietary, privileged, confidential and exempt from disclosure under applicable law or may be constituted as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this message in error, notify sender immediately and delete this message immediately."

From nali.mrt at gmail.com Mon Mar 30 05:13:03 2015
From: nali.mrt at gmail.com (Nalinda Herath)
Date: Mon, 30 Mar 2015 10:43:03 +0530
Subject: [Pki-users] Renew PKI Administrator (caadmin) certificate
In-Reply-To:
References:
Message-ID:

For issuing the CA admin certificate, CA uses the dual-use user certificate profile. First disable that profile via the agent interface and log in to the PKIconsole. Go to the causerCert profile (I can't remember the exact name) and change the validity default parameter constraint.

To renew, by default it should be within the renewal grace period.

On Mon, Mar 30, 2015 at 7:11 AM, Jain, Mahendra wrote:
> Correction: I meant, How can it be renewed for more than 2 years (say 5
> years)?
>
> From: , "Jain, Mahendra"
> Date: Sunday, March 29, 2015 at 9:07 PM
> To: "pki-users at redhat.com"
> Subject: [Pki-users] Renew PKI Administrator (caadmin) certificate
>
> Hello All,
>
> When I install the Dogtag Certificate System, the installation creates
> default PKI Administrator user (caadmin) and its certificate expires in 2
> years.
> How do I renew the certificate for the PKI Administrator user?
>
> Thanks,
> Mahendra
> "This message (including any attachments) is intended only for the use of
> the individual or entity to which it is addressed, and may contain
> information that is non-public, proprietary, privileged, confidential and
> exempt from disclosure under applicable law or may be constituted as
> attorney work product. If you are not the intended recipient, you are
> hereby notified that any use, dissemination, distribution, or copying of
> this communication is strictly prohibited. If you have received this
> message in error, notify sender immediately and delete this message
> immediately."
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>

--
Best Regards,
Nalinda

From Majain at verisign.com Mon Mar 30 14:54:02 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Mon, 30 Mar 2015 14:54:02 +0000
Subject: [Pki-users] Renew PKI Administrator (caadmin) certificate
In-Reply-To:
References:
Message-ID:

Thanks. It worked. Btw, the profile name is caAdminCert for default PKI Administrator user (caadmin).

Here're the steps I followed to renew default PKI Administrator user:

1. Disable the caAdminCert profile via the agent interface (caadmin uses Security Domain Administrator Certificate Enrollment profile)
2. Change the validity default parameter constraint for caAdminCert profile via PKIconsole
3. Enable the caAdminCert profile via the agent interface
4. Submit the certificate renewal request using 'Self-renew user SSL client certificates' option via End Users interface

- Mahendra

From: Nalinda Herath >
Date: Monday, March 30, 2015 at 1:13 AM
To: "Jain, Mahendra" >
Cc: "pki-users at redhat.com" >
Subject: Re: [Pki-users] Renew PKI Administrator (caadmin) certificate

For issuing the CA admin certificate, CA uses the dual-use user certificate profile. First disable that profile via the agent interface and log in to the PKIconsole. Go to the causerCert profile (I can't remember the exact name) and change the validity default parameter constraint.

To renew, by default it should be within the renewal grace period.

On Mon, Mar 30, 2015 at 7:11 AM, Jain, Mahendra > wrote:

Correction: I meant, How can it be renewed for more than 2 years (say 5 years)?

From: , "Jain, Mahendra" >
Date: Sunday, March 29, 2015 at 9:07 PM
To: "pki-users at redhat.com" >
Subject: [Pki-users] Renew PKI Administrator (caadmin) certificate

Hello All,

When I install the Dogtag Certificate System, the installation creates default PKI Administrator user (caadmin) and its certificate expires in 2 years.
How do I renew the certificate for the PKI Administrator user?

Thanks,
Mahendra

"This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed, and may contain information that is non-public, proprietary, privileged, confidential and exempt from disclosure under applicable law or may be constituted as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this message in error, notify sender immediately and delete this message immediately."

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

--
Best Regards,
Nalinda

From Majain at verisign.com Mon Mar 30 15:46:26 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Mon, 30 Mar 2015 15:46:26 +0000
Subject: [Pki-users] How to setup PKI Administrator user
Message-ID:

Hello All,

When I install the Dogtag Certificate System, the installation creates default PKI Administrator user (caadmin).
What is the procedure to setup additional PKI Administrator users so that they can also access agent interface?

Thanks,
Mahendra

"This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed, and may contain information that is non-public, proprietary, privileged, confidential and exempt from disclosure under applicable law or may be constituted as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this message in error, notify sender immediately and delete this message immediately."

From nali.mrt at gmail.com Mon Mar 30 16:24:10 2015
From: nali.mrt at gmail.com (Nalinda Herath)
Date: Mon, 30 Mar 2015 21:54:10 +0530
Subject: [Pki-users] How to setup PKI Administrator user
In-Reply-To:
References:
Message-ID:

Dear Mahendra,

You can get it done through the pkiconsole.

First create a new user via the web interface.

Then open the pkiconsole, go to users and groups and add a new user for the system. Set the required attributes and add that user to the "Certificate Manager Agents" group. Use the certificate of the new user created via the web interface.

Hope this will help

Regards,
Nalinda

On Mon, Mar 30, 2015 at 9:16 PM, Jain, Mahendra wrote:
> Hello All,
>
> When I install the Dogtag Certificate System, the installation creates
> default PKI Administrator user (caadmin).
> What is the procedure to setup additional PKI Administrator users so that
> they can also access agent interface?
>
> Thanks,
> Mahendra
> "This message (including any attachments) is intended only for the use of
> the individual or entity to which it is addressed, and may contain
> information that is non-public, proprietary, privileged, confidential and
> exempt from disclosure under applicable law or may be constituted as
> attorney work product. If you are not the intended recipient, you are
> hereby notified that any use, dissemination, distribution, or copying of
> this communication is strictly prohibited. If you have received this
> message in error, notify sender immediately and delete this message
> immediately."
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>

--
Best Regards,
Nalinda

From alee at redhat.com Mon Mar 30 17:24:23 2015
From: alee at redhat.com (Ade Lee)
Date: Mon, 30 Mar 2015 13:24:23 -0400
Subject: [Pki-users] Fedora 21 + Quickstart guide = non functional dogtag server
In-Reply-To:
References:
Message-ID: <1427736263.26215.5.camel@aleeredhat.laptop>

Hi Steve,

There is currently a bug with the top level URL.
https://fedorahosted.org/pki/ticket/1284

Until this is fixed, pkispawn has been modified (in 10.2.2) to point to a lower level URL. In your case, that URL would be:

https://dogtag.test.org/ca/services

Just point your browser to that URL, and everything should work just fine.

Ade

On Sun, 2015-03-29 at 13:20 -0500, Steve Neuharth wrote:
> Hello,
>
>
> I'm trying to test DogTag server and I'm unable to get the web UI to
> function. I've installed a fresh fedora server and I'm following the
> instructions here. When I hit the url https://dogtag.test.org/ca, it
> redirects me back to root '/' and I get the error:
>
> Mar 29, 2015 1:17:20 PM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet [jsp] in context with path [] threw exception [java.lang.NullPointerException] with root cause
> java.lang.NullPointerException
>     at org.apache.jsp.index_jsp._jspService(index_jsp.java:208)
>     at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>     at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
>     at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
>     at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:497)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:276)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:273)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:308)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:168)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
>     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:497)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:276)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:273)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:308)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:248)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:238)
>     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
>
>
> can anyone tell me what I did wrong? I doubt that the rpm is bad or
> the install guide is wrong so I suspect that it's user error. I get no
> errors at install time and I've attempted this about 4 times, always
> with the same result.
>
>
> WTF?
>
> --steve
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From Majain at verisign.com Mon Mar 30 17:37:19 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Mon, 30 Mar 2015 17:37:19 +0000
Subject: [Pki-users] How to setup PKI Administrator user
In-Reply-To:
References:
Message-ID:

Hi Nalinda,

Thanks for the quick response.

How do I create a new user via the web interface?
Do you mean submit a 'Manual User Dual-Use Certificate Enrollment' request via end user interface and once the request is approved, use that certificate when creating user via PKIConsole?

Thanks,
Mahendra

From: Nalinda Herath
Date: Monday, March 30, 2015 at 12:24 PM
To: "Jain, Mahendra"
Cc: "pki-users at redhat.com"
Subject: Re: [Pki-users] How to setup PKI Administrator user

Dear Mahendra,

You can get it done through the pkiconsole.

first create a new user via the web interface.

Then open the pkiconsole, go to users and groups and add a new user for the system. Set the required attributes and add that user to the "Certificate Manager Agents" group. use the certificate of the new user created via the web interface.

hope this will help

Regards,
Nalinda

On Mon, Mar 30, 2015 at 9:16 PM, Jain, Mahendra wrote:

Hello All,

When I install the Dogtag Certificate System, the installation creates default PKI Administrator user (caadmin).
What is the procedure to setup additional PKI Administrator users so that they can also access agent interface?

Thanks,
Mahendra

"This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed, and may contain information that is non-public, proprietary, privileged, confidential and exempt from disclosure under applicable law or may be constituted as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this message in error, notify sender immediately and delete this message immediately."

--
Best Regards,
Nalinda

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From nali.mrt at gmail.com Tue Mar 31 02:22:16 2015
From: nali.mrt at gmail.com (Nalinda Herath)
Date: Tue, 31 Mar 2015 07:52:16 +0530
Subject: [Pki-users] How to setup PKI Administrator user
In-Reply-To:
References:
Message-ID:

Yes mahendra

On Mar 30, 2015 11:07 PM, "Jain, Mahendra" wrote:

> Hi Nalinda,
>
> Thanks for the quick response.
>
> How do I create a new user via the web interface?
> Do you mean submit a 'Manual User Dual-Use Certificate Enrollment' request
> via end user interface and once the request is approved, use that
> certificate when creating user via PKIConsole?
>
> Thanks,
> Mahendra
>
> From: Nalinda Herath
> Date: Monday, March 30, 2015 at 12:24 PM
> To: "Jain, Mahendra"
> Cc: "pki-users at redhat.com"
> Subject: Re: [Pki-users] How to setup PKI Administrator user
>
> Dear Mahendra,
>
> You can get it done through the pkiconsole.
>
> first create a new user via the web interface.
>
> Then open the pkiconsole, go to users and groups and add a new user for
> the system. Set the required attributes and add that user to the
> "Certificate Manager Agents" group. use the certificate of the new user
> created via the web interface.
>
> hope this will help
>
> Regards,
> Nalinda
>
> On Mon, Mar 30, 2015 at 9:16 PM, Jain, Mahendra
> wrote:
>
>> Hello All,
>>
>> When I install the Dogtag Certificate System, the installation creates
>> default PKI Administrator user (caadmin).
>> What is the procedure to setup additional PKI Administrator users so that
>> they can also access agent interface?
>>
>> Thanks,
>> Mahendra
>>
>
> --
> Best Regards,
> Nalinda
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From steve at sylvation.com Tue Mar 31 14:33:14 2015
From: steve at sylvation.com (Steve Neuharth)
Date: Tue, 31 Mar 2015 09:33:14 -0500
Subject: [Pki-users] Fedora 21 + Quickstart guide = non functional dogtag server
In-Reply-To: <1427736263.26215.5.camel@aleeredhat.laptop>
References: <1427736263.26215.5.camel@aleeredhat.laptop>
Message-ID:

sorry... should have replied to the list.

I updated pki to 10.2.0-5, tried the url using /ca/services and I get a different exception:

hmmmm. I still get an exception.

java.io.IOException: CS server is not ready to serve.
    com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    java.lang.reflect.Method.invoke(Method.java:497)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:276)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:273)
    java.security.AccessController.doPrivileged(Native Method)
    javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:308)
    org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:168)
    java.security.AccessController.doPrivileged(Native Method)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    java.lang.reflect.Method.invoke(Method.java:497)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:276)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:273)
    java.security.AccessController.doPrivileged(Native Method)
    javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:308)
    org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:248)

On Mon, Mar 30, 2015 at 12:24 PM, Ade Lee wrote:

> Hi Steve,
>
> There is currently a bug with the top level URL.
> https://fedorahosted.org/pki/ticket/1284
>
> Until this is fixed, pkispawn has been modified (in 10.2.2) to point to
> a lower level URL.
In your case, that URL would be: > > https://dogtag.test.org/ca/services > > Just point your browser to that URL, and everything should work just > fine. > > Ade > > > On Sun, 2015-03-29 at 13:20 -0500, Steve Neuharth wrote: > > Hello, > > > > > > I'm trying to test DogTag server and I'm unable to get the web UI to > > function. I've installed a fresh fedora server and I'm following the > > instructions here. When I hit the url https://dogtag.test.org/ca, it > > redirects me back to root '/' and I get the error: > > > > Mar 29, 2015 1:17:20 PM org.apache.catalina.core.StandardWrapperValve > > invoke > > SEVERE: Servlet.service() for servlet [jsp] in context with path [] > > threw exception [java.lang.NullPointerException] wit > > h root cause > > java.lang.NullPointerException > > at org.apache.jsp.index_jsp._jspService(index_jsp.java:208) > > at > > org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) > > at > > javax.servlet.http.HttpServlet.service(HttpServlet.java:727) > > at > > > org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432) > > at > > org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395) > > at > > org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339) > > at > > javax.servlet.http.HttpServlet.service(HttpServlet.java:727) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > at > > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:497) > > at org.apache.catalina.security.SecurityUtil > > $1.run(SecurityUtil.java:276) > > at org.apache.catalina.security.SecurityUtil > > $1.run(SecurityUtil.java:273) > > at java.security.AccessController.doPrivileged(Native Method) > > at > > javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > > at > > 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:308) > > at > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:168) > > at > > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) > > at org.apache.catalina.core.ApplicationFilterChain.access > > $000(ApplicationFilterChain.java:55) > > at org.apache.catalina.core.ApplicationFilterChain > > $1.run(ApplicationFilterChain.java:191) > > at org.apache.catalina.core.ApplicationFilterChain > > $1.run(ApplicationFilterChain.java:187) > > at java.security.AccessController.doPrivileged(Native Method) > > at > > > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) > > at > > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > at > > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:497) > > at org.apache.catalina.security.SecurityUtil > > $1.run(SecurityUtil.java:276) > > at org.apache.catalina.security.SecurityUtil > > $1.run(SecurityUtil.java:273) > > at java.security.AccessController.doPrivileged(Native Method) > > at > > javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > > at > > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:308) > > at > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:248) > > at > > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:238) > > at org.apache.catalina.core.ApplicationFilterChain.access > > $000(ApplicationFilterChain.java:55) > > at org.apache.catalina.core.ApplicationFilterChain > > $1.run(ApplicationFilterChain.java:191) > > at org.apache.catalina.core.ApplicationFilterChain > > 
$1.run(ApplicationFilterChain.java:187) > > at java.security.AccessController.doPrivileged(Native Method) > > at > > > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) > > at > > > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221) > > at > > > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) > > at > > > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504) > > at > > > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) > > at > > > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) > > at > > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) > > at > > > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) > > at > > > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421) > > at > > > org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074) > > at org.apache.coyote.AbstractProtocol > > $AbstractConnectionHandler.process(AbstractProtocol.java:611) > > at org.apache.tomcat.util.net.JIoEndpoint > > $SocketProcessor.run(JIoEndpoint.java:316) > > at > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > > at java.util.concurrent.ThreadPoolExecutor > > $Worker.run(ThreadPoolExecutor.java:617) > > at org.apache.tomcat.util.threads.TaskThread > > $WrappingRunnable.run(TaskThread.java:61) > > at java.lang.Thread.run(Thread.java:745) > > > > > > can anyone tell me what I did wrong? I doubt that the rpm is bad or > > the install guide is wrong so I suspect that it's user error. I get no > > errors at install time and I've attempted this about 4 times, always > > with the same result. > > > > > > WTF? 
> >
> > --steve
> >
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From alee at redhat.com Tue Mar 31 14:38:49 2015
From: alee at redhat.com (Ade Lee)
Date: Tue, 31 Mar 2015 10:38:49 -0400
Subject: [Pki-users] Fedora 21 + Quickstart guide = non functional dogtag server
In-Reply-To:
References: <1427736263.26215.5.camel@aleeredhat.laptop>
Message-ID: <1427812729.21274.2.camel@aleeredhat.laptop>

Something else is going on there -- maybe the ldap server is down?

Please attach some logs and we can try to see what went wrong.
Logs are in /var/log/pki/pki-tomcat/
and also:

    journalctl -u pki-tomcatd@pki-tomcat.service

Ade

On Tue, 2015-03-31 at 09:33 -0500, Steve Neuharth wrote:
> sorry... should have replied to the list.
>
>
> I updated pki to 10.2.0-5, tried the url using /ca/services and I get
> a different exception:
>
> hmmmm. I still get an exception.
>
> java.io.IOException: CS server is not ready to serve.
> com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> java.lang.reflect.Method.invoke(Method.java:497)
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:276)
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:273)
> java.security.AccessController.doPrivileged(Native Method)
> javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:308)
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:168)
> java.security.AccessController.doPrivileged(Native Method)
> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> java.lang.reflect.Method.invoke(Method.java:497)
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:276)
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:273)
> java.security.AccessController.doPrivileged(Native Method)
> javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:308)
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:248)
>
>
>
> On Mon, Mar 30, 2015 at 12:24 PM, Ade Lee wrote:
> Hi Steve,
>
> There is currently a bug with the top level URL.
> https://fedorahosted.org/pki/ticket/1284
>
> Until this is fixed, pkispawn has been modified (in 10.2.2) to point to
> a lower level URL.
In your case, that URL would be: > > https://dogtag.test.org/ca/services > > Just point your browser to that URL, and everything should > work just > fine. > > Ade > > > On Sun, 2015-03-29 at 13:20 -0500, Steve Neuharth wrote: > > Hello, > > > > > > I'm trying to test DogTag server and I'm unable to get the > web UI to > > function. I've installed a fresh fedora server and I'm > following the > > instructions here. When I hit the url > https://dogtag.test.org/ca, it > > redirects me back to root '/' and I get the error: > > > > Mar 29, 2015 1:17:20 PM > org.apache.catalina.core.StandardWrapperValve > > invoke > > SEVERE: Servlet.service() for servlet [jsp] in context with > path [] > > threw exception [java.lang.NullPointerException] wit > > h root cause > > java.lang.NullPointerException > > at > org.apache.jsp.index_jsp._jspService(index_jsp.java:208) > > at > > > org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) > > at > > javax.servlet.http.HttpServlet.service(HttpServlet.java:727) > > at > > > org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432) > > at > > > org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395) > > at > > > org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339) > > at > > javax.servlet.http.HttpServlet.service(HttpServlet.java:727) > > at > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > at > > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:497) > > at org.apache.catalina.security.SecurityUtil > > $1.run(SecurityUtil.java:276) > > at org.apache.catalina.security.SecurityUtil > > $1.run(SecurityUtil.java:273) > > at > java.security.AccessController.doPrivileged(Native Method) > > at > > javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > > at > > > 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:308) > > at > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:168) > > at > > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) > > at > org.apache.catalina.core.ApplicationFilterChain.access > > $000(ApplicationFilterChain.java:55) > > at org.apache.catalina.core.ApplicationFilterChain > > $1.run(ApplicationFilterChain.java:191) > > at org.apache.catalina.core.ApplicationFilterChain > > $1.run(ApplicationFilterChain.java:187) > > at > java.security.AccessController.doPrivileged(Native Method) > > at > > > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) > > at > > > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) > > at > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > at > > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:497) > > at org.apache.catalina.security.SecurityUtil > > $1.run(SecurityUtil.java:276) > > at org.apache.catalina.security.SecurityUtil > > $1.run(SecurityUtil.java:273) > > at > java.security.AccessController.doPrivileged(Native Method) > > at > > javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > > at > > > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:308) > > at > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:248) > > at > > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:238) > > at > org.apache.catalina.core.ApplicationFilterChain.access > > $000(ApplicationFilterChain.java:55) > > at org.apache.catalina.core.ApplicationFilterChain > > $1.run(ApplicationFilterChain.java:191) > > at 
org.apache.catalina.core.ApplicationFilterChain > > $1.run(ApplicationFilterChain.java:187) > > at > java.security.AccessController.doPrivileged(Native Method) > > at > > > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) > > at > > > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221) > > at > > > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) > > at > > > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504) > > at > > > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) > > at > > > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) > > at > > > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) > > at > > > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) > > at > > > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421) > > at > > > org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074) > > at org.apache.coyote.AbstractProtocol > > > $AbstractConnectionHandler.process(AbstractProtocol.java:611) > > at org.apache.tomcat.util.net.JIoEndpoint > > $SocketProcessor.run(JIoEndpoint.java:316) > > at > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > > at java.util.concurrent.ThreadPoolExecutor > > $Worker.run(ThreadPoolExecutor.java:617) > > at org.apache.tomcat.util.threads.TaskThread > > $WrappingRunnable.run(TaskThread.java:61) > > at java.lang.Thread.run(Thread.java:745) > > > > > > can anyone tell me what I did wrong? I doubt that the rpm is > bad or > > the install guide is wrong so I suspect that it's user > error. I get no > > errors at install time and I've attempted this about 4 > times, always > > with the same result. > > > > > > WTF? 
> >
> > --steve
> >

From Majain at verisign.com Tue Mar 31 18:15:42 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Tue, 31 Mar 2015 18:15:42 +0000
Subject: [Pki-users] How to setup PKI Administrator user
In-Reply-To:
References:
Message-ID:

Hi Nalinda,

I requested the certificate using 'Manual User Dual-Use Certificate Enrollment' option.
However, when I tried to import the generated certificate into Firefox browser, I get following error:

'This personal certificate can't be installed because you don't own the corresponding private key which was created when the certificate was requested.'

To work around this, I manually created private key and CSR on the client machine using following steps:

1. Generate a new private key and Certificate Signing Request:

   $ openssl req -out operator.csr -new -newkey rsa:2048 -nodes -keyout operator.key

2. Submit a CSR using "Manual Administrator Certificate Enrollment" option via end user interface
   (Note: Ensure that the Subject Name field is populated with the exact value as it appears in the Subject attribute of CSR)

3. Create a pkcs#12 file once the above CSR is approved:

   $ openssl pkcs12 -export -out operator.p12 -inkey operator.key -in operator.cert -certfile ca.cert

4. Using PKIConsole, create a new user, add that user to the "Certificate Manager Agents" group and associate the certificate (operator.cert) obtained in the step#3 above

5. Launch Firefox browser and import pkcs#12 file (operator.p12) under 'Your Certificates' section

With these steps, I can now successfully access agent interface.

So, I would like to know when and how 'Manual User Dual-Use Certificate Enrollment' option is useful in overall solution.
Thanks,
Mahendra

From: Nalinda Herath
Date: Monday, March 30, 2015 at 10:22 PM
To: "Jain, Mahendra"
Cc: "pki-users at redhat.com"
Subject: Re: [Pki-users] How to setup PKI Administrator user

Yes mahendra

On Mar 30, 2015 11:07 PM, "Jain, Mahendra" wrote:

Hi Nalinda,

Thanks for the quick response.

How do I create a new user via the web interface?
Do you mean submit a 'Manual User Dual-Use Certificate Enrollment' request via end user interface and once the request is approved, use that certificate when creating user via PKIConsole?

Thanks,
Mahendra

From: Nalinda Herath
Date: Monday, March 30, 2015 at 12:24 PM
To: "Jain, Mahendra"
Cc: "pki-users at redhat.com"
Subject: Re: [Pki-users] How to setup PKI Administrator user

Dear Mahendra,

You can get it done through the pkiconsole.

first create a new user via the web interface.

Then open the pkiconsole, go to users and groups and add a new user for the system. Set the required attributes and add that user to the "Certificate Manager Agents" group. use the certificate of the new user created via the web interface.

hope this will help

Regards,
Nalinda

On Mon, Mar 30, 2015 at 9:16 PM, Jain, Mahendra wrote:

Hello All,

When I install the Dogtag Certificate System, the installation creates default PKI Administrator user (caadmin).
What is the procedure to setup additional PKI Administrator users so that they can also access agent interface?

Thanks,
Mahendra

--
Best Regards,
Nalinda

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Majain at verisign.com Thu Mar 26 16:03:12 2015
From: Majain at verisign.com (Jain, Mahendra)
Date: Thu, 26 Mar 2015 16:03:12 +0000
Subject: [Pki-users] Issues Installing an externally signed CA configuration
Message-ID:

Hello All,

I've been able to successfully install and test Dogtag Certificate Enrollment and Approval APIs using self signed CA available with standard Dogtag installation. Also, the java based pkiconsole works perfectly fine without any issues.

However, I'm unable to do so Installing an externally signed CA configuration.

I've Dogtag 10.1 version installed. I followed the exact instructions outlined in the section 'Installing an externally signed CA'
at the link below:
http://man.sourcentral.org/f18/8+pkispawn

While the installation seems to succeed, I'm seeing following errors in logs (/var/lib/pki/pki-tomcat/logs/ca/debug) when I launch pkiconsole (java based console) and provide username/password (caadmin/password123):

---------------------------------------------------------------------------------
[26/Mar/2015:15:54:39][http-bio-8443-exec-9]: AdminServlet:service() uri = /ca/auths
[26/Mar/2015:15:54:39][http-bio-8443-exec-9]: AdminServlet::service() param name='OP_TYPE' value='OP_AUTH'
[26/Mar/2015:15:54:39][http-bio-8443-exec-9]: AdminServlet::service() param name='OP_SCOPE' value='authType'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet:service() uri = /ca/auths
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet::service() param name='OP_TYPE' value='OP_AUTH'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet::service() param name='OP_SCOPE' value='auths'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
---------------------------------------------------------------------------------

Any help is greatly appreciated.

Thanks,
Mahendra

"This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed, and may contain information that is non-public, proprietary, privileged, confidential and exempt from disclosure under applicable law or may be constituted as attorney work product.
If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this message in error, notify sender immediately and delete this message immediately."

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From steve at sylvation.com Sat Mar 28 18:11:51 2015
From: steve at sylvation.com (Steve Neuharth)
Date: Sat, 28 Mar 2015 13:11:51 -0500
Subject: [Pki-users] Best, stable release of Dogtag
Message-ID:

Hello,

My company is in need of an internal PKI and we're considering using Dogtag. I have tried installing version 10.2.0-5 on fedora 21, following the quick start guide, accepting the defaults and receive only nullPointerException when attempting to use the web UI. I understand that 10.x is alpha so should I be using version 9.x? We do have redhat licenses so I'd really prefer RHEL over fedora.

So, what is the best production ready configuration for Dogtag? I just need a PKI that works, preferably with a REST api that can auto-sign certificates.

thanks for your help

--steve

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mrniranjan at redhat.com Mon Mar 30 16:24:36 2015
From: mrniranjan at redhat.com (Niranjan M.R)
Date: Mon, 30 Mar 2015 21:54:36 +0530
Subject: [Pki-users] How to setup PKI Administrator user
In-Reply-To:
References:
Message-ID: <551978C4.7090802@redhat.com>

On 03/30/2015 09:16 PM, Jain, Mahendra wrote:
> Hello All,
>
> When I install the Dogtag Certificate System, the installation creates default PKI Administrator user (caadmin).
> What is the procedure to setup additional PKI Administrator users so that they can also access agent interface?

If you are on latest dogtag (fedora 20), you could use pki user cli to create user and add him to Certificate Manager Agents Group. Also use a user profile to generate cert for the new user and add the cert using pki user cli. Import the cert to browser (including keys).

You could do the same using pkiconsole too.

>
> Thanks,
> Mahendra
>

--
Niranjan
irc: mrniranjan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x6047C7C7.asc
Type: application/pgp-keys
Size: 1893 bytes
Desc: not available
URL:
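
The Firefox import error and the manual openssl procedure in the "How to setup PKI Administrator user" thread both come down to whether the certificate carries the public key of a private key the client actually holds. As an added example (not part of the original messages and not Dogtag code), this script compares public-key fingerprints of key, CSR and certificate and refuses to build the PKCS#12 file on a mismatch; the function names, the P12_PASSWORD variable, the -subj values and the throwaway CA standing in for the Dogtag CA are assumptions.

```shell
#!/bin/sh
# Added example: verify that key, CSR and certificate belong together before
# building the PKCS#12 file that gets imported into the browser.

# spki_sha256 key|cert|csr FILE -> SHA-256 of the DER-encoded public key.
spki_sha256() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    # An empty result would hash to the same value for every input; refuse it.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{ print $NF }'
}

# cert_matches_key CERT KEY -> exit 0 only if CERT carries KEY's public key.
cert_matches_key() {
    c=$(spki_sha256 cert "$1") || return 1
    k=$(spki_sha256 key "$2") || return 1
    [ "$c" = "$k" ]
}

# build_p12 CERT KEY CACERT OUT -> step 3 of the thread, guarded by the check.
# The password is read from $P12_PASSWORD so it never appears in the argv.
build_p12() {
    if ! cert_matches_key "$1" "$2"; then
        echo "refusing to bundle: $1 does not carry the public key of $2" >&2
        return 1
    fi
    openssl pkcs12 -export -out "$4" -inkey "$2" -in "$1" -certfile "$3" \
        -passout env:P12_PASSWORD
}

# p12_has_matching_key P12 -> exit 0 if the bundle holds a cert AND its key.
p12_has_matching_key() {
    tmp=$(mktemp -d) || return 1
    openssl pkcs12 -in "$1" -passin env:P12_PASSWORD -nocerts -nodes \
        -out "$tmp/key" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin env:P12_PASSWORD -clcerts -nokeys \
        -out "$tmp/cert" 2>/dev/null &&
    cert_matches_key "$tmp/cert" "$tmp/key"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Constructed test material: a throwaway CA (stand-in for the real CA), the
# operator key/CSR/cert, and other.key, a key that was NOT used for the request.
make_constructed_fixture() {
    fx=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$fx/ca.key" -out "$fx/ca.cert" 2>/dev/null &&
    openssl req -out "$fx/operator.csr" -new -newkey rsa:2048 -nodes \
        -keyout "$fx/operator.key" -subj "/CN=operator" 2>/dev/null &&
    openssl x509 -req -in "$fx/operator.csr" -CA "$fx/ca.cert" \
        -CAkey "$fx/ca.key" -CAcreateserial -days 1 \
        -out "$fx/operator.cert" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$fx/other.key" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    P12_PASSWORD=constructed-demo-only; export P12_PASSWORD
    make_constructed_fixture "$dir" || return 1
    echo "key : $(spki_sha256 key  "$dir/operator.key")"
    echo "csr : $(spki_sha256 csr  "$dir/operator.csr")"
    echo "cert: $(spki_sha256 cert "$dir/operator.cert")"
    cert_matches_key "$dir/operator.cert" "$dir/other.key" ||
        echo "other.key: no match, a bundle or import with this key would fail"
    build_p12 "$dir/operator.cert" "$dir/operator.key" "$dir/ca.cert" \
        "$dir/operator.p12" &&
        p12_has_matching_key "$dir/operator.p12" &&
        echo "operator.p12: certificate and matching private key present"
    rm -rf "$dir"
}

# Run the demonstration with:  sh this-file demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

A certificate file on its own never contains the private key, so the same fingerprint comparison explains why a certificate issued for a key held elsewhere cannot be imported as a personal certificate.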
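
The debug log pasted in the "Issues Installing an externally signed CA configuration" message records each rejected console login as a SignedAuditEventFactory AUTH_FAIL entry. As an added example (not Dogtag code and not from the original messages), this function tallies those entries per AuthMgr and AttemptedCred with first and last timestamps; the function names, the threshold argument, the treatment of byte-identical entries as one event, and the two sample entries marked constructed are assumptions.

```shell
#!/bin/sh
# Added example: summarise AUTH_FAIL audit entries from a CA debug log that
# has one entry per line, in the format shown in the thread.

# auth_fail_summary [MIN] < debug-log
# Output, one line per (AuthMgr, AttemptedCred) pair with at least MIN failures:
#   count <TAB> AuthMgr <TAB> AttemptedCred <TAB> first-seen <TAB> last-seen
auth_fail_summary() {
    awk -v min="${1:-1}" '
    # Return VALUE from the first "[name=VALUE]" group on the line.
    function field(line, name) {
        if (!match(line, "\\[" name "=[^]]*\\]")) return "-"
        return substr(line, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
    }
    /\[AuditEvent=AUTH_FAIL\]/ {
        # Assumption: a byte-identical entry (same timestamp, thread and
        # message) is the same event written twice, as in the pasted log.
        if (seen[$0]++) next
        ts  = substr($0, 2, index($0, "]") - 2)   # text inside the first [...]
        key = field($0, "AuthMgr") "\t" field($0, "AttemptedCred")
        if (!(key in count)) first[key] = ts
        last[key] = ts
        count[key]++
    }
    END {
        for (key in count)
            if (count[key] >= min)
                print count[key] "\t" key "\t" first[key] "\t" last[key]
    }' | LC_ALL=C sort -k1,1nr -k2
}

# Sample input. The first three entries are taken from the thread; the last
# two (15:55:02 and 15:56:10) are constructed for this example.
sample_log() {
    cat <<'EOF'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: AdminServlet::service() param name='OP_SCOPE' value='auths'
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[26/Mar/2015:15:54:47][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[26/Mar/2015:15:55:02][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[26/Mar/2015:15:56:10][http-bio-8443-exec-5]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=operator] authentication failure
EOF
}

# Credentials with two or more distinct failures in the sample.
sample_log | auth_fail_summary 2
```

Against a live instance the input would be the debug file named in the message, for example `auth_fail_summary 5 < /var/lib/pki/pki-tomcat/logs/ca/debug`.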