[Pki-users] SCEP directory authentication

Christina Fu cfu at redhat.com
Fri May 1 23:30:10 UTC 2015


Hi Emily,
By default SCEP could take a challengePassword (internally 
"challengePhrase") that you could map with the host id, which is what 
the FlatFile authentication does.  However, the directory-based 
authenticator handles literally "uid" and "pwd".  You will need to get 
challengePhrase mapped to pwd into the request, and to do that you could 
write a plugin for it.

I think you could try editing the following file
server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
to get "uid" and "pwd" filled in the request.
We have professional services that could help write plugins.

Christina


On 05/01/2015 12:34 PM, Emily Stemmerich wrote:
> Hi,
>
> I was wondering if anyone could offer some assistance with getting 
> SCEP working with LDAP auth?
>
> Thanks!
> -Emily
>
> Date: Monday, April 27, 2015 at 4:53 PM
> To: "pki-users at redhat.com" <pki-users at redhat.com>
> Subject: [Pki-users] SCEP directory authentication
>
> Hi,
>
> I am still trying to get Dogtag 10.2.1 on Fedora 21 working to allow 
> for router identity certificates obtained by Cisco Routers via SCEP to 
> be auto-renewing.  I have found that the one-time pin model doesn’t 
> work for auto-renewal.  I was pointed to the Red Hat document below 
> that discusses using directory-based auth in Section 8.2.1, but I’m 
> having issues with getting it to work.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Automated_Enrollment.html#Setting_up_Directory_Based_Authentication
>
> I’m not certain what to put in the dnpattern attribute and there are 
> no examples I can find and am wondering if it is the reason attempts 
> show uid and credentials as null from the router – details of the 
> setup later on in this email.
>
>  * *dnpattern.* Specifies a string representing a subject name
>    pattern to formulate from the directory attributes and entry DN.
>
> ------------------------------------------
>
> From my CS.conf (RouterAuth is then referenced in the caRouterCert.cfg 
> instead of flatfile):
>
> auths.instance.RouterAuth.pluginName=UidPwdDirAuth
> auths.instance.RouterAuth.ldap.basedn=ou=RouterID,dc=auth,dc=sample,dc=com
> auths.instance.RouterAuth.ldap.ldapconn.host=localhost
> auths.instance.RouterAuth.ldap.ldapconn.port=389
> auths.instance.RouterAuth.ldap.ldapconn.secureConn=false
> ------------------------------------------
>
> I’ve created a hierarchy outside of dogtag for doing router auth:
> ou=RouterID,dc=auth,dc=sample,dc=com
> ------------------------------------------
>
> Test User Account (I am not sure what objectClass to use, so I found 
> one with uid and password as options and used that):
> dn: uid=172.18.240.11,ou=RouterID,dc=auth,dc=sample,dc=com
> uid: 172.18.240.11
> objectClass: inetUser
> userPassword: testpass
>
> ------------------------------------------
> Router config.  For flatfile auth it ends up using the WAN IP and the 
> password in the identity section, however for LDAP auth I don’t know 
> what things would map to:
>
> crypto ca identity SAMPLE
> enrollment url http://172.21.4.239:8080/ca/cgi-bin
> revocation-check none
> fqdn emilyvpn.sample.com
> serial-number none
> ip-address none
> hash sha256
> password testpass
> rsakeypair  MEVO 2048
> auto-enroll 75
> crl optional
> exit
>
> crypto ca authenticate SAMPLE
>
> ------------------------------------------
>
> When I try and get a cert from the Cisco Router I get output like the 
> following in the debug file that lists both UID and credential as null:
>
> [24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Got 
> authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication
> [24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory::getConn
> [24/Apr/2015:16:31:18][http-bio-8080-exec-7]: 
> LdapAnonConnFactory.getConn(): num avail conns now 4
> [24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Authenticating UID=null
> [24/Apr/2015:16:31:19][http-bio-8080-exec-7]: returnConn: mNumConns now 4
> [24/Apr/2015:16:31:19][http-bio-8080-exec-7]: operation failure - 
> Authentication credential for uid is null.
> [24/Apr/2015:16:31:19][http-bio-8080-exec-7]: Output PKIOperation 
> response:
>
> Thanks for any assistance,
> -Emily
>
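As an added example (not Dogtag's code, nor anything posted in this thread) of the mapping Christina describes: it walks the PKCS#10 CertificationRequestInfo that the SCEP PKIOperation carries, pulls out the challengePassword attribute and the subject CN, and returns them as the "uid"/"pwd" pair a UidPwdDirAuth-style authenticator expects. The CN-to-uid choice and the constructed, unsigned sample CSR are assumptions; Emily's entry keys on the router IP instead, so a real plugin would pick whichever subject field matches the directory uid.

```python
CHALLENGE_PASSWORD_OID = bytes.fromhex("2a864886f70d010907")  # 1.2.840.113549.1.9.7
COMMON_NAME_OID = bytes.fromhex("550403")                      # 2.5.4.3

def der(tag, body):
    """Tiny DER TLV encoder (short or 2-byte long length), for the sample only."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body

def tlvs(data):
    """Yield (tag, value) for each DER TLV inside a constructed value."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:                      # short-form length
            n, i = first, i + 2
        else:                                 # long form: next (first & 0x7F) bytes
            k = first & 0x7F
            n, i = int.from_bytes(data[i + 2:i + 2 + k], "big"), i + 2 + k
        yield tag, data[i:i + n]
        i += n

def scep_credentials(cri_der):
    """CertificationRequestInfo -> {"uid": subject CN, "pwd": challengePassword}.
    Assumed mapping; a missing field stays None, the 'credential for uid is null' case."""
    _, body = next(tlvs(cri_der))                   # outer SEQUENCE
    fields = list(tlvs(body))                       # version, subject, spki, [0] attributes
    uid = pwd = None
    for _, rdn in tlvs(fields[1][1]):               # Name ::= SEQUENCE OF SET OF ATV
        for _, atv in tlvs(rdn):
            oid, val = list(tlvs(atv))
            if oid[1] == COMMON_NAME_OID:
                uid = val[1].decode()
    for ftag, fval in fields[3:]:
        if ftag != 0xA0:                            # [0] IMPLICIT SET OF Attribute
            continue
        for _, attr in tlvs(fval):                  # Attribute ::= SEQUENCE {type, values}
            oid, values = list(tlvs(attr))
            if oid[1] == CHALLENGE_PASSWORD_OID:
                pwd = next(tlvs(values[1]))[1].decode()
    return {"uid": uid, "pwd": pwd}

def sample_cri(fqdn, challenge=None):
    """Constructed, unsigned CertificationRequestInfo with CN=<fqdn>, a placeholder
    SubjectPublicKeyInfo and, when given, a challengePassword attribute."""
    atv = der(0x30, der(0x06, COMMON_NAME_OID) + der(0x0C, fqdn.encode()))
    subject = der(0x30, der(0x31, atv))
    spki = der(0x30, der(0x05, b""))                # placeholder, not a real key
    attrs = b"" if challenge is None else der(
        0x30, der(0x06, CHALLENGE_PASSWORD_OID) + der(0x31, der(0x0C, challenge.encode())))
    return der(0x30, der(0x02, b"\x00") + subject + spki + der(0xA0, attrs))
```

The second case, a request without a challengePassword, is what a renewal signed by the existing certificate looks like, which is why a plugin keyed on pwd alone cannot serve auto-renewal.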
