[Pki-users] Flat-file auth

James Masson james.masson at jmips.co.uk
Wed Sep 30 08:25:41 UTC 2015


Hi list,

I'm trying to use flat-file auth on certificate requests via Certmonger.
I can successfully get certificates issued when I remove authentication. 
I've restricted the Certificate Profile to require flat-file authentication.

I'm running CentOS 7 with pki-server-10.1.2-7.el7.noarch and 
certmonger-0.78.4-1.el7.centos.x86_64

The error I get is:

"[29/Sep/2015:15:31:38][http-bio-8080-exec-10]: CertProcessor: 
authentication error Authentication credential for uid is null."

The request generated by Certmonger looks like this.

###
GET /ca/ee/ca/profileSubmit?profileId=IPASubCA&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----[...]-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true&uid=foo&pwd=password
###

flatfile.txt looks like:
#
uid:foo
pwd:password


#

CS.cfg contains:
#
auths.instance.flatFileAuth.authAttributes=pwd
auths.instance.flatFileAuth.deferOnFailure=true
auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
auths.instance.flatFileAuth.keyAttributes=uid
auths.instance.flatFileAuth.pluginName=FlatFileAuth
#


The full error from the pki debug logs is below

thanks!

James M

###
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:service() uri 
= /ca/ee/ca/profileSubmit
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service() 
param name='profileId' value='IPASubCA'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service() 
param name='cert_request_type' value='pkcs10'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service() 
param name='cert_request' value='-----BEGIN NEW CERTIFICATE REQUEST-----[...]-----END NEW CERTIFICATE REQUEST-----
'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service() 
param name='xml' value='true'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service() 
param name='uid' value='foo'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service() 
param name='pwd' value='(sensitive)'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: 
caProfileSubmit start to service.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: xmlOutput true
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet: 
isRenewal false
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: according to ccMode, 
authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, 
use default authz mgr: {2}.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: Start of CertProcessor 
Input Parameters
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input 
Parameter profileId='IPASubCA'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input 
Parameter cert_request_type='pkcs10'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input 
Parameter isRenewal='false'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input 
Parameter cert_request='-----BEGIN NEW CERTIFICATE REQUEST-----
[...]
-----END NEW CERTIFICATE REQUEST-----
'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: End of CertProcessor 
Input Parameters
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: 
isRenewal false
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: 
profileId IPASubCA
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set 
Inputs into profile Context
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: 
authenticator flatFileAuth found
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: 
CertRequestSubmitter:setCredentialsIntoContext() authIds` null
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set 
sslClientCertProvider
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: authenticate: 
authentication required.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: in auditSubjectID
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: 
auditSubjectID auditContext 
{sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider at 5cd82562, 
profileContext=com.netscape.cms.profile.common.EnrollProfileContext at 727e748c}
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet 
auditSubjectID: subjectID: null
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: FlatFileAuth: 
concatenating string i=0  keyAttrs[0] = uid
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor: 
authentication error Authentication credential for uid is null.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: SignedAuditEventFactory: 
create() message=[AuditEvent=AUTH_FAIL][SubjectID=$NonRoleUser$ : 
Unidentified][Outcome=Failure][AuthMgr=flatFileAuth][AttemptedCred=Unidentified] 
authentication failure

[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet: 
authentication error in processing request: Authentication credential 
for uid is null.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: curDate=Wed 
Sep 30 08:14:32 UTC 2015 id=caProfileSubmit time=12
###
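
Added example, not part of the original post and not Dogtag or Certmonger code: a Python preflight that reads keyAttributes and authAttributes from the posted CS.cfg lines, parses flatfile.txt, and checks that the request's query parameters supply and match them. The function names, the blank-line record separator and the comma-separated attribute lists are assumptions; the cert_request parameter is left out of the sample query.

```python
import hmac
from urllib.parse import parse_qs

# Constructed inputs: values copied from the post, cert_request omitted.
CS_CFG = """\
auths.instance.flatFileAuth.authAttributes=pwd
auths.instance.flatFileAuth.keyAttributes=uid
"""
FLATFILE = "uid:foo\npwd:password\n\n"
QUERY = "profileId=IPASubCA&cert_request_type=pkcs10&xml=true&uid=foo&pwd=password"

def instance_attrs(cfg_text, instance="flatFileAuth"):
    """Return (keyAttributes, authAttributes) for one auths.instance entry."""
    prefix = f"auths.instance.{instance}."
    props = dict(l[len(prefix):].split("=", 1) for l in cfg_text.splitlines()
                 if l.startswith(prefix) and "=" in l)
    names = lambda key: [a.strip() for a in props.get(key, "").split(",") if a.strip()]
    return names("keyAttributes"), names("authAttributes")

def parse_flatfile(text):
    """Parse 'attr:value' lines; a blank line ends a record (assumed format)."""
    records, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                records.append(current)
            current = {}
        elif ":" in line:
            attr, value = line.split(":", 1)
            current[attr.strip()] = value.strip()
    return records

def preflight(cfg_text, flatfile_text, query):
    """Return a list of problems; an empty list means the inputs line up."""
    keys, auths = instance_attrs(cfg_text)
    if not keys or not auths:
        return ["keyAttributes/authAttributes not set in CS.cfg"]
    params = {k: v[0] for k, v in parse_qs(query).items()}  # drops empty values
    missing = [f"request lacks '{a}'" for a in keys + auths if a not in params]
    if missing:
        return missing
    for rec in parse_flatfile(flatfile_text):
        if all(rec.get(k) == params[k] for k in keys):
            same = [hmac.compare_digest(rec.get(a, "").encode(), params[a].encode())
                    for a in auths]
            return [] if all(same) else ["auth attribute mismatch for matching record"]
    return ["no flat-file record matches the request's key attributes"]
```

For the values posted, preflight(CS_CFG, FLATFILE, QUERY) returns an empty list: the request carries a uid and pwd that match the flat-file record.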