[Pki-users] Flat-file auth

John Magne jmagne at redhat.com
Wed Sep 30 17:29:48 UTC 2015


Hi:

Have you modified the cert profile you are using to point to that auth instance?

See profiles/ca/caRouterCert.cfg for a sample.

Hopefully that is your issue.



----- Original Message -----
> From: "James Masson" <james.masson at jmips.co.uk>
> To: pki-users at redhat.com
> Sent: Wednesday, September 30, 2015 1:25:41 AM
> Subject: [Pki-users] Flat-file auth
> 
> 
> Hi list,
> 
> I'm trying to use flat-file auth on certificate requests via Certmonger.
> I can successfully get certificates issued when I remove authentication.
> I've restricted the Certificate Profile to require flat-file authentication.
> 
> I'm running CentOS 7 with pki-server-10.1.2-7.el7.noarch and
> certmonger-0.78.4-1.el7.centos.x86_64
> 
> The error I get is:
> 
> "[29/Sep/2015:15:31:38][http-bio-8080-exec-10]: CertProcessor:
> authentication error Authentication credential for uid is null.
> 
> The request generated by Certmonger looks like this.
> 
> ###
> GET
> /ca/ee/ca/profileSubmit?profileId=IPASubCA&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG%0ASIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q%0AnPQBQ6U0KbTKmKM81%2F2kD39eaMMzdyqBi%2BcbsPMOl93%2F%2FB88Eu8QRLis6hYMmgUF%0Av%2BcSS2JOHPOC8RY8YbkVlRYUGb%2BbMkldQEYsIOfad8xlfDBh%2Bg5ImA%2FrYS2g6MgV%0ACI0k%2F6w1nsNGJof7U2KEJpLJOvI%2F%2FwznaF%2FkuJC5kYrPLbOIEbQvM5%2F8Kcyh1W48%0AtgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67%2FAx%2FI2T34MpD5AN%0AWN1b9de3nWEce%2BMoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw%0AGwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG%0AA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX%2F%2BEWI84MCIG%0ACSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA%0AA4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T%2BkGSDgnzdK8afO8CwC6kfwAP8PZNo2L%0AcbpbiqYRSrwGOqmLpalxBG21T47c%2BonW2x8x4UYitpQH%2BUQE1P1SKiiiPA%2B6sj0f%0A5dFfPLjQGDrD1cpD8abY7HGPH3NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ%0APR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv%0AfKrckHp4AHK7B0hv%2FteB7GiqqrYA3cq9M3T6B17MnmjDF%2FyrS8uLl6DhFug0PLE2%0Afen%2FbDiCjJ3IDIqhS0hheym07ca8%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true&uid=foo&pwd=password
> ###
> 
> flatfile.txt looks like:
> #
> uid:foo
> pwd:password
> 
> 
> #
> 
> CS.cfg contains:
> #
> auths.instance.flatFileAuth.authAttributes=pwd
> auths.instance.flatFileAuth.deferOnFailure=true
> auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
> auths.instance.flatFileAuth.keyAttributes=uid
> auths.instance.flatFileAuth.pluginName=FlatFileAuth
> #
> 
> 
> The full error from the pki debug logs is below
> 
> thanks!
> 
> James M
> 
> ###
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:service() uri
> = /ca/ee/ca/profileSubmit
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> param name='profileId' value='IPASubCA'
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> param name='cert_request_type' value='pkcs10'
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> param name='cert_request' value='-----BEGIN NEW CERTIFICATE REQUEST-----
> MIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG
> SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q
> nPQBQ6U0KbTKmKM81/2kD39eaMMzdyqBi+cbsPMOl93//B88Eu8QRLis6hYMmgUF
> v+cSS2JOHPOC8RY8YbkVlRYUGb+bMkldQEYsIOfad8xlfDBh+g5ImA/rYS2g6MgV
> CI0k/6w1nsNGJof7U2KEJpLJOvI//wznaF/kuJC5kYrPLbOIEbQvM5/8Kcyh1W48
> tgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67/Ax/I2T34MpD5AN
> WN1b9de3nWEce+MoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw
> GwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG
> A1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX/+EWI84MCIG
> CSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA
> A4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T+kGSDgnzdK8afO8CwC6kfwAP8PZNo2L
> cbpbiqYRSrwGOqmLpalxBG21T47c+onW2x8x4UYitpQH+UQE1P1SKiiiPA+6sj0f
> 5dFfPLjQGDrD1cpD8abY7HGPH3NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ
> PR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv
> fKrckHp4AHK7B0hv/teB7GiqqrYA3cq9M3T6B17MnmjDF/yrS8uLl6DhFug0PLE2
> fen/bDiCjJ3IDIqhS0hheym07ca8
> -----END NEW CERTIFICATE REQUEST-----
> '
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> param name='xml' value='true'
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> param name='uid' value='foo'
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> param name='pwd' value='(sensitive)'
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:
> caProfileSubmit start to service.
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: xmlOutput true
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet:
> isRenewal false
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: according to ccMode,
> authorization for servlet: caProfileSubmit is LDAP based, not XML {1},
> use default authz mgr: {2}.
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: Start of CertProcessor
> Input Parameters
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
> Parameter profileId='IPASubCA'
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
> Parameter cert_request_type='pkcs10'
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
> Parameter isRenewal='false'
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
> Parameter cert_request='-----BEGIN NEW CERTIFICATE REQUEST-----
> MIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG
> SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q
> nPQBQ6U0KbTKmKM81/2kD39eaMMzdyqBi+cbsPMOl93//B88Eu8QRLis6hYMmgUF
> v+cSS2JOHPOC8RY8YbkVlRYUGb+bMkldQEYsIOfad8xlfDBh+g5ImA/rYS2g6MgV
> CI0k/6w1nsNGJof7U2KEJpLJOvI//wznaF/kuJC5kYrPLbOIEbQvM5/8Kcyh1W48
> tgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67/Ax/I2T34MpD5AN
> WN1b9de3nWEce+MoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw
> GwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG
> A1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX/+EWI84MCIG
> CSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA
> A4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T+kGSDgnzdK8afO8CwC6kfwAP8PZNo2L
> cbpbiqYRSrwGOqmLpalxBG21T47c+onW2x8x4UYitpQH+UQE1P1SKiiiPA+6sj0f
> 5dFfPLjQGDrD1cpD8abY7HGPH3NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ
> PR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv
> fKrckHp4AHK7B0hv/teB7GiqqrYA3cq9M3T6B17MnmjDF/yrS8uLl6DhFug0PLE2
> fen/bDiCjJ3IDIqhS0hheym07ca8
> -----END NEW CERTIFICATE REQUEST-----
> '
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: End of CertProcessor
> Input Parameters
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
> isRenewal false
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
> profileId IPASubCA
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set
> Inputs into profile Context
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
> authenticator flatFileAuth found
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]:
> CertRequestSubmitter:setCredentialsIntoContext() authIds` null
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set
> sslClientCertProvider
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: authenticate:
> authentication required.
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: in auditSubjectID
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:
> auditSubjectID auditContext
> {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider at 5cd82562,
> profileContext=com.netscape.cms.profile.common.EnrollProfileContext at 727e748c}
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet
> auditSubjectID: subjectID: null
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: FlatFileAuth:
> concatenating string i=0  keyAttrs[0] = uid
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor:
> authentication error Authentication credential for uid is null.
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: SignedAuditEventFactory:
> create() message=[AuditEvent=AUTH_FAIL][SubjectID=$NonRoleUser$ :
> Unidentified][Outcome=Failure][AuthMgr=flatFileAuth][AttemptedCred=Unidentified]
> authentication failure
> 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet:
> authentication error in processing request: Authentication credential
> for uid is null.
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: curDate=Wed
> Sep 30 08:14:32 UTC 2015 id=caProfileSubmit time=12
> ###
> 

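One way to check the wiring asked about in the reply, as an added example that is not part of the thread and not Dogtag's own code: it verifies that a profile's `auth.instance_id` names an instance defined in CS.cfg and that each flat-file entry carries the configured key and auth attributes. The function names, the sample strings and the blank-line-separated flat-file layout are assumptions modelled on the values quoted in the message.

```python
import re

# Constructed sample inputs, modelled on the values quoted in the message.
CS_CFG = ("auths.instance.flatFileAuth.authAttributes=pwd\n"
          "auths.instance.flatFileAuth.keyAttributes=uid\n"
          "auths.instance.flatFileAuth.pluginName=FlatFileAuth\n")
PROFILE_OK = "enable=true\nauth.instance_id=flatFileAuth\n"
FLATFILE = "uid:foo\npwd:password\n"

def pairs(text, sep):
    """Parse 'name<sep>value' lines into a dict, skipping blanks and # comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and sep in line:
            name, value = line.split(sep, 1)
            out[name.strip()] = value.strip()
    return out

def flatfile_entries(text):
    """Assumed layout (from the sample in the message): blank-line-separated entries."""
    blocks = (pairs(b, ":") for b in re.split(r"\n\s*\n", text))
    return [b for b in blocks if b]

def check_flatfile_auth(cs_cfg, profile_cfg, flatfile):
    """Return a list of findings; an empty list means the three files agree."""
    cs, profile = pairs(cs_cfg, "="), pairs(profile_cfg, "=")
    inst = profile.get("auth.instance_id", "")
    if not inst:
        return ["profile sets no auth.instance_id"]
    prefix = "auths.instance.%s." % inst
    if prefix + "pluginName" not in cs:
        return ["profile references %r, which CS.cfg does not define" % inst]
    # Every attribute the instance names must have a value in each entry.
    needed = [a.strip() for k in ("keyAttributes", "authAttributes")
              for a in cs.get(prefix + k, "").split(",") if a.strip()]
    entries = flatfile_entries(flatfile)
    findings = [] if entries else ["flat file has no entries"]
    for i, entry in enumerate(entries):
        findings += ["entry %d lacks a value for %r" % (i, attr)
                     for attr in needed if not entry.get(attr)]
    return findings

if __name__ == "__main__":
    print(check_flatfile_auth(CS_CFG, PROFILE_OK, FLATFILE) or "consistent")
```
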


