[Pki-users] Flat-file auth

James Masson james.masson at jmips.co.uk
Wed Sep 30 17:39:03 UTC 2015


CSR Profile does reference the flatFile provider.

I've also tried a similar setup with client-cert based auth, which also
fails.

Ditto with Dogtag 10.2

I must be missing something here, or else Certmonger's Dogtag auth options
aren't doing what they should.

Thanks

James M
On 30 Sep 2015 6:29 pm, "John Magne" <jmagne at redhat.com> wrote:

> Hi:
>
> Have you modified the cert profile you are using to point to that auth
> instance?
>
> See profiles/ca/caRouterCert.cfg for a sample.
>
> Hopefully that is your issue.
>
>
>
> ----- Original Message -----
> > From: "James Masson" <james.masson at jmips.co.uk>
> > To: pki-users at redhat.com
> > Sent: Wednesday, September 30, 2015 1:25:41 AM
> > Subject: [Pki-users] Flat-file auth
> >
> >
> > Hi list,
> >
> > I'm trying to use flat-file auth on certificate requests via Certmonger.
> > I can successfully get certificates issued when I remove authentication.
> > I've restricted the Certificate Profile to require flat-file authentication.
> >
> > I'm running Centos7 with pki-server-10.1.2-7.el7.noarch and
> > certmonger-0.78.4-1.el7.centos.x86_64
> >
> > The error I get is.
> >
> > "[29/Sep/2015:15:31:38][http-bio-8080-exec-10]: CertProcessor:
> > authentication error Authentication credential for uid is null.
> >
> > The request generated by Certmonger looks like this.
> >
> > ###
> > GET
> >
> /ca/ee/ca/profileSubmit?profileId=IPASubCA&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG%0ASIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q%0AnPQBQ6U0KbTKmKM81%2F2kD39eaMMzdyqBi%2BcbsPMOl93%2F%2FB88Eu8QRLis6hYMmgUF%0Av%2BcSS2JOHPOC8RY8YbkVlRYUGb%2BbMkldQEYsIOfad8xlfDBh%2Bg5ImA%2FrYS2g6MgV%0ACI0k%2F6w1nsNGJof7U2KEJpLJOvI%2F%2FwznaF%2FkuJC5kYrPLbOIEbQvM5%2F8Kcyh1W48%0AtgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67%2FAx%2FI2T34MpD5AN%0AWN1b9de3nWEce%2BMoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw%0AGwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG%0AA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX%2F%2BEWI84MCIG%0ACSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA%0AA4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T%2BkGSDgnzdK8afO8CwC6kfwAP8PZNo2L%0AcbpbiqYRSrwGOqmLpalxBG21T47c%2BonW2x8x4UYitpQH%2BUQE1P1SKiiiPA%2B6sj0f%0A5dFfPLjQGDrD1cpD!
> >  8abY7HGPH
> >  3
> >
> NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ%0APR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv%0AfKrckHp4AHK7B0hv%2FteB7GiqqrYA3cq9M3T6B17MnmjDF%2FyrS8uLl6DhFug0PLE2%0Afen%2FbDiCjJ3IDIqhS0hheym07ca8%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true&uid=foo&pwd=password
> > ###
> >
> > flatfile.txt looks like:
> > #
> > uid:foo
> > pwd:password
> >
> >
> > #
> >
> > CS.cfg contains:
> > #
> > auths.instance.flatFileAuth.authAttributes=pwd
> > auths.instance.flatFileAuth.deferOnFailure=true
> > auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
> > auths.instance.flatFileAuth.keyAttributes=uid
> > auths.instance.flatFileAuth.pluginName=FlatFileAuth
> > #
> >
> >
> > The full error from the pki debug logs is below
> >
> > thanks!
> >
> > James M
> >
> > ###
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:service() uri
> > = /ca/ee/ca/profileSubmit
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> > param name='profileId' value='IPASubCA'
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> > param name='cert_request_type' value='pkcs10'
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> > param name='cert_request' value='-----BEGIN NEW CERTIFICATE REQUEST-----
> > -----END NEW CERTIFICATE REQUEST-----
> > '
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> > param name='xml' value='true'
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> > param name='uid' value='foo'
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> > param name='pwd' value='(sensitive)'
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:
> > caProfileSubmit start to service.
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: xmlOutput true
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet:
> > isRenewal false
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: according to ccMode,
> > authorization for servlet: caProfileSubmit is LDAP based, not XML {1},
> > use default authz mgr: {2}.
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: Start of CertProcessor
> > Input Parameters
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
> > Parameter profileId='IPASubCA'
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
> > Parameter cert_request_type='pkcs10'
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
> > Parameter isRenewal='false'
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
> > Parameter cert_request='-----BEGIN NEW CERTIFICATE REQUEST-----
> > -----END NEW CERTIFICATE REQUEST-----
> > '
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: End of CertProcessor
> > Input Parameters
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
> > isRenewal false
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
> > profileId IPASubCA
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set
> > Inputs into profile Context
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
> > authenticator flatFileAuth found
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]:
> > CertRequestSubmitter:setCredentialsIntoContext() authIds` null
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set
> > sslClientCertProvider
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: authenticate:
> > authentication required.
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: in auditSubjectID
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:
> > auditSubjectID auditContext
> > {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@5cd82562,
> > profileContext=com.netscape.cms.profile.common.EnrollProfileContext@727e748c}
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet
> > auditSubjectID: subjectID: null
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: FlatFileAuth:
> > concatenating string i=0  keyAttrs[0] = uid
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor:
> > authentication error Authentication credential for uid is null.
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: SignedAuditEventFactory:
> > create() message=[AuditEvent=AUTH_FAIL][SubjectID=$NonRoleUser$ :
> > Unidentified][Outcome=Failure][AuthMgr=flatFileAuth][AttemptedCred=Unidentified]
> > authentication failure
> >
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet:
> > authentication error in processing request: Authentication credential
> > for uid is null.
> > [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: curDate=Wed
> > Sep 30 08:14:32 UTC 2015 id=caProfileSubmit time=12
> > ###
> >
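
Added example (not part of the original thread, and not Dogtag or Certmonger code): a small Python triage script for the debug log quoted above. For each "credential for ... is null" error it reports, per worker thread, whether that parameter was logged as received by the servlet and whether it appeared among the CertProcessor input parameters. The sample lines are a constructed subset of the quoted log with wrapped lines rejoined; the regexes and the triage() name are assumptions based only on the line formats shown in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: subset of the debug log quoted in the thread, wrapped lines rejoined.
SAMPLE_LOG = """\
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:service() uri = /ca/ee/ca/profileSubmit
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service() param name='profileId' value='IPASubCA'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service() param name='uid' value='foo'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service() param name='pwd' value='(sensitive)'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input Parameter profileId='IPASubCA'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input Parameter cert_request_type='pkcs10'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: authenticator flatFileAuth found
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor: authentication error Authentication credential for uid is null.
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
HTTP_PARAM = re.compile(r"param name='([^']+)' value='")
PROC_PARAM = re.compile(r"CertProcessor Input Parameter (\w+)=")
AUTH_MGR = re.compile(r"authenticator (\S+) found")
NULL_CRED = re.compile(r"Authentication credential for (\S+) is null")

def triage(log_text):
    """Per thread: params seen by the servlet vs. the CertProcessor, and which credential was null."""
    state = defaultdict(lambda: {"http": set(), "processor": set(), "auth_mgr": None, "null_cred": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation of a multi-line value (e.g. a PEM body)
        s, msg = state[m["thread"]], m["msg"]
        if (p := HTTP_PARAM.search(msg)):
            s["http"].add(p.group(1))
        elif (p := PROC_PARAM.search(msg)):
            s["processor"].add(p.group(1))
        elif (p := AUTH_MGR.search(msg)):
            s["auth_mgr"] = p.group(1)
        elif (p := NULL_CRED.search(msg)):
            s["null_cred"].add(p.group(1))
    findings = []
    for thread, s in state.items():
        for cred in sorted(s["null_cred"]):
            findings.append({"thread": thread, "auth_mgr": s["auth_mgr"], "credential": cred,
                             "sent_by_client": cred in s["http"],
                             "listed_as_processor_input": cred in s["processor"]})
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, the finding shows uid was received by the servlet but is not among the logged CertProcessor input parameters; that is an observation about the log, not a diagnosis of the cause.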