[Pki-users] Flat-file auth

John Magne jmagne at redhat.com
Wed Sep 30 18:15:22 UTC 2015


Looking at the code and your logs more closely.

It looks like the proper auth manager is being invoked,
and it's reading the file correctly, it just appears that the
UID and pwd are not making it to the back end.

I can do some more poking around and get back.

thanks,
jack

----- Original Message -----
From: "James Masson" <james.masson at jmips.co.uk>
To: pki-users at redhat.com
Sent: Wednesday, September 30, 2015 10:39:03 AM
Subject: Re: [Pki-users] Flat-file auth



CSR Profile does reference the flatFile provider. 

I've also tried a similar setup with client-cert based auth, which also fails. 

Ditto with Dogtag 10.2 

I must be missing something here, or else Certmonger's Dogtag auth options aren't doing what they should. 

Thanks 

James M 
On 30 Sep 2015 6:29 pm, "John Magne" < jmagne at redhat.com > wrote: 


Hi: 

Have you modified the cert profile you are using to point to that auth instance? 

See profiles/ca/caRouterCert.cfg for a sample. 

Hopefully that is your issue. 



----- Original Message ----- 
> From: "James Masson" < james.masson at jmips.co.uk > 
> To: pki-users at redhat.com 
> Sent: Wednesday, September 30, 2015 1:25:41 AM 
> Subject: [Pki-users] Flat-file auth 
> 
> 
> Hi list, 
> 
> I'm trying to use flat-file auth on certificate requests via Certmonger. 
> I can successfully get certificates issued when I remove authentication. 
> I've restricted the Certificate Profile to require flat-file authentication. 
> 
> I'm running Centos7 with pki-server-10.1.2-7.el7.noarch and 
> certmonger-0.78.4-1.el7.centos.x86_64 
> 
> The error I get is. 
> 
> "[29/Sep/2015:15:31:38][http-bio-8080-exec-10]: CertProcessor: 
> authentication error Authentication credential for uid is null. 
> 
> The request generated by Certmonger looks like this. 
> 
> ### 
> GET 
> /ca/ee/ca/profileSubmit?profileId=IPASubCA&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG%0ASIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q%0AnPQBQ6U0KbTKmKM81%2F2kD39eaMMzdyqBi%2BcbsPMOl93%2F%2FB88Eu8QRLis6hYMmgUF%0Av%2BcSS2JOHPOC8RY8YbkVlRYUGb%2BbMkldQEYsIOfad8xlfDBh%2Bg5ImA%2FrYS2g6MgV%0ACI0k%2F6w1nsNGJof7U2KEJpLJOvI%2F%2FwznaF%2FkuJC5kYrPLbOIEbQvM5%2F8Kcyh1W48%0AtgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67%2FAx%2FI2T34MpD5AN%0AWN1b9de3nWEce%2BMoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw%0AGwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG%0AA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX%2F%2BEWI84MCIG%0ACSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA%0AA4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T%2BkGSDgnzdK8afO8CwC6kfwAP8PZNo2L%0AcbpbiqYRSrwGOqmLpalxBG21T47c%2BonW2x8x4UYitpQH%2BUQE1P1SKiiiPA%2B6sj0f%0A5dFfPLjQGDrD1cpD8abY7HGPH3NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ%0APR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv%0AfKrckHp4AHK7B0hv%2FteB7GiqqrYA3cq9M3T6B17MnmjDF%2FyrS8uLl6DhFug0PLE2%0Afen%2FbDiCjJ3IDIqhS0hheym07ca8%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true&uid=foo&pwd=password 
> ### 
> 
> flatfile.txt looks like: 
> # 
> uid:foo 
> pwd:password 
> 
> 
> # 
> 
> CS.cfg contains: 
> # 
> auths.instance.flatFileAuth.authAttributes=pwd 
> auths.instance.flatFileAuth.deferOnFailure=true 
> auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt 
> auths.instance.flatFileAuth.keyAttributes=uid 
> auths.instance.flatFileAuth.pluginName=FlatFileAuth 
> # 
> 
> 
> The full error from the pki debug logs is below 
> 
> thanks! 
> 
> James M 
> 
> ### 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:service() uri 
> = /ca/ee/ca/profileSubmit 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service() 
> param name='profileId' value='IPASubCA' 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service() 
> param name='cert_request_type' value='pkcs10' 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service() 
> param name='cert_request' value='-----BEGIN NEW CERTIFICATE REQUEST----- 
> MIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG 
> SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q 
> nPQBQ6U0KbTKmKM81/2kD39eaMMzdyqBi+cbsPMOl93//B88Eu8QRLis6hYMmgUF 
> v+cSS2JOHPOC8RY8YbkVlRYUGb+bMkldQEYsIOfad8xlfDBh+g5ImA/rYS2g6MgV 
> CI0k/6w1nsNGJof7U2KEJpLJOvI//wznaF/kuJC5kYrPLbOIEbQvM5/8Kcyh1W48 
> tgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67/Ax/I2T34MpD5AN 
> WN1b9de3nWEce+MoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw 
> GwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG 
> A1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX/+EWI84MCIG 
> CSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA 
> A4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T+kGSDgnzdK8afO8CwC6kfwAP8PZNo2L 
> cbpbiqYRSrwGOqmLpalxBG21T47c+onW2x8x4UYitpQH+UQE1P1SKiiiPA+6sj0f 
> 5dFfPLjQGDrD1cpD8abY7HGPH3NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ 
> PR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv 
> fKrckHp4AHK7B0hv/teB7GiqqrYA3cq9M3T6B17MnmjDF/yrS8uLl6DhFug0PLE2 
> fen/bDiCjJ3IDIqhS0hheym07ca8 
> -----END NEW CERTIFICATE REQUEST----- 
> ' 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service() 
> param name='xml' value='true' 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service() 
> param name='uid' value='foo' 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service() 
> param name='pwd' value='(sensitive)' 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: 
> caProfileSubmit start to service. 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: xmlOutput true 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet: 
> isRenewal false 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: according to ccMode, 
> authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, 
> use default authz mgr: {2}. 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: Start of CertProcessor 
> Input Parameters 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input 
> Parameter profileId='IPASubCA' 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input 
> Parameter cert_request_type='pkcs10' 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input 
> Parameter isRenewal='false' 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input 
> Parameter cert_request='-----BEGIN NEW CERTIFICATE REQUEST----- 
> MIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG 
> SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q 
> nPQBQ6U0KbTKmKM81/2kD39eaMMzdyqBi+cbsPMOl93//B88Eu8QRLis6hYMmgUF 
> v+cSS2JOHPOC8RY8YbkVlRYUGb+bMkldQEYsIOfad8xlfDBh+g5ImA/rYS2g6MgV 
> CI0k/6w1nsNGJof7U2KEJpLJOvI//wznaF/kuJC5kYrPLbOIEbQvM5/8Kcyh1W48 
> tgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67/Ax/I2T34MpD5AN 
> WN1b9de3nWEce+MoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw 
> GwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG 
> A1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX/+EWI84MCIG 
> CSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA 
> A4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T+kGSDgnzdK8afO8CwC6kfwAP8PZNo2L 
> cbpbiqYRSrwGOqmLpalxBG21T47c+onW2x8x4UYitpQH+UQE1P1SKiiiPA+6sj0f 
> 5dFfPLjQGDrD1cpD8abY7HGPH3NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ 
> PR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv 
> fKrckHp4AHK7B0hv/teB7GiqqrYA3cq9M3T6B17MnmjDF/yrS8uLl6DhFug0PLE2 
> fen/bDiCjJ3IDIqhS0hheym07ca8 
> -----END NEW CERTIFICATE REQUEST----- 
> ' 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: End of CertProcessor 
> Input Parameters 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: 
> isRenewal false 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: 
> profileId IPASubCA 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set 
> Inputs into profile Context 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: 
> authenticator flatFileAuth found 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: 
> CertRequestSubmitter:setCredentialsIntoContext() authIds` null 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set 
> sslClientCertProvider 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: authenticate: 
> authentication required. 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: in auditSubjectID 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: 
> auditSubjectID auditContext 
> {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@5cd82562, 
> profileContext=com.netscape.cms.profile.common.EnrollProfileContext@727e748c} 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet 
> auditSubjectID: subjectID: null 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: FlatFileAuth: 
> concatenating string i=0 keyAttrs[0] = uid 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor: 
> authentication error Authentication credential for uid is null. 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: SignedAuditEventFactory: 
> create() message=[AuditEvent=AUTH_FAIL][SubjectID=$NonRoleUser$ : 
> Unidentified][Outcome=Failure][AuthMgr=flatFileAuth][AttemptedCred=Unidentified] 
> authentication failure 
> 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet: 
> authentication error in processing request: Authentication credential 
> for uid is null. 
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: curDate=Wed 
> Sep 30 08:14:32 UTC 2015 id=caProfileSubmit time=12 
> ### 
> 
> _______________________________________________ 
> Pki-users mailing list 
> Pki-users at redhat.com 
> https://www.redhat.com/mailman/listinfo/pki-users 
> 
