From cfu at redhat.com Mon Aug 1 21:18:50 2016
From: cfu at redhat.com (Christina Fu)
Date: Mon, 1 Aug 2016 14:18:50 -0700
Subject: [Pki-users] setting up Directory-based authentication
In-Reply-To: <01b901d1e73d$e31301b0$a9390510$@gps-pamcary.com.br>
References: <01b901d1e73d$e31301b0$a9390510$@gps-pamcary.com.br>
Message-ID: <50d8356b-7507-8c99-db1d-72c7fd4ea2b8@redhat.com>

Hi Sergio,

I'm not sure if this has ever made it into the dogtag document, but here is the instruction I have written for bound LDAP based authentication. I can't say that I remember every detail, but it's what I have written down anyway ;-/

In some environments, one might want to disallow anonymous bind for the ldap server that is used for authentication. To create a bound connection between a CA and the ldap server, you need to make a few configuration changes:

* Set up directory-based authentication as in the following example in CS.cfg:

    auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
    auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
    auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
    auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
    externalLDAP.authPrefix=auths.instance.UserDirEnrollment
    cms.passwordlist=internaldb,replicationdb,externalLDAP

  where the bindPWPrompt is the "tag" or "prompt" that is used in the password.conf file; it is also the name used under the passwordlist and the authPrefix.

* Add the "tag" or "prompt" from the CS.cfg with its password in the password.conf:

    externalLDAP=

Please try it out and let us know if it works or if you need any clarification.

Hope this helps,
Christina

On 07/26/2016 06:01 AM, Sérgio Pereira wrote:
>
> Hi there,
>
> I'm having a hard time setting up the directory-based authentication
> for dogtag 10.3.3-1. I did follow the instructions at
> http://pki.fedoraproject.org/wiki/Directory-Authenticated_Profiles and
> I get an error when trying to bind/authenticate against the directory
> service (Microsoft AD2008) as follows:
>
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: DirBasedAuthentication: authenticate: before authenticate() call
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating UID=john.luk
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: UidPwdDirAuthentication: Authenticating: Searching for uid=john.luk base DN=OU=IT,dc=domain,dc=com
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: User authentication failure: netscape.ldap.LDAPException: error result (1); 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: closing bad connection
>
> The directives (below) are used to bind the AD2008 and I already
> tested the account and it is working.
>
> auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Service Account,ou=IT,dc=domain,dc=com
> auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=password
>
> John Luk is applying for the certificate using the web enrollment
> process (caDirUserCert profile).
>
> What am I missing?
>
> Thx,
>
> sergio
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From sergio.pereira at gps-pamcary.com.br Tue Aug 2 13:16:05 2016
From: sergio.pereira at gps-pamcary.com.br (Sérgio Pereira)
Date: Tue, 2 Aug 2016 10:16:05 -0300
Subject: [Pki-users] setting up Directory-based authentication
Message-ID: <036f01d1ecc0$065959d0$130c0d70$@gps-pamcary.com.br>

Hi Christina,

Worked like a charm.
I suggest updating the documentation (http://pki.fedoraproject.org/wiki/Directory-Authenticated_Profiles) to mention the tag ldapBoundConn=true (there is no reference to it).

Also, I've noticed that the authentication is based on the uid ldap attribute ... is there any way of changing it to authenticate against sAMAccountName (Microsoft Active Directory attribute)? I didn't find any tag to define the attribute I want to authenticate against.

Thank you once more

sergio

From jagadish_yellulla at tecnics.com Thu Aug 4 09:52:31 2016
From: jagadish_yellulla at tecnics.com (jagadish_yellulla at tecnics.com)
Date: Thu, 4 Aug 2016 15:22:31 +0530 (IST)
Subject: [Pki-users] Regarding DogTag
Message-ID: <1470304351.51037991@apps.rackspace.com>

Hi Support,

Could you please help us in installing/setting up a Dogtag 10 or Dogtag 9 environment on Red Hat Linux 6.

-> How to configure the dogtag repo in Red Hat.
-> Prerequisites like libraries
-> Step by step installation guide for each component.
-> Administration guide
-> High availability set up of Dogtag.
-> API to access from Java API based applications.

Thanks,
Jagadish Yellulla

From leonardo at lbasolutions.com Fri Aug 19 10:28:32 2016
From: leonardo at lbasolutions.com (Leonardo Bacha Abrantes)
Date: Fri, 19 Aug 2016 07:28:32 -0300
Subject: [Pki-users] Authorize Sub-CA to be created
Message-ID:

Hi guys,

I'm trying to configure a subordinate CA, but am receiving the message "ERROR: Unable to access security domain: 401 Client Error: Unauthorized".
I followed these steps:

===>> On Server01 (root-ca):

setup-ds.pl --silent General.FullMachineName=root-ca.xxx.xxx.xx \
  General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
  slapd.ServerPort=389 slapd.ServerIdentifier=pki-RootCA \
  slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
  slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=PASSWORD

myconfig.txt

[DEFAULT]
pki_admin_password=Root-CA_pwd
pki_client_database_password=Root-CA_pwd
pki_client_pkcs12_password=Root-CA_pwd
pki_ds_password=Root-CA_pwd
pki_security_domain_password=Root-CA_pwd
pki_admin_password=Root-CA_pwd
pki_client_database_password=Root-CA_pwd
pki_client_pkcs12_password=Root-CA_pwd
pki_ds_bind_dn=cn=ldapadmin
pki_ds_password=Root-CA_pwd
pki_security_domain_password=Root-CA_pwd
pki_instance_name=pki-RootCA

[CA]
pki_ca_signing_subject_dn=cn=EXAMLE Root Certification Authority,o=XXXXXXXXXXX,c=BR
pki_admin_nickname=PKI Administrator for EXAMPLE
pki_admin_subject_dn=cn=PKI Administrator Root CA,e=admin at XXXXX.XXX.xx,o=XXXXXXXXXX,c=BR
pki_admin_email=admin at XXXXXX.xxx.xx

===>> On Server02 (Sub-ca):

setup-ds.pl --silent General.FullMachineName=sub-ca.xxx.xxx.xx \
  General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
  slapd.ServerPort=389 slapd.ServerIdentifier=pki-SubCA \
  slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
  slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=OTHER_PASSWORD

myconfig.txt

[DEFAULT]
pki_admin_password=SUB-CA_Passord
pki_client_database_password=SUB-CA_Passord
pki_client_pkcs12_password=SUB-CA_Passord
pki_ds_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_admin_password=SUB-CA_Passord
pki_client_database_password=SUB-CA_Passord
pki_client_pkcs12_password=SUB-CA_Passord
pki_ds_bind_dn=cn=ldapadmin
pki_ds_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_instance_name=pki-SubCA
pki_security_domain_hostname=root-ca.xxxx.xxx.xx
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin

[CA]
pki_subordinate=True
pki_issuing_ca=https://root-ca.xxxx.xxxv.xx:8443
pki_ca_signing_subject_dn=cn=EXAMPLE Certification Authority L2,o=XXXXXXXXXXX,c=BR
pki_subordinate_create_new_security_domain=True
pki_subordinate_security_domain_name=EXAMPLE Certification Authority L2
pki_admin_nickname=PKI Administrator for Example Sub-CA L2
pki_admin_subject_dn=cn=PKI Administrator CA L2,e=admin at xxxxx.xxx.xx,o=XXXXXXXXXXX,c=BR
pki_admin_email=admin at xxxx.xxx.xx

When I run pkispawn -v -s CA -f myconfig.txt on Server02:

ERROR: Unable to access security domain: 401 Client Error: Unauthorized

===

I tried to use the same passwords in myconfig.txt on both servers just to test, but I receive the same message.

Can you help me please?

many thanks!

From leonardo at lbasolutions.com Fri Aug 19 17:45:19 2016
From: leonardo at lbasolutions.com (Leonardo Bacha Abrantes)
Date: Fri, 19 Aug 2016 14:45:19 -0300
Subject: [Pki-users] Authorize Sub-CA to be created
In-Reply-To:
References:
Message-ID:

Hi, below my debug log

[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SessionContextInterceptor: SecurityDomainResource.getDomainInfo()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SessionContextInterceptor: Not authenticated.
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: mapping: default
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: required auth methods: [*]
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: anonymous access allowed
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: SecurityDomainResource.getDomainInfo()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor.filter: no authorization required
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: No ACL mapping; authz not required.
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization success
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: content-type: null
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: accept: [application/json]
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: response format: application/json
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapBoundConnFactory: init
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapBoundConnFactory:doCloning true
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init begins
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: prompt is internaldb
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: try getting from memory cache
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: got password from memory
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: password found for prompt.
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: password ok: store in memory cache
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init ends
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: init: before makeConnection errorIfDown is false
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: makeConnection: errorIfDown false
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Established LDAP connection using basic authentication to host root-ca.xxxxx.xxx.xx port 389 as cn=ldapadmin
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: initializing with mininum 3 and maximum 15 connections to host root-ca.xxxxx.xxx.xx port 389, secure connection, false, authentication type 1
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: increasing minimum connections by 3
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new total available connections 3
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new number of connections 3
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: In LdapBoundConnFactory::getConn()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: masterConn is connected: true
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: conn is connected true
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: mNumConns now 2
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: name: xxxxx.xxx.xx Security Domain
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: CA
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - cn=root-ca.xxxxx.xxx.xx:8443,cn=CAList,ou=Security Domain,o=pki-RootCA-CA
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - objectClass: top
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - host: root-ca.xxxxx.xxx.xx
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecurePort: 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecureAgentPort: 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecureAdminPort: 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - UnSecurePort: 8080
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - Clone: FALSE
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SubsystemName: CA root-ca.xxxxx.xxx.xx 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - cn: root-ca.xxxxx.xxx.xx:8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - DomainManager: TRUE
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: OCSP
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: KRA
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: RA
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: TKS
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: TPS
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: Releasing ldap connection
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PKIRealm: Authenticating user caadmin with password.
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PasswdUserDBAuthentication: UID: caadmin [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: In LdapBoundConnFactory::getConn() [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: masterConn is connected: true [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: conn is connected true [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: mNumConns now 2 [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3 [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PasswdUserDBAuthentication: DN: uid=caadmin,ou=people,o=pki-RootCA-CA [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: LdapAnonConnFactory::getConn [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: LdapAnonConnFactory.getConn(): num avail conns now 2 [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 2 [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure any help will be very much appreciated ! On Fri, Aug 19, 2016 at 7:28 AM, Leonardo Bacha Abrantes < leonardo at lbasolutions.com> wrote: > Hi guys, > > I'm trying to configure a subordinate CA, but am receiving the message > "ERROR: Unable to access security domain: 401 Client Error: Unauthorized". 
> > > I follow these steps: > > > > > ===>> On Server01 (root-ca): > > > setup-ds.pl --silent General.FullMachineName=root-ca.xxx.xxx.xx \ > General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \ > slapd.ServerPort=389 slapd.ServerIdentifier=pki-RootCA \ > slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \ > slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=PASSWORD > > > > > myconfig.txt > > > [DEFAULT] > pki_admin_password=Root-CA_pwd > pki_client_database_password=Root-CA_pwd > pki_client_pkcs12_password=Root-CA_pwd > pki_ds_password=Root-CA_pwd > pki_security_domain_password=Root-CA_pwd > pki_admin_password=Root-CA_pwd > pki_client_database_password=Root-CA_pwd > pki_client_pkcs12_password=Root-CA_pwd > pki_ds_bind_dn=cn=ldapadmin > pki_ds_password=Root-CA_pwd > pki_security_domain_password=Root-CA_pwd > pki_instance_name=pki-RootCA > > [CA] > pki_ca_signing_subject_dn=cn=EXAMLE Root Certification > Authority,o=XXXXXXXXXXX,c=BR > pki_admin_nickname=PKI Administrator for EXAMPLE > pki_admin_subject_dn=cn=PKI Administrator Root CA,e=admin at XXXXX.XXX.xx,o= > XXXXXXXXXX,c=BR > pki_admin_email=admin at XXXXXX.xxx.xx > > > > > > ===>> On Server02 (Sub-ca): > > > setup-ds.pl --silent General.FullMachineName=sub-ca.xxx.xxx.xx \ > General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \ > slapd.ServerPort=389 slapd.ServerIdentifier=pki-SubCA \ > slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \ > slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=OTHER_PASSWORD > > > > > myconfig.txt > > [DEFAULT] > pki_admin_password=SUB-CA_Passord > pki_client_database_password=SUB-CA_Passord > pki_client_pkcs12_password=SUB-CA_Passord > pki_ds_password=SUB-CA_Passord > pki_security_domain_password=SUB-CA_Passord > pki_admin_password=SUB-CA_Passord > pki_client_database_password=SUB-CA_Passord > pki_client_pkcs12_password=SUB-CA_Passord > pki_ds_bind_dn=cn=ldapadmin > pki_ds_password=SUB-CA_Passord > pki_security_domain_password=SUB-CA_Passord > pki_instance_name=pki-SubCA > 
pki_security_domain_hostname=root-ca.xxxx.xxx.xx > pki_security_domain_https_port=8443 > pki_security_domain_user=caadmin > > [CA] > pki_subordinate=True > pki_issuing_ca=https://root-ca.xxxx.xxxv.xx:8443 > pki_ca_signing_subject_dn=cn=EXAMPLE Certification Authority > L2,o=XXXXXXXXXXX,c=BR > pki_subordinate_create_new_security_domain=True > pki_subordinate_security_domain_name=EXAMPLE Certification Authority L2 > pki_admin_nickname=PKI Administrator for Example Sub-CA L2 > pki_admin_subject_dn=cn=PKI Administrator CA L2,e=admin at xxxxx.xxx.xx,o= > XXXXXXXXXXX,c=BR > pki_admin_email=admin at xxxx.xxx.xx > > > > > when I run pkispawn -v -s CA -f myconfig.txt on Server02: > > > ERROR: Unable to access security domain: 401 Client Error: Unauthorized > > > > === > > > > I tried to use the same passwords on myconfig.txt in both servers just to > test, but I receive the same message. > > > Can you help me please ? > > many thanks! > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From msauton at redhat.com Sat Aug 20 01:57:55 2016 From: msauton at redhat.com (Marc Sauton) Date: Fri, 19 Aug 2016 18:57:55 -0700 Subject: [Pki-users] Authorize Sub-CA to be created In-Reply-To: References: Message-ID: <57B7B923.8060004@redhat.com> the password provided for the uid caadmin may have been "incorrect" Thanks, M. On 08/19/2016 10:45 AM, Leonardo Bacha Abrantes wrote: > Hi, bellow my debug log > > > > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SessionContextInterceptor: SecurityDomainResource.getDomainInfo() > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SessionContextInterceptor: Not authenticated. 
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: > SecurityDomainResource.getDomainInfo() > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: > mapping: default > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: > required auth methods: [*] > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: > anonymous access allowed > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: > SecurityDomainResource.getDomainInfo() > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor.filter: > no authorization required > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: No ACL > mapping; authz not required. > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SignedAuditEventFactory: create() > message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL > mapping not found; OK:SecurityDomainResource.getDomainInfo] > authorization success > > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > MessageFormatInterceptor: SecurityDomainResource.getDomainInfo() > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > MessageFormatInterceptor: content-type: null > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > MessageFormatInterceptor: accept: [application/json] > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > MessageFormatInterceptor: response format: application/json > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: according to ccMode, > authorization for servlet: securitydomain is LDAP based, not XML {1}, > use default authz mgr: {2}. 
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Creating > LdapBoundConnFactor(SecurityDomainProcessor) > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapBoundConnFactory: init > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > LdapBoundConnFactory:doCloning true > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init() > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init begins > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: > prompt is internaldb > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: try > getting from memory cache > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: got > password from memory > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: > password found for prompt. > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: password > ok: store in memory cache > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init ends > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: init: before > makeConnection errorIfDown is false > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: makeConnection: > errorIfDown false > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Established LDAP > connection using basic authentication to host root-ca.xxxxx.xxx.xx > port 389 as cn=ldapadmin > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: initializing with > mininum 3 and maximum 15 connections to host root-ca.xxxxx.xxx.xx port > 389, secure connection, false, authentication type 1 > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: increasing minimum > connections by 3 > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new total available > connections 3 > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new number of connections 3 > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: In > LdapBoundConnFactory::getConn() > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: masterConn is > connected: true > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: conn is > 
connected true > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: mNumConns now 2 > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SecurityDomainProcessor: name: xxxxx.xxx.xx Security Domain > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SecurityDomainProcessor: subtype: CA > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SecurityDomainProcessor: - > cn=root-ca.xxxxx.xxx.xx:8443,cn=CAList,ou=Security Domain,o=pki-RootCA-CA > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SecurityDomainProcessor: - objectClass: top > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SecurityDomainProcessor: - host: root-ca.xxxxx.xxx.xx > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SecurityDomainProcessor: - SecurePort: 8443 > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SecurityDomainProcessor: - SecureAgentPort: 8443 > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SecurityDomainProcessor: - SecureAdminPort: 8443 > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SecurityDomainProcessor: - SecureEEClientAuthPort: 8443 > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SecurityDomainProcessor: - UnSecurePort: 8080 > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SecurityDomainProcessor: - Clone: FALSE > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SecurityDomainProcessor: - SubsystemName: CA root-ca.xxxxx.xxx.xx 8443 > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SecurityDomainProcessor: - cn: root-ca.xxxxx.xxx.xx:8443 > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SecurityDomainProcessor: - DomainManager: TRUE > [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: > SecurityDomainProcessor: subtype: OCSP > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: > SecurityDomainProcessor: subtype: KRA > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: > SecurityDomainProcessor: subtype: RA > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: > SecurityDomainProcessor: subtype: TKS > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: > SecurityDomainProcessor: 
subtype: TPS > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: Releasing ldap connection > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3 > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PKIRealm: > Authenticating user caadmin with password. > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: > PasswdUserDBAuthentication: UID: caadmin > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: In > LdapBoundConnFactory::getConn() > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: masterConn is > connected: true > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: conn is > connected true > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: mNumConns now 2 > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3 > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: > PasswdUserDBAuthentication: DN: uid=caadmin,ou=people,o=pki-RootCA-CA > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: > LdapAnonConnFactory::getConn > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: > LdapAnonConnFactory.getConn(): num avail conns now 2 > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 2 > [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: > SignedAuditEventFactory: create() > message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] > authentication failure > > > > any help will be very much appreciated ! > > > On Fri, Aug 19, 2016 at 7:28 AM, Leonardo Bacha Abrantes > > wrote: > > Hi guys, > > I'm trying to configure a subordinate CA, but am receiving the > message "ERROR: Unable to access security domain: 401 Client > Error: Unauthorized". 
>
> I follow these steps:
>
> ===>> On Server01 (root-ca):
>
> setup-ds.pl --silent General.FullMachineName=root-ca.xxx.xxx.xx \
> General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
> slapd.ServerPort=389 slapd.ServerIdentifier=pki-RootCA \
> slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
> slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=PASSWORD
>
> > myconfig.txt
>
> [DEFAULT]
> pki_admin_password=Root-CA_pwd
> pki_client_database_password=Root-CA_pwd
> pki_client_pkcs12_password=Root-CA_pwd
> pki_ds_password=Root-CA_pwd
> pki_security_domain_password=Root-CA_pwd
> pki_admin_password=Root-CA_pwd
> pki_client_database_password=Root-CA_pwd
> pki_client_pkcs12_password=Root-CA_pwd
> pki_ds_bind_dn=cn=ldapadmin
> pki_ds_password=Root-CA_pwd
> pki_security_domain_password=Root-CA_pwd
> pki_instance_name=pki-RootCA
>
> [CA]
> pki_ca_signing_subject_dn=cn=EXAMLE Root Certification Authority,o=XXXXXXXXXXX,c=BR
> pki_admin_nickname=PKI Administrator for EXAMPLE
> pki_admin_subject_dn=cn=PKI Administrator Root CA,e=admin at XXXXX.XXX.xx,o=XXXXXXXXXX,c=BR
> pki_admin_email=admin at XXXXXX.xxx.xx
>
> ===>> On Server02 (Sub-ca):
>
> setup-ds.pl --silent General.FullMachineName=sub-ca.xxx.xxx.xx \
> General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
> slapd.ServerPort=389 slapd.ServerIdentifier=pki-SubCA \
> slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
> slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=OTHER_PASSWORD
>
> > myconfig.txt
>
> [DEFAULT]
> pki_admin_password=SUB-CA_Passord
> pki_client_database_password=SUB-CA_Passord
> pki_client_pkcs12_password=SUB-CA_Passord
> pki_ds_password=SUB-CA_Passord
> pki_security_domain_password=SUB-CA_Passord
> pki_admin_password=SUB-CA_Passord
> pki_client_database_password=SUB-CA_Passord
> pki_client_pkcs12_password=SUB-CA_Passord
> pki_ds_bind_dn=cn=ldapadmin
> pki_ds_password=SUB-CA_Passord
> pki_security_domain_password=SUB-CA_Passord
> pki_instance_name=pki-SubCA
> pki_security_domain_hostname=root-ca.xxxx.xxx.xx
> pki_security_domain_https_port=8443
> pki_security_domain_user=caadmin
>
> [CA]
> pki_subordinate=True
> pki_issuing_ca=https://root-ca.xxxx.xxxv.xx:8443
> pki_ca_signing_subject_dn=cn=EXAMPLE Certification Authority L2,o=XXXXXXXXXXX,c=BR
> pki_subordinate_create_new_security_domain=True
> pki_subordinate_security_domain_name=EXAMPLE Certification Authority L2
> pki_admin_nickname=PKI Administrator for Example Sub-CA L2
> pki_admin_subject_dn=cn=PKI Administrator CA L2,e=admin at xxxxx.xxx.xx,o=XXXXXXXXXXX,c=BR
> pki_admin_email=admin at xxxx.xxx.xx
>
> when I run pkispawn -v -s CA -f myconfig.txt on Server02:
>
> ERROR: Unable to access security domain: 401 Client Error: Unauthorized
>
> ===
>
> I tried to use the same passwords on myconfig.txt in both servers just to test, but I receive the same message.
>
> Can you help me please ?
>
> many thanks!
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From leonardo at lbasolutions.com Sat Aug 20 02:53:50 2016
From: leonardo at lbasolutions.com (Leonardo Bacha Abrantes)
Date: Fri, 19 Aug 2016 23:53:50 -0300
Subject: [Pki-users] Authorize Sub-CA to be created
In-Reply-To: <57B7B923.8060004@redhat.com>
References: <57B7B923.8060004@redhat.com>
Message-ID:

Hi Marc,

Yep, I saw it in the log, but it's strange because I typed the correct password (copy and paste to avoid errors). I also tried to use the same password for all parameters in both servers just to test, but it failed.

I don't know exactly if something is missing in the myconfig.txt file on server01 or in server02, or if I skipped some step. The steps are: configure a directory server and create a config file to be used by pkispawn, in both servers, and then run pkispawn -s Ca -f myconfig.txt.
Is it right, or is it necessary to do anything else?

Many thanks!

On Aug 19, 2016 10:57 PM, "Marc Sauton" wrote:

> the password provided for the uid caadmin may have been "incorrect"
> Thanks,
> M.
>
> On 08/19/2016 10:45 AM, Leonardo Bacha Abrantes wrote:
>
> Hi, below is my debug log
>
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SessionContextInterceptor: SecurityDomainResource.getDomainInfo()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SessionContextInterceptor: Not authenticated.
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: mapping: default
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: required auth methods: [*]
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: anonymous access allowed
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: SecurityDomainResource.getDomainInfo()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor.filter: no authorization required
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: No ACL mapping; authz not required.
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization success
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: content-type: null
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: accept: [application/json]
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: response format: application/json
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapBoundConnFactory: init
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapBoundConnFactory:doCloning true
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init begins
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: prompt is internaldb
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: try getting from memory cache
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: got password from memory
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: password found for prompt.
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: password ok: store in memory cache
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init ends
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: init: before makeConnection errorIfDown is false
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: makeConnection: errorIfDown false
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Established LDAP connection using basic authentication to host root-ca.xxxxx.xxx.xx port 389 as cn=ldapadmin
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: initializing with mininum 3 and maximum 15 connections to host root-ca.xxxxx.xxx.xx port 389, secure connection, false, authentication type 1
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: increasing minimum connections by 3
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new total available connections 3
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new number of connections 3
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: In LdapBoundConnFactory::getConn()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: masterConn is connected: true
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: conn is connected true
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: mNumConns now 2
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: name: xxxxx.xxx.xx Security Domain
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: CA
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - cn=root-ca.xxxxx.xxx.xx:8443,cn=CAList,ou=Security Domain,o=pki-RootCA-CA
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - objectClass: top
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - host: root-ca.xxxxx.xxx.xx
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecurePort: 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecureAgentPort: 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecureAdminPort: 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - UnSecurePort: 8080
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - Clone: FALSE
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SubsystemName: CA root-ca.xxxxx.xxx.xx 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - cn: root-ca.xxxxx.xxx.xx:8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - DomainManager: TRUE
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: OCSP
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: KRA
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: RA
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: TKS
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: TPS
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: Releasing ldap connection
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PKIRealm: Authenticating user caadmin with password.
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PasswdUserDBAuthentication: UID: caadmin
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: In LdapBoundConnFactory::getConn()
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: masterConn is connected: true
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: conn is connected true
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: mNumConns now 2
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PasswdUserDBAuthentication: DN: uid=caadmin,ou=people,o=pki-RootCA-CA
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: LdapAnonConnFactory::getConn
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: LdapAnonConnFactory.getConn(): num avail conns now 2
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 2
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
>
> any help will be very much appreciated !
>
> On Fri, Aug 19, 2016 at 7:28 AM, Leonardo Bacha Abrantes <leonardo at lbasolutions.com> wrote:
>
>> Hi guys,
>>
>> I'm trying to configure a subordinate CA, but am receiving the message "ERROR: Unable to access security domain: 401 Client Error: Unauthorized".
>>
>> I follow these steps:
>>
>> ===>> On Server01 (root-ca):
>>
>> setup-ds.pl --silent General.FullMachineName=root-ca.xxx.xxx.xx \
>> General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
>> slapd.ServerPort=389 slapd.ServerIdentifier=pki-RootCA \
>> slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
>> slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=PASSWORD
>>
>> > myconfig.txt
>>
>> [DEFAULT]
>> pki_admin_password=Root-CA_pwd
>> pki_client_database_password=Root-CA_pwd
>> pki_client_pkcs12_password=Root-CA_pwd
>> pki_ds_password=Root-CA_pwd
>> pki_security_domain_password=Root-CA_pwd
>> pki_admin_password=Root-CA_pwd
>> pki_client_database_password=Root-CA_pwd
>> pki_client_pkcs12_password=Root-CA_pwd
>> pki_ds_bind_dn=cn=ldapadmin
>> pki_ds_password=Root-CA_pwd
>> pki_security_domain_password=Root-CA_pwd
>> pki_instance_name=pki-RootCA
>>
>> [CA]
>> pki_ca_signing_subject_dn=cn=EXAMLE Root Certification Authority,o=XXXXXXXXXXX,c=BR
>> pki_admin_nickname=PKI Administrator for EXAMPLE
>> pki_admin_subject_dn=cn=PKI Administrator Root CA,e=admin at XXXXX.XXX.xx,o=XXXXXXXXXX,c=BR
>> pki_admin_email=admin at XXXXXX.xxx.xx
>>
>> ===>> On Server02 (Sub-ca):
>>
>> setup-ds.pl --silent General.FullMachineName=sub-ca.xxx.xxx.xx \
>> General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
>> slapd.ServerPort=389 slapd.ServerIdentifier=pki-SubCA \
>> slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
>> slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=OTHER_PASSWORD
>>
>> > myconfig.txt
>>
>> [DEFAULT]
>> pki_admin_password=SUB-CA_Passord
>> pki_client_database_password=SUB-CA_Passord
>> pki_client_pkcs12_password=SUB-CA_Passord
>> pki_ds_password=SUB-CA_Passord
>> pki_security_domain_password=SUB-CA_Passord
>> pki_admin_password=SUB-CA_Passord
>> pki_client_database_password=SUB-CA_Passord
>> pki_client_pkcs12_password=SUB-CA_Passord
>> pki_ds_bind_dn=cn=ldapadmin
>> pki_ds_password=SUB-CA_Passord
>> pki_security_domain_password=SUB-CA_Passord
>> pki_instance_name=pki-SubCA
>> pki_security_domain_hostname=root-ca.xxxx.xxx.xx
>> pki_security_domain_https_port=8443
>> pki_security_domain_user=caadmin
>>
>> [CA]
>> pki_subordinate=True
>> pki_issuing_ca=https://root-ca.xxxx.xxxv.xx:8443
>> pki_ca_signing_subject_dn=cn=EXAMPLE Certification Authority L2,o=XXXXXXXXXXX,c=BR
>> pki_subordinate_create_new_security_domain=True
>> pki_subordinate_security_domain_name=EXAMPLE Certification Authority L2
>> pki_admin_nickname=PKI Administrator for Example Sub-CA L2
>> pki_admin_subject_dn=cn=PKI Administrator CA L2,e=admin at xxxxx.xxx.xx,o=XXXXXXXXXXX,c=BR
>> pki_admin_email=admin at xxxx.xxx.xx
>>
>> when I run pkispawn -v -s CA -f myconfig.txt on Server02:
>>
>> ERROR: Unable to access security domain: 401 Client Error: Unauthorized
>>
>> ===
>>
>> I tried to use the same passwords on myconfig.txt in both servers just to test, but I receive the same message.
>>
>> Can you help me please ?
>>
>> many thanks!
>>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From alee at redhat.com Mon Aug 22 14:03:07 2016
From: alee at redhat.com (Ade Lee)
Date: Mon, 22 Aug 2016 10:03:07 -0400
Subject: [Pki-users] Authorize Sub-CA to be created
In-Reply-To:
References:
Message-ID: <1471874587.11148.9.camel@redhat.com>

See inline below --

On Fri, 2016-08-19 at 07:28 -0300, Leonardo Bacha Abrantes wrote:
> Hi guys,
>
> I'm trying to configure a subordinate CA, but am receiving the message "ERROR: Unable to access security domain: 401 Client Error: Unauthorized".
>
> I follow these steps:
>
> ===>> On Server01 (root-ca):
>
> setup-ds.pl --silent General.FullMachineName=root-ca.xxx.xxx.xx \
> General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
> slapd.ServerPort=389 slapd.ServerIdentifier=pki-RootCA \
> slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
> slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=PASSWORD
>
> > myconfig.txt
>
> [DEFAULT]
> pki_admin_password=Root-CA_pwd
> pki_client_database_password=Root-CA_pwd
> pki_client_pkcs12_password=Root-CA_pwd
> pki_ds_password=Root-CA_pwd
> pki_security_domain_password=Root-CA_pwd
> pki_admin_password=Root-CA_pwd
> pki_client_database_password=Root-CA_pwd
> pki_client_pkcs12_password=Root-CA_pwd
> pki_ds_bind_dn=cn=ldapadmin
> pki_ds_password=Root-CA_pwd
> pki_security_domain_password=Root-CA_pwd
> pki_instance_name=pki-RootCA
>
> [CA]
> pki_ca_signing_subject_dn=cn=EXAMLE Root Certification Authority,o=XXXXXXXXXXX,c=BR
> pki_admin_nickname=PKI Administrator for EXAMPLE
> pki_admin_subject_dn=cn=PKI Administrator Root CA,e=admin at XXXXX.XXX.xx,o=XXXXXXXXXX,c=BR
> pki_admin_email=admin at XXXXXX.xxx.xx
>
> ===>> On Server02 (Sub-ca):
>
> setup-ds.pl --silent General.FullMachineName=sub-ca.xxx.xxx.xx \
> General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
> slapd.ServerPort=389 slapd.ServerIdentifier=pki-SubCA \
> slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
> slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=OTHER_PASSWORD
>
> > myconfig.txt
>
> [DEFAULT]
> pki_admin_password=SUB-CA_Passord
> pki_client_database_password=SUB-CA_Passord
> pki_client_pkcs12_password=SUB-CA_Passord
> pki_ds_password=SUB-CA_Passord
> pki_security_domain_password=SUB-CA_Passord
> pki_admin_password=SUB-CA_Passord
> pki_client_database_password=SUB-CA_Passord
> pki_client_pkcs12_password=SUB-CA_Passord
> pki_ds_bind_dn=cn=ldapadmin
> pki_ds_password=SUB-CA_Passord
> pki_security_domain_password=SUB-CA_Passord

This is incorrect. The security domain password -- which for some reason you have listed twice in this section -- should be the password for the admin user in the root CA.

The subCA is contacting the rootCA, which hosts the security domain, to register the new subsystem with the domain.

> pki_instance_name=pki-SubCA
> pki_security_domain_hostname=root-ca.xxxx.xxx.xx
> pki_security_domain_https_port=8443
> pki_security_domain_user=caadmin
>
> [CA]
> pki_subordinate=True
> pki_issuing_ca=https://root-ca.xxxx.xxxv.xx:8443
> pki_ca_signing_subject_dn=cn=EXAMPLE Certification Authority L2,o=XXXXXXXXXXX,c=BR
> pki_subordinate_create_new_security_domain=True
> pki_subordinate_security_domain_name=EXAMPLE Certification Authority L2
> pki_admin_nickname=PKI Administrator for Example Sub-CA L2
> pki_admin_subject_dn=cn=PKI Administrator CA L2,e=admin at xxxxx.xxx.xx,o=XXXXXXXXXXX,c=BR
> pki_admin_email=admin at xxxx.xxx.xx
>
> when I run pkispawn -v -s CA -f myconfig.txt on Server02:
>
> ERROR: Unable to access security domain: 401 Client Error: Unauthorized
>
> ===
>
> I tried to use the same passwords on myconfig.txt in both servers just to test, but I receive the same message.
>
> Can you help me please ?
>
> many thanks!
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From leonardo at lbasolutions.com Tue Aug 23 16:45:20 2016
From: leonardo at lbasolutions.com (Leonardo Bacha Abrantes)
Date: Tue, 23 Aug 2016 13:45:20 -0300
Subject: [Pki-users] Authorize Sub-CA to be created
In-Reply-To: <1471874587.11148.9.camel@redhat.com>
References: <1471874587.11148.9.camel@redhat.com>
Message-ID:

Hi,

It worked!! Only, the Subordinate CA has a certificate valid only for 2 years. Now I'm looking for how to increase it.

Many thanks!
On Mon, Aug 22, 2016 at 11:03 AM, Ade Lee wrote:

> See inline below --
>
> On Fri, 2016-08-19 at 07:28 -0300, Leonardo Bacha Abrantes wrote:
>
> Hi guys,
>
> I'm trying to configure a subordinate CA, but am receiving the message "ERROR: Unable to access security domain: 401 Client Error: Unauthorized".
>
> I follow these steps:
>
> ===>> On Server01 (root-ca):
>
> setup-ds.pl --silent General.FullMachineName=root-ca.xxx.xxx.xx \
> General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
> slapd.ServerPort=389 slapd.ServerIdentifier=pki-RootCA \
> slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
> slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=PASSWORD
>
> > myconfig.txt
>
> [DEFAULT]
> pki_admin_password=Root-CA_pwd
> pki_client_database_password=Root-CA_pwd
> pki_client_pkcs12_password=Root-CA_pwd
> pki_ds_password=Root-CA_pwd
> pki_security_domain_password=Root-CA_pwd
> pki_admin_password=Root-CA_pwd
> pki_client_database_password=Root-CA_pwd
> pki_client_pkcs12_password=Root-CA_pwd
> pki_ds_bind_dn=cn=ldapadmin
> pki_ds_password=Root-CA_pwd
> pki_security_domain_password=Root-CA_pwd
> pki_instance_name=pki-RootCA
>
> [CA]
> pki_ca_signing_subject_dn=cn=EXAMLE Root Certification Authority,o=XXXXXXXXXXX,c=BR
> pki_admin_nickname=PKI Administrator for EXAMPLE
> pki_admin_subject_dn=cn=PKI Administrator Root CA,e=admin at XXXXX.XXX.xx,o=XXXXXXXXXX,c=BR
> pki_admin_email=admin at XXXXXX.xxx.xx
>
> ===>> On Server02 (Sub-ca):
>
> setup-ds.pl --silent General.FullMachineName=sub-ca.xxx.xxx.xx \
> General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
> slapd.ServerPort=389 slapd.ServerIdentifier=pki-SubCA \
> slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
> slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=OTHER_PASSWORD
>
> > myconfig.txt
>
> [DEFAULT]
> pki_admin_password=SUB-CA_Passord
> pki_client_database_password=SUB-CA_Passord
> pki_client_pkcs12_password=SUB-CA_Passord
> pki_ds_password=SUB-CA_Passord
> pki_security_domain_password=SUB-CA_Passord
> pki_admin_password=SUB-CA_Passord
> pki_client_database_password=SUB-CA_Passord
> pki_client_pkcs12_password=SUB-CA_Passord
> pki_ds_bind_dn=cn=ldapadmin
> pki_ds_password=SUB-CA_Passord
> pki_security_domain_password=SUB-CA_Passord
>
> This is incorrect. The security domain password -- which for some reason you have listed twice in this section -- should be the password for the admin user in the root CA.
>
> The subCA is contacting the rootCA, which hosts the security domain, to register the new subsystem with the domain.
>
> pki_instance_name=pki-SubCA
> pki_security_domain_hostname=root-ca.xxxx.xxx.xx
> pki_security_domain_https_port=8443
> pki_security_domain_user=caadmin
>
> [CA]
> pki_subordinate=True
> pki_issuing_ca=https://root-ca.xxxx.xxxv.xx:8443
> pki_ca_signing_subject_dn=cn=EXAMPLE Certification Authority L2,o=XXXXXXXXXXX,c=BR
> pki_subordinate_create_new_security_domain=True
> pki_subordinate_security_domain_name=EXAMPLE Certification Authority L2
> pki_admin_nickname=PKI Administrator for Example Sub-CA L2
> pki_admin_subject_dn=cn=PKI Administrator CA L2,e=admin at xxxxx.xxx.xx,o=XXXXXXXXXXX,c=BR
> pki_admin_email=admin at xxxx.xxx.xx
>
> when I run pkispawn -v -s CA -f myconfig.txt on Server02:
>
> ERROR: Unable to access security domain: 401 Client Error: Unauthorized
>
> ===
>
> I tried to use the same passwords on myconfig.txt in both servers just to test, but I receive the same message.
>
> Can you help me please ?
>
> many thanks!
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
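The fix Ade Lee describes above (the Sub-CA's pki_security_domain_password must be the root CA admin's password, and a key listed twice in [DEFAULT] hides one of its values) can be checked mechanically before running pkispawn. The following Python lint is an added example, not code from the thread or from Dogtag; the sample configuration is constructed from the Sub-CA [DEFAULT] section posted above, and the optional root_ca_admin_password argument is this example's own assumption.

```python
"""Lint a pkispawn myconfig.txt for the Sub-CA mistakes discussed in this thread.
Added example, not Dogtag code; a hand parser is used so duplicate keys stay visible."""
import re

# Constructed sample modelled on the posted Sub-CA [DEFAULT] section: the security domain
# password is the Sub-CA's own admin password and two keys are listed twice.
SUBCA_CONFIG = """\
[DEFAULT]
pki_admin_password=SUB-CA_Passord
pki_ds_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_admin_password=SUB-CA_Passord
pki_ds_bind_dn=cn=ldapadmin
pki_security_domain_password=SUB-CA_Passord
pki_instance_name=pki-SubCA
pki_security_domain_hostname=root-ca.xxxx.xxx.xx
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin

[CA]
pki_subordinate=True
pki_issuing_ca=https://root-ca.xxxx.xxx.xx:8443
"""

# Keys a subordinate needs in order to reach, and log in to, the root CA's security domain.
SECURITY_DOMAIN_KEYS = ("pki_security_domain_hostname", "pki_security_domain_https_port",
                        "pki_security_domain_user", "pki_security_domain_password")


def parse_pkispawn_config(text):
    """Return {section: [(key, value), ...]} in file order, keeping duplicate keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)  # values such as cn=ldapadmin contain '=' too
        sections[current].append((key.strip(), value.strip()))
    return sections


def lint_subordinate_config(text, root_ca_admin_password=None):
    """Return a list of findings; an empty list means nothing suspicious was found."""
    sections = parse_pkispawn_config(text)
    findings = []
    # 1. Duplicate keys: only one value survives and the other is silently ignored.
    for name, items in sections.items():
        counts = {}
        for key, _ in items:
            counts[key] = counts.get(key, 0) + 1
        findings.extend(f"[{name}] {k} listed {n} times" for k, n in counts.items() if n > 1)
    flat = {k: v for items in sections.values() for k, v in items}  # later ([CA]) entries win
    if flat.get("pki_subordinate", "False").lower() != "true":
        return findings
    # 2. A subordinate must know where the security domain is and whom to log in as.
    findings.extend(f"missing {k} (required when pki_subordinate=True)"
                    for k in SECURITY_DOMAIN_KEYS if k not in flat)
    # 3. That login is pki_security_domain_user on the ROOT CA, so reusing this instance's
    #    own admin password is exactly the mistake behind the 401 in the thread.
    sd_pw = flat.get("pki_security_domain_password")
    if sd_pw is not None and sd_pw == flat.get("pki_admin_password"):
        findings.append("pki_security_domain_password equals this instance's pki_admin_password; "
                        "it must be the password of pki_security_domain_user on the root CA")
    if root_ca_admin_password is not None and sd_pw != root_ca_admin_password:
        findings.append("pki_security_domain_password does not match the root CA admin password "
                        "(expect '401 Client Error: Unauthorized' from the security domain)")
    return findings


if __name__ == "__main__":
    for finding in lint_subordinate_config(SUBCA_CONFIG):
        print(finding)
```

The equality check in step 3 is a heuristic: it flags the copy-and-paste pattern from this thread, and only the optional root_ca_admin_password comparison proves the value is actually right.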
From leonardo at lbasolutions.com Wed Aug 24 11:28:25 2016
From: leonardo at lbasolutions.com (Leonardo Bacha Abrantes)
Date: Wed, 24 Aug 2016 08:28:25 -0300
Subject: [Pki-users] Change OCSP URI in certificates
Message-ID:

Hi guys,

I created my Root-CA using the standard Tomcat ports (8080 and 8443) and it's working very well, so the certificates are being created with a URIName pointing to 'http://server02.example.com:8080/ca/ocsp', and I want to change it to 'http://server02.example.com/ca/ocsp', because I'll keep Tomcat working on the standard ports and redirect the traffic on port 80 to 8080 via iptables.

I'm creating a subordinate CA, and I configured in the Root-CA 'policyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=http://root-ca.cnfcp.gov.br/ca/ocsp' in /var/lib/pki/pki-RootCA/ca/profiles/ca/caInstallCACert.cfg; however, the certificate is being created but it is not appearing in the certificate.

Can you give me some help please?

Many thanks!