[Pki-users] Authorize Sub-CA to be created

Marc Sauton msauton at redhat.com
Sat Aug 20 01:57:55 UTC 2016


The password provided for the uid caadmin may have been "incorrect".
Thanks,
M.

On 08/19/2016 10:45 AM, Leonardo Bacha Abrantes wrote:
> Hi, below is my debug log:
>
>
>
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SessionContextInterceptor: SecurityDomainResource.getDomainInfo()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SessionContextInterceptor: Not authenticated.
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: 
> SecurityDomainResource.getDomainInfo()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: 
> mapping: default
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: 
> required auth methods: [*]
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: 
> anonymous access allowed
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: 
> SecurityDomainResource.getDomainInfo()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor.filter: 
> no authorization required
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: No ACL 
> mapping; authz not required.
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SignedAuditEventFactory: create() 
> message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL 
> mapping not found; OK:SecurityDomainResource.getDomainInfo] 
> authorization success
>
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> MessageFormatInterceptor: content-type: null
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> MessageFormatInterceptor: accept: [application/json]
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> MessageFormatInterceptor: response format: application/json
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: according to ccMode, 
> authorization for servlet: securitydomain is LDAP based, not XML {1}, 
> use default authz mgr: {2}.
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Creating 
> LdapBoundConnFactor(SecurityDomainProcessor)
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapBoundConnFactory: init
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> LdapBoundConnFactory:doCloning true
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init begins
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: 
> prompt is internaldb
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: try 
> getting from memory cache
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: got 
> password from memory
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: 
> password found for prompt.
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: password 
> ok: store in memory cache
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init ends
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: init: before 
> makeConnection errorIfDown is false
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: makeConnection: 
> errorIfDown false
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Established LDAP 
> connection using basic authentication to host root-ca.xxxxx.xxx.xx 
> port 389 as cn=ldapadmin
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: initializing with 
> mininum 3 and maximum 15 connections to host root-ca.xxxxx.xxx.xx port 
> 389, secure connection, false, authentication type 1
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: increasing minimum 
> connections by 3
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new total available 
> connections 3
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new number of connections 3
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: In 
> LdapBoundConnFactory::getConn()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: masterConn is 
> connected: true
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: conn is 
> connected true
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: mNumConns now 2
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SecurityDomainProcessor: name: xxxxx.xxx.xx Security Domain
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SecurityDomainProcessor: subtype: CA
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SecurityDomainProcessor:  - 
> cn=root-ca.xxxxx.xxx.xx:8443,cn=CAList,ou=Security Domain,o=pki-RootCA-CA
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SecurityDomainProcessor:    - objectClass: top
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SecurityDomainProcessor:    - host: root-ca.xxxxx.xxx.xx
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SecurityDomainProcessor:    - SecurePort: 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SecurityDomainProcessor:    - SecureAgentPort: 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SecurityDomainProcessor:    - SecureAdminPort: 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SecurityDomainProcessor:    - UnSecurePort: 8080
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SecurityDomainProcessor:    - Clone: FALSE
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SecurityDomainProcessor:    - SubsystemName: CA root-ca.xxxxx.xxx.xx 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SecurityDomainProcessor:    - cn: root-ca.xxxxx.xxx.xx:8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SecurityDomainProcessor:    - DomainManager: TRUE
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: 
> SecurityDomainProcessor: subtype: OCSP
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: 
> SecurityDomainProcessor: subtype: KRA
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: 
> SecurityDomainProcessor: subtype: RA
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: 
> SecurityDomainProcessor: subtype: TKS
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: 
> SecurityDomainProcessor: subtype: TPS
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: Releasing ldap connection
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PKIRealm: 
> Authenticating user caadmin with password.
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: 
> PasswdUserDBAuthentication: UID: caadmin
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: In 
> LdapBoundConnFactory::getConn()
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: masterConn is 
> connected: true
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: conn is 
> connected true
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: mNumConns now 2
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: 
> PasswdUserDBAuthentication: DN: uid=caadmin,ou=people,o=pki-RootCA-CA
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: 
> LdapAnonConnFactory::getConn
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: 
> LdapAnonConnFactory.getConn(): num avail conns now 2
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 2
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: 
> SignedAuditEventFactory: create() 
> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] 
> authentication failure
>
>
>
> Any help will be very much appreciated!
>
>
> On Fri, Aug 19, 2016 at 7:28 AM, Leonardo Bacha Abrantes 
> <leonardo at lbasolutions.com> wrote:
>
>     Hi guys,
>
>     I'm trying to configure a subordinate CA, but am receiving the
>     message "ERROR:  Unable to access security domain: 401 Client
>     Error: Unauthorized".
>
>
>     I follow these steps:
>
>
>
>
>     ===>> On Server01 (root-ca):
>
>
>     setup-ds.pl --silent
>     General.FullMachineName=root-ca.xxx.xxx.xx \
>     General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
>     slapd.ServerPort=389 slapd.ServerIdentifier=pki-RootCA \
>     slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
>     slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=PASSWORD
>
>
>
>     > myconfig.txt
>
>
>     [DEFAULT]
>     pki_admin_password=Root-CA_pwd
>     pki_client_database_password=Root-CA_pwd
>     pki_client_pkcs12_password=Root-CA_pwd
>     pki_ds_password=Root-CA_pwd
>     pki_security_domain_password=Root-CA_pwd
>     pki_admin_password=Root-CA_pwd
>     pki_client_database_password=Root-CA_pwd
>     pki_client_pkcs12_password=Root-CA_pwd
>     pki_ds_bind_dn=cn=ldapadmin
>     pki_ds_password=Root-CA_pwd
>     pki_security_domain_password=Root-CA_pwd
>     pki_instance_name=pki-RootCA
>
>     [CA]
>     pki_ca_signing_subject_dn=cn=EXAMLE Root Certification Authority,o=XXXXXXXXXXX,c=BR
>     pki_admin_nickname=PKI Administrator for EXAMPLE
>     pki_admin_subject_dn=cn=PKI Administrator Root CA,e=admin at XXXXX.XXX.xx,o=XXXXXXXXXX,c=BR
>     pki_admin_email=admin at XXXXXX.xxx.xx
>
>
>
>
>
>     ===>> On Server02 (Sub-ca):
>
>
>     setup-ds.pl --silent
>     General.FullMachineName=sub-ca.xxx.xxx.xx \
>     General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
>     slapd.ServerPort=389 slapd.ServerIdentifier=pki-SubCA \
>     slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
>     slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=OTHER_PASSWORD
>
>
>
>     > myconfig.txt
>
>     [DEFAULT]
>     pki_admin_password=SUB-CA_Passord
>     pki_client_database_password=SUB-CA_Passord
>     pki_client_pkcs12_password=SUB-CA_Passord
>     pki_ds_password=SUB-CA_Passord
>     pki_security_domain_password=SUB-CA_Passord
>     pki_admin_password=SUB-CA_Passord
>     pki_client_database_password=SUB-CA_Passord
>     pki_client_pkcs12_password=SUB-CA_Passord
>     pki_ds_bind_dn=cn=ldapadmin
>     pki_ds_password=SUB-CA_Passord
>     pki_security_domain_password=SUB-CA_Passord
>     pki_instance_name=pki-SubCA
>     pki_security_domain_hostname=root-ca.xxxx.xxx.xx
>     pki_security_domain_https_port=8443
>     pki_security_domain_user=caadmin
>
>     [CA]
>     pki_subordinate=True
>     pki_issuing_ca=https://root-ca.xxxx.xxxv.xx:8443
>     pki_ca_signing_subject_dn=cn=EXAMPLE Certification Authority L2,o=XXXXXXXXXXX,c=BR
>     pki_subordinate_create_new_security_domain=True
>     pki_subordinate_security_domain_name=EXAMPLE Certification Authority L2
>     pki_admin_nickname=PKI Administrator for Example Sub-CA L2
>     pki_admin_subject_dn=cn=PKI Administrator CA L2,e=admin at xxxxx.xxx.xx,o=XXXXXXXXXXX,c=BR
>     pki_admin_email=admin at xxxx.xxx.xx
>
>
>
>
>     when I run pkispawn -v -s CA -f myconfig.txt on Server02:
>
>
>     ERROR:  Unable to access security domain: 401 Client Error:
>     Unauthorized
>
>
>
>     ===
>
>
>
>     I tried to use the same passwords on myconfig.txt in both servers
>     just to test, but I receive the same message.
>
>
>     Can you help me, please?
>
>     Many thanks!
>
>
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
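The debug log and the two pkispawn configurations quoted above point at two things an operator would want to automate rather than eyeball: pulling the SignedAuditEventFactory AUTH_FAIL / AUTHZ_SUCCESS events out of the pki-server debug log, and checking that the sub-CA's pki_security_domain_password is the credential of the security-domain user on the root CA. The script below is an added example written for this thread; it is not code from the thread or from the Dogtag/pki project. It assumes the stock pkispawn default in which the security-domain user `caadmin` on the root CA is the admin account created from the root's `pki_admin_password` (`pki_admin_uid` defaults to `caadmin`), so the sub-CA's `pki_security_domain_password` has to equal the root's `pki_admin_password`. The sample log lines and the config fragments are constructed from the post, trimmed to the keys the check reads; the duplicated `pki_admin_password` line from the post is kept because it trips configparser's default strict mode.

```python
import configparser
import re

# Constructed sample: four lines in the format of the pki-server debug log
# quoted in the thread (hostnames redacted as in the post).
SAMPLE_DEBUG_LOG = """\
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization success
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PKIRealm: Authenticating user caadmin with password.
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PasswdUserDBAuthentication: DN: uid=caadmin,ou=people,o=pki-RootCA-CA
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
"""

# Constructed: the two myconfig.txt fragments from the post, reduced to the
# keys this check reads. The repeated pki_admin_password line is deliberate.
ROOT_CA_CONFIG = """\
[DEFAULT]
pki_admin_password=Root-CA_pwd
pki_security_domain_password=Root-CA_pwd
pki_admin_password=Root-CA_pwd
pki_instance_name=pki-RootCA

[CA]
pki_admin_nickname=PKI Administrator for EXAMPLE
"""

SUB_CA_CONFIG = """\
[DEFAULT]
pki_admin_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_instance_name=pki-SubCA
pki_security_domain_hostname=root-ca.xxxx.xxx.xx
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin

[CA]
pki_subordinate=True
"""

# "[timestamp][thread]: message" as written by the pki-server debug log.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
# The bracketed key=value run that follows "message=" in an audit event line.
AUDIT_RE = re.compile(r"SignedAuditEventFactory: create\(\) message=(?P<fields>(?:\[[^\]]*\])+)")
FIELD_RE = re.compile(r"\[([^=\]]+)=([^\]]*)\]")


def parse_audit_events(log_text):
    """Return one dict per SignedAuditEventFactory line, keyed by the
    bracketed field names plus the line's timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        audit = AUDIT_RE.search(m.group("msg"))
        if not audit:
            continue
        fields = dict(FIELD_RE.findall(audit.group("fields")))
        fields["timestamp"] = m.group("ts")
        events.append(fields)
    return events


def failed_logins(events):
    """(timestamp, attempted uid, auth manager) for every AUTH_FAIL event."""
    return [
        (e["timestamp"], e.get("AttemptedCred"), e.get("AuthMgr"))
        for e in events
        if e.get("AuditEvent") == "AUTH_FAIL"
    ]


def _load(cfg_text):
    # strict=False tolerates the duplicated keys seen in the posted configs;
    # interpolation=None keeps '%' in passwords from being interpreted.
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(cfg_text)
    return cfg


def security_domain_password_mismatch(root_cfg_text, sub_cfg_text):
    """Return a finding if the sub-CA's security-domain credential cannot
    match the root CA admin it names, or None if they agree. Assumes (stock
    pkispawn default) that the security-domain user is the root's admin uid."""
    root, sub = _load(root_cfg_text), _load(sub_cfg_text)
    sd_user = sub.get("CA", "pki_security_domain_user", fallback="caadmin")
    root_admin = root.get("CA", "pki_admin_uid", fallback="caadmin")
    if sd_user != root_admin:
        return None  # different account; this check cannot decide
    if sub.get("CA", "pki_security_domain_password") != root.get("CA", "pki_admin_password"):
        return (f"pki_security_domain_password on the sub-CA is not the "
                f"pki_admin_password of {root_admin} on the root CA; expect "
                f"AUTH_FAIL for AttemptedCred={sd_user} and a 401 from pkispawn")
    return None


if __name__ == "__main__":
    for ts, uid, mgr in failed_logins(parse_audit_events(SAMPLE_DEBUG_LOG)):
        print(f"{ts} AUTH_FAIL uid={uid} via {mgr}")
    print(security_domain_password_mismatch(ROOT_CA_CONFIG, SUB_CA_CONFIG))
```

Run against the two configs as posted, the check reports the mismatch; with the sub-CA's pki_security_domain_password set to the root's admin password it returns None. The audit parser is the piece worth keeping: AUTH_FAIL events with AttemptedCred are the same signal whether the cause is a mistyped bootstrap password or someone guessing the CA admin account.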
