[Pki-users] Authorize Sub-CA to be created

Leonardo Bacha Abrantes leonardo at lbasolutions.com
Sat Aug 20 02:53:50 UTC 2016


Hi Marc,

Yep, I saw it in the log, but it's strange because I typed the correct password
(copy and paste to avoid errors).

I also tried to use the same password for all parameters on both servers
just to test, but it failed.

I don't know exactly if something is missing in the myconfig.txt file on
server01 or on server02, or if I skipped some step.

The steps are to configure a directory server and create a config file to be
used by pkispawn on both servers, and then run pkispawn -s CA -f
myconfig.txt.

Is that right, or is it necessary to do anything else?

Many thanks!

On Aug 19, 2016 10:57 PM, "Marc Sauton" <msauton at redhat.com> wrote:

> the password provided for the uid caadmin may have been "incorrect"
> Thanks,
> M.
>
> On 08/19/2016 10:45 AM, Leonardo Bacha Abrantes wrote:
>
> Hi, below is my debug log
>
>
>
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SessionContextInterceptor:
> SecurityDomainResource.getDomainInfo()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SessionContextInterceptor:
> Not authenticated.
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor:
> SecurityDomainResource.getDomainInfo()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor:
> mapping: default
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor:
> required auth methods: [*]
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor:
> anonymous access allowed
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor:
> SecurityDomainResource.getDomainInfo()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor.filter: no
> authorization required
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: No ACL
> mapping; authz not required.
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SignedAuditEventFactory:
> create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$
> Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL
> mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization
> success
>
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor:
> SecurityDomainResource.getDomainInfo()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor:
> content-type: null
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor:
> accept: [application/json]
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor:
> response format: application/json
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: according to ccMode,
> authorization for servlet: securitydomain is LDAP based, not XML {1}, use
> default authz mgr: {2}.
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Creating
> LdapBoundConnFactor(SecurityDomainProcessor)
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapBoundConnFactory: init
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]:
> LdapBoundConnFactory:doCloning true
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init begins
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: prompt
> is internaldb
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: try
> getting from memory cache
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: got
> password from memory
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init:
> password found for prompt.
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: password ok:
> store in memory cache
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init ends
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: init: before
> makeConnection errorIfDown is false
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: makeConnection:
> errorIfDown false
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Established LDAP
> connection using basic authentication to host root-ca.xxxxx.xxx.xx port 389
> as cn=ldapadmin
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: initializing with mininum
> 3 and maximum 15 connections to host root-ca.xxxxx.xxx.xx port 389, secure
> connection, false, authentication type 1
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: increasing minimum
> connections by 3
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new total available
> connections 3
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new number of connections 3
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: In
> LdapBoundConnFactory::getConn()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: masterConn is connected:
> true
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: conn is connected
> true
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: mNumConns now 2
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:
> name: xxxxx.xxx.xx Security Domain
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:
> subtype: CA
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:
>  - cn=root-ca.xxxxx.xxx.xx:8443,cn=CAList,ou=Security
> Domain,o=pki-RootCA-CA
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:
>  - objectClass: top
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:
>  - host: root-ca.xxxxx.xxx.xx
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:
>  - SecurePort: 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:
>  - SecureAgentPort: 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:
>  - SecureAdminPort: 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:
>  - SecureEEClientAuthPort: 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:
>  - UnSecurePort: 8080
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:
>  - Clone: FALSE
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:
>  - SubsystemName: CA root-ca.xxxxx.xxx.xx 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:
>  - cn: root-ca.xxxxx.xxx.xx:8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:
>  - DomainManager: TRUE
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:
> subtype: OCSP
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor:
> subtype: KRA
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor:
> subtype: RA
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor:
> subtype: TKS
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor:
> subtype: TPS
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: Releasing ldap connection
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PKIRealm: Authenticating
> user caadmin with password.
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]:
> PasswdUserDBAuthentication: UID: caadmin
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: In
> LdapBoundConnFactory::getConn()
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: masterConn is connected:
> true
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: conn is connected
> true
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: mNumConns now 2
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]:
> PasswdUserDBAuthentication: DN: uid=caadmin,ou=people,o=pki-RootCA-CA
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]:
> LdapAnonConnFactory::getConn
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]:
> LdapAnonConnFactory.getConn(): num avail conns now 2
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 2
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SignedAuditEventFactory:
> create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][
> Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin]
> authentication failure
>
>
>
> Any help will be very much appreciated!
>
>
> On Fri, Aug 19, 2016 at 7:28 AM, Leonardo Bacha Abrantes <
> leonardo at lbasolutions.com> wrote:
>
>> Hi guys,
>>
>> I'm trying to configure a subordinate CA, but am receiving the message
>> "ERROR:  Unable to access security domain: 401 Client Error: Unauthorized".
>>
>>
>> I followed these steps:
>>
>>
>>
>>
>> ===>> On Server01 (root-ca):
>>
>>
>> setup-ds.pl --silent General.FullMachineName=root-ca.xxx.xxx.xx \
>> General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
>> slapd.ServerPort=389 slapd.ServerIdentifier=pki-RootCA \
>> slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
>> slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=PASSWORD
>>
>>
>>
>> > myconfig.txt
>>
>>
>> [DEFAULT]
>> pki_admin_password=Root-CA_pwd
>> pki_client_database_password=Root-CA_pwd
>> pki_client_pkcs12_password=Root-CA_pwd
>> pki_ds_password=Root-CA_pwd
>> pki_security_domain_password=Root-CA_pwd
>> pki_admin_password=Root-CA_pwd
>> pki_client_database_password=Root-CA_pwd
>> pki_client_pkcs12_password=Root-CA_pwd
>> pki_ds_bind_dn=cn=ldapadmin
>> pki_ds_password=Root-CA_pwd
>> pki_security_domain_password=Root-CA_pwd
>> pki_instance_name=pki-RootCA
>>
>> [CA]
>> pki_ca_signing_subject_dn=cn=EXAMLE Root Certification Authority,o=XXXXXXXXXXX,c=BR
>> pki_admin_nickname=PKI Administrator for EXAMPLE
>> pki_admin_subject_dn=cn=PKI Administrator Root CA,e=admin at XXXXX.XXX.xx,o=XXXXXXXXXX,c=BR
>> pki_admin_email=admin at XXXXXX.xxx.xx
>>
>>
>>
>>
>>
>> ===>> On Server02 (Sub-ca):
>>
>>
>> setup-ds.pl --silent General.FullMachineName=sub-ca.xxx.xxx.xx \
>> General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
>> slapd.ServerPort=389 slapd.ServerIdentifier=pki-SubCA \
>> slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
>> slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=OTHER_PASSWORD
>>
>>
>>
>> > myconfig.txt
>>
>> [DEFAULT]
>> pki_admin_password=SUB-CA_Passord
>> pki_client_database_password=SUB-CA_Passord
>> pki_client_pkcs12_password=SUB-CA_Passord
>> pki_ds_password=SUB-CA_Passord
>> pki_security_domain_password=SUB-CA_Passord
>> pki_admin_password=SUB-CA_Passord
>> pki_client_database_password=SUB-CA_Passord
>> pki_client_pkcs12_password=SUB-CA_Passord
>> pki_ds_bind_dn=cn=ldapadmin
>> pki_ds_password=SUB-CA_Passord
>> pki_security_domain_password=SUB-CA_Passord
>> pki_instance_name=pki-SubCA
>> pki_security_domain_hostname=root-ca.xxxx.xxx.xx
>> pki_security_domain_https_port=8443
>> pki_security_domain_user=caadmin
>>
>> [CA]
>> pki_subordinate=True
>> pki_issuing_ca=https://root-ca.xxxx.xxxv.xx:8443
>> pki_ca_signing_subject_dn=cn=EXAMPLE Certification Authority L2,o=XXXXXXXXXXX,c=BR
>> pki_subordinate_create_new_security_domain=True
>> pki_subordinate_security_domain_name=EXAMPLE Certification Authority L2
>> pki_admin_nickname=PKI Administrator for Example Sub-CA L2
>> pki_admin_subject_dn=cn=PKI Administrator CA L2,e=admin at xxxxx.xxx.xx,o=XXXXXXXXXXX,c=BR
>> pki_admin_email=admin at xxxx.xxx.xx
>>
>>
>>
>>
>> When I run pkispawn -v -s CA -f myconfig.txt on Server02:
>>
>>
>> ERROR:  Unable to access security domain: 401 Client Error: Unauthorized
>>
>>
>>
>> ===
>>
>>
>>
>> I tried to use the same passwords in myconfig.txt on both servers just to
>> test, but I receive the same message.
>>
>>
>> Can you help me please?
>>
>> Many thanks!
>>
>>
>>
>
>
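Added example (not from the thread and not Dogtag's own code): a Python check of the two pkispawn configs as posted, aimed at the mismatch the debug log's AUTH_FAIL for uid caadmin points at. On the sub-CA, pki_security_domain_user and pki_security_domain_password are the credentials pkispawn presents to the root CA's security domain, so that password has to be the root CA's pki_admin_password (Root-CA_pwd in the posted file), not the sub-CA's own. The sample configs are constructed, trimmed copies of the posted files, and the caadmin default for pki_admin_uid is assumed from pkispawn's defaults.

```python
import configparser

# Constructed, trimmed copies of the two myconfig.txt files posted in the
# thread (only the keys that matter for security-domain enrollment).
ROOT_CA_CFG = """
[DEFAULT]
pki_admin_password=Root-CA_pwd
pki_security_domain_password=Root-CA_pwd
"""

SUB_CA_CFG = """
[DEFAULT]
pki_admin_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_security_domain_hostname=root-ca.xxxx.xxx.xx
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
"""


def load_defaults(text):
    # strict=False accepts the duplicated keys present in the posted files
    # (last value wins); interpolation is off so raw values are compared.
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",))
    cp.read_string(text)
    return cp["DEFAULT"]


def check_security_domain(root_text, sub_text):
    """Return findings that would make the root CA reject the sub-CA's login."""
    root, sub = load_defaults(root_text), load_defaults(sub_text)
    findings = []
    # pkispawn's default admin uid is caadmin (pki_admin_uid overrides it).
    root_admin = root.get("pki_admin_uid", "caadmin")
    sd_user = sub.get("pki_security_domain_user", "caadmin")
    if sd_user != root_admin:
        findings.append(f"pki_security_domain_user={sd_user} is not the "
                        f"root CA admin uid {root_admin}")
    # The sub-CA authenticates to the root CA as sd_user with this password,
    # so it must equal the root CA's pki_admin_password, not the sub-CA's own.
    if sub.get("pki_security_domain_password") != root.get("pki_admin_password"):
        findings.append("pki_security_domain_password does not match the "
                        "root CA's pki_admin_password")
    return findings
```

The password finding matches what the log shows: PasswdUserDBAuthentication on the root CA checks the supplied password against uid=caadmin,ou=people,o=pki-RootCA-CA, so a sub-CA config carrying its own admin password there produces exactly that AUTH_FAIL and the 401.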