From cfu at redhat.com Wed Aug 1 01:29:52 2018
From: cfu at redhat.com (Christina Fu)
Date: Tue, 31 Jul 2018 21:29:52 -0400 (EDT)
Subject: [Pki-users] Help about back-end database support
Message-ID: <1945720177.38392615.1533086992250.JavaMail.zimbra@redhat.com>

Hi Neha,

Could you clarify what is meant by "back-end database" at your site?

If you are talking about using an SQL server as the CA's internal database for storing certificate requests, certificates, privileged user/group information, etc., then no.

If you are talking about using an existing SQL server which contains general user entries, and the intent is to use that database as an authentication mechanism for doing certificate enrollments, then I suppose you could write an authentication plugin for that purpose. For information on how to write an authentication plugin, you can look at http://www.dogtagpki.org/wiki/PKI_Authentication_Plug-ins

It's a bit old, so it may need a few tweaks here and there, but the framework is there.

Christina

----- Original Message -----
From: "Neha Godwal"
To: pki-users at redhat.com
Sent: Wednesday, July 25, 2018 10:21:57 AM
Subject: [Pki-users] Help about back-end database support

I am looking to use the Dogtag PKI system to set up a root CA for my cluster. Please let me know if there is support available for SQL Server as a back-end database.

Best,
Neha
_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users


From edewata at redhat.com Tue Aug 14 22:00:31 2018
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 14 Aug 2018 18:00:31 -0400 (EDT)
Subject: [Pki-users] PKI 10.6.6 Release
In-Reply-To: <144055746.18843284.1534283869614.JavaMail.zimbra@redhat.com>
Message-ID: <1077683232.18843615.1534284031804.JavaMail.zimbra@redhat.com>

Hi,

PKI 10.6.6 is now available upstream:
https://github.com/dogtagpki/pki/releases/tag/v10.6.6

Fedora 28 builds are available via the following update:
https://bodhi.fedoraproject.org/updates/FEDORA-2018-9132d6f913

Fedora 29 builds are available in Koji.

Fedora 27 builds are available in this COPR repository:
https://copr.fedorainfracloud.org/coprs/g/pki/10.6/

Thanks.

--
Endi S. Dewata


From tjaalton at ubuntu.com Sun Aug 26 18:49:52 2018
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Sun, 26 Aug 2018 21:49:52 +0300
Subject: [Pki-users] trouble getting 10.6.6 up

Hi,

I've updated dogtag, jss, tomcatjss, ldapjdk to the latest versions on Ubuntu, and now pkispawn fails and catalina.out has:

    SEVERE: Failed to initialize connector [Connector[org.dogtagpki.tomcat.Http11NioProtocol-8443]]
    org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.dogtagpki.tomcat.Http11NioProtocol-8443]]
            at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:113)
            at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
            at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
            at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
            at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
            at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
            at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            at java.lang.reflect.Method.invoke(Method.java:498)
            at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
            at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
    Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
            at org.apache.catalina.connector.Connector.initInternal(Connector.java:996)
            at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
            ... 12 more
    Caused by: java.lang.IllegalArgumentException: Alias name [sslserver] does not identify a key entry
            at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116)
            at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87)
            at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:226)
            at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1086)
            at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:268)
            at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
            at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
            at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
            ... 13 more
    Caused by: java.io.IOException: Alias name [sslserver] does not identify a key entry
            at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:229)
            at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
            ... 20 more

so apparently I'm missing something, probably related to the PKCS#11 keystore work...

Also, the 60s timeout waiting for the server to reply doesn't seem to work, at least here:

    2018-08-26 19:45:43 pkispawn    : INFO     ........... checking https://ubudevel:8443/ca
    2018-08-26 20:51:29 pkispawn    : ERROR    ........... server did not start after 60s

--
t


From edewata at redhat.com Mon Aug 27 14:52:54 2018
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 27 Aug 2018 10:52:54 -0400 (EDT)
Subject: [Pki-users] trouble getting 10.6.6 up
Message-ID: <1428210099.23060303.1535381574090.JavaMail.zimbra@redhat.com>

Hi Timo,

The key alias should point to the SSL certificate and key in the NSS database. Could you confirm that you have an "sslserver" certificate? Could you also show me what the SSL Connector element looks like in the server.xml? Thanks.

--
Endi S. Dewata

----- Original Message -----
>
> Hi,
>
> I've updated dogtag, jss, tomcatjss, ldapjdk to the latest versions on Ubuntu,
> and now pkispawn fails and catalina.out has:
>
> SEVERE: Failed to initialize connector
> [Connector[org.dogtagpki.tomcat.Http11NioProtocol-8443]]
> org.apache.catalina.LifecycleException: Failed to initialize component
> [Connector[org.dogtagpki.tomcat.Http11NioProtocol-8443]]
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:113)
>         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
> Caused by: org.apache.catalina.LifecycleException: Protocol handler
> initialization failed
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:996)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>         ... 12 more
> Caused by: java.lang.IllegalArgumentException: Alias name [sslserver] does
> not identify a key entry
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87)
>         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:226)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1086)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:268)
>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
>         at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
>         ... 13 more
> Caused by: java.io.IOException: Alias name [sslserver] does not identify a
> key entry
>         at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:229)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
>         ... 20 more
>
> so apparently I'm missing something, probably related to the PKCS#11 keystore
> work...
>
>
> Also, the 60s timeout waiting for the server to reply doesn't seem to work, at
> least here:
>
> 2018-08-26 19:45:43 pkispawn    : INFO     ........... checking
> https://ubudevel:8443/ca
> 2018-08-26 20:51:29 pkispawn    : ERROR    ........... server did not start
> after 60s
>
>
>
> --
> t
>


From tjaalton at ubuntu.com Mon Aug 27 17:53:48 2018
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Mon, 27 Aug 2018 20:53:48 +0300
Subject: [Pki-users] trouble getting 10.6.6 up
In-Reply-To: <1428210099.23060303.1535381574090.JavaMail.zimbra@redhat.com>
References: <1428210099.23060303.1535381574090.JavaMail.zimbra@redhat.com>

On 27.08.2018 17:52, Endi Sukma Dewata wrote:
> Hi Timo,
>
> The key alias should point to the SSL certificate and key in the NSS
> database. Could you confirm that you have an "sslserver" certificate?
> Could you also show me what the SSL Connector element looks like in
> the server.xml? Thanks.

Thanks for the help on IRC; this is sorted now. 'pki-server migrate' was not run on startup, and running it failed because '/usr/sbin/tomcat' isn't a thing on Debian, so I had to hardcode the Tomcat version.

--
t
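The two checks Endi asks for in the thread above (is there an "sslserver" key entry in the NSS database, and which alias does the 8443 Connector in server.xml ask Tomcat for) can be scripted so that an "Alias name [...] does not identify a key entry" failure is caught before Tomcat starts. This is an added example, not code from the thread or from Dogtag; it assumes the Tomcat 8.5 `SSLHostConfig/Certificate certificateKeyAlias` layout or the older `keyAlias` Connector attribute, and the server.xml fragment and `certutil -L` output are constructed samples.

```python
# Added example, not code from the thread or from Dogtag: check the key
# alias the HTTPS Connector asks for against the NSS database. Assumes the
# Tomcat 8.5 SSLHostConfig/Certificate form or the older keyAlias attribute;
# the server.xml and certutil output below are constructed samples.
import re
import xml.etree.ElementTree as ET

SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" keyAlias="sslserver"
             protocol="org.dogtagpki.tomcat.Http11NioProtocol"/>
</Service></Server>"""

# Constructed 'certutil -L -d <instance>/alias' output; certutil prints a
# 'u' trust flag for nicknames whose private key is in the database.
CERTUTIL_L = """Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI

CA Signing Certificate                CTu,Cu,Cu
sslserver                             u,u,u
"""
TRUST_FLAGS = re.compile(r"[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*")

def ssl_connector_aliases(server_xml):
    """{port: alias} for every SSLEnabled Connector; alias may be None."""
    aliases = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        cert = conn.find("./SSLHostConfig/Certificate")  # Tomcat 8.5 form
        aliases[conn.get("port")] = (cert.get("certificateKeyAlias") if cert is not None
                                     else conn.get("keyAlias"))  # older attribute form
    return aliases

def nss_key_nicknames(certutil_output):
    """Nicknames whose SSL trust flags contain 'u', i.e. a key entry exists."""
    keyed = set()
    for line in certutil_output.splitlines():
        parts = line.rsplit(None, 1)  # nicknames may contain spaces
        if len(parts) == 2 and TRUST_FLAGS.fullmatch(parts[1]) \
                and "u" in parts[1].split(",")[0]:
            keyed.add(parts[0])
    return keyed

def diagnose(server_xml, certutil_output):
    """Verdict per HTTPS port, worded like the Tomcat error in the thread."""
    keyed = nss_key_nicknames(certutil_output)
    return {port: (f"alias '{alias}' has a key entry" if alias in keyed
                   else f"alias '{alias}' does not identify a key entry")
            for port, alias in ssl_connector_aliases(server_xml).items()}
```

On a live instance, feed `diagnose()` the real server.xml and the output of `certutil -L -d /var/lib/pki/<instance>/alias` instead of the samples.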