[Pki-users] OCSP in a different server from CA

Jonathan Montero jmrxto at gmail.com
Sat Mar 2 02:52:13 UTC 2019


*I didn't use any file for the installation; I used the basic questions
with their answers. This is a replica of how things went.*


[root@ocsp01 ~]# pkispawn -s OCSP -vvv

IMPORTANT:

    Interactive installation currently only exists for very basic
deployments!

    For example, deployments intent upon using advanced features such as:

        * Cloning,
        * Elliptic Curve Cryptography (ECC),
        * External CA,
        * Hardware Security Module (HSM),
        * Subordinate CA,
        * etc.,

    must provide the necessary override parameters in a separate
    configuration file.

    Run 'man pkispawn' for details.

Tomcat:
  Instance [pki-tomcat]: testinstance
  HTTP port [8080]:
  Secure HTTP port [8443]:
  AJP port [8009]:
  Management port [8005]:

Administrator:
  Username [ocspadmin]:
  Password:
  Verify password:
  Import certificate (Yes/No) [Y]?
  Import certificate from [/root/.dogtag/testinstance/ca_admin.cert]:
/root/ca_admin.cert

Directory Server:
  Hostname [ocsp01.pki.ccpsd.corp]: ca01
  Use a secure LDAPS connection (Yes/No/Quit) [N]?
  LDAP Port [389]:
  Bind DN [cn=Directory Manager]:
  Password:
  Base DN [o=testinstance-OCSP]:

Security Domain:
  Hostname [ocsp01.pki.ccpsd.corp]: ca01
  Secure HTTP port [8443]:
  Name: Test Instance Security Domain
  Username [caadmin]:
  Password:

Begin installation (Yes/No/Quit)? Yes


*As you can see, the LDAP server was up; it asked for user and password and
went to the next step. As for the security domain, when I indicated the host
of the CA, it was detected, so that was good also.*

*If you take a look at the
/etc/sysconfig/pki/tomcat/testinstance/ocsp/deployment.cfg file:*
[DEFAULT]
pki_instance_name = testinstance
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pin = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_ds_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_security_domain_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX

[OCSP]
pki_http_port = 8080
pki_https_port = 8443
pki_ajp_port = 8009
pki_tomcat_server_port = 8005
pki_admin_uid = ocspadmin
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_import_admin_cert = True
pki_admin_cert_file = /root/ca_admin.cert
pki_ds_hostname = ca01
pki_ds_ldap_port = 389
pki_ds_bind_dn = cn=Directory Manager
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=testinstance-OCSP
pki_security_domain_hostname = ca01
pki_security_domain_https_port = 8443
pki_security_domain_name = Test Instance Security Domain
pki_security_domain_user = caadmin
pki_security_domain_password = XXXXXXXX
pki_client_pin = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX

*The CA deployment file is this:*
[DEFAULT]
pki_instance_name = testinstance
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pin = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_ds_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_security_domain_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX

[CA]
pki_http_port = 8080
pki_https_port = 8443
pki_ajp_port = 8009
pki_tomcat_server_port = 8005
pki_admin_uid = caadmin
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_import_admin_cert = False
pki_client_admin_cert = /root/.dogtag/testinstance/ca_admin.cert
pki_ds_hostname = ca01.pki.ccpsd.corp
pki_ds_ldap_port = 389
pki_ds_bind_dn = cn=Directory Manager
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=testinstance-CA
pki_security_domain_name = Test Instance Security Domain
pki_client_pin = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_security_domain_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX



Jonathan Montero

IT Professional | IT Trainer
M: 809-609-3003
S: tuxmontero
E: jmrxto at gmail.com
A: Santo Domingo, DR

jonathanmontero.com

<https://www.linkedin.com/in/monterojonathan>
<https://twitter.com/tuxmontero> <https://www.facebook.com/jmrxto>
<https://github.com/tuxmontero>



On Fri, Mar 1, 2019 at 8:41 PM Marc Sauton <msauton at redhat.com> wrote:

> Make sure that in the OCSP's pkispawn config file the security domain is
> the one configured for the CA, and make sure that the CA and its LDAP
> server are up.
> Or maybe something is missing or incorrect in that OCSP's pkispawn config
> file.
> There may be more hints in the /var/log/pki/pki-ocsp/ocsp/debug file,
> like maybe a private key could not be unlocked (file or HSM).
> Thanks,
> M.
>
> On Fri, Mar 1, 2019 at 5:24 AM Jonathan Montero <jmrxto at gmail.com> wrote:
>
>> Hi guys, I have a case that I haven't been able to solve. I'm not too
>> experienced in Dogtag, but believe me, I'm doing my best. I installed a CA
>> on server1 and OCSP on server2. Server1 is working fine as CA. When I run
>> "pkispawn -s OCSP -vvv" on server2, things go fine until the last moment.
>>
>> pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
>> pkispawn    : INFO     ....... executing 'systemctl start
>> pki-tomcatd at testinstance.service'
>> pkispawn    : DEBUG    ........... No connection - server may still be
>> down
>> pkispawn    : DEBUG    ........... No connection - exception thrown:
>> ('Connection aborted.', error(111, 'Connection refused'))
>> pkispawn    : DEBUG    ........... No connection - server may still be
>> down
>> pkispawn    : DEBUG    ........... No connection - exception thrown:
>> ('Connection aborted.', error(111, 'Connection refused'))
>> pkispawn    : DEBUG    ........... No connection - server may still be
>> down
>> pkispawn    : DEBUG    ........... No connection - exception thrown:
>> ('Connection aborted.', error(111, 'Connection refused'))
>> pkispawn    : DEBUG    ........... No connection - server may still be
>> down
>> pkispawn    : DEBUG    ........... No connection - exception thrown: 500
>> Server Error: Internal Server Error
>> pkispawn    : DEBUG    ........... No connection - server may still be
>> down
>>
>>
>> *firewalld is down and disabled, same with iptables, same with SELinux on
>> both servers*
>>
>>
>> I'm using default values (most of them) before going to production.
>>
>> What am I missing here?
>>
>> Jonathan Montero
>>
>> IT Professional | IT Trainer
>> M: 809-609-3003
>> S: tuxmontero
>> E: jmrxto at gmail.com
>> A: Santo Domingo, DR
>>
>> jonathanmontero.com
>>
>> <https://www.linkedin.com/in/monterojonathan>
>> <https://twitter.com/tuxmontero> <https://www.facebook.com/jmrxto>
>> <https://github.com/tuxmontero>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
>
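A pre-flight check for the situation in this thread, written as an added example (it is not part of the thread and not Dogtag's own tooling): it parses an OCSP deployment.cfg modelled on the one posted above, confirms that the keys the OCSP subsystem needs to locate the CA and its directory server are present, warns about plaintext LDAP and short hostnames, checks that both endpoints accept TCP connections, and compares pki_security_domain_name with the name the CA publishes at /ca/admin/ca/getDomainXML. The sample config and the sample XML response are constructed; the XML element layout (XMLResponse/DomainInfo/Name) and the simulate() stand-in for socket connections are assumptions of this example, not something the thread confirms.

```python
"""Pre-flight checks for an OCSP pkispawn deployment file. Added example, not
part of the thread or of Dogtag's tooling: reads deployment.cfg as pkispawn
does ([DEFAULT] folded into [OCSP]), checks what must be present and reachable
before 'pkispawn -s OCSP', and compares the security-domain name with the CA's."""
import configparser
import io
import socket
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample modelled on the OCSP deployment.cfg posted in the thread
# (trimmed; passwords are placeholders exactly as in the post).
SAMPLE_OCSP_CFG = """[DEFAULT]
pki_ds_password = XXXXXXXX
pki_security_domain_password = XXXXXXXX

[OCSP]
pki_ds_hostname = ca01
pki_ds_ldap_port = 389
pki_ds_bind_dn = cn=Directory Manager
pki_ds_base_dn = o=testinstance-OCSP
pki_security_domain_hostname = ca01
pki_security_domain_https_port = 8443
pki_security_domain_name = Test Instance Security Domain
pki_security_domain_user = caadmin
"""

# Settings the OCSP subsystem needs to find the CA and the CA's LDAP server.
REQUIRED_KEYS = ("pki_ds_hostname", "pki_ds_ldap_port", "pki_ds_bind_dn",
                 "pki_ds_base_dn", "pki_security_domain_hostname",
                 "pki_security_domain_https_port", "pki_security_domain_name",
                 "pki_security_domain_user")

def load_section(text, section="OCSP"):
    """Parse deployment.cfg text; DEFAULT values are visible through the section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    return dict(cp[section])

def lint(cfg):
    """Return findings as strings; an empty list means nothing obvious is wrong."""
    findings = [f"missing: {k}" for k in REQUIRED_KEYS if not cfg.get(k)]
    # Plain LDAP (port 389, no TLS) carries the Directory Manager bind
    # password across the network in the clear.
    if cfg.get("pki_ds_secure_connection", "False").lower() != "true":
        findings.append("warning: pki_ds_secure_connection is not True; the "
                        "bind password crosses the network unencrypted")
    for key in ("pki_ds_hostname", "pki_security_domain_hostname"):
        host = cfg.get(key, "")
        if host and "." not in host:
            findings.append(f"warning: {key}={host} is a short name; use the "
                            "FQDN the CA's server certificate was issued for")
    return findings

def reachable(host, port, connect=socket.create_connection):
    """TCP connect only: proves the port is open, not that the service is healthy."""
    try:
        connect((host, port), 3.0).close()
        return True
    except OSError:
        return False

def preflight(cfg, connect=socket.create_connection):
    """Reachability of the two hosts the installer contacts: LDAP, then the CA."""
    targets = [(cfg["pki_ds_hostname"], int(cfg["pki_ds_ldap_port"])),
               (cfg["pki_security_domain_hostname"],
                int(cfg["pki_security_domain_https_port"]))]
    return {f"{h}:{p}": reachable(h, p, connect) for h, p in targets}

def simulate(up):
    """Constructed stand-in for socket.create_connection (offline runs):
    'up' is the set of (host, port) pairs that accept connections."""
    class Sock:
        def close(self):
            pass
    def connect(addr, timeout):
        if addr in up:
            return Sock()
        raise ConnectionRefusedError(addr)
    return connect

# Constructed response; the layout XMLResponse/DomainInfo/Name is this example's
# reading of the CA's getDomainXML output and is an assumption here.
SAMPLE_DOMAIN_XML = """<XMLResponse><Status>0</Status><DomainInfo>
<Name>Test Instance Security Domain</Name></DomainInfo></XMLResponse>"""

def domain_name(xml_text):
    node = ET.fromstring(xml_text).find("./DomainInfo/Name")
    return node.text.strip() if node is not None and node.text else ""

def fetch_domain_name(host, port, cafile):
    # Verify the CA's TLS certificate against the chain in cafile; do not
    # switch verification off to make the check pass.
    ctx = ssl.create_default_context(cafile=cafile)
    url = f"https://{host}:{port}/ca/admin/ca/getDomainXML"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return domain_name(resp.read().decode())

if __name__ == "__main__":  # offline run: both endpoints answer, as in the thread
    cfg = load_section(SAMPLE_OCSP_CFG)
    print(lint(cfg), preflight(cfg, simulate({("ca01", 389), ("ca01", 8443)})))
```

Run against the posted config this reports no missing keys but three warnings: plaintext LDAP to the CA host, and both hostnames given as the short name "ca01" while the CA was deployed with pki_ds_hostname = ca01.pki.ccpsd.corp. A successful TCP connect only shows the port is open; the "Connection refused" and "500 Server Error" lines in the original log come from pkispawn polling the freshly started OCSP instance on server2 after "systemctl start pki-tomcatd@testinstance.service", so the OCSP instance's own debug log that Marc points to is still where the cause will be.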