From cfu at redhat.com Thu Dec 10 02:16:04 2020
From: cfu at redhat.com (Christina Fu)
Date: Wed, 9 Dec 2020 18:16:04 -0800
Subject: [Pki-users] Dogtag PKI CA not enrolling router with CN or when IP specified in Trustpoint confg
In-Reply-To: <5EE39083-9C3D-4A2F-8FB3-45B01CAD3D82@cisco.com>
References: <5EE39083-9C3D-4A2F-8FB3-45B01CAD3D82@cisco.com>
Message-ID:

Hi Rohan,

I have only played with IP UID/PWD auth with SCEP, which I just tried and seems to be working. Could you maybe give me info on how you set up CN/PWD and I could look into that.

thanks,
Christina

On Sun, Nov 29, 2020 at 11:57 PM Rohan Raymore (rraymore) <rraymore at cisco.com> wrote:
> Hello,
>
> I am looking for some guidance/assistance with a dogtag-pki CA server setup that I am testing.
>
> Environment:
> Cisco ASR router
> CentOS 7 vm
> PKI version 10.5.18-7.e17 installed
> Configured to use flatfile to authenticate Cisco router using UID/PWD via SCEP
> I am able to successfully authenticate and enroll the router via SCEP using UID/PWD in flatfile
>
> Issue:
> The UID=IP-address of the router interface toward the CA server, this IP is assigned via DHCP, thus not deterministic.
> When I configured an IP address of a Loopback interface under the Trustpoint configuration of the router, I can see that it is seen by the CA in the logs, but it is not used for authentication/enroll.
> I tried to change the CS.cfg file to use the CN/PWD to authenticate, however it appears I may have missed something as it fails with a password null.
>
> Can you please assist with providing one of two options:
> 1. How to authenticate/enroll router via Loopback interface IP address that is specified in the Trustpoint configuration of the router?
> 2. How to authenticate/enroll the router using the CN/PWD in the flatfile?
>
> Thanks in advance for your assistance!
>
> See below some output from the debug file:
>
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: keys.length = 1
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating: 10.0.1.1
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key 10.0.1.1 <-------- this is the IP I have configured in flatfile
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: keys.length = 1
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating: null
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = UID
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: authenticating user: finding user from key: 10.1.1.1 <----- this is the router outside interface IP
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: User not found in password file.
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: operation failure - Invalid Credential.
>
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Found profile=caRouterCert
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Retrieving authenticator
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: keys.length = 1
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating: dev-sec-a-2.example.com
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key dev-sec-a-2.example.com
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: keys.length = 1
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating: null
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = CN
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: operation failure - Authentication credential for CN is null.
>
> Regards,
> Rohan Raymore
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From rraymore at cisco.com Thu Dec 10 17:37:16 2020
From: rraymore at cisco.com (Rohan Raymore (rraymore))
Date: Thu, 10 Dec 2020 17:37:16 +0000
Subject: [Pki-users] Dogtag PKI CA not enrolling router with CN or when IP specified in Trustpoint confg
In-Reply-To:
References: <5EE39083-9C3D-4A2F-8FB3-45B01CAD3D82@cisco.com>,
Message-ID:

Hi Christina,

Thanks for following up. You are correct, I have tested UID/PWD auth with SCEP and that is working fine.
As mentioned, the only reason I am not able to use this method is because the UID/IP address is using the DHCP-assigned uplink IP address. For my solution we need a more deterministic UID, as such I was attempting to use the CN/PWD auth with SCEP.

The way I set up the CN/PWD auth with SCEP is to first get a working UID/PWD auth with SCEP setup. Then edit the "…/ca/CS.cfg":

auths.instance.flatFileAuth.authAttributes=PWD
auths.instance.flatFileAuth.deferOnFailure=true
auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
auths.instance.flatFileAuth.keyAttributes=CN
auths.instance.flatFileAuth.pluginName=FlatFileAuth

Then edit the "…/ca/flatfile.txt":

CN:dev-sec-a-2.example.com
PWD:password

Then I restart the service and test.

Cheers,
Rohan
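The following is an added illustration for readers of this thread, not code from Dogtag or from either poster. It models the FlatFileAuth lookup as the CS.cfg keys (keyAttributes, authAttributes) and the debug messages in the thread describe it: the file is indexed by the concatenated key attributes ("putting: key ..."), the request's key attributes are concatenated and looked up ("finding user from key: ..."), and then the auth attributes are compared. The flat-file entries, the assumption that blank lines separate entries, the "" join for multiple key attributes, and the password value "password" on the request side are all constructed here; the IPs and the CN are the ones from the log above. Replaying the two configurations shows why each failed: the UID case looks up the source address 10.1.1.1 while the file holds 10.0.1.1, and the CN case never reaches the file at all because the SCEP request supplies no CN credential.

```python
# Added illustration: a model of the FlatFileAuth lookup as the debug output
# in this thread describes it. This is NOT Dogtag's code; the behaviour is
# inferred from the CS.cfg keys (keyAttributes, authAttributes) and from the
# "putting: key", "finding user from key", "User not found" and
# "credential ... is null" messages quoted in the thread.
from typing import Dict, List, Optional

# Constructed flat files mirroring the two configurations in the thread.
# Assumption: one "ATTR:value" per line, a blank line separates entries.
FLATFILE_UID = "UID:10.0.1.1\nPWD:password\n"
FLATFILE_CN = "CN:dev-sec-a-2.example.com\nPWD:password\n"


def parse_flatfile(text: str) -> List[Dict[str, str]]:
    """Split the flat file into entries (dicts of ATTR -> value)."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def build_key(attrs: Dict[str, Optional[str]], key_attrs: List[str]) -> Optional[str]:
    """Concatenate the keyAttributes values; None if any value is missing.

    The log's "concatenating: null" lines are modelled by the None return.
    Joining with "" for several key attributes is an assumption; the thread
    only ever configures a single key attribute (UID or CN)."""
    parts = []
    for attr in key_attrs:
        value = attrs.get(attr)
        if value is None:
            return None
        parts.append(value)
    return "".join(parts)


def authenticate(flatfile: str, key_attrs: List[str], auth_attrs: List[str],
                 creds: Dict[str, Optional[str]]) -> str:
    """Return a result string modelled on the messages seen in the CA debug log."""
    # Index the file by its key, as the "putting: key ..." lines show.
    index: Dict[str, Dict[str, str]] = {}
    for entry in parse_flatfile(flatfile):
        key = build_key(entry, key_attrs)
        if key is not None:
            index[key] = entry
    # The request must supply every key attribute before any lookup happens.
    for attr in key_attrs:
        if creds.get(attr) is None:
            return f"Authentication credential for {attr} is null."
    entry = index.get(build_key(creds, key_attrs))
    if entry is None:
        return "User not found in password file."
    # Compare the authAttributes (PWD) against the stored entry.
    for attr in auth_attrs:
        if creds.get(attr) is None:
            return f"Authentication credential for {attr} is null."
        if creds[attr] != entry.get(attr):
            return "Invalid Credential."
    return "OK"


# Credentials as the CA sees them for the SCEP request in the thread: UID is the
# address the request arrived from (10.1.1.1, the router's outside interface);
# the PWD value is constructed for this illustration.
SCEP_REQUEST_CREDS: Dict[str, Optional[str]] = {"UID": "10.1.1.1", "PWD": "password"}


def run_thread_cases() -> Dict[str, str]:
    """Replay the two failures from the log plus what each config would need to pass."""
    return {
        # UID config: file holds 10.0.1.1, request arrives from 10.1.1.1
        "uid_mismatch": authenticate(FLATFILE_UID, ["UID"], ["PWD"], SCEP_REQUEST_CREDS),
        # UID config with the file holding the address the request actually came from
        "uid_match": authenticate(FLATFILE_UID.replace("10.0.1.1", "10.1.1.1"),
                                  ["UID"], ["PWD"], SCEP_REQUEST_CREDS),
        # CN config: the request carries no CN credential at all
        "cn_missing": authenticate(FLATFILE_CN, ["CN"], ["PWD"], SCEP_REQUEST_CREDS),
        # CN config only passes if the request itself supplies a CN credential
        "cn_supplied": authenticate(FLATFILE_CN, ["CN"], ["PWD"],
                                    {"CN": "dev-sec-a-2.example.com", "PWD": "password"}),
    }


if __name__ == "__main__":
    for name, result in run_thread_cases().items():
        print(f"{name:12s} -> {result}")
```

The point the model makes is that the CN failure is independent of what the flat file contains: the "Authentication credential for CN is null" message is produced before any file lookup, so editing flatfile.txt cannot fix it. Whether the SCEP enrollment path can be made to present a CN credential (rather than only the connecting address as UID) is exactly the open question in the thread; the model does not answer it.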