[Pki-users] Dogtag PKI CA not enrolling router with CN or when IP specified in Trustpoint config

Christina Fu cfu at redhat.com
Thu Dec 10 02:16:04 UTC 2020


Hi Rohan,
I have only played with IP UID/PWD auth with SCEP, which I just tried and
seems to be working.
Could you maybe give me info on how you set up CN/PWD and I could look into
that.

thanks,
Christina

On Sun, Nov 29, 2020 at 11:57 PM Rohan Raymore (rraymore) <
rraymore at cisco.com> wrote:

> Hello,
>
> I am looking for some guidance/assistance with a dogtag-pki CA server
> setup that I am testing.
>
> Environment:
>
> Cisco ASR router
>
> CentOS 7 vm
>
> PKI version 10.5.18-7.e17 installed
>
> Configured to use flatfile to authenticate Cisco router using UID/PWD via
> SCEP
>
> I am able to successfully authenticate and enroll the router via SCEP
> using UID/PWD in flatfile
>
> Issue:
>
> The UID is the IP address of the router interface toward the CA server; this IP
> is assigned via DHCP and is thus not deterministic.
>
> When I configured an IP address of a Loopback interface under the
> Trustpoint configuration of the router, I can see that it is seen by the CA in
> the logs, but it is not used for authentication/enrollment.
>
> I tried to change the CS.cfg file to use the CN/PWD to authenticate,
> however it appears I may have missed something as it fails with a password
> null.
>
> Can you please assist with providing one of two options:
>
>    1. How to authenticate/enroll router via Loopback interface IP address
>    that is specified in the Trustpoint configuration of the router?
>    2. How to authenticate/enroll the router using the CN/PWD in the
>    flatfile?
>
> Thanks in advance for your assistance!
>
> See below some output from the debug file:
>
> <snip>
>
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: Got
> authenticator=com.netscape.cms.authentication.FlatFileAuth
>
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: keys.length =
> 1
>
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth:
> concatenating: 10.0.1.1
>
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key
> 10.0.1.1  <-------- this is the IP I have configured in flatfile
>
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: keys.length =
> 1
>
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth:
> concatenating: null
>
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key
>
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating
> string i=0  keyAttrs[0] = UID
>
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth:
> authenticating user: finding user from key: 10.1.1.1 <----- this is the
> router outside interface IP
>
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: User not
> found in password file.
>
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: operation failure - Invalid
> Credential.
>
> <snap>
>
> <snip>
>
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Found profile=caRouterCert
>
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Retrieving authenticator
>
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Got
> authenticator=com.netscape.cms.authentication.FlatFileAuth
>
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: keys.length = 1
>
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth:
> concatenating: dev-sec-a-2.example.com
>
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key
> dev-sec-a-2.example.com
>
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: keys.length = 1
>
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth:
> concatenating: null
>
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key
>
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating
> string i=0  keyAttrs[0] = CN
>
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: operation failure -
> Authentication credential for CN is null.
>
> <snap>
>
> Regards,
>
> Rohan Raymore
>
> Rohan Raymore <http://directory.cisco.com/dir/details/rraymore>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
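As an added example (not from this thread and not Dogtag's own code), a small Python triage script that parses the FlatFileAuth debug lines quoted above and separates the two failure modes shown: the UID presented by the router not matching the key loaded from the flat file, and a CN key attribute for which the request carried no credential at all. The log format and values come from the thread; grouping by worker thread and the verdict wording are assumptions.

```python
import re

# Constructed sample: the CS debug lines quoted in the thread, unwrapped onto
# single lines with the ">" mail quoting and inline annotations removed.
SAMPLE_LOG = """\
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key 10.0.1.1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating string i=0  keyAttrs[0] = UID
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: authenticating user: finding user from key: 10.1.1.1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: operation failure - Invalid Credential.
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key dev-sec-a-2.example.com
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating string i=0  keyAttrs[0] = CN
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: operation failure - Authentication credential for CN is null.
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
PUT_RE = re.compile(r"FlatFileAuth: putting: key (?P<key>\S+)$")
ATTR_RE = re.compile(r"keyAttrs\[0\] = (?P<attr>\S+)$")
FIND_RE = re.compile(r"finding user from key: (?P<key>\S+)$")
FAIL_RE = re.compile(r"operation failure - (?P<why>.+)$")

def triage(log_text):
    """Group FlatFileAuth debug lines by worker thread and explain each failure."""
    attempts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a CS debug line
        a = attempts.setdefault(m["thread"], {"attr": None, "file_keys": [],
                                              "presented": None, "failure": None})
        msg = m["msg"]
        if p := PUT_RE.search(msg):          # key loaded from the flat file
            a["file_keys"].append(p["key"])
        elif p := ATTR_RE.search(msg):       # request attribute used as the key
            a["attr"] = p["attr"]
        elif p := FIND_RE.search(msg):       # value the router actually presented
            a["presented"] = p["key"]
        elif p := FAIL_RE.search(msg):
            a["failure"] = p["why"]

    for a in attempts.values():
        if a["failure"] is None:
            a["verdict"] = "no failure logged"
        elif a["presented"] is None:
            # Lookup never ran: the request carried no value for the key attribute.
            a["verdict"] = f"request carried no {a['attr']} value for the lookup"
        elif a["presented"] not in a["file_keys"]:
            a["verdict"] = (f"{a['attr']} {a['presented']} presented, but flat file "
                            f"only has {', '.join(a['file_keys'])}")
        else:
            a["verdict"] = "key matched; failure is elsewhere"
    return attempts
```

Run it over a real CS debug log by passing the file contents to triage(); a "putting: key" line with no value (the "concatenating: null" case above) is deliberately ignored, so only keys actually loaded from the flat file count.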