[Pki-users] Dogtag PKI CA not enrolling router with CN or when IP specified in Trustpoint config

Rohan Raymore (rraymore) rraymore at cisco.com
Mon Nov 30 07:56:44 UTC 2020


Hello,

I am looking for some guidance/assistance with a dogtag-pki CA server setup that I am testing.

Environment:
Cisco ASR router
CentOS 7 vm
PKI version 10.5.18-7.e17 installed
Configured to use flatfile to authenticate Cisco router using UID/PWD via SCEP
I am able to successfully authenticate and enroll the router via SCEP using UID/PWD in flatfile

Issue:
The UID is the IP address of the router interface toward the CA server; this IP is assigned via DHCP and is thus not deterministic.
When I configured an IP address of a Loopback interface under the Trustpoint configuration of the router, I can see that it is seen by the CA in the logs, but it is not used for authentication/enrollment.
I tried to change the CS.cfg file to use the CN/PWD to authenticate, however it appears I may have missed something as it fails with a password null.

Can you please assist with providing one of two options:

  1.  How to authenticate/enroll router via Loopback interface IP address that is specified in the Trustpoint configuration of the router?
  2.  How to authenticate/enroll the router using the CN/PWD in the flatfile?


Thanks in advance for your assistance!

See below some output from the debug file:
<snip>
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: keys.length = 1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth:  concatenating: 10.0.1.1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key 10.0.1.1  <-------- this is the IP I have configured in flatfile
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: keys.length = 1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth:  concatenating: null
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating string i=0  keyAttrs[0] = UID
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: authenticating user: finding user from key: 10.1.1.1 <----- this is the router outside interface IP
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: User not found in password file.
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: operation failure - Invalid Credential.
<snap>

<snip>
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Found profile=caRouterCert
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Retrieving authenticator
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: keys.length = 1
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth:  concatenating: dev-sec-a-2.example.com
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key dev-sec-a-2.example.com
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: keys.length = 1
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth:  concatenating: null
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating string i=0  keyAttrs[0] = CN
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: operation failure - Authentication credential for CN is null.
<snap>

Regards,
Rohan Raymore

Rohan Raymore<http://directory.cisco.com/dir/details/rraymore>
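The two debug excerpts above show FlatFileAuth failing in two different ways: a key mismatch (UID looked up is not the key loaded from the flatfile) and a missing credential (no CN attribute in the request at all). The following triage helper is an added example, not code from the post or from Dogtag; it parses lines in the quoted debug format per request thread and labels each failure. The sample log is constructed from the messages quoted above, and the diagnosis wording is this example's own interpretation of those messages.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the FlatFileAuth debug lines quoted in the post
SAMPLE_LOG = """\
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key 10.0.1.1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating string i=0  keyAttrs[0] = UID
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: authenticating user: finding user from key: 10.1.1.1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: User not found in password file.
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: operation failure - Invalid Credential.
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key dev-sec-a-2.example.com
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating string i=0  keyAttrs[0] = CN
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: operation failure - Authentication credential for CN is null.
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
PUT_RE = re.compile(r"FlatFileAuth: putting: key (?P<key>\S+)$")   # key loaded from the flatfile
ATTR_RE = re.compile(r"keyAttrs\[\d+\] = (?P<attr>\S+)")            # request attribute used as lookup key
FIND_RE = re.compile(r"finding user from key: (?P<key>\S+)")        # value the client actually supplied
FAIL_RE = re.compile(r"operation failure - (?P<reason>.*)$")

def triage_flatfile_auth(log_text):
    """Group FlatFileAuth debug lines per request thread; return {thread: fields + diagnosis}."""
    req = defaultdict(lambda: {"attr": None, "file_keys": [], "lookup": None, "reason": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r, msg = req[m["thread"]], m["msg"]
        if (p := PUT_RE.search(msg)):
            r["file_keys"].append(p["key"])
        elif (a := ATTR_RE.search(msg)):
            r["attr"] = a["attr"]
        elif (f := FIND_RE.search(msg)):
            r["lookup"] = f["key"]
        elif (e := FAIL_RE.search(msg)):
            r["reason"] = e["reason"]
    for r in req.values():
        if r["reason"] is None:
            r["diagnosis"] = "no failure recorded"
        elif "is null" in r["reason"]:
            r["diagnosis"] = f"request carried no {r['attr']} attribute; nothing to match against the flatfile"
        elif r["lookup"] and r["lookup"] not in r["file_keys"]:
            r["diagnosis"] = f"{r['attr']}={r['lookup']} sent by client, but flatfile only has {r['file_keys']}"
        else:
            r["diagnosis"] = r["reason"]
    return dict(req)
```

Feeding the CA debug log into `triage_flatfile_auth` separates "the flatfile key does not match what the client sent" from "the client never sent that attribute", which is the distinction between the two snippets above.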

