"PKI Subsystem Configuration" help (RD@WoSign)
by wosign .cn
Hi, all,
I am trying to install Dogtag Certificate System, but at the
"PKI Subsystem Configuration" step we have a problem at "Create a New
Security Domain": whatever we enter, it displays the error "$errorString", and
if we choose "Join an Existing Security Domain", it displays the error
"org.xml.sax.SAXParseException: The string "--" is not permitted within
comments."
Maybe some component or configuration is wrong, but I set up and configured the PKI
subsystem (including requirements and runtime tools) following the site:
http://pki.fedoraproject.org/wiki/PKI_Install_Guide ,
Here is the information about my configuration and environment:
hostname: wotestca.com
step 1:
============================================================
Starting pki-ca: [OK]
pki-ca (pid 2817) is running ...
'pki-ca' must still be CONFIGURED!
(see /var/log/pki-ca-install.log)
Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.
Please start the configuration by accessing:
https://wotestca.com:9445/ca/admin/console/config/login?pin=HPQkcbu71yCYkSpJg6Qz <https://wosignfedora:9445/ca/admin/console/config/login?pin=HPQkcbu71yCYk...>
After configuration, the server can be operated by the command:
/sbin/service pki-cad restart pki-ca
------------------------------------------------------------------------------------------------------------------------
step 2:
open "https://wotestca.com:9445/ca/admin/console/config/login?pin=HPQkcbu71yCYkSpJg6Qz <https://wofedora:9445/ca/admin/console/config/login?pin=HPQkcbu71yCYkSpJg6Qz>"
to get to the CA Setup Wizard
step 3:
choose "Create a New Security Domain", enter "testwosecdomain" and
click the "NEXT>" button;
it returns the error "Invalid characters found in Security Domain Name
testwosecdomain. Valid characters are A-Z, a-z, 0-9, dash and space"
choose "Join an Existing Security Domain":
if I enter "https://wotestca.com:9445 <https://wofedora:9445/>"
it returns the error "org.xml.sax.SAXParseException: The string "--" is not
permitted within comments"
if I enter "https://wotestca.com:9443" or "https://wotestca.com:9446"
it returns the error "Illegal SSL Admin HTTPS url value for the security domain"
check the directory server:
#service dirsrv status
#dirsrv testca (pid 3342) is running......
So we can't go on. Please tell me what the problem is and what to do.
Thanks a lot.
--
Best Regards,
jeff
13 years, 1 month
testing pki-ca behind apache for ipa
by Ade Lee
Adam,
As you know, I have been testing putting a dogtag CA behind an apache
instance - and using the standard ports to contact the CA. The basic
idea is to let apache handle the client authentication required, and
then to pass the relevant parameters to tomcat using AJP.
What this means is there will be a dogtag.conf file placed
under /etc/httpd/httpd.conf - and this file will contain Location
elements with ProxyPass directives. Some of these (agent pages) will
require client authentication, and some will not.
I had run into an issue with my browser where, when switching from
non-client-auth to client-auth, renegotiations were being disallowed.
This is, I strongly suspect, due to the fixes in NSS for the MITM issue,
where "unsafe" legacy renegotiations will be disallowed. Attempts to
pass the relevant environment parameters to NSS failed to alter this
result. I'll continue to work with Rob on this.
However, I believe that this problem will not affect the installation/
interaction of IPA with dogtag. Why? Because the ipa-ra-plugin is
using the latest NSS under the covers - which uses the new safe
renegotiation protocol.
My initial testing seems to indicate that this is in fact the case.
However, as I have been pulled into fips issues, I was hoping you could
continue the testing. Once we have a working setup, we can worry about
the code changes to pkicreate/pkisilent to do most of the
configuration.
Here is what you need to do:
1. Install ipa with dogtag
2. Stop the CA (service pki-cad stop pki-ca)
3. Modify /etc/pki-ca/server.xml. You need to uncomment the ajp port,
and have it redirect for SSL to the EE port (9444)
4. Modify the web.xml in /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to
turn off the filtering mechanism. You will see stanzas like the
following for ee, agent and admin ports. Make sure that active is set
to false for all.
<filter>
    <filter-name>AgentRequestFilter</filter-name>
    <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
    <init-param>
        <param-name>https_port</param-name>
        <param-value>9203</param-value>
    </init-param>
    <init-param>
        <param-name>active</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
5. Place the attached dogtag.conf file into /etc/httpd/conf.d/
6. restart the ca. (service pki-cad start pki-ca)
We are now ready to do some testing.
1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443
2. Do your IPA cert tests and confirm that it works ok.
3. Try installing a replica. Make sure to pass https://hostname:443
That is - do not leave out the 443 part as the installation code will
not recognize 443 as a default port. Actually, now that I think about
it - there will be more changes needed in the Installation Panel code to
get all this to work. So I'll get to this when I can.
Thanks,
Ade
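As an added illustration of the setup Ade describes (Apache terminating TLS, enforcing client-certificate authentication only on the agent pages, and forwarding to Tomcat over AJP), here is a hypothetical /etc/httpd/conf.d/dogtag.conf. This is not the file attached to the original message, and the AJP port (8009), the path layout under /ca, and the use of mod_nss rather than mod_ssl are assumptions made for the example:

```apache
# Hypothetical dogtag.conf (added example, not the attachment from the thread).
# Assumes: httpd with mod_nss, mod_proxy and mod_proxy_ajp loaded, and the
# Tomcat AJP connector from /etc/pki-ca/server.xml listening on 127.0.0.1:8009
# (the port is an assumption; check the uncommented connector in server.xml).

ProxyRequests Off
ProxyPreserveHost On

# Everything under /ca is handed to Tomcat over AJP. TLS is required so that
# the CA is never reachable in the clear through the proxy.
<Location "/ca">
    NSSRequireSSL
    ProxyPass        ajp://127.0.0.1:8009/ca
    ProxyPassReverse ajp://127.0.0.1:8009/ca
</Location>

# End-entity and admin pages: server-side TLS only, no client certificate.
<Location "/ca/ee">
    NSSVerifyClient none
</Location>

<Location "/ca/admin">
    NSSVerifyClient none
</Location>

# Agent pages: with the port-based AgentRequestFilter in web.xml set to
# active=false, the client-certificate requirement that used to be tied to
# port 9443 must now be enforced here. ExportCertData makes the certificate
# available to mod_proxy_ajp, which forwards it to Tomcat as SSL_CLIENT_CERT.
<Location "/ca/agent">
    NSSVerifyClient require
    NSSOptions +ExportCertData +StdEnvVars
</Location>
```

Two things worth checking when using a file like this. First, the per-Location switch from "NSSVerifyClient none" to "NSSVerifyClient require" is exactly what forces the TLS renegotiation Ade saw his browser refuse, so a browser that will not do legacy renegotiation will fail on /ca/agent even though the ipa-ra-plugin works. Second, because the web.xml filters no longer separate agent, end-entity and admin traffic by port, the AJP connector must not be reachable from anywhere but the proxy (bind it to 127.0.0.1 and firewall it); otherwise a client could talk AJP to Tomcat directly and bypass the client-certificate requirement entirely.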
13 years, 1 month