[PATCH] 0139 Merge duplicate authz plugin code into superclass
by Fraser Tweedale
The attached patch merges some duplicate authz manager code into the
existing AAclAuthz superclass.
It simplifies things if we end up adding a new authz manager as part
of external authentication / GSS-API support. But it's a nice
refactor to do anyway :)
Thanks,
Fraser
[PATCH] 0138 Move AuthToken key constants to IAuthToken
by Fraser Tweedale
The attached patch moves some string constants from AuthToken to
IAuthToken. External authentication support will bring a new
implementation of IAuthToken so moving these to the interface
simplifies things.
Thanks,
Fraser
Re: [Pki-devel] port to tomcat 8.5?
by Timo Aaltonen
On 02.12.2016 12:01, Timo Aaltonen wrote:
>
> Hi
>
> Debian recently switched to tomcat 8.5 which broke Dogtag. First issue that I found was that Http11Protocol is no more, need to use Http11NioProtocol. Fixing that it then fails with:
>
> 02-Dec-2016 11:26:05.270 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:113)
> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> Caused by: java.lang.NoClassDefFoundError: org/apache/tomcat/util/net/ServerSocketFactory
> ...
>
> I see Fedora is still at 8.0, so no-one has tried 8.5 yet?
Looks like tomcat 8.5 breaks the build as well for both dogtag
and tomcatjss. Debian freeze is on Jan 5th, this needs to be fixed well
before x-mas just to be on the safe side :/
dogtag build log: http://pastebin.com/gabUtiTy
tomcatjss build log: http://pastebin.com/3qrh5Eqp
--
t
Re: [Pki-devel] [Pki-users] CS Server error
by Fraser Tweedale
On Wed, Dec 07, 2016 at 05:29:41PM -0800, Rafael Leiva-Ochoa wrote:
> Here you go....I hope you can help. I am already starting to use it in
> production testing...I would hate to start all over...: (
>
The error in your log is:
[06/Dec/2016:23:28:45][localhost-startStop-1]: AuthSubsystem: initializing authentication manager flatFileAuth
Property auths.instance.flatFileAuth.pluginName missing value
at com.netscape.cmscore.base.PropConfigStore.getString(PropConfigStore.java:258)
at com.netscape.cmscore.authentication.AuthSubsystem.init(AuthSubsystem.java:200)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:582)
at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
... lots more traceback
This causes a shutdown of the Dogtag application (but not Tomcat
itself, hence it is still able to respond to HTTP requests).
Have you modified anything in /etc/pki/pki-tomcat/ca/CS.cfg
yourself? If not, perhaps it was an update gone awry, or some other
corruption of CS.cfg.
The `flatFileAuth' properties in CS.cfg should be something like:
auths.instance.flatFileAuth.authAttributes=PWD
auths.instance.flatFileAuth.deferOnFailure=true
auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
auths.instance.flatFileAuth.keyAttributes=UID
auths.instance.flatFileAuth.pluginName=FlatFileAuth
Try fixing that up and seeing if Dogtag starts. If it does not,
please attach debug log (latter portions thereof) and the CS.cfg.
Thanks,
Fraser
> On Wed, Dec 7, 2016 at 4:25 PM, Fraser Tweedale <ftweedal(a)redhat.com> wrote:
>
> > On Wed, Dec 07, 2016 at 02:11:53PM -0800, Rafael Leiva-Ochoa wrote:
> > > Hi Team,
> > >
> > > I have installed Dogtag on one of my Raspberry PI 3 devices for
> > > testing. At first it was working great. Then, I noticed that it took a very
> > > long time for the DogTag Start Page to startup when I rebooted my Pi. In
> > > some cases, it took 10 minutes, but I attributed this to the fact that it was
> > > running on an ARM processor, and it takes a while to start up. Now, for some
> > > reason, I am getting this error:
> > >
> > > HTTP Status 500 - CS server is not ready to serve.
> > >
> > > *type* Exception report
> > >
> > > *message* *CS server is not ready to serve.*
> > >
> > > *description* *The server encountered an internal error that prevented it
> > > from fulfilling this request.*
> > >
> > > *exception*
> > >
> > > java.io.IOException: CS server is not ready to serve.
> > > com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:445)
> > > javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
> > > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > java.lang.reflect.Method.invoke(Method.java:498)
> > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
> > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
> > > java.security.AccessController.doPrivileged(Native Method)
> > > javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
> > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:176)
> > > java.security.AccessController.doPrivileged(Native Method)
> > > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> > > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > java.lang.reflect.Method.invoke(Method.java:498)
> > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
> > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
> > > java.security.AccessController.doPrivileged(Native Method)
> > > javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
> > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:264)
> > >
> > > *note* *The full stack trace of the root cause is available in the Apache Tomcat/8.0.38 logs.*
> > > ------------------------------
> > > Apache Tomcat/8.0.38
> > >
> > > I have tried rebooting the PI many times, and looking at the logs, but no
> > > luck. Any ideas?
> > >
> > > Thanks,
> > >
> > > Rafael
> >
> > Thank you for testing Dogtag on ARM / RPi :)
> >
> > Could you please provide the /var/log/pki/pki-tomcat/ca/debug log
> > file? Probably best to upload the file somewhere and point us to
> > it, or send it to me off-list; it can be quite large.
> >
> > I will take a look at it and try and work out what's causing the
> > failure.
> >
> > Thanks,
> > Fraser
> >
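Fraser's reply above diagnoses the failure from a single missing value in CS.cfg and lists what a healthy `flatFileAuth` block looks like. The following is an added example (not code from this thread or from Dogtag) that parses a CS.cfg-style `key=value` file and reports any `auths.instance.<name>` block whose `pluginName`, or one of the keys the quoted FlatFileAuth block carries, is absent or empty, reproducing the `Property ... missing value` message from the debug log so the check can be run before a restart. The per-plugin key list and the treatment of an empty value as missing are assumptions drawn from the thread, not from Dogtag's plugin definitions; the sample configs are constructed.

```python
"""Sanity check for the auths.instance.* blocks of a Dogtag CS.cfg.

Added example, not Dogtag code. It parses the key=value format of CS.cfg
and reports any authentication manager instance whose pluginName (or a
plugin-specific required key) is absent or empty, mirroring the
"Property ... missing value" message seen in the debug log.
"""
import re
import sys

# Keys every auths.instance.<name> block needs. The per-plugin list is an
# assumption drawn from the FlatFileAuth block quoted in the thread, not
# from Dogtag's own plugin definitions.
REQUIRED_FOR_ALL = ("pluginName",)
REQUIRED_BY_PLUGIN = {
    "FlatFileAuth": ("fileName", "keyAttributes", "authAttributes"),
}

INSTANCE_KEY = re.compile(r"^auths\.instance\.([^.]+)\.(.+)$")


def parse_properties(text):
    """Parse CS.cfg-style 'key=value' lines into a dict (comments and blanks skipped)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_auth_instances(props):
    """Return 'Property <key> missing value' findings; an empty list means clean."""
    instances = set()
    for key in props:
        m = INSTANCE_KEY.match(key)
        if m:
            instances.add(m.group(1))

    findings = []
    for name in sorted(instances):
        prefix = f"auths.instance.{name}."
        # Absent and empty ("key=") are treated the same; an assumption.
        for key in REQUIRED_FOR_ALL:
            if not props.get(prefix + key):
                findings.append(f"Property {prefix}{key} missing value")
        plugin = props.get(prefix + "pluginName")
        for key in REQUIRED_BY_PLUGIN.get(plugin, ()):
            if not props.get(prefix + key):
                findings.append(f"Property {prefix}{key} missing value")
    return findings


# Constructed sample: the healthy block from the reply, and the same block
# with pluginName stripped of its value (the state the debug log reports).
GOOD_CFG = """\
auths.instance.flatFileAuth.authAttributes=PWD
auths.instance.flatFileAuth.deferOnFailure=true
auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
auths.instance.flatFileAuth.keyAttributes=UID
auths.instance.flatFileAuth.pluginName=FlatFileAuth
"""

BROKEN_CFG = GOOD_CFG.replace("pluginName=FlatFileAuth", "pluginName=")


if __name__ == "__main__":
    # Usage: python check_cs_cfg.py /etc/pki/pki-tomcat/ca/CS.cfg
    # With no argument the constructed broken sample is checked.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else BROKEN_CFG
    for finding in check_auth_instances(parse_properties(text)):
        print(finding)
```

Run against the live CS.cfg (as a user that can read it) after any package update; a non-empty report points at the block to repair before Dogtag is restarted, rather than after the subsystem has already shut itself down.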
[PATCH] Fixed user certificate renewal using pki client-cert-request.
by Endi Sukma Dewata
When a user renews their certificate using pki client-cert-request
the CLI will authenticate using the certificate and send an empty
request message. The server is supposed to use the certificate's
serial number to process the renewal request.
Currently the request fails if the serial number is missing from
the request message. The server has been fixed such that it
ignores the missing serial number and uses the certificate's serial
number instead.
https://fedorahosted.org/pki/ticket/2476
Pushed to master under one-liner/trivial rule.
--
Endi S. Dewata