DogTAG PKI - crlDistributionPoints cert profile: Type_0 : URIName error
by Frederic d'Huart
Hello Pki users,
Section B.1.4. of the RH admin guide refers to the following acceptable values for crlDistributionPoint Type:
DirectoryName
URIName
RelativeToIssuer
Using PKIConsole, I have added to the caUserCert profile a policy to include a CDP as follows:
policyset.userCertSet.13.default.name=CRL Distribution Points Extension Default
policyset.userCertSet.13.default.params.crlDistPointsCritical=false
policyset.userCertSet.13.default.params.crlDistPointsEnable_0=true
policyset.userCertSet.13.default.params.crlDistPointsPointType_0=URIName
policyset.userCertSet.13.default.params.crlDistPointsPointName_0=http://xxx.xxx.xxx/crl/xxx.crl
policyset.userCertSet.13.default.params.crlDistPointsReasons_0=
After the profile was re-activated and a new request generated, I get the following error on the agent interface:
The Certificate System has encountered an unrecoverable error.
Error Message:
java.lang.ClassCastException: netscape.security.x509.Extension cannot be cast to netscape.security.x509.CRLDistributionPointsExtension
Please contact your local administrator for assistance.
Any ideas what could be wrong?
Thank you.
13 years, 10 months
Re: [Pki-users] Rotating debug logs.
by Jerry McCarthy
Replying to my own post for others' edification.
I changed the logrotate to:
/var/log/pki-ca/debug /var/log/pki-kra/debug /var/log/pki-ocsp/debug
/var/log/pki-ra/debug {
    # copy the file aside and truncate the original in place, so the running
    # server keeps writing to the file handle it already holds open
    copytruncate
    weekly
    rotate 5
    notifempty
    missingok
}
And now my logs are rotating fine.
Regards,
Jerry McCarthy
CPMG
-----Original Message-----
From: Jerry McCarthy [mailto:jerry@cpmg.com]
Sent: Sunday, October 03, 2010 12:12 PM
To: 'pki-users(a)redhat.com'
Subject: Rotating debug logs.
Some of my debug logs (/var/log/pki-*/debug) are getting large. I tried
adding:
/var/log/pki-ca/debug /var/log/pki-kra/debug /var/log/pki-ocsp/debug
/var/log/pki-ra/debug {
weekly
rotate 5
notifempty
missingok
}
to /etc/logrotate.d, but that didn't appear to do anything. Can anybody give me some suggestions on how to set up the debug logs for auto rotation?
Regards,
Jerry McCarthy
CPMG
14 years, 2 months
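As an added illustration (not code from the thread), the script below simulates why a stanza without copytruncate can look as if it does nothing: a daemon such as the CA's JVM opens /var/log/pki-ca/debug once and keeps writing through that descriptor, so a rename-style rotation moves the inode away while the daemon keeps filling the renamed file. The "daemon" here is a constructed one, an open file descriptor in a temporary directory, and the script assumes nothing about Dogtag beyond the process keeping the file open.

```shell
#!/bin/sh
# Added example, not code from the list thread. It simulates why the Dogtag debug
# log appeared not to rotate until the stanza gained "copytruncate": a daemon such
# as the CA's JVM opens /var/log/pki-ca/debug once and keeps writing through that
# descriptor. A rename-style rotation moves the inode away, so the daemon keeps
# filling the renamed file while the new file stays empty; copytruncate copies the
# data out and truncates the still-open file in place. The "daemon" here is a
# constructed one: an open file descriptor in a temp directory.

count_lines() { if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi; }
count_bytes() { if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi; }

# simulate <rename|copytruncate> <append|overwrite>
# Prints "<live lines> <rotated lines> <live bytes>" after the daemon writes once
# before and once after rotation. The second argument is how the daemon opened
# the log: O_APPEND ('>>') or plain overwrite ('>').
simulate() {
    work=$(mktemp -d)
    log="$work/debug"
    if [ "$2" = append ]; then exec 3>>"$log"; else exec 3>"$log"; fi
    printf 'line written before rotation\n' >&3          # 29 bytes
    if [ "$1" = rename ]; then
        mv "$log" "$log.1"      # rename-style rotation: move the inode away ...
        : > "$log"              # ... and leave an empty file at the old path
    else
        cp "$log" "$log.1"      # copytruncate: copy the contents out ...
        : > "$log"              # ... then truncate the file the daemon holds open
    fi
    printf 'line written after rotation\n' >&3           # 28 bytes, same fd
    exec 3>&-
    printf '%s %s %s\n' "$(count_lines "$log")" "$(count_lines "$log.1")" \
        "$(count_bytes "$log")"
    rm -rf "$work"
}

# rename + append:          "0 2 0"  live log never grows; the rotated file gets both lines
# copytruncate + append:    "1 1 28" live log holds only the new line, as intended
# copytruncate + overwrite: "1 1 57" the writer's offset stays at 29, so the live file
#                           is refilled with a 29-byte hole of NUL bytes before the new
#                           line: copytruncate is only clean for O_APPEND writers
```

The third case is the caveat to keep in mind: copytruncate avoids restarting the server, but a writer that did not open its log in append mode will leave a NUL-filled gap after every rotation.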
PKI Console - Publishing Acl Error
by Frederic d'Huart
Hello Pki Users,
I have a problem accessing the DogTAG Publishing tab of the PKIConsole.
I want to enable a new CRL File publishing object as described in section 8.2.1 of the admin guide,
but I receive the error "You are not allowed to perform this operation" any time I try to access the
publishing tab and its sub-objects.
The ca_log shows this error:
___
/var/log/pki-ca/debug
[10/Oct/2010:11:06:52][http-9445-Processor24]: LdapBoundConnFactory.java:391:returnConn() returnConn: mNumConns now 3
[10/Oct/2010:11:06:52][http-9445-Processor24]: AAclAuthz.java:643:evaluateExpressions() evaluated expression: group="Registration Manager Agents" to be true
[10/Oct/2010:11:06:52][http-9445-Processor24]: SignedAuditEventFactory.java:78:create() SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_FAIL][SubjectID=admin][Outcome=Failure][aclResource=<null>][Op=<null>] authorization failure
[10/Oct/2010:11:06:52][http-9445-Processor24]: LdapBoundConnFactory.java:343:getConn() getConn: mNumConns now 2
[10/Oct/2010:11:06:52][http-9445-Processor24]: LdapBoundConnFactory.java:391:returnConn() returnConn: mNumConns now 3
[10/Oct/2010:11:06:52][http-9445-Processor24]: SignedAuditEventFactory.java:78:create() SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=admin][Outcome=Failure][Role=Certificate Manager Agents, Registration Manager Agents, Trusted Managers, Administrators, Security Domain Administrators, Enterprise CA Administrators, Enterprise KRA Administrators, Enterprise OCSP Administrators, Enterprise TKS Administrators, Enterprise RA Administrators, Enterprise TPS Administrators] assume privileged role
I have checked everywhere in the PKIConsole ACLs tab, but I didn't find anything.
Would somebody have an idea how to fix it?
Thank you.
14 years, 2 months
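The debug log quoted above mixes the two audit events that matter (AUTHZ_FAIL with aclResource=<null>, then a failed ROLE_ASSUME) with LDAP connection-pool chatter. As an added example, not code from the post or from Dogtag, the script below extracts failed audit events from such a log into one line each; the sample lines are constructed after the ones in the post, and the real file is /var/log/pki-ca/debug.

```shell
#!/bin/sh
# Added example, not code from the list post. It pulls the signed-audit style events
# that the CA writes to /var/log/pki-ca/debug (AUTHZ_FAIL and ROLE_ASSUME with
# Outcome=Failure) into one line each, so an administrator can see which subject
# failed which check instead of reading the surrounding LDAP pool chatter. The sample
# below is constructed after the lines in the post; run the function against the
# real file with:  audit_failures < /var/log/pki-ca/debug

SAMPLE_LOG=$(cat <<'EOF'
[10/Oct/2010:11:06:52][http-9445-Processor24]: AAclAuthz.java:643:evaluateExpressions() evaluated expression: group="Registration Manager Agents" to be true
[10/Oct/2010:11:06:52][http-9445-Processor24]: SignedAuditEventFactory.java:78:create() SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_FAIL][SubjectID=admin][Outcome=Failure][aclResource=<null>][Op=<null>] authorization failure
[10/Oct/2010:11:06:52][http-9445-Processor24]: LdapBoundConnFactory.java:343:getConn() getConn: mNumConns now 2
[10/Oct/2010:11:06:52][http-9445-Processor24]: SignedAuditEventFactory.java:78:create() SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=admin][Outcome=Failure][Role=Certificate Manager Agents, Administrators] assume privileged role
[10/Oct/2010:11:07:01][http-9445-Processor25]: SignedAuditEventFactory.java:78:create() SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.configuration][Op=read] authorization success
EOF
)

# audit_failures: reads a debug log on stdin and prints, per failed audit event,
#   <timestamp> <AuditEvent> <SubjectID> <aclResource, or Role for ROLE_ASSUME>
audit_failures() {
    awk '
        /\[AuditEvent=/ && /\[Outcome=Failure\]/ {
            ts = substr($1, 2, index($1, "]") - 2)           # strip the [ ] around the date
            match($0, /\[AuditEvent=[^]]*\]/); ev = substr($0, RSTART + 12, RLENGTH - 13)
            match($0, /\[SubjectID=[^]]*\]/); subj = substr($0, RSTART + 11, RLENGTH - 12)
            res = "-"
            if (match($0, /\[aclResource=[^]]*\]/)) res = substr($0, RSTART + 13, RLENGTH - 14)
            else if (match($0, /\[Role=[^]]*\]/)) res = substr($0, RSTART + 6, RLENGTH - 7)
            print ts, ev, subj, res
        }'
}

# first_failure: the first failed event in the sample (one line of output)
first_failure() { printf '%s\n' "$SAMPLE_LOG" | audit_failures | head -n 1; }

# count_authz_fail <subject>: number of AUTHZ_FAIL events recorded for that subject
count_authz_fail() {
    printf '%s\n' "$SAMPLE_LOG" | audit_failures | awk -v s="$1" '$2 == "AUTHZ_FAIL" && $3 == s' | wc -l | tr -d ' '
}
```

An AUTHZ_FAIL line whose aclResource is <null> means the check was rejected before any named resource was evaluated, which is the first thing to look for when the console refuses an operation the ACL tab seems to allow.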
Rotating debug logs.
by Jerry McCarthy
Some of my debug logs (/var/log/pki-*/debug) are getting large. I tried
adding:
/var/log/pki-ca/debug /var/log/pki-kra/debug /var/log/pki-ocsp/debug
/var/log/pki-ra/debug {
weekly
rotate 5
notifempty
missingok
}
to /etc/logrotate.d, but that didn't appear to do anything. Can anybody give me some suggestions on how to set up the debug logs for auto rotation?
Regards,
Jerry McCarthy
CPMG
14 years, 2 months
how to use remote LDAP user auth with dogtag CA/RA?
by James Kinney
I would like to use a remote LDAP connection for user authentication at the CA for user certs. However, the LDAP in use requires non-anonymous bind connections, and the UidPwdDirAuth plugin does not provide for any connection type other than anonymous.

There is a UidPwdPinDirAuth plugin that does provide binddn fields, but it seems not to use them, since the autotest that happens only returns an error from the server: "connections failed. Anonymous connections not allowed" (or something similar).
--
James "Jim" Kinney
(404) 407-7967
GTRI
14 years, 2 months