June 2014 - Pki-users - Dogtag Pki List Archives

by Elliott William C OSS sIT

Hi all, Can Dogtag (in this case v. 9.0.3-30.el6 ) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming? We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded. Thanks and best regards, William Elliott s IT Solutions Open System Services

8 years, 11 months

4
6
0 / 0

ECC entity certificate signing and Dogtag

by sbernst＠gmail.com

Hi there... It has been suggested that this is likely a question for CFU (Christina). How and where do I get the libraries to get ECC working on DogTag on FC20? Specifically looking to sign client side generated PKCS#10 key blobs. The Dogtag 10 release from 17 Jan 2013 suggested that this might be supported, but Info from the link below says that, “Certicom software tokens could not be used because of an issue with malformed private keys.” https://www.redhat.com/archives/pki-users/2013-January/msg00001.html So what all is required to sign ECC generated requests? (not planning on use of TMS interface at this point). I saw that bug Bug 986831 says that, “Some tools are broken for ECC with NSS token alone,” (from the 10.1 release announcement from November of last year https://www.redhat.com/archives/pki-users/2013-November/msg00001.html) but I'm not authorized to view its details. (I mention this to demonstrate that I'm trying to do my homework on this issue before asking for help.) Thank you so much, in advance, for any and all help. - Steven

10 years, 11 months

2
1
0 / 0

PIN reuse with SCEP flatfile authentication

by Elliott William C OSS sIT

Hi, We're trying to get automated enrollment going with a new dogtag CA (v.9 auf RHEL6) using SCEP. We have a system in place which verifies signing requests (assuming the role of an RA) and would pass them on to the CA using the SCEP protocol. We have problems trying to achieve a configuration with which we can live with. version 9 of DT is very stringent about not allowing reuse of PINs. How do others use SCEP with thousands of clients without managing the flatfile.txt for all of the different hosts and PINs? (In the past we have used the same PIN for all hosts, route all requests over the same IP (UID) and restricted DT from commenting out the entry in flatfile.txt. However, the latest versions of DT seem to cache the status of UID/PIN from the flatfile in memory as already used and invalid after it is used once. When I read the documentation of CS 8.1 regarding router certificates, I'm amazed by the tedious manual steps involved with authentication. How can this be used with thousands of clients? I'd like to have the CA authenticate the SCEP requests based on a the pkcs7 signature - that being one using a valid cert from the CA (similar to renewal in the protocol, without the PIN.) I tried this with and without a PIN in the pkcs10 request, but it also failed unless a valid PIN was in the flatfile.txt file. Authentication seems always to require a valid (one-time) PIN. Basically, we'd like to be able to reuse PINs as before - even though this was disallowed in a security bug-fix (I don't have the bug ID at hand ). Or, I'd even grudgingly accept NO authentication, and I would restrict/control access through other means (network, etc.) I'd love to hear from anyone who has SCEP in use with many hosts! How do you achieve it these days??? Thanks in advance for any tips, William Elliott s IT Solutions Open System Services s IT Solutions AT Spardat GmbH mailto:william.elliott@s-itsolutions.at Head Office: Vienna Commercial Register No.: 152289f Commercial Court of Vienna This message and any attached files are confidential and intended solely for the addressee(s). Any publication, transmission or other use of the information by a person or entity other than the intended addressee is prohibited. If you receive this in error please contact the sender and delete the material. The sender does not accept liability for any errors or omissions as a result of the transmission.

10 years, 11 months

1
0
0 / 0

problems creating a KRA clone

by Paul Robert Marino

I'm in the process of creating a replica of a dogtag 10 server adn all is well sofar except for one thing I initially made a mistake in the config file for the pkispawn cloning the KRA Ive tried pkidestroy then manually deleting the database and the replication agreements in 389 server but I keep getting stuck on this. " 2014-06-09 21:53:54 pkispawn : INFO ....... constructing PKI configuration data. 2014-06-09 21:53:54 pkispawn : INFO ....... configuring PKI configuration data. 2014-06-09 21:54:04 pkispawn : ERROR ....... Exception from Java Configuration Servlet: Errors in pushing KRA connector information to the CA: com.netscape.certsrv.base.ConflictingOperationException: Attribute or value exists. 2014-06-09 21:54:04 pkispawn : DEBUG ....... Error Type: HTTPError 2014-06-09 21:54:04 pkispawn : DEBUG ....... Error Message: 500 Server Error: Internal Server Error 2014-06-09 21:54:04 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 463, in main rv = instance.spawn(deployer) File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 126, in spawn json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3194, in configure_pki_data response = client.configure(data) File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in configure r = self.connection.post('/rest/installer/configure', data, headers) File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post r.raise_for_status() File "/usr/lib/python2.7/site-packages/requests/models.py", line 683, in raise_for_status raise HTTPError(http_error_msg, response=self) " does any one have any ideas on what could be causing this. Thank You

11 years

1
0
0 / 0

locking down specific URL's on port 8080

by Paul Robert Marino

hello I am currently working on a new dogtag PKI 10 install I relized though there are 3 URL's that concern me and I would like to preven public access to them they are http://<FQDN>:8080/ca/ee/ca/profileSelect?profileId=<profiletypehere>, http://<FQDN>:8080, and http://<FQDN>:8080/ca/ee/ca/profileList im looking at a method mentioned here http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_Address... Ive tried putting in a rule into /etc/pki/pki-tomcat/web.xml like so " <filter> <filter-name>Remote Address Filter</filter-name> <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class> <init-param> <param-name>allow</param-name> <param-value>192\.168\.100\.\d+|192\.168\.200\.\d+</param-value> </init-param> </filter> <filter-mapping> <filter-name>Remote Address Filter</filter-name> <url-pattern>/ca/ee/ca/profileSelect*|/ca/ee/ca/profileSubmit*|/ca/ee/ca/profileList</url-pattern> </filter-mapping> " note Ive changed the subnets those are not the real ones I used in my configuration. Unfortunately it doesn't seem to be working. does any one have any pointers for me or an example of what they have used for this?

11 years

1
1
0 / 0

possible bug in DogTag 10 on Fedora 20

by Paul Robert Marino

I'm trying to install the RA when I try to run the following I get " # pkispawn -s RA -v Tomcat: Instance [pki-apache]: HTTP port [80]: Secure HTTP port [443]: Traceback (most recent call last): File "/usr/sbin/pkispawn", line 530, in <module> main(sys.argv) File "/usr/sbin/pkispawn", line 148, in main parser.read_text('AJP port', config.pki_subsystem, 'pki_ajp_port') File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 257, in read_text default = self.pki_master_dict[key] KeyError: 'pki_ajp_port' " does any one know if this is a known bug new bug or am I using the wrong method?

11 years

2
2
0 / 0

support for tomcat8?

by Timo Aaltonen

Hi Next Debian release will probably ship with only tomcat 8.x in the archive, so I was wondering if Dogtag needs anything special to use it? I see that Fedora still has 7.0.x. -- t

11 years

1
0
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-users June 2014