Renew expired OCSP system certificates
by pki tech
Hi all,
Good day to you all.
What is the process to renew all four system certificates
(SubsystemCert, ServerCert, ocspSigningCert and AuditsigningCert) when
those existing certificates are currently expired? I can't access
pkiconsole either, as the system is not up and running.
I have used certutil to generate the certificate requests and get them
signed by the CA. But it didn't work as expected. I believe the procedure
that I have followed for request generation, or the signing profiles used for
the generation, may have some issues.
Cheers.
Regards,
Mark
8 years, 5 months
base64 CMC Request format
by Elliott William C OSS sIT
Hi all,
Can Dogtag (in this case v. 9.0.3-30.el6) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming?
We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
Thanks and best regards,
William Elliott
s IT Solutions
Open System Services
8 years, 5 months
How to setup PKI CA to ask for passwords at startup?
by Aleksey Chudov
Hi,
The password.conf file stores system passwords in plaintext, and I prefer
to enter system passwords manually and to remove the password file.
I have found original documentation
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/....
But it is for an older version of PKI and does not work with systemd.
How to setup PKI CA to ask for NSS DB password at startup?
Package versions (I have rebuilt F22 packages for CentOS 7):
# rpm -qa | grep pki
pki-base-10.2.5-1.el7.centos.noarch
pki-server-10.2.5-1.el7.centos.noarch
dogtag-pki-server-theme-10.2.5-1.el7.centos.noarch
pki-ca-10.2.5-1.el7.centos.noarch
pki-tools-10.2.5-1.el7.centos.x86_64
dogtag-pki-console-theme-10.2.5-1.el7.centos.noarch
Aleksey
9 years, 3 months
Possible PKI LDAP connections leak?
by Aleksey Chudov
Hi,
I have found a possible PKI LDAP connection leak on access to the
/ca/rest/securityDomain/domainInfo URL.
To reproduce:
# ss -ant state established sport = :636
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 10.172.3.13:636 10.172.3.13:57696
0 0 10.172.3.13:636 10.172.3.13:57692
0 0 10.172.3.13:636 10.172.3.13:57695
0 0 10.172.3.13:636 10.172.3.13:57690
0 0 10.172.3.13:636 10.172.3.13:57689
0 0 10.172.3.13:636 10.172.3.13:57693
0 0 10.172.3.13:636 10.172.3.13:57688
0 0 10.172.3.13:636 10.172.3.13:57691
0 0 10.172.3.13:636 10.172.3.13:57687
# ss -ant state established sport = :636 | wc -l
10
# for ((i=0; i<256; i++)); do curl http://localhost/ca/rest/securityDomain/domainInfo &>/dev/null; done
# ss -ant state established sport = :636 | wc -l
266
Every request to the /ca/rest/securityDomain/domainInfo URL increases the number of
LDAP connections and produces the same message in the debug log:
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SessionContextInterceptor: Not authenticated.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
AuthMethodInterceptor: mapping: default
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
AuthMethodInterceptor: required auth methods: [*]
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
AuthMethodInterceptor: anonymous access allowed
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor:
SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
ACLInterceptor.filter: no authorization required
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor: No
ACL mapping; authz not required.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SignedAuditEventFactory: create()
message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL
mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization
success
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
MessageFormatInterceptor: content-type: null
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
MessageFormatInterceptor: accept: [*/*]
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
MessageFormatInterceptor: response format: application/xml
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: according to ccMode,
authorization for servlet: securitydomain is LDAP based, not XML {1}, use
default authz mgr: {2}.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Creating
LdapBoundConnFactor(SecurityDomainProcessor)
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
LdapBoundConnFactory: init
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
LdapBoundConnFactory:doCloning true
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init
begins
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init:
prompt is internaldb
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init:
try getting from memory cache
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init:
got password from memory
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init:
password found for prompt.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo:
password ok: store in memory cache
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init
ends
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: init: before
makeConnection errorIfDown is false
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: makeConnection:
errorIfDown false
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SSL handshake
happened
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Established LDAP
connection using basic authentication to host srv334.example.com port 636
as cn=Directory Manager
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: initializing with
mininum 3 and maximum 15 connections to host srv334.example.com port 636,
secure connection, true, authentication type 1
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: increasing minimum
connections by 3
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new total available
connections 3
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new number of
connections 3
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: In
LdapBoundConnFactory::getConn()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: masterConn is
connected: true
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: conn is
connected true
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: mNumConns
now 2
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: name: Company LLC
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: subtype: CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - cn=srv333.example.com:8443,cn=CAList,ou=Security
Domain,o=pki-tomcat-CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - DomainManager: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - cn: srv333.example.com:8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - SubsystemName: CA srv333.example.com 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - Clone: FALSE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - UnSecurePort: 8080
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - SecureAdminPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - SecureAgentPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - SecurePort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - host: srv333.example.com
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - objectClass: top
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - cn=srv334.example.com:8443,cn=CAList,ou=Security
Domain,o=pki-tomcat-CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - objectClass: top
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - cn: srv334.example.com:8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - host: srv334.example.com
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - SecurePort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - SecureAgentPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - SecureAdminPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - UnSecurePort: 8080
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - DomainManager: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - Clone: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - SubsystemName: CA srv334.example.com 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - cn=srv335.example.com:8443,cn=CAList,ou=Security
Domain,o=pki-tomcat-CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - objectClass: top
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - cn: srv335.example.com:8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - host: srv335.example.com
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - SecurePort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - SecureAgentPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - SecureAdminPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - UnSecurePort: 8080
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - DomainManager: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - Clone: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: - SubsystemName: CA srv335.example.com 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: subtype: OCSP
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: subtype: KRA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: subtype: RA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: subtype: TKS
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
SecurityDomainProcessor: subtype: TPS
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Releasing ldap
connection
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: returnConn:
mNumConns now 3
At the same time, requests to different URLs do not increase the number of
established LDAP connections.
Is it a bug or expected behavior?
Aleksey
9 years, 3 months
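A small detection helper for the measurement described in the post above (an added example, not code from the post or from Dogtag): it counts established LDAPS sockets in a constructed sample of `ss` output, computes the per-request growth that the post observed, and counts how often a request thread builds a fresh connection pool in a constructed debug-log excerpt. The log-line prefixes and socket addresses are modelled on the post; the values are constructed.

```python
import re

# Constructed sample of `ss -ant state established sport = :636` output,
# modelled on the listing in the post (three sockets before the test).
SS_BEFORE = """\
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 10.172.3.13:636 10.172.3.13:57696
0 0 10.172.3.13:636 10.172.3.13:57692
0 0 10.172.3.13:636 10.172.3.13:57695
"""
# Constructed "after" sample: 256 extra sockets, i.e. one per request.
SS_AFTER = SS_BEFORE + "".join(
    f"0 0 10.172.3.13:636 10.172.3.13:{57700 + i}\n" for i in range(256)
)
# Constructed debug-log excerpt: two requests, each creating a new pool.
DEBUG_LOG = """\
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Established LDAP connection using basic authentication to host srv334.example.com port 636 as cn=Directory Manager
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Releasing ldap connection
[27/Aug/2015:18:04:01][ajp-bio-127.0.0.1-8009-exec-7]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[27/Aug/2015:18:04:01][ajp-bio-127.0.0.1-8009-exec-7]: Established LDAP connection using basic authentication to host srv334.example.com port 636 as cn=Directory Manager
[27/Aug/2015:18:04:01][ajp-bio-127.0.0.1-8009-exec-7]: Releasing ldap connection
"""

# Recv-Q Send-Q Local:Port Peer:Port; the header line does not match.
SOCKET_LINE = re.compile(r"^\s*\d+\s+\d+\s+\S+:(\d+)\s+\S+:(\d+)\s*$")


def count_established(ss_output: str, local_port: int = 636) -> int:
    """Count established sockets whose local port is the LDAPS listener."""
    return sum(
        1 for line in ss_output.splitlines()
        if (m := SOCKET_LINE.match(line)) and int(m.group(1)) == local_port
    )


def leak_per_request(before: int, after: int, requests: int) -> float:
    """Net new sockets per request. A pooled client should stay near 0;
    the post measured (266 - 10) / 256 = 1.0, one leaked socket per call."""
    return (after - before) / requests


def pool_creations(debug_log: str) -> int:
    """Times a request thread built a fresh LdapBoundConnFactory. A pool
    belongs to the subsystem's lifetime, so per-request creation is the leak."""
    return sum("Creating LdapBoundConnFactor" in l for l in debug_log.splitlines())


if __name__ == "__main__":
    b, a = count_established(SS_BEFORE), count_established(SS_AFTER)
    print(f"before={b} after={a} leak/request={leak_per_request(b, a, 256)}")
    print(f"pools created in log excerpt: {pool_creations(DEBUG_LOG)}")
```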
How to install RA on DogTag 10?
by Ben Peck
I'm running Fedora 21 with Dogtag 10.2.1-3 and trying to get the
Registration Authority subsystem to install to enable SCEP ultimately.
I installed pki-ra, but when I run "pkispawn -s RA" I get the following:
Traceback (most recent call last):
File "/usr/sbin/pkispawn", line 579, in <module>
main(sys.argv)
File "/usr/sbin/pkispawn", line 143, in main
parser.init_config()
File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 192, in init_config
'pki_instance_name': default_instance_name,
UnboundLocalError: local variable 'default_instance_name' referenced before assignment
Can anyone point me in the right direction concerning SCEP and DogTag 10?
Is there some updated documentation on this somewhere I'm missing?
Thanks,
Ben
9 years, 4 months