Hi Emily,
By default SCEP could take a challengePassword (internally 
"challengePhrase") that you could map with the host id, which is what 
the FlatFile authentication does.  However, the directory based 
authenticator handles literally "uid" and "pwd".  You will need to get
challengePhrase mapped to pwd into the request, and to do that you could 
write a plugin for it.
I think you could try editing the following file
server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
to get "uid" and "pwd" filled in the request.
We have professional services that could help write plugins.
Christina
On 05/01/2015 12:34 PM, Emily Stemmerich wrote:
 Hi,
 I was wondering if anyone could offer some assistance with getting 
 SCEP working with LDAP auth?
 Thanks!
 -Emily
 Date: Monday, April 27, 2015 at 4:53 PM
 To: pki-users@redhat.com
 Subject: [Pki-users] SCEP directory authentication
 Hi,
 I am still trying to get Dogtag 10.2.1 on Fedora 21 working to allow 
 for router identity certificates obtained by Cisco Routers via SCEP to 
 be auto-renewing.  I have found that the one-time pin model doesn’t 
 work for auto-renewal.  I was pointed to the RedHat document below 
 that discusses using directory-based auth in Section 8.2.1, but I’m 
 having issues with getting it to work.
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
 I’m not certain what to put in the dnpattern attribute and there are 
 no examples I can find and am wondering if it is the reason attempts 
 show uid and credentials as null from the router – details of the 
 setup later on in this email.
  * *dnpattern.* Specifies a string representing a subject name
    pattern to formulate from the directory attributes and entry DN.
 ------------------------------------------
 From my CS.conf (RouterAuth is then referenced in the caRouterCert.cfg 
 instead of flatfile):
 auths.instance.RouterAuth.pluginName=UidPwdDirAuth
 auths.instance.RouterAuth.ldap.basedn=ou=RouterID,dc=auth,dc=sample,dc=com
 auths.instance.RouterAuth.ldap.ldapconn.host=localhost
 auths.instance.RouterAuth.ldap.ldapconn.port=389
 auths.instance.RouterAuth.ldap.ldapconn.secureConn=false
 ------------------------------------------
 I’ve created a hierarchy outside of dogtag for doing router auth:
 ou=RouterID,dc=auth,dc=sample,dc=com
 ------------------------------------------
 Test User Account (I am not sure what objectClass to use, so I found 
 one with uid and password as options and used that):
 dn: uid=172.18.240.11,ou=RouterID,dc=auth,dc=sample,dc=com
 uid: 172.18.240.11
 objectClass: inetUser
 userPassword: testpass
 ------------------------------------------
 Router config.  For flatfile auth it ends up using the wan IP and the 
 password and password in the identity section, however for LDAP auth I 
 don’t know what things would map to:
 crypto ca identity SAMPLE
 enrollment url http://172.21.4.239:8080/ca/cgi-bin
 revocation-check none
 fqdn emilyvpn.sample.com
 serial-number none
 ip-address none
 hash sha256
 password testpass
 rsakeypair  MEVO 2048
 auto-enroll 75
 crl optional
 exit
 crypto ca authenticate SAMPLE
 ------------------------------------------
 When I try and get a cert from the Cisco Router I get output like the 
 following in the debug file that lists both UID and credential as null:
 [24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication
 [24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory::getConn
 [24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory.getConn(): num avail conns now 4
 [24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Authenticating UID=null
 [24/Apr/2015:16:31:19][http-bio-8080-exec-7]: returnConn: mNumConns now 4
 [24/Apr/2015:16:31:19][http-bio-8080-exec-7]: operation failure - Authentication credential for uid is null.
 [24/Apr/2015:16:31:19][http-bio-8080-exec-7]: Output PKIOperation response:
 Thanks for any assistance,
 -Emily
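
A triage helper for the failure shown in the debug output in this thread, added here as an example and not part of the original messages or of Dogtag: it rejoins wrapped debug-log lines and reports each request in which the directory authenticator ran with a null uid, the symptom of the SCEP request never carrying "uid" and "pwd". The sample log is constructed from the format quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the debug-log format quoted in the thread, including
# one wrapped continuation line. The exec-9 request is invented for contrast.
SAMPLE_LOG = """\
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory::getConn
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Authenticating UID=null
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: operation failure -
 Authentication credential for uid is null.
[24/Apr/2015:16:31:20][http-bio-8080-exec-9]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication
[24/Apr/2015:16:31:20][http-bio-8080-exec-9]: Authenticating UID=172.18.240.11
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s?(?P<msg>.*)$")

def parse_records(text):
    """Return (timestamp, thread, message) tuples, joining wrapped lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            records.append([m["ts"], m["thread"], m["msg"].strip()])
        elif records and line:
            # No [timestamp][thread] prefix: continuation of the previous record.
            records[-1][2] = (records[-1][2] + " " + line).strip()
    return [tuple(r) for r in records]

def find_null_credential_attempts(text):
    """One finding per request where authentication was tried with uid=null."""
    state = defaultdict(dict)  # per worker thread, reset on each new request
    findings = []
    for ts, thread, msg in parse_records(text):
        s = state[thread]
        if msg.startswith("Got authenticator="):
            s.clear()
            s["authenticator"] = msg.split("=", 1)[1].rsplit(".", 1)[-1]
        elif msg.startswith("Authenticating UID="):
            s["uid"] = msg.split("=", 1)[1]
        elif "credential for uid is null" in msg and s.get("uid") == "null":
            findings.append({"time": ts, "thread": thread,
                             "authenticator": s.get("authenticator", "unknown")})
    return findings

if __name__ == "__main__":
    for f in find_null_credential_attempts(SAMPLE_LOG):
        print(f"{f['time']} {f['thread']}: {f['authenticator']} received no uid/pwd")
```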