Hello,
I've checked it, the CA is trusted (Firefox browser). I also have the problem that
the logon with pkiconsole now crashes. The login window came up; after username/password
the pkiconsole exits. Tomorrow I will look in the debug log to see what happens and also use
IE for testing.
Regards, Klaus Heyden
> -----Original Message-----
> From: "Marc Sauton" <msauton(a)redhat.com>
> Sent: 29.10.08 20:38:09
> To: Klaus (Allianz ASIC)" <KLAUS.HEYDEN(a)ALLIANZ.DE>
> CC: pki-users(a)redhat.com
> Subject: Re: [Pki-users] failed Administrator logon
>
> Heyden, Klaus (Allianz ASIC) wrote:
>
>> Hello,
>>
>> I have the problem that the CA doesn't accept the Administrator login,
>> either on the HTTPS interface or via pkiconsole. It's a new installation
>> and the Admin certificate exists in the browser with its secret key. The
>> problem is that the CA at first did its job normally. When I now try to
>> log in I get a catalina error like this. I didn't reconfigure the CA, only
>> restarted it. I also configured an HSM (Luna) but don't use keys inside the
>> HSM.
>>
> You may want to collect the ca debug log when you try to do client auth
> in your browser against the https agent pages.
> Or review the debug log during the ca instance configuration, near the
> key generation for the ca instance or when you selected either a
> software token or hsm, for any errors.
> I suppose the ca instance was restarted after the web based wizard
> configuration was successfully completed.
> It is always possible to use another client certificate for an agent or
> admin user of the certificate system.
> You may want to verify the browser has and trusts the issuer of the agent
> cert you try to use.
>
>> -------------------catalina.out----------------------------------
>> Oct 29, 2008 5:43:55 PM org.apache.catalina.core.ApplicationContext log"
>> INFO: caListRequests: You did not provide a valid certificate for this
>> operation
>> ----------------------------------------------------------------------
>>
>> the debug-file shows:
>> ---------------------debug----------------------------------------
>> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service()
>> uri = /ca/agent/header
>> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet::service()
>> param name='selected' value='ca'
>> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: caheader
>> start to service.
>> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet.java:
>> renderTemplate
>> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: curDate=Wed
>> Oct 29 18:15:07 CET 2008 id=caheader time=0
>> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service()
>> uri = /ca/agent/ca/listRequests.html
>> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:
>> caListRequests start to service.
>> [29/Oct/2008:18:15:07][http-9443-Processor21]: DisplayHtmlServlet
>> about to service
>> [29/Oct/2008:18:15:07][http-9443-Processor21]: IP: 10.94.112.222
>> [29/Oct/2008:18:15:07][http-9443-Processor21]: AuthMgrName:
>> certUserDBAuthMgr
>> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: retrieving
>> SSL certificate
>> [29/Oct/2008:18:15:07][http-9443-Processor21]:
>> SignedAuditEventFactory: create()
>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$]
>> authentication failure
>> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: getConn: mNumConns
>> now 2
>> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]:
>> ObjectStreamMapper:mapObjectToLDAPAttributeSet revokedCerts size=84
>> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]:
>> ObjectStreamMapper:mapObjectToLDAPAttributeSet unrevokedCerts size=84
>> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]:
>> ObjectStreamMapper:mapObjectToLDAPAttributeSet expiredCerts size=84
>> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: returnConn:
>> mNumConns now 3
>> ----------------------------------------------------------------------
>>
>> certutil -L -d . shows me:
>> ----------------------------------------------------------------------
>> Certificate Nickname                            Trust Attributes
>>                                                 SSL,S/MIME,JAR/XPI
>>
>> ocspSigningCert cert-ca4-1                      u,u,u
>> subsystemCert cert-ca4-1                        u,u,u
>> caSigningCert cert-ca4-1                        CTu,Cu,Cu
>> Server-Cert cert-ca4-1                          u,u,u
>> Allianz Group Root CA II - Allianz Group        CT,C,C
>> ----------------------------------------------------------------------
>>
>>
>> regards
>> Klaus Heyden
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
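One way to do the debug-log review suggested in the quoted reply, as an added example that is not part of the original thread or of the Certificate System code: it groups CA debug entries by thread and attaches the request URI, client IP and auth manager to each AUTH_FAIL audit event. The sample lines are the excerpt from the thread re-joined one entry per line; the function name and the dict keys are assumptions of this example.

```python
import re

# Debug excerpt from the thread, re-joined so each entry is on one line
# (the mail client had wrapped them; one entry per line is assumed here).
SAMPLE = """\
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service() uri = /ca/agent/header
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service() uri = /ca/agent/ca/listRequests.html
[29/Oct/2008:18:15:07][http-9443-Processor21]: IP: 10.94.112.222
[29/Oct/2008:18:15:07][http-9443-Processor21]: AuthMgrName: certUserDBAuthMgr
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: retrieving SSL certificate
[29/Oct/2008:18:15:07][http-9443-Processor21]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$] authentication failure
[29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: getConn: mNumConns now 2
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s*(?P<msg>.*)$")
AUDIT_FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")

def find_auth_failures(text):
    """Return one dict per AUTH_FAIL audit event, with its thread's request context."""
    ctx = {}        # thread name -> uri / ip / auth_mgr of the request in progress
    failures = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # wrapped continuation or unrelated line
        state = ctx.setdefault(m["thread"], {})
        msg = m["msg"]
        if "uri = " in msg:
            state.clear()  # new request on this thread: drop the old context
            state["uri"] = msg.split("uri = ", 1)[1].strip()
        elif msg.startswith("IP: "):
            state["ip"] = msg[4:].strip()
        elif msg.startswith("AuthMgrName: "):
            state["auth_mgr"] = msg.split(": ", 1)[1].strip()
        elif "message=[" in msg:
            audit = dict(AUDIT_FIELD.findall(msg))
            if audit.get("AuditEvent") == "AUTH_FAIL":
                # $Unidentified$ means the server mapped the request to no user
                identified = audit.get("SubjectID") != "$Unidentified$"
                failures.append({"ts": m["ts"], "thread": m["thread"],
                                 "identified": identified, **state, **audit})
    return failures

if __name__ == "__main__":
    for f in find_auth_failures(SAMPLE):
        print(f["ts"], f.get("ip"), f.get("uri"), f.get("auth_mgr"), f["SubjectID"])
```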