Pki-users December 2012

users@lists.dogtagpki.org

2 participants
4 discussions

Problems with Dogtag and CA cert signed by External CA

by Dwayne MacKinnon

Hi all, A helpful fellow called alee on #dogtag-pki suggested I write the list. I've been playing with dogtag-pki-9.0.0-10 on 64-bit Fedora 17. I'm looking to use dogtag to run a subordinate CA that does all our everyday PKI stuff. So when I used pki-create and went into the webform, I went the "create a csr" route and signed it using a root CA I'd set up using openssl. Everything seemed to work out fine, until I got to the point where I was restarting pki-cad (using systemctl restart pki-cad(a)pki-ca.service). It wouldn't start. With alee's help I tracked it down to a failure of SystemCertsVerification during the selftests. He asked me to submit my debug log to the list, so here it is. Cheers, DMK

11 years, 3 months

4
4
0 / 0

PKI CA web services not functional (Dog Tag 9.0 CentOS 6)

by Jim Galvin

ALCON, I am working my way through setting up a CentOS 6 64-bit workstation with 389 Directory Services and Dog Tag CS 9.0 for a test environment. I have the DS service up and running and have installed the "pki-core" RPMs and additonal Fedora Core 15 RPM files for pki-console and pki-ra. I successfully configured the CA and created the appropriate certificates. I can see the CA elements in the 389console so I know that CS <-> LDAP communications are successful. I can also use the pki-console to see that a CA certificate and its related key pair are available. My problems are related to the web side of the CA service. I cannot access the web-based services: FQDN:9444/ca/ee/ca (SSL End User Services) or FQDN:9443/ca/agent/ca/ (Agent Services (does prompt for a certifiate)) which are display as hyperlinks from CA Services page FQDN:45/ca/services. When I click these links I get a blank page. Also, the CA Services page shows "XXXXXX" and "XXXXXX® Certificate System" in the page heading. I assume something about Dog Tag should be there. To add some additional content I went ahead and installed the pki-ra RPM and attempted to configure the instance. When accessing the pki-ra administrative configuration page (this works) the RA cannot contact the existing Security Domain at FQDN:9445. This is confusing as the pkiconsole can connect at FQDN:9445/ca, so something must be working. :-) Any assistance would be most grateful. Thank you for your time and efforts. [root@FQDN ~]# service pki-cad status pki-ca (pid 1857) is running... [ OK ] Unsecure Port = http://FQDN:9180/ca/ee/ca Secure Agent Port = https://FQDN:9443/ca/agent/ca Secure EE Port = https://FQDN:9444/ca/ee/ca Secure Admin Port = https://FQDN:9445/ca/services EE Client Auth Port = https://FQDN:9446/ca/eeca/ca PKI Console Port = pkiconsole https://FQDN:9445/ca Tomcat Port = 9701 (for shutdown) PKI Instance Name: pki-ca PKI Subsystem Type: Root CA (Security Domain) Registered PKI Security Domain Information: ========================================================================== Name: FQDN Domain URL: https://FQDN:9445 ========================================================================== [root@FQDN ~]# getenforce Permissive [root@FQDN ~]# service iptables status iptables: Firewall is not running. root@FQDN ~]# netstat -an|more Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:9830 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN tcp 0 0 192.168.1.94:22 192.168.1.109:56448 ESTABLISHED tcp 0 0 ::ffff:127.0.0.1:9701 :::* LISTEN tcp 0 0 :::9445 :::* LISTEN tcp 0 0 :::389 :::* LISTEN tcp 0 0 :::9446 :::* LISTEN tcp 0 0 :::5672 :::* LISTEN tcp 0 0 :::22 :::* LISTEN tcp 0 0 ::1:25 :::* LISTEN tcp 0 0 :::9180 :::* LISTEN tcp 0 0 :::9443 :::* LISTEN tcp 0 0 :::9444 :::* LISTEN [root@FQDN ~]# more /var/log/pki-ca/system 2310.main - [28/Dec/2012:07:47:08 EST] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate 2310.main - [28/Dec/2012:07:47:09 EST] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value 2310.http-9445-7 - [28/Dec/2012:07:51:37 EST] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate 2310.http-9445-7 - [28/Dec/2012:07:53:26 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException 3256.http-9445-7 - [28/Dec/2012:09:05:06 EST] [20] [3] JSS Import certificate org.mozilla.jss.CryptoManager$NicknameConflictException [root@ca-l pki-ca]# more /var/log/pki-ca/localhost.2012-12-28.log Dec 28, 2012 7:47:27 AM org.apache.catalina.core.ApplicationContext log INFO: Use of the properties initialization parameter 'properties' has been deprecated by 'org.apache.velocity.properties' Dec 28, 2012 7:47:28 AM org.apache.catalina.core.ApplicationContext log INFO: Use of the properties initialization parameter 'properties' has been deprecated by 'org.apache.velocity.properties' Dec 28, 2012 7:56:07 AM org.apache.catalina.core.ApplicationContext log SEVERE: Servlet castart threw unload() exception javax.servlet.ServletException: Servlet.destroy() for servlet castart threw exception at org.apache.catalina.core.StandardWrapper.unload(StandardWrapper.java:1413) at org.apache.catalina.core.StandardWrapper.stop(StandardWrapper.java:1739) at org.apache.catalina.core.StandardContext.stop(StandardContext.java:4601) at org.apache.catalina.core.ContainerBase.removeChild(ContainerBase.java:924) at org.apache.catalina.startup.HostConfig.undeployApps(HostConfig.java:1319) at org.apache.catalina.startup.HostConfig.stop(HostConfig.java:1290) at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:323) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) at org.apache.catalina.core.ContainerBase.stop(ContainerBase.java:1086) at org.apache.catalina.core.ContainerBase.stop(ContainerBase.java:1098) at org.apache.catalina.core.StandardEngine.stop(StandardEngine.java:448) at org.apache.catalina.core.StandardService.stop(StandardService.java:584) at org.apache.catalina.core.StandardServer.stop(StandardServer.java:744) at org.apache.catalina.startup.Catalina.stop(Catalina.java:643) at org.apache.catalina.startup.Catalina.start(Catalina.java:618) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:616) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) Caused by: java.lang.NullPointerException at com.netscape.ca.CertificateAuthority.shutdown(CertificateAuthority.java:496) at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:1609) at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1552) at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:199) at com.netscape.cms.servlet.base.CMSStartServlet.destroy(CMSStartServlet.java:108) at org.apache.catalina.core.StandardWrapper.unload(StandardWrapper.java:1394) ... 20 more Dec 28, 2012 9:43:03 AM org.apache.catalina.core.ApplicationContext log SEVERE: Servlet castart threw unload() exception javax.servlet.ServletException: Servlet.destroy() for servlet castart threw exception at org.apache.catalina.core.StandardWrapper.unload(StandardWrapper.java:1413) at org.apache.catalina.core.StandardWrapper.stop(StandardWrapper.java:1739) at org.apache.catalina.core.StandardContext.stop(StandardContext.java:4601) at org.apache.catalina.core.ContainerBase.removeChild(ContainerBase.java:924) at org.apache.catalina.startup.HostConfig.undeployApps(HostConfig.java:1319) at org.apache.catalina.startup.HostConfig.stop(HostConfig.java:1290) at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:323) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) at org.apache.catalina.core.ContainerBase.stop(ContainerBase.java:1086) at org.apache.catalina.core.ContainerBase.stop(ContainerBase.java:1098) at org.apache.catalina.core.StandardEngine.stop(StandardEngine.java:448) at org.apache.catalina.core.StandardService.stop(StandardService.java:584) at org.apache.catalina.core.StandardServer.stop(StandardServer.java:744) at org.apache.catalina.startup.Catalina.stop(Catalina.java:643) at org.apache.catalina.startup.Catalina.start(Catalina.java:618) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:616) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) Caused by: java.lang.NoSuchMethodError at java.lang.Thread.destroy(Thread.java:979) at com.netscape.cmscore.jobs.JobsScheduler.shutdown(JobsScheduler.java:448) at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:1609) at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1551) at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:199) at com.netscape.cms.servlet.base.CMSStartServlet.destroy(CMSStartServlet.java:108) at org.apache.catalina.core.StandardWrapper.unload(StandardWrapper.java:1394) ... 20 more Dec 28, 2012 11:06:53 AM org.apache.catalina.core.ApplicationContext log SEVERE: Servlet castart threw unload() exception javax.servlet.ServletException: Servlet.destroy() for servlet castart threw exception at org.apache.catalina.core.StandardWrapper.unload(StandardWrapper.java:1413) at org.apache.catalina.core.StandardWrapper.stop(StandardWrapper.java:1739) at org.apache.catalina.core.StandardContext.stop(StandardContext.java:4601) at org.apache.catalina.core.ContainerBase.removeChild(ContainerBase.java:924) at org.apache.catalina.startup.HostConfig.undeployApps(HostConfig.java:1319) at org.apache.catalina.startup.HostConfig.stop(HostConfig.java:1290) at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:323) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) at org.apache.catalina.core.ContainerBase.stop(ContainerBase.java:1086) at org.apache.catalina.core.ContainerBase.stop(ContainerBase.java:1098) at org.apache.catalina.core.StandardEngine.stop(StandardEngine.java:448) at org.apache.catalina.core.StandardService.stop(StandardService.java:584) at org.apache.catalina.core.StandardServer.stop(StandardServer.java:744) at org.apache.catalina.startup.Catalina.stop(Catalina.java:643) at org.apache.catalina.startup.Catalina.start(Catalina.java:618) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:616) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) Caused by: java.lang.NoSuchMethodError at java.lang.Thread.destroy(Thread.java:979) at com.netscape.cmscore.jobs.JobsScheduler.shutdown(JobsScheduler.java:448) at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:1609) at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1551) at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:199) at com.netscape.cms.servlet.base.CMSStartServlet.destroy(CMSStartServlet.java:108) at org.apache.catalina.core.StandardWrapper.unload(StandardWrapper.java:1394) ... 20 more Dec 28, 2012 11:59:32 AM org.apache.catalina.core.ApplicationContext log SEVERE: Servlet castart threw unload() exception javax.servlet.ServletException: Servlet.destroy() for servlet castart threw exception at org.apache.catalina.core.StandardWrapper.unload(StandardWrapper.java:1413) at org.apache.catalina.core.StandardWrapper.stop(StandardWrapper.java:1739) at org.apache.catalina.core.StandardContext.stop(StandardContext.java:4601) at org.apache.catalina.core.ContainerBase.removeChild(ContainerBase.java:924) at org.apache.catalina.startup.HostConfig.undeployApps(HostConfig.java:1319) at org.apache.catalina.startup.HostConfig.stop(HostConfig.java:1290) at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:323) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) at org.apache.catalina.core.ContainerBase.stop(ContainerBase.java:1086) at org.apache.catalina.core.ContainerBase.stop(ContainerBase.java:1098) at org.apache.catalina.core.StandardEngine.stop(StandardEngine.java:448) at org.apache.catalina.core.StandardService.stop(StandardService.java:584) at org.apache.catalina.core.StandardServer.stop(StandardServer.java:744) at org.apache.catalina.startup.Catalina.stop(Catalina.java:643) at org.apache.catalina.startup.Catalina.start(Catalina.java:618) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:616) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) Caused by: java.lang.NoSuchMethodError at java.lang.Thread.destroy(Thread.java:979) at com.netscape.cmscore.jobs.JobsScheduler.shutdown(JobsScheduler.java:448) at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:1609) at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1551) at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:199) at com.netscape.cms.servlet.base.CMSStartServlet.destroy(CMSStartServlet.java:108) at org.apache.catalina.core.StandardWrapper.unload(StandardWrapper.java:1394) ... 20 more

11 years, 4 months

1
0
0 / 0

Assistance requested: cannot locate "pkiconsole" or "pki-console" on Dog Tag CS 9.0

by Jim Galvin

Hello, I have installed Dog Tag 9.0.3 from EPEL RPM on a CentOS 6 64-bit machine. My LDAP server is Fedora 389 version 1.2.10.12 also from RPM. This is a test envrionment for another product where certificates are required. Per Dog Tag documentation I am utilizing the RHCS documentation in setting up and configuring the CA. The documentation makes use of the utility "pkiconsole". I cannot find this in my filesystem. I have looked into various pki-console-based RPM files but none seem to provide this utility. I am sure I have missed over something in the documentation. If someone could provide me a link to instructions or something to assist I would be most grateful. Here is a listing of the pki-related packages I have installed: pki-symkey-9.0.3-24.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch pki-java-tools-9.0.3-24.el6.noarch pki-setup-9.0.3-24.el6.noarch pki-ca-9.0.3-24.el6.noarch pki-util-9.0.3-24.el6.noarch pki-common-9.0.3-24.el6.noarch ipa-pki-common-theme-9.0.3-7.el6.noarch pki-selinux-9.0.3-24.el6.noarch pki-native-tools-9.0.3-24.el6.x86_64 Thank you, Jim Galvin

11 years, 4 months

1
1
0 / 0

Announcing Dogtag 10.0 Release Candidate 1

by Ade Lee

The Dogtag team is proud to announce version Dogtag v10.0.0 Release Candidate 1. A build is available for Fedora 18 in the updates-testing repo. Please try it out and provide karma to move it to the F18 stable repo. Daily developer builds for Fedora 17 and 18 are available at http://nkinder.fedorapeople.org/dogtag-devel/fedora/ == Build Versions == pki-core-10.0.0-2.fc18 pki-ra-10.0.0-1.fc18 pki-tps-10.0.0-1.fc18 dogtag-pki-10.0.0-1.fc18 dogtag-pki-theme-10.0.0-1.fc18 pki-console-10.0.0-1.fc18 == Highlights since Dogtag v. 10.0.0 beta 2 (Oct 30 2012) == * Simplified and enhanced pkispawn. ** Added detailed man pages to document use of pkispawn, pkidestroy and the command line utility pki. ** Removed --dry-run option and unused respawn() code. ** Replaced links of scriptlets with lists ** Modified the way pkispawn parses configuration files. pkispawn now reads a template file for default settings, and a much smaller and simpler user-defined configuration file for customizations and overrides. Moreover, pkispawn uses interpolation to substitute in values. See the man pages for details. ** Added the ability to import an admin cert into the administrative user created for each subsystem. This allows multiple subsystems within the same instance to be more easily managed within the same browser. ** Implemented ability to install a subordinate CA using pkispawn. ** Implemented ability to install an externally signed CA using pkispawn. * Simplified the structure of the UI packages ** All images and css files have been moved to dogtag-pki-server-theme for all subsystems. ** Removed unused and duplicated files. ** Template files have been moved to the underlying subsystem files. In future, all theme related messages in those files will be parameterized and placed in dogtag-pki-server-theme. This will significantly simplify the process of customizing or internationalizing an instance and its theme. ** Retired all the subsystem specific UI packages, reducing the number of UI packages from 7 to 1. * Security fixes for CVE-2012-4543 Certificate System: Multiple cross-site scripting flaws by displaying CRL or processing. * Memory fixes for the TPS * Updated to latest version of cmake, removing obsolete modules. == Notes for F17 == * Only developer builds are available for F17. * F17 tomcat used to have a bug in the way it handles pid files. https://bugzilla.redhat.com/show_bug.cgi?id=863307. Make sure that you have at least tomcat-7.0.32-1.fc17. == Feedback == Please provide comments, bugs and other feedback via the pki-devel mailing list: http://www.redhat.com/mailman/listinfo/pki-devel == Detailed Changelog == akoneru (2): 0667896 Fix for improper crl retrieval from CA. f400f3b Invalid ACL resources Fix in KRA for certServer.kra.keys alee (25): 6e77f33 Updated pki-core spec file to 10.0.0-2 a505c8c fix typo in spec file f73a662 Update to rc1 build 1e46576 Added more detail to man page for pki(1) cbfdae8 Remove server code from CertSearchRequest cd279e3 Modified section on sample.cfg a3f7d58 Interpolation correction patch based on review comments 065d883 Use interpolation to build default parameters 35dc100 Change the structure of the client directory. 03a6350 Common User: pkispawn changes 6be1194 Common admin user: config servlet changes 871b442 Misc changes to get rhel 7 build to work 40e58f9 Link to resteasy-base on rhel systems when running pkispawn 96af71d Removed obsolete cmake modules, updated spec files 9862a04 Updating cmake variables 440a9e7 removed obsolete cmake modules 1de7c91 Change cmake projects from Java to NONE 2efc66e spec file changes 999a0f1 Added missing Provides eb74b11 update to b3 64eaca2 Fix issue with pki_external being referenced for non-CA 318716f removed dry_run from pkispawn 019a933 Remove unused respawn code. a80e994 Convert admin cert from a to b before importing to certdb db9537d Set paths for default instance awnuk(1): 883e0ec number verification edewata (52): 9996d71 Parameterizing RESTEasy paths. 81bb209 Archiving default deployment configuration. 66c519f I18n for ProfileList.template. a4c95c3 Removed RA and TPS theme packages. 3dfee91 Reorganized TPS CSS files. d8f56d8 Reorganized TPS templates and scripts. 538dee3 Reorganized RA templates and scripts. 083e130 Fixed permission problem in TKS. 6344d6e Replaced links of scriptlets with lists. 471a493 Simplified the configuration file using defaults. 5e93dc2 Reorganized sensitive parameters. cef7a77 Fixed issuedOn parameters for cert-find. ba1e743 Fixed default security domain user. 68751fb Refactored pkiparser.py into PKIConfigParser. 9bb7143 Removed CA, KRA, OCSP, TKS theme packages. 46fda5d Reorganized CA, KRA, OCSP, TKS templates. edf9c22 Reorganized common templates. c8336ea Renamed pki-common-theme to pki-server-theme. 105ffbd Reorganized ESC images. 545b796 Removed unused files in tps-ui. f3e20fc Removed unused files in ra-ui. 6197b95 Removed unused files in tks-ui. b45fc00 Removed unused files in ocsp-ui. d248593 Removed unused files in kra-ui. 42f48ab Removed unused files in ca-ui. 41e061f Removed unused files in common-ui. fb80a25 Updated tools to deploy combined images and CSS files. 4109bc3 Combined theme images and CSS files into common-ui. 515e882 Fixed pkisilent build problem. cb209df Added ACLInterceptor. 87556b7 Update pki-base.css paths. 386d703 Updated rootca.gif and sub.gif paths. 6a1302a Updated icon-software.gif paths. 1ca3b21 Updated icon_crit_update.gif paths. d7306c4 Updated clearpixel.gif paths. 599a3e7 Updated certificate.png and no-certificate.png paths. 5a14647 Updated bigrotation2.gif paths. d5802a7 Updated lgRightTab2.gif paths. 33746d8 Updated dgRightTab2.gif paths. 918764d Updated lgRightTab.gif paths. 6e836a6 Updated lgLeftTab.gif paths. 792becd Updated goto-tall.gif paths. 3b4a7e4 Updated dgRightTab.gif paths. 122b650 Updated dgLeftTab.gif paths. 45aff6c Updated spacer.gif paths. 137d8f9 Updated hr.gif paths. 810ecfe Updated gray90.gif paths. f077cf4 Updated logo_header.gif paths. a959d7d Updated favicon.ico paths. 70a0dd8 Merged theme files. d9a9e23 Fixed problem finding SHA-256 message digest. 8eb2ccf Fixed PrettyPrintCert and PrettyPrintCrl. jmagne(1): 6180bb1 Latest TPS memory related fixes. mharmsen (9): 70938da More edits to man pages including spell checking via 'aspell'. 34851bb Revised 'pki_default.cfg5' man page. e7b7d98 Added man pages. 8d5eb93 Implemented ability to utilize an external CA 6a1cf64 Removed 'pki/base/silent/templates/subca_silent.template'. af58413 Move default location for client cert database (pkisilent) cfcd015 Move default location for client certificate database 1e15712 Enable Subordinate CA 906acfd Enable building on ARM architecture.

11 years, 4 months

1
0
0 / 0

← Newer
1
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-users December 2012