FW: pki=kra configuration hangs on Administration
by Chris Grijalva
Ade,
Thanks for the help.
It turned out to be a cert issue.
Resolution was to remove all PKI certs in Firefox and then remove and reinstall pki-ocsp, pki-kra and pki-ca.
All 3 modules configured cleanly.
-----Original Message-----
From: Ade Lee [mailto:alee@redhat.com]
Sent: Thursday, March 28, 2013 9:59 AM
To: Chris Grijalva
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] pki=kra configuration hangs on Administration
Can you try using Firefox to do the configuration of the KRA?
Up to now, we have supported only Firefox for the installation servlets.
If that still does not work, we'd need to see some server logs - say everything under /var/log/pki-kra, as well as logs for the CA.
The status says that it still needs to be configured because the configuration did not complete. As you say, it looks like it's failing to generate an administrator cert. That may be a problem in the client (Chrome), in the KRA/OCSP, or on the CA (which would be receiving the cert request and issuing the cert). We'd need to look at logs to see where it's failing.
Ade
On Wed, 2013-03-27 at 17:39 -0500, Chris Grijalva wrote:
> Hi all, new to the list.
>
>
>
> Installed the following packages on CentOS 6.4
>
>
>
> [root@devops-cert tmp]# yum list | grep pki
> dogtag-pki-ca-theme.noarch 9.0.6-1.fc15 @/dogtag-pki-ca-theme-9.0.6-1.fc15.noarch
> dogtag-pki-common-theme.noarch 9.0.6-1.fc15 @/dogtag-pki-common-theme-9.0.6-1.fc15.noarch
> dogtag-pki-console-theme.noarch 9.0.6-1.fc15 @/dogtag-pki-console-theme-9.0.6-1.fc15.noarch
> dogtag-pki-kra-theme.noarch 9.0.6-1.fc15 @/dogtag-pki-kra-theme-9.0.6-1.fc15.noarch
> dogtag-pki-ocsp-theme.noarch 9.0.6-1.fc15 @/dogtag-pki-ocsp-theme-9.0.6-1.fc15.noarch
> pki-ca.noarch 9.0.3-30.el6 @base
> pki-common.noarch 9.0.3-30.el6 @base
> pki-common-javadoc.noarch 9.0.3-30.el6 @base
> pki-console.noarch 9.0.3-1.fc15 @/pki-console-9.0.3-1.fc15.noarch
> pki-java-tools.noarch 9.0.3-30.el6 @base
> pki-java-tools-javadoc.noarch 9.0.3-30.el6 @base
> pki-kra.noarch 9.0.4-1.fc15 @/pki-kra-9.0.4-1.fc15.noarch
> pki-native-tools.x86_64 9.0.3-30.el6 @base
> pki-ocsp.noarch 9.0.3-1.fc15 @/pki-ocsp-9.0.3-1.fc15.noarch
> pki-selinux.noarch 9.0.3-30.el6 @base
> pki-setup.noarch 9.0.3-30.el6 @base
> pki-silent.noarch 9.0.3-30.el6 @base
> pki-symkey.x86_64 9.0.3-30.el6 @base
> pki-util.noarch 9.0.3-30.el6 @base
> pki-util-javadoc.noarch 9.0.3-30.el6 @base
> ipa-pki-ca-theme.noarch 9.0.3-7.el6 base
> ipa-pki-common-theme.noarch 9.0.3-7.el6 base
> krb5-pkinit-openssl.x86_64 1.10.3-10.el6_4.1 updates
>
> jss.x86_64 4.2.6-24.el6 @base
> tomcatjss.noarch 2.1.0-2.el6 @base
> osutil.x86_64 2.0.1-1.el6 @base
>
>
>
> Configured pki-ca cleanly and then proceeded to configure pki-kra,
> which hangs on the Administrator panel.
>
> Debug doesn't show errors, only logging status.
>
>
>
> [27/Mar/2013:12:59:49][http-10445-3]: AdminPanel: display
>
> [27/Mar/2013:12:59:49][http-10445-3]: panel no=13
>
> [27/Mar/2013:12:59:49][http-10445-3]: panel name=adminpanel
>
> [27/Mar/2013:12:59:49][http-10445-3]: total number of panels=16
>
>
>
> I’ve bounced pki-krad, used a new instance of Chrome as admin when
> running the pki-kra admin console config.
>
> Used the pki-ca Administrator cert listed below, as a template for
> pki-kra and still no joy.
>
>
>
> The Dogtag Certificate Manager shows 5 pki-kra DRM certificates, but
> no admin cert. pki-krad status shows it's
>
> running, but must still be CONFIGURED!
>
>
>
> JXplorer shows,
>
> 2;4;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=CA Subsystem
> Certificate,OU=pki-ca,O=Pfi Domain
>
> 2;10;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=DRM Subsystem
> Certificate,OU=pki-kra,O=Pfi Domain
>
> 2;14;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=OCSP Subsystem
> Certificate,OU=pki-ocsp,O=Pfi Domain
>
>
>
> 2;6;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=CA
> Administrator of Instance
> pki-ca,UID=admin,E=Chris.Grijalva(a)soteradefense.com,O=Pfi Domain
>
>
>
> Any idea what I’m doing wrong and why this configuration doesn’t
> generate a pki-kra or pki-ocspd CA Administrator cert to complete the
> configuration?
>
>
>
>
>
> Cheers,
>
> Chris Grijalva
11 years, 6 months
pki=kra configuration hangs on Administration
by Chris Grijalva
Hi all, new to the list.
Installed the following packages on CentOS 6.4
[root@devops-cert tmp]# yum list | grep pki
dogtag-pki-ca-theme.noarch 9.0.6-1.fc15 @/dogtag-pki-ca-theme-9.0.6-1.fc15.noarch
dogtag-pki-common-theme.noarch 9.0.6-1.fc15 @/dogtag-pki-common-theme-9.0.6-1.fc15.noarch
dogtag-pki-console-theme.noarch 9.0.6-1.fc15 @/dogtag-pki-console-theme-9.0.6-1.fc15.noarch
dogtag-pki-kra-theme.noarch 9.0.6-1.fc15 @/dogtag-pki-kra-theme-9.0.6-1.fc15.noarch
dogtag-pki-ocsp-theme.noarch 9.0.6-1.fc15 @/dogtag-pki-ocsp-theme-9.0.6-1.fc15.noarch
pki-ca.noarch 9.0.3-30.el6 @base
pki-common.noarch 9.0.3-30.el6 @base
pki-common-javadoc.noarch 9.0.3-30.el6 @base
pki-console.noarch 9.0.3-1.fc15 @/pki-console-9.0.3-1.fc15.noarch
pki-java-tools.noarch 9.0.3-30.el6 @base
pki-java-tools-javadoc.noarch 9.0.3-30.el6 @base
pki-kra.noarch 9.0.4-1.fc15 @/pki-kra-9.0.4-1.fc15.noarch
pki-native-tools.x86_64 9.0.3-30.el6 @base
pki-ocsp.noarch 9.0.3-1.fc15 @/pki-ocsp-9.0.3-1.fc15.noarch
pki-selinux.noarch 9.0.3-30.el6 @base
pki-setup.noarch 9.0.3-30.el6 @base
pki-silent.noarch 9.0.3-30.el6 @base
pki-symkey.x86_64 9.0.3-30.el6 @base
pki-util.noarch 9.0.3-30.el6 @base
pki-util-javadoc.noarch 9.0.3-30.el6 @base
ipa-pki-ca-theme.noarch 9.0.3-7.el6 base
ipa-pki-common-theme.noarch 9.0.3-7.el6 base
krb5-pkinit-openssl.x86_64 1.10.3-10.el6_4.1 updates
jss.x86_64 4.2.6-24.el6 @base
tomcatjss.noarch 2.1.0-2.el6 @base
osutil.x86_64 2.0.1-1.el6 @base
Configured pki-ca cleanly and then proceeded to configure pki-kra, which hangs on the Administrator panel.
Debug doesn't show errors, only logging status.
[27/Mar/2013:12:59:49][http-10445-3]: AdminPanel: display
[27/Mar/2013:12:59:49][http-10445-3]: panel no=13
[27/Mar/2013:12:59:49][http-10445-3]: panel name=adminpanel
[27/Mar/2013:12:59:49][http-10445-3]: total number of panels=16
I've bounced pki-krad, used a new instance of Chrome as admin when running the pki-kra admin console config.
Used the pki-ca Administrator cert listed below, as a template for pki-kra and still no joy.
The Dogtag Certificate Manager shows 5 pki-kra DRM certificates, but no admin cert. pki-krad status shows it's running, but must still be CONFIGURED!
JXplorer shows,
2;4;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=CA Subsystem Certificate,OU=pki-ca,O=Pfi Domain
2;10;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=DRM Subsystem Certificate,OU=pki-kra,O=Pfi Domain
2;14;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=OCSP Subsystem Certificate,OU=pki-ocsp,O=Pfi Domain
2;6;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=CA Administrator of Instance pki-ca,UID=admin,E=Chris.Grijalva(a)soteradefense.com,O=Pfi Domain
Any idea what I'm doing wrong and why this configuration doesn't generate a pki-kra or pki-ocspd CA Administrator cert to complete the configuration?
Cheers,
Chris Grijalva
11 years, 6 months
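A diagnostic sketch for the symptoms in the post above, added here as an example and not part of the thread or of Dogtag: it reads the debug lines to find the panel the wizard stopped on, and the directory entries to list instances that have a subsystem certificate but no administrator certificate. Reading each entry as version;serial;issuer DN;subject DN is an assumption, the function names are hypothetical, and the sample data is taken from the post with the e-mail address replaced by a placeholder.

```python
import re

# Sample input taken from the post; the e-mail address is a constructed placeholder.
DEBUG_LOG = """\
[27/Mar/2013:12:59:49][http-10445-3]: AdminPanel: display
[27/Mar/2013:12:59:49][http-10445-3]: panel no=13
[27/Mar/2013:12:59:49][http-10445-3]: panel name=adminpanel
[27/Mar/2013:12:59:49][http-10445-3]: total number of panels=16
"""
CA = "CN=Certificate Authority,OU=pki-ca,O=Pfi Domain"
CERT_ENTRIES = [
    f"2;4;{CA};CN=CA Subsystem Certificate,OU=pki-ca,O=Pfi Domain",
    f"2;10;{CA};CN=DRM Subsystem Certificate,OU=pki-kra,O=Pfi Domain",
    f"2;14;{CA};CN=OCSP Subsystem Certificate,OU=pki-ocsp,O=Pfi Domain",
    f"2;6;{CA};CN=CA Administrator of Instance pki-ca,UID=admin,"
    "E=admin@example.test,O=Pfi Domain",
]

LINE = re.compile(r"^\[[^\]]+\]\[[^\]]+\]: (?P<msg>.*)$")
FIELDS = {
    "no": re.compile(r"panel no=(\d+)"),
    "name": re.compile(r"panel name=(\S+)"),
    "total": re.compile(r"total number of panels=(\d+)"),
}

def wizard_progress(log_text):
    """Return (panel_no, panel_name, total) from the last panel records, or None."""
    state = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        for key, pat in FIELDS.items():
            hit = pat.fullmatch(m.group("msg"))
            if hit:
                state[key] = hit.group(1)  # later records overwrite earlier ones
    if set(state) != set(FIELDS):
        return None
    return int(state["no"]), state["name"], int(state["total"])

def instances_without_admin(entries):
    """List instances that have a subsystem cert entry but no administrator entry."""
    subsystems, admins = set(), set()
    for entry in entries:
        _version, _serial, _issuer, subject = entry.split(";", 3)  # assumed layout
        admin = re.search(r"Administrator of Instance ([^,]+)", subject)
        ou = re.search(r"(?:^|,)OU=([^,]+)", subject)
        if admin:
            admins.add(admin.group(1))
        elif ou:
            subsystems.add(ou.group(1))
    return sorted(subsystems - admins)
```

On the data from the post this reports the wizard stopped at panel 13 of 16 (`adminpanel`) and that `pki-kra` and `pki-ocsp` have no administrator entry, which matches the symptom described.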
SCEP Support
by Elliott William C OSS sIT
Hello,
We currently use SCEP for Cisco Routers with a RedHat CS.
However as far as we can tell, "CA Key Rollover" is not implemented. Furthermore, we can't find any indication that it's implemented in Dogtag 9 or 10.
Could anyone confirm this?
Does anyone work around this problem?
As far as we can see, few or no CA SW supports this, aside from the IOS CA from Cisco. The SCEP RFC says that the other two PKIX standards for certificate management are superior to SCEP, which has deficiencies, and is quasi-deprecated. Therefore my assumption is that no one (other than Cisco) plans to invest any effort in expanding SCEP support in Dogtag or any other open-source CA software.
Best regards,
William Elliott
11 years, 7 months