May 2015 - Pki-users - Dogtag Pki List Archives

by pki tech

Hi all, Good day to you all. What is the process to renew all the four system certificates (SubsystemCert, ServerCert, ocspSigningCert and AuditsigningCert) when those existing certificates are currently expired. I cant access the pkiconsole also as the system is not up and running. I have used the certutil to generate the certificate requests and get it signed by the CA. But it didn't work as expected. I believe the procedure that i have followed to request generation or the signing profiles used for the generation, may have some issues. Cheers. Regards, Mark

7 years, 9 months

3
2
0 / 0

base64 CMC Request format

by Elliott William C OSS sIT

Hi all, Can Dogtag (in this case v. 9.0.3-30.el6 ) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming? We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded. Thanks and best regards, William Elliott s IT Solutions Open System Services

7 years, 9 months

4
6
0 / 0

ESC doesn't recognize smartcard / standalone operation?

by Nordgren, Bryce L -FS

My system is to the point where command line interaction with the smart card behaves as expected, as long as I use the OpenSC middleware to pam_pkcs11, and not coolkey. Using pklogin_finder asks for the PIN, verifies the certificates, and maps the user to a local system account. System details in previous thread: https://www.redhat.com/archives/pki-users/2015-April/msg00041.html My expectation was that the "smart card manager" should pop up when the card is inserted. It doesn't. I can type "esc" at the command line, and it says "No Cards Present" with everything greyed out. Likewise, inserting the smart card at the login prompt does nothing. There _is_ an "./escd" process running. Is ESC hardwired to use coolkey, which can't read my card? How can I debug this? Final question: Am I correct to assume that my situation does not call for a TPS, TKS, or even a CA? I must not touch the info on these smart cards: Never format, never issue certs, never save, never change. My machines just need to respect a totally external PKI infrastructure: ask for PIN, verify cert against the CA bundle, and start a login session. For any of the things I would need a PKI infrastructure for, I need to make an appointment at a GSA Credentialing Center, then physically show up with two forms of ID in hand. Many thanks for your helpful advice! Bryce

8 years, 11 months

3
3
0 / 0

PIV-II middleware bug in coolkey

by Nordgren, Bryce L -FS

Continuation of thread started in: https://www.redhat.com/archives/pki-users/2015-April/msg00041.html Synopsis: coolkey misinterprets my USDA LincPass (issued by a GSA Credentialing Center) as a CAC, then fails. It's a PIV-II, according to OpenSC, which doesn't fail. Using the OpenSC module with pam-pkcs11, I was able to get pklogin_finder to validate my certificates and associate my card to a user account via cn mapper. Using the coolkey module, errors ensued and logs are attached to the above thread. The question is: how do I/should I report this bug? Coolkey looks dead. No svn commits for 4 years. Last mailing list traffic on coolkey-devel was 2012. Is there anyone on the project? In the interim, I was also able to locate a standard deck of test cards [1], both for 30 day loan and for purchase @ $1900. The test deck contains two "golden" cards and 22 cards with known problems that the software should catch. It does not appear I can request an "extra" card from USDA for testing. If there's anyone left to update coolkey, do you think the 30 day loan (potentially with an extension) is enough time to debug the software, or at the very least get a start on it? If the $1900 deck is necessary to add this functionality, it may be possible to donate or semi-permanently loan a set to the open source project. But I'd definitely need to understand what the coolkey project's release and testing plan is and who would hold the physical assets. Thanks, Bryce [1] http://www.idmanagement.gov/ficam-testing-program

8 years, 11 months

2
2
0 / 0

Can I change the CN = CA Signing Certificate to something else?

by Ben Peck

I'm running Fedora 21 with Dogtag 10.2.1-3. My CA's Certificate was given "CA Signing Certificate" as its CN, and I'm wondering how it got that way and it might be customized on install. Running pkispawn interactively definitely didn't give me an opportunity to supply a name, and looking over the config file I could customize also doesn't seem to provide an opportunity to customize this: Dogtag 9 gave the opportunity to customize this as part of the initial setup - where is this done in version 10? thanks, Ben pki_admin_email=caadmin(a)example.com pki_admin_name=caadmin pki_admin_nickname=caadmin pki_admin_password=Secret123 pki_admin_uid=caadmin pki_backup_keys=True pki_backup_password=Secret123 pki_client_database_password=Secret123 pki_client_database_purge=False pki_client_pkcs12_password=Secret123 pki_ds_base_dn=dc=ca,dc=example,dc=com pki_ds_database=ca pki_ds_password=Secret123 pki_security_domain_name=EXAMPLE pki_token_password=Secret123

8 years, 11 months

3
3
0 / 0

OCSP Manager and large CRLs

by David Stutzman - US

I'm attempting to configure an instance of the standalone OCSP Manager and I'm having an issue with it loading the active set of DoD CAs/CRLs. I'm using the LDAP store and have the 17 active CAs/CRLs (Root 2, ID and Email 25-32) added in the configuration. I loaded the directory server (389 ds) with a java program so I know all entries are configured exactly the same with caCertificate;binary and certificateRevocationList;binary attributes for each. While loading, In the debug logs I see "Started CRL Update" for all 17 but then I'll only see 13 finish. I see increased CPU usage (basically 100%) for several minutes after starting the service until the 14th CRL is processed when the machine goes back to idle and it just seems to stop processing the remaining 3 large CRLs. The problem CRLs are understandably the 4 largest at 27.6Mb (this one loads about 4 min 45 seconds after startup), 30.6Mb, 29.5Mb, 33.5Mb. The virtual machine I'm using has 4 cores and 8GB of memory (originally 4, but increasing to 8 didn't seem to help). I see nothing in the system or transaction logs to indicate what the problem is either. The rpm version of the pki-ocsp package is 9.0.15-1. Thanks, Dave

8 years, 11 months

1
0
0 / 0

XSS attacks on the web administration page (port 9180, port 9444)

by Thibaut Pouzet

Hi, We are using the dogtag PKI tool packaged through IPA on CentOS 6.6, here are the system information : * pki-ca-9.0.3-38.el6_6.noarch * pki-setup-9.0.3-38.el6_6.noarch $ uname -a Linux ipa_server 2.6.32-504.12.2.el6.x86_64 #1 SMP Wed Mar 11 22:03:14 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux $ cat /etc/redhat-release CentOS release 6.6 (Final) It appears that the administation page is vulnerable to XSS attacks, wether through the SSL administration page, or the non-SSL administration page. Here is the PoC : * http://ipa_server:9180/ca/ee/ca/profileSelect?profileId=plop%3C/script%3E... * https://ipa_server:9444/ca/ee/ca/profileSelect?profileId=plop%3C/script%3... I cannot seem to find any trace of this problem on google, am I missing something ? Is it the same for other people ? Cheers, -- Thibaut Pouzet Lyra Network Ingénieur Systèmes et Réseaux (+33) 5 31 22 40 08 www.lyra-network.com

8 years, 11 months

1
0
0 / 0

Re: [Pki-users] confused about access control list

by Christina Fu

Hi, I was looking for an exact aci syntax example you tried that failed so I could help you better with. Did you do something like: resourceACLS: certServer.ee.request.enrollment:submit:allow (submit) user!="someBody" && group="Agents":All Agents other than someBody may submit an enrollment request I got the syntax info from the link I gave you. Let me know if that's what you tried. Christina On 04/24/2015 11:14 AM, Ali Khalidi wrote: > In my test, I've added an user to CM and assigned him Agent group > permissions. > now, I want to deny this user enrollment submission, so there are two > default and pre-existing ACLs of relevance: > certServer.ca.request.enrollment and certServer.ee.request.enrollment > in both I tried the following to the submit right: > change the submit right from allow to deny -> the user can still > submit and enroll a certificate > change back to allow, then added a deny rule with the username > specified -> the user can still submit and enroll a certificate > > these were just experiments to understand how ACLs work. > > my end goal, if possible with dogtag, and I would appreciate if you > point me to the right direction is: > restrict an agent to submit and execute and enrollment based on a > specific certificate profile. > > having said the latter, the user_origreq looked promising for that > matter, but I have no clue how to create a new ACL with it. help is > appreciated in the area as well. > > > Thanks, > > Ali > > > > > > > > On Fri, Apr 24, 2015 at 7:31 PM, Christina Fu <cfu(a)redhat.com > <mailto:cfu@redhat.com>> wrote: > > > On 04/22/2015 02:17 AM, Ali Khalidi wrote: >> I've tried a simple example of using the ACL to block profile >> listing and it works. however, I want to disable a CA agent from >> submitting/approving or executing any enrollment requests. I've >> went through all the ACLs, and whenever I encountered a submit >> right, I flipped to deny. despite that the agent still is able to >> submit and enroll certificates. >> > information on access control can be found here: > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/... > > It would help if you give us an acl example that you tried that > does not work? > >> >> another aspect, I was looking into the user_orgreq ACL plugin. >> can someone provide and an example on how this can be used in the >> context of ACLs? > > The user_origreq is an access evaluator plugin for the > UserOrigReqAccessEvaluator. Its primary purpose is for access > control during renewal. It checks to see the the authenticated > user and the original request ownership match. > > Hope this helps. > >> >> thanks, >> >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users(a)redhat.com <mailto:Pki-users@redhat.com> >> https://www.redhat.com/mailman/listinfo/pki-users > > > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com <mailto:Pki-users@redhat.com> > https://www.redhat.com/mailman/listinfo/pki-users > >

8 years, 11 months

2
2
0 / 0

Re: [Pki-users] SCEP directory authentication

by Emily Stemmerich

Hi, I was wondering if anyone could offer some assistance with getting SCEP working with LDAP auth? Thanks! -Emily Date: Monday, April 27, 2015 at 4:53 PM To: "pki-users(a)redhat.com<mailto:pki-users@redhat.com>" <pki-users(a)redhat.com<mailto:pki-users@redhat.com>> Subject: [Pki-users] SCEP directory authentication Hi, I am still trying to get Dogtag 10.2.1 on Fedora 21 working to allow for router identity certificates obtained by Cisco Routers via SCEP to be auto-renewing. I have found that the one-time pin model doesn’t work for auto-renewal. I was pointed to the RedHat document below that discusses using directory-based auth in Section 8.2.1, but I’m having issues with getting it to work. https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/... I’m not certain what to put in the dnpattern attribute and there are no examples I can find and am wondering if it is the reason attempts show uid and credentials as null from the router – details of the setup later on in this email. * dnpattern. Specifies a string representing a subject name pattern to formulate from the directory attributes and entry DN. ------------------------------------------ >From my CS.conf (RouterAuth is then referenced in the caRouterCert.cfg instead of flatfile): auths.instance.RouterAuth.pluginName=UidPwdDirAuth auths.instance.RouterAuth.ldap.basedn=ou=RouterID,dc=auth,dc=sample,dc=com auths.instance.RouterAuth.ldap.ldapconn.host=localhost auths.instance.RouterAuth.ldap.ldapconn.port=389 auths.instance.RouterAuth.ldap.ldapconn.secureConn=false ------------------------------------------ I’ve created a hierarchy outside of dogtag for doing router auth: ou=RouterID,dc=auth,dc=sample,dc=com ------------------------------------------ Test User Account (I am not sure what objectClass to use, so I found one with uid and password as options and used that): dn: uid=172.18.240.11,ou=RouterID,dc=auth,dc=sample,dc=com uid: 172.18.240.11 objectClass: inetUser userPassword: testpass ------------------------------------------ Router config. For flatfile auth it ends up using the wan IP and the password and password in the identity section, however for LDAP auth I don’t know what things would map to: crypto ca identity SAMPLE enrollment url http://172.21.4.239:8080/ca/cgi-bin revocation-check none fqdn emilyvpn.sample.com serial-number none ip-address none hash sha256 password testpass rsakeypair MEVO 2048 auto-enroll 75 crl optional exit crypto ca authenticate SAMPLE ------------------------------------------ When I try and get a cert from the Cisco Router I get output like the following in the debug file that lists both UID and credential as null: [24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication [24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory::getConn [24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory.getConn(): num avail conns now 4 [24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Authenticating UID=null [24/Apr/2015:16:31:19][http-bio-8080-exec-7]: returnConn: mNumConns now 4 [24/Apr/2015:16:31:19][http-bio-8080-exec-7]: operation failure - Authentication credential for uid is null. [24/Apr/2015:16:31:19][http-bio-8080-exec-7]: Output PKIOperation response: Thanks for any assistance, -Emily

8 years, 12 months

2
1
0 / 0

US Government SmartCard question

by Nordgren, Bryce L -FS

Hi, I'm trying to set up smart card logins on Linux using a clean Fedora 21 install following the instructions at [1]. My main objective is to use my USDA-issued LincPass (the USDA brand of the USAccess card) for login to local accounts on linux machines that are not joined to the domain and which are outside the firewall. Essentially, I have control over a handful of machines, but no control over issuing the smart cards. I'll try to get you relevant debugging info, but I don't know much about smart card internals. My setup (card info from ActivClient on Windows): Card Reader: SCR3310 v2.0 "smartOS powered" Smart Card Mfr: Oberthur Technologies Smart Card Model: ID-One Cosmo v7.0 with Oberthur PIV Applet Suite 2.3.2 The problem: following instructions at [1], "pkcs11_inspect debug" results in "no token available" and the light on the reader never comes on. Googling, I saw that US government cards may require CACKey instead of coolkey, so I downloaded/compiled/installed the version at [2] and modified the pam_pkcs11.conf file. Reboot. Improvement. The light comes on. Repeating the "pkcs11_inspect debug" prompts for a PIN for token, and fails immediately afterward with "pkcs11_pass_login() failed: pkcs11_login() failed". I entered the PIN I enter on Windows. Any insights are appreciated. Thanks, Bryce [1] https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sect-S... [2] https://github.com/Conservatory/CACKey

8 years, 12 months

3
12
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-users May 2015