Hi Marc,
Yep, I saw it in the log, but it's strange because I typed the correct password (copy and paste to avoid errors).
I also tried to use the same password for all parameters on both servers just to test, but it failed.
I don't know exactly if something is missing in the myconfig.txt file on server01 or on server02, or if I skipped some step.
The steps are: configure a directory server and create a config file to be used by pkispawn, on both servers, and then run pkispawn -s CA -f myconfig.txt.
Is that right, or is it necessary to do anything else?
Many thanks!
The password provided for the uid caadmin may have been "incorrect".
Thanks,
M.
On 08/19/2016 10:45 AM, Leonardo Bacha Abrantes wrote:
Hi, below is my debug log:
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SessionContextInterceptor: SecurityDomainResource.getDomainInfo()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SessionContextInterceptor: Not authenticated.
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: mapping: default
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: required auth methods: [*]
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: anonymous access allowed
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: SecurityDomainResource.getDomainInfo()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor.filter: no authorization required
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: No ACL mapping; authz not required.
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization success
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: content-type: null
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: accept: [application/json]
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: response format: application/json
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapBoundConnFactory: init
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapBoundConnFactory:doCloning true
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init begins
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: prompt is internaldb
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: try getting from memory cache
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: got password from memory
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: password found for prompt.
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: password ok: store in memory cache
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init ends
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: init: before makeConnection errorIfDown is false
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: makeConnection: errorIfDown false
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Established LDAP connection using basic authentication to host root-ca.xxxxx.xxx.xx port 389 as cn=ldapadmin
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: initializing with mininum 3 and maximum 15 connections to host root-ca.xxxxx.xxx.xx port 389, secure connection, false, authentication type 1
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: increasing minimum connections by 3
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new total available connections 3
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new number of connections 3
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: In LdapBoundConnFactory::getConn()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: masterConn is connected: true
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: conn is connected true
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: mNumConns now 2
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: name: xxxxx.xxx.xx Security Domain
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: CA
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - cn=root-ca.xxxxx.xxx.xx:8443,cn=CAList,ou=Security Domain,o=pki-RootCA-CA
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - objectClass: top
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - host: root-ca.xxxxx.xxx.xx
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecurePort: 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecureAgentPort: 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecureAdminPort: 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - UnSecurePort: 8080
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - Clone: FALSE
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SubsystemName: CA root-ca.xxxxx.xxx.xx 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - cn: root-ca.xxxxx.xxx.xx:8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - DomainManager: TRUE
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: OCSP
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: KRA
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: RA
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: TKS
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: TPS
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: Releasing ldap connection
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PKIRealm: Authenticating user caadmin with password.
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PasswdUserDBAuthentication: UID: caadmin
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: In LdapBoundConnFactory::getConn()
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: masterConn is connected: true
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: conn is connected true
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: mNumConns now 2
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PasswdUserDBAuthentication: DN: uid=caadmin,ou=people,o=pki-RootCA-CA
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: LdapAnonConnFactory::getConn
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: LdapAnonConnFactory.getConn(): num avail conns now 2
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 2
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
Any help will be very much appreciated!
On Fri, Aug 19, 2016 at 7:28 AM, Leonardo Bacha Abrantes <leonardo@lbasolutions.com> wrote:
Hi guys,
I'm trying to configure a subordinate CA, but I am receiving the message "ERROR: Unable to access security domain: 401 Client Error: Unauthorized".
I followed these steps:
===>> On Server01 (root-ca):
setup-ds.pl --silent General.FullMachineName=root-ca.xxx.xxx.xx \
  General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
  slapd.ServerPort=389 slapd.ServerIdentifier=pki-RootCA \
  slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
  slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=PASSWORD
> myconfig.txt
[DEFAULT]
pki_admin_password=Root-CA_pwd
pki_client_database_password=Root-CA_pwd
pki_client_pkcs12_password=Root-CA_pwd
pki_ds_password=Root-CA_pwd
pki_security_domain_password=Root-CA_pwd
pki_admin_password=Root-CA_pwd
pki_client_database_password=Root-CA_pwd
pki_client_pkcs12_password=Root-CA_pwd
pki_ds_bind_dn=cn=ldapadmin
pki_ds_password=Root-CA_pwd
pki_security_domain_password=Root-CA_pwd
pki_instance_name=pki-RootCA

[CA]
pki_ca_signing_subject_dn=cn=EXAMPLE Root Certification Authority,o=XXXXXXXXXXX,c=BR
pki_admin_nickname=PKI Administrator for EXAMPLE
pki_admin_subject_dn=cn=PKI Administrator Root CA,e=admin@XXXXX.XXX.xx,o=XXXXXXXXXX,c=BR
pki_admin_email=admin@XXXXXX.xxx.xx
===>> On Server02 (Sub-ca):
setup-ds.pl --silent General.FullMachineName=sub-ca.xxx.xxx.xx \
  General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
  slapd.ServerPort=389 slapd.ServerIdentifier=pki-SubCA \
  slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
  slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=OTHER_PASSWORD
> myconfig.txt
[DEFAULT]
pki_admin_password=SUB-CA_Passord
pki_client_database_password=SUB-CA_Passord
pki_client_pkcs12_password=SUB-CA_Passord
pki_ds_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_admin_password=SUB-CA_Passord
pki_client_database_password=SUB-CA_Passord
pki_client_pkcs12_password=SUB-CA_Passord
pki_ds_bind_dn=cn=ldapadmin
pki_ds_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_instance_name=pki-SubCA
pki_security_domain_hostname=root-ca.xxxx.xxx.xx
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin

[CA]
pki_subordinate=True
pki_issuing_ca=https://root-ca.xxxx.xxxv.xx:8443
pki_ca_signing_subject_dn=cn=EXAMPLE Certification Authority L2,o=XXXXXXXXXXX,c=BR
pki_subordinate_create_new_security_domain=True
pki_subordinate_security_domain_name=EXAMPLE Certification Authority L2
pki_admin_nickname=PKI Administrator for Example Sub-CA L2
pki_admin_subject_dn=cn=PKI Administrator CA L2,e=admin@xxxxx.xxx.xx,o=XXXXXXXXXXX,c=BR
pki_admin_email=admin@xxxx.xxx.xx
When I run pkispawn -v -s CA -f myconfig.txt on Server02:
ERROR: Unable to access security domain: 401 Client Error: Unauthorized
===
I tried to use the same passwords in myconfig.txt on both servers just to test, but I receive the same message.
Can you help me, please?
Many thanks!
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
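Added example, not from the thread or from the Dogtag project: a pre-flight check that reads the two pkispawn deployment files described above and cross-checks the sub-CA's security-domain settings against the root CA's before pkispawn is run. It rests on one assumption, backed by the debug log posted in the thread (PKIRealm authenticates caadmin against uid=caadmin,ou=people,o=pki-RootCA-CA on the root instance): the sub-CA's pki_security_domain_user and pki_security_domain_password are verified by the root CA against its own admin user, whose uid is pki_admin_uid (default caadmin) and whose password was set by the root's pki_admin_password. The two config strings are constructed from the thread's values with the repeated keys dropped and the placeholder hostnames made consistent; the finding codes (SD_PASSWORD_MISMATCH and so on) are this script's own names.

```python
"""Pre-flight cross-check of a root-CA / sub-CA pair of pkispawn configs.

Added example, not code from the thread or from Dogtag. Assumption (backed by
the thread's debug log): the ROOT CA authenticates pki_security_domain_user
against its own internal DB, so the sub-CA's pki_security_domain_password
must equal the root's pki_admin_password (admin uid defaults to caadmin).
"""
import configparser
import re
from urllib.parse import urlsplit

# Constructed inputs modelled on the thread's two files (duplicate keys
# dropped, placeholder hostnames made consistent).
ROOT_CFG = """\
[DEFAULT]
pki_instance_name=pki-RootCA
pki_admin_password=Root-CA_pwd
pki_ds_bind_dn=cn=ldapadmin
pki_ds_password=Root-CA_pwd
pki_security_domain_password=Root-CA_pwd

[CA]
pki_ca_signing_subject_dn=cn=EXAMPLE Root Certification Authority,o=XXXXXXXXXXX,c=BR
pki_admin_nickname=PKI Administrator for EXAMPLE
"""

SUB_CFG = """\
[DEFAULT]
pki_instance_name=pki-SubCA
pki_admin_password=SUB-CA_Passord
pki_ds_bind_dn=cn=ldapadmin
pki_ds_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_security_domain_hostname=root-ca.xxxx.xxx.xx
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin

[CA]
pki_subordinate=True
pki_issuing_ca=https://root-ca.xxxx.xxx.xx:8443
pki_ca_signing_subject_dn=cn=EXAMPLE Certification Authority L2,o=XXXXXXXXXXX,c=BR
pki_subordinate_create_new_security_domain=True
pki_subordinate_security_domain_name=EXAMPLE Certification Authority L2
"""


def load(text):
    # strict=False tolerates repeated keys (last one wins); interpolation is
    # off because DNs and passwords may legitimately contain '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def duplicate_keys(text):
    """(section, key) pairs repeated within one section: a lenient parser
    keeps the last copy silently, so a stale line can shadow the edited one."""
    seen, dups, section = set(), [], "DEFAULT"
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        if "=" in line and not line.startswith(("#", ";")):
            key = (section, line.split("=", 1)[0].strip())
            if key in seen:
                dups.append(key)
            seen.add(key)
    return dups


def check_pair(root_text, sub_text):
    """Return a list of (code, message) findings; empty means consistent."""
    root, sub = load(root_text), load(sub_text)
    r = lambda k: root.get("CA", k, fallback=None)  # [CA] with [DEFAULT] fallback
    s = lambda k: sub.get("CA", k, fallback=None)
    findings = []

    if s("pki_subordinate") != "True":
        findings.append(("NOT_SUBORDINATE", "sub: pki_subordinate must be True"))
    issuing = s("pki_issuing_ca")
    if not issuing:
        findings.append(("MISSING_ISSUING_CA", "sub: pki_issuing_ca is required"))
    else:
        url = urlsplit(issuing)
        sd_host = s("pki_security_domain_hostname")
        sd_port = s("pki_security_domain_https_port") or "8443"
        if url.hostname != sd_host:
            findings.append(("SD_HOST_MISMATCH", f"sub: pki_issuing_ca host "
                             f"{url.hostname!r} != security domain host {sd_host!r}"))
        if str(url.port or 443) != sd_port:
            findings.append(("SD_PORT_MISMATCH", f"sub: pki_issuing_ca port "
                             f"{url.port} != pki_security_domain_https_port {sd_port}"))

    # The security-domain user is authenticated by the ROOT instance, so it
    # must be the root's admin uid with the root's admin password; the
    # sub-CA's own pki_admin_password plays no part in that check.
    root_admin = r("pki_admin_uid") or "caadmin"
    sd_user = s("pki_security_domain_user") or "caadmin"
    if sd_user != root_admin:
        findings.append(("SD_USER_NOT_ROOT_ADMIN", f"sub: pki_security_domain_user "
                         f"{sd_user!r} is not the root admin uid {root_admin!r}"))
    elif s("pki_security_domain_password") != r("pki_admin_password"):
        findings.append(("SD_PASSWORD_MISMATCH", "sub: pki_security_domain_password "
                         "must equal the root CA's pki_admin_password (the root's "
                         "PKIRealm checks it); otherwise expect 401 Unauthorized"))

    if r("pki_ca_signing_subject_dn") == s("pki_ca_signing_subject_dn"):
        findings.append(("SAME_SIGNING_DN", "root and sub signing subject DNs must differ"))

    for which, text in (("root", root_text), ("sub", sub_text)):
        for section, key in duplicate_keys(text):
            findings.append(("DUPLICATE_KEY", f"{which}: {key} repeated in [{section}]"))
    return findings


if __name__ == "__main__":
    for code, msg in check_pair(ROOT_CFG, SUB_CFG) or [("OK", "configs consistent")]:
        print(f"{code}: {msg}")
```

Run against the thread's values the script reports only SD_PASSWORD_MISMATCH; once the sub-CA's pki_security_domain_password is set to the root's admin password it reports nothing. The duplicate-key scan exists because the files as posted repeat several keys, and a parser that keeps the last copy will hide a stale password line above the one that was edited.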