the password provided for the uid caadmin may have been "incorrect"
Thanks,
M.

On 08/19/2016 10:45 AM, Leonardo Bacha Abrantes wrote:
Hi, bellow my debug log 



[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SessionContextInterceptor: SecurityDomainResource.getDomainInfo()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SessionContextInterceptor: Not authenticated.
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: mapping: default
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: required auth methods: [*]
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: anonymous access allowed
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: SecurityDomainResource.getDomainInfo()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor.filter: no authorization required
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: No ACL mapping; authz not required.
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization success

[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: content-type: null
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: accept: [application/json]
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: response format: application/json
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapBoundConnFactory: init
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapBoundConnFactory:doCloning true
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init begins
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: prompt is internaldb
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: try getting from memory cache
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: got password from memory
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: password found for prompt.
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: password ok: store in memory cache
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init ends
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: init: before makeConnection errorIfDown is false
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: makeConnection: errorIfDown false
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Established LDAP connection using basic authentication to host root-ca.xxxxx.xxx.xx port 389 as cn=ldapadmin
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: initializing with mininum 3 and maximum 15 connections to host root-ca.xxxxx.xxx.xx port 389, secure connection, false, authentication type 1
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: increasing minimum connections by 3
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new total available connections 3
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new number of connections 3
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: In LdapBoundConnFactory::getConn()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: masterConn is connected: true
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: conn is connected true
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: mNumConns now 2
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: name: xxxxx.xxx.xx Security Domain
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: CA
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:  - cn=root-ca.xxxxx.xxx.xx:8443,cn=CAList,ou=Security Domain,o=pki-RootCA-CA
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:    - objectClass: top
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:    - host: root-ca.xxxxx.xxx.xx
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:    - SecurePort: 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:    - SecureAgentPort: 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:    - SecureAdminPort: 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:    - UnSecurePort: 8080
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:    - Clone: FALSE
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:    - SubsystemName: CA root-ca.xxxxx.xxx.xx 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:    - cn: root-ca.xxxxx.xxx.xx:8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor:    - DomainManager: TRUE
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: OCSP
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: KRA
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: RA
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: TKS
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: TPS
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: Releasing ldap connection
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PKIRealm: Authenticating user caadmin with password.
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PasswdUserDBAuthentication: UID: caadmin
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: In LdapBoundConnFactory::getConn()
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: masterConn is connected: true
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: conn is connected true
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: mNumConns now 2
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PasswdUserDBAuthentication: DN: uid=caadmin,ou=people,o=pki-RootCA-CA
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: LdapAnonConnFactory::getConn
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: LdapAnonConnFactory.getConn(): num avail conns now 2
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 2
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure



any help will be very much appreciated !


On Fri, Aug 19, 2016 at 7:28 AM, Leonardo Bacha Abrantes <leonardo@lbasolutions.com> wrote:
Hi guys,

I'm trying to configure a subordinate CA, but am receiving the message "ERROR:  Unable to access security domain: 401 Client Error: Unauthorized".


I follow these steps:




===>> On Server01 (root-ca):


setup-ds.pl --silent General.FullMachineName=root-ca.xxx.xxx.xx \
General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
slapd.ServerPort=389 slapd.ServerIdentifier=pki-RootCA \
slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=PASSWORD



> myconfig.txt


[DEFAULT]
pki_admin_password=Root-CA_pwd
pki_client_database_password=Root-CA_pwd
pki_client_pkcs12_password=Root-CA_pwd
pki_ds_password=Root-CA_pwd
pki_security_domain_password=Root-CA_pwd
pki_admin_password=Root-CA_pwd
pki_client_database_password=Root-CA_pwd
pki_client_pkcs12_password=Root-CA_pwd
pki_ds_bind_dn=cn=ldapadmin
pki_ds_password=Root-CA_pwd
pki_security_domain_password=Root-CA_pwd
pki_instance_name=pki-RootCA

[CA]
pki_ca_signing_subject_dn=cn=EXAMLE Root Certification Authority,o=XXXXXXXXXXX,c=BR
pki_admin_nickname=PKI Administrator for EXAMPLE
pki_admin_subject_dn=cn=PKI Administrator Root CA,e=admin@XXXXX.XXX.xx,o=XXXXXXXXXX,c=BR
pki_admin_email=admin@XXXXXX.xxx.xx





===>> On Server02 (Sub-ca):


setup-ds.pl --silent General.FullMachineName=sub-ca.xxx.xxx.xx \
General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
slapd.ServerPort=389 slapd.ServerIdentifier=pki-SubCA \
slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=OTHER_PASSWORD



> myconfig.txt

[DEFAULT]
pki_admin_password=SUB-CA_Passord
pki_client_database_password=SUB-CA_Passord
pki_client_pkcs12_password=SUB-CA_Passord
pki_ds_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_admin_password=SUB-CA_Passord
pki_client_database_password=SUB-CA_Passord
pki_client_pkcs12_password=SUB-CA_Passord
pki_ds_bind_dn=cn=ldapadmin
pki_ds_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_instance_name=pki-SubCA
pki_security_domain_hostname=root-ca.xxxx.xxx.xx
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin

[CA]
pki_subordinate=True
pki_ca_signing_subject_dn=cn=EXAMPLE Certification Authority L2,o=XXXXXXXXXXX,c=BR
pki_subordinate_create_new_security_domain=True
pki_subordinate_security_domain_name=EXAMPLE Certification Authority L2
pki_admin_nickname=PKI Administrator for Example Sub-CA L2
pki_admin_subject_dn=cn=PKI Administrator CA L2,e=admin@xxxxx.xxx.xx,o=XXXXXXXXXXX,c=BR
pki_admin_email=admin@xxxx.xxx.xx




when I run pkispawn -v -s CA -f myconfig.txt on Server02:


ERROR:  Unable to access security domain: 401 Client Error: Unauthorized



===



I tried to use the same passwords on myconfig.txt in both servers just to test, but I receive the same message.


Can you help me please ?

many thanks!





_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users