Hi,
I am still trying to get Dogtag 10.2.1 on Fedora 21
working to allow for router identity certificates obtained
by Cisco Routers via SCEP to be auto-renewing. I have
found that the one-time pin model doesn’t work for
auto-renewal. I was pointed to the Red Hat document below
that discusses using directory-based auth in Section
8.2.1, but I’m having issues with getting it to work.
I’m not certain what to put in the dnpattern attribute,
and there are no examples I can find, so I am wondering
whether that is the reason the router’s attempts show uid
and credentials as null; details of the setup are later
on in this email.
------------------------------------------
From my CS.conf (RouterAuth is then referenced in the
caRouterCert.cfg instead of flatfile):
auths.instance.RouterAuth.pluginName=UidPwdDirAuth
auths.instance.RouterAuth.ldap.basedn=ou=RouterID,dc=auth,dc=sample,dc=com
auths.instance.RouterAuth.ldap.ldapconn.host=localhost
auths.instance.RouterAuth.ldap.ldapconn.port=389
auths.instance.RouterAuth.ldap.ldapconn.secureConn=false
------------------------------------------
I’ve created a hierarchy outside of dogtag for doing
router auth:
ou=RouterID,dc=auth,dc=sample,dc=com
------------------------------------------
Test User Account (I am not sure what objectClass to
use, so I found one with uid and password as options and
used that):
dn: uid=172.18.240.11,ou=RouterID,dc=auth,dc=sample,dc=com
userPassword: testpass
------------------------------------------
Router config. For flatfile auth it ends up using the
WAN IP and the password in the identity section; however,
for LDAP auth I don’t know what these would map to:
crypto ca identity SAMPLE
revocation-check none
fqdn emilyvpn.sample.com
serial-number none
ip-address none
hash sha256
password testpass
rsakeypair MEVO 2048
auto-enroll 75
crl optional
exit
crypto ca authenticate SAMPLE
------------------------------------------
When I try to get a cert from the Cisco Router I get
output like the following in the debug file, which lists
both the UID and the credential as null:
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory::getConn
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory.getConn(): num avail conns now 4
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Authenticating UID=null
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: returnConn: mNumConns now 4
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: operation failure - Authentication credential for uid is null.
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: Output PKIOperation response:
Thanks for any assistance,
-Emily
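The following is an added example, not part of Emily’s message or of Dogtag itself. It separates the LDAP side of the setup from the SCEP side so the directory can be ruled in or out: it builds the DN that a uid-under-basedn lookup would produce for a router, emits an LDIF for the router entry using the standard inetOrgPerson objectClass (which allows uid and userPassword and requires cn and sn), and, when the OpenLDAP client tools are installed, performs a simple bind as that entry with ldapwhoami. The host, port and base DN are taken from the CS.conf fragment above; the "RouterAuth" name is not used here, and the bind check is an ordinary LDAP test, not a statement of how UidPwdDirAuth derives the UID from the SCEP request.

```shell
#!/bin/sh
# Added example: verify the LDAP entry and credentials that Dogtag's
# UidPwdDirAuth would use, independently of the Cisco SCEP exchange.
# Values mirror the CS.conf fragment quoted in the message; LDAP_URI can be
# overridden from the environment.
LDAP_URI="${LDAP_URI:-ldap://localhost:389}"
BASEDN="ou=RouterID,dc=auth,dc=sample,dc=com"

# DN of the router entry: uid=<router id> directly under ldap.basedn.
router_dn() {
  printf 'uid=%s,%s\n' "$1" "$BASEDN"
}

# LDIF for one router entry. inetOrgPerson is a standard objectClass that
# permits uid and userPassword; cn and sn are mandatory for it, so the
# router id is reused for both. Arguments: <router id> <password>.
router_ldif() {
  cat <<EOF
dn: $(router_dn "$1")
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: $1
cn: $1
sn: $1
userPassword: $2
EOF
}

# Simple bind as the router entry. Exit status 0 means the directory accepts
# the uid/password pair; a failure here is an LDAP problem, not a Dogtag one.
# Skips (returns 0 with a note) when the OpenLDAP client tools are missing.
check_bind() {
  if ! command -v ldapwhoami >/dev/null 2>&1; then
    echo "ldapwhoami not installed; skipping bind check" >&2
    return 0
  fi
  ldapwhoami -x -H "$LDAP_URI" -D "$(router_dn "$1")" -w "$2"
}

# Usage (router id and password are the constructed test values from the
# message, not real credentials):
#   router_ldif 172.18.240.11 testpass | ldapadd -x -H "$LDAP_URI" -D <admin dn> -W
#   check_bind 172.18.240.11 testpass
```

If the bind succeeds but Dogtag still logs "Authenticating UID=null", the entry and password are fine and the remaining question is how the SCEP request is mapped onto the uid and pwd inputs of the plug-in, which this check does not exercise.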