Hi Rohan,
I have only played with IP UID/PWD auth with SCEP, which I just tried and
seems to be working.
Could you maybe give me info on how you set up CN/PWD and I could look into
that.
thanks,
Christina
On Sun, Nov 29, 2020 at 11:57 PM Rohan Raymore (rraymore) <rraymore(a)cisco.com> wrote:
Hello,
I am looking for some guidance/assistance with a dogtag-pki CA server
setup that I am testing.
Environment:
Cisco ASR router
CentOS 7 vm
PKI version 10.5.18-7.e17 installed
Configured to use flatfile to authenticate Cisco router using UID/PWD via
SCEP
I am able to successfully authenticate and enroll the router via SCEP
using UID/PWD in flatfile
Issue:
The UID is the IP address of the router interface toward the CA server; this IP
is assigned via DHCP, thus it is not deterministic.
When I configured an IP address of a Loopback interface under the
Trustpoint configuration of the router, I can see that it is seen by the CA in
the logs, but it is not used for authentication/enrollment.
I tried to change the CS.cfg file to use the CN/PWD to authenticate,
however it appears I may have missed something as it fails with a password
null.
Can you please assist with providing one of two options:
1. How to authenticate/enroll router via Loopback interface IP address
that is specified in the Trustpoint configuration of the router?
2. How to authenticate/enroll the router using the CN/PWD in the
flatfile?
Thanks in advance for your assistance!
See below some output from the debug file:
<snip>
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: keys.length = 1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating: 10.0.1.1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key 10.0.1.1 <-------- this is the IP I have configured in flatfile
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: keys.length = 1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating: null
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = UID
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: authenticating user: finding user from key: 10.1.1.1 <----- this is the router outside interface IP
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: User not found in password file.
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: operation failure - Invalid Credential.
<snap>
<snip>
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Found profile=caRouterCert
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Retrieving authenticator
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: keys.length = 1
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating: dev-sec-a-2.example.com
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key dev-sec-a-2.example.com
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: keys.length = 1
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating: null
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = CN
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: operation failure - Authentication credential for CN is null.
<snap>
Regards,
Rohan Raymore
Rohan Raymore <
http://directory.cisco.com/dir/details/rraymore>
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
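An added example, not from the thread or from the Dogtag project: a small Python parser that groups the FlatFileAuth debug lines Rohan posted by Tomcat thread and tells the two failure modes apart (the key value the request presented is not in the flatfile, versus the configured key attribute being absent from the request). The sample log is constructed from the quoted lines, re-joined onto single lines; the category names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample: the quoted FlatFileAuth debug lines, re-joined onto single
# lines and trimmed to one enrollment attempt per Tomcat thread.
SAMPLE_LOG = """\
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key 10.0.1.1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = UID
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: authenticating user: finding user from key: 10.1.1.1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: User not found in password file.
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: operation failure - Invalid Credential.
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key dev-sec-a-2.example.com
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = CN
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: operation failure - Authentication credential for CN is null.
"""

# [timestamp][thread]: message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")

def parse_flatfile_auth(log_text):
    """Group FlatFileAuth lines by thread; collect flatfile keys, key attribute,
    the value looked up from the request, and the final failure message."""
    attempts = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = attempts.setdefault(m["thread"], {"file_keys": [], "key_attr": None,
                                              "lookup_key": None, "result": None})
        msg = m["msg"]
        if msg.startswith("FlatFileAuth: putting: key"):
            value = msg[len("FlatFileAuth: putting: key"):].strip()
            if value:  # an empty value is the "null" key the log prints just before
                a["file_keys"].append(value)
        elif "keyAttrs[0] = " in msg:
            a["key_attr"] = msg.split("keyAttrs[0] = ", 1)[1].strip()
        elif "finding user from key: " in msg:
            a["lookup_key"] = msg.split("finding user from key: ", 1)[1].strip()
        elif msg.startswith("operation failure - "):
            a["result"] = msg[len("operation failure - "):].strip()
    return attempts

def diagnose(a):
    """Classify one attempt using only what the debug lines show."""
    r = a["result"] or ""
    if r.startswith("Authentication credential for "):
        return ("MISSING_ATTR", f"request carried no {a['key_attr']}; flatfile keyed by {a['key_attr']} cannot match")
    if a["lookup_key"] and a["lookup_key"] not in a["file_keys"]:
        return ("KEY_MISMATCH", f"request {a['key_attr']}={a['lookup_key']} not among flatfile keys {a['file_keys']}")
    return ("OTHER_FAILURE", r) if r else ("OK", "no failure recorded")
```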