Hello,
I've checked it; the CA is trusted (Firefox browser). I also have the problem that the
logon with pkiconsole now crashed. The login window came up; after username/password the
pkiconsole exits. Tomorrow I will look in the debug log for what happens and also use IE
for testing.
Regards, Klaus Heyden
-----Original Message-----
From: "Marc Sauton" <msauton(a)redhat.com>
Sent: 29.10.08 20:38:09
To: "Klaus (Allianz ASIC)" <KLAUS.HEYDEN(a)ALLIANZ.DE>
CC: pki-users(a)redhat.com
Subject: Re: [Pki-users] failed Administrator logon
Heyden, Klaus (Allianz ASIC) wrote:
> Hello,
>
> I have the problem that the CA doesn't accept the Administrator login,
> either on the HTTPS interface or via pkiconsole. It's a new installation
> and the Admin certificate exists in the browser with secret key. The
> problem is that the CA at first did its job normally. When I now try to
> log in I get a catalina error like this. I did not reconfigure the CA, only
> restarted it. I also configured an HSM (Luna) but don't use keys inside the
> HSM.
You may want to collect the ca debug log when you try to do client auth
in your browser against the https agent pages.
Or review the debug log during the ca instance configuration, near the
key generation for the ca instance or when you selected either a
software token or hsm, for any errors.
I suppose the ca instance was restarted after the web based wizard
configuration was successfully completed.
It is always possible to use another client certificate for an agent or
admin user of the certificate system.
You may want to verify the browser has and trusts the issuer of the agent
cert you try to use.
> -------------------catalina.out----------------------------------
> Oct 29, 2008 5:43:55 PM org.apache.catalina.core.ApplicationContext log"
> INFO: caListRequests: You did not provide a valid certificate for this
> operation
> ----------------------------------------------------------------------
>
> the debug-file shows:
> ---------------------debug----------------------------------------
> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service()
> uri = /ca/agent/header
> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet::service()
> param name='selected' value='ca'
> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: caheader
> start to service.
> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet.java:
> renderTemplate
> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: curDate=Wed
> Oct 29 18:15:07 CET 2008 id=caheader time=0
> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service()
> uri = /ca/agent/ca/listRequests.html
> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:
> caListRequests start to service.
> [29/Oct/2008:18:15:07][http-9443-Processor21]: DisplayHtmlServlet
> about to service
> [29/Oct/2008:18:15:07][http-9443-Processor21]: IP: 10.94.112.222
> [29/Oct/2008:18:15:07][http-9443-Processor21]: AuthMgrName:
> certUserDBAuthMgr
> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: retrieving
> SSL certificate
> [29/Oct/2008:18:15:07][http-9443-Processor21]:
> SignedAuditEventFactory: create()
> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$]
> authentication failure
> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: getConn: mNumConns
> now 2
> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]:
> ObjectStreamMapper:mapObjectToLDAPAttributeSet revokedCerts size=84
> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]:
> ObjectStreamMapper:mapObjectToLDAPAttributeSet unrevokedCerts size=84
> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]:
> ObjectStreamMapper:mapObjectToLDAPAttributeSet expiredCerts size=84
> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: returnConn:
> mNumConns now 3
> ----------------------------------------------------------------------
>
> certutil -L -d . shows me:
> ----------------------------------------------------------------------
> Certificate Nickname                              Trust Attributes
>                                                   SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-ca4-1                        u,u,u
> subsystemCert cert-ca4-1                          u,u,u
> caSigningCert cert-ca4-1                          CTu,Cu,Cu
> Server-Cert cert-ca4-1                            u,u,u
> Allianz Group Root CA II - Allianz Group          CT,C,C
> ----------------------------------------------------------------------
>
>
> Regards
> Klaus Heyden
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
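Added example, not part of the original thread and not Certificate System code: a small triage script that reads debug-log lines in the format quoted above, tracks the request context per worker thread, and reports each AUTH_FAIL audit event with the URI, client IP and auth manager that preceded it. The sample input is constructed from the quoted excerpt with the wrapped lines joined; the function and field names are assumptions made for this sketch.

```python
import re

# Constructed sample: lines from the quoted debug excerpt, unwrapped to one line each.
SAMPLE = """\
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service() uri = /ca/agent/header
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service() uri = /ca/agent/ca/listRequests.html
[29/Oct/2008:18:15:07][http-9443-Processor21]: IP: 10.94.112.222
[29/Oct/2008:18:15:07][http-9443-Processor21]: AuthMgrName: certUserDBAuthMgr
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: retrieving SSL certificate
[29/Oct/2008:18:15:07][http-9443-Processor21]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$] authentication failure
[29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: getConn: mNumConns now 2
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s*(?P<msg>.*)$")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")

def auth_failures(text):
    """Return one dict per AUTH_FAIL event with the request context of its thread."""
    ctx = {}      # thread name -> latest uri / ip / authmgr seen on that thread
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped or foreign line; skip it
        state = ctx.setdefault(m["thread"], {})
        msg = m["msg"]
        if "uri = " in msg:
            state.clear()  # a new request started on this worker thread
            state["uri"] = msg.split("uri = ", 1)[1].strip()
        elif msg.startswith("IP: "):
            state["ip"] = msg[4:].strip()
        elif msg.startswith("AuthMgrName: "):
            state["authmgr"] = msg.split(": ", 1)[1].strip()
        elif "AuditEvent=AUTH_FAIL" in msg:
            fields = dict(FIELD.findall(msg))
            events.append({
                "time": m["ts"], "thread": m["thread"], **state,
                "subject": fields.get("SubjectID"),
                # True when the server recorded no subject or credential for the attempt
                "no_identity": fields.get("SubjectID") == "$Unidentified$"
                               and fields.get("AttemptedCred") == "$Unidentified$",
            })
    return events

if __name__ == "__main__":
    for e in auth_failures(SAMPLE):
        print(e)
```

On a real debug file, join wrapped lines first (mail clients and pagers break them), otherwise the continuation lines are skipped.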