2:34 p.m.
Hi,
I was wondering if anyone could offer some assistance with getting SCEP working with LDAP
auth?
Thanks!
-Emily
Date: Monday, April 27, 2015 at 4:53 PM
To: "pki-users@redhat.com<mailto:pki-users@redhat.com>"
<pki-users@redhat.com<mailto:pki-users@redhat.com>>
Subject: [Pki-users] SCEP directory authentication
Hi,
I am still trying to get Dogtag 10.2.1 on Fedora 21 working to allow for router identity
certificates obtained by Cisco Routers via SCEP to be auto-renewing. I have found that
the one-time pin model doesn’t work for auto-renewal. I was pointed to the RedHat
document below that discusses using directory-based auth in Section 8.2.1, but I’m having
issues with getting it to work.
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
I’m not certain what to put in the dnpattern attribute and there are no examples I can
find and am wondering if it is the reason attempts show uid and credentials as null from
the router – details of the setup later on in this email.
*
dnpattern. Specifies a string representing a subject name pattern to formulate from the
directory attributes and entry DN.
------------------------------------------
From my CS.conf (RouterAuth is then referenced in the caRouterCert.cfg
instead of flatfile):
auths.instance.RouterAuth.pluginName=UidPwdDirAuth
auths.instance.RouterAuth.ldap.basedn=ou=RouterID,dc=auth,dc=sample,dc=com
auths.instance.RouterAuth.ldap.ldapconn.host=localhost
auths.instance.RouterAuth.ldap.ldapconn.port=389
auths.instance.RouterAuth.ldap.ldapconn.secureConn=false
------------------------------------------
I’ve created a hierarchy outside of dogtag for doing router auth:
ou=RouterID,dc=auth,dc=sample,dc=com
------------------------------------------
Test User Account (I am not sure what objectClass to use, so I found one with uid and
password as options and used that):
dn: uid=172.18.240.11,ou=RouterID,dc=auth,dc=sample,dc=com
uid: 172.18.240.11
objectClass: inetUser
userPassword: testpass
------------------------------------------
Router config. For flatfile auth it ends up using the wan IP and the password and
password in the identity section, however for LDAP auth I don’t know what things would map
to:
crypto ca identity SAMPLE
enrollment url http://172.21.4.239:8080/ca/cgi-bin
revocation-check none
fqdn emilyvpn.sample.com
serial-number none
ip-address none
hash sha256
password testpass
rsakeypair MEVO 2048
auto-enroll 75
crl optional
exit
crypto ca authenticate SAMPLE
------------------------------------------
When I try and get a cert from the Cisco Router I get output like the following in the
debug file that lists both UID and credential as null:
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Got
authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory::getConn
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory.getConn(): num avail
conns now 4
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Authenticating UID=null
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: returnConn: mNumConns now 4
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: operation failure - Authentication
credential for uid is null.
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: Output PKIOperation response:
Thanks for any assistance,
-Emily
6:30 p.m.
New subject: SCEP directory authentication
Hi Emily,
By default SCEP could take a challengePassword (internally
"challengePhrase") that you could map with the host id, which is what
the FlatFile authentication does. However, the directory based
authenticator handles literally "uid" and "pwd". You will need to get
challengePhrase mapped to pwd into the request, and to do that you could
write a plugin for it.
I think you could try editing the following file
server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
to get "uid" and "pwd' filled in the request.
We have professional services that could help write plugins.
Christina
On 05/01/2015 12:34 PM, Emily Stemmerich wrote:
Hi,
I was wondering if anyone could offer some assistance with getting
SCEP working with LDAP auth?
Thanks!
-Emily
Date: Monday, April 27, 2015 at 4:53 PM
To: "pki-users(a)redhat.com <mailto:pki-users@redhat.com>"
<pki-users(a)redhat.com <mailto:pki-users@redhat.com>>
Subject: [Pki-users] SCEP directory authentication
Hi,
I am still trying to get Dogtag 10.2.1 on Fedora 21 working to allow
for router identity certificates obtained by Cisco Routers via SCEP to
be auto-renewing. I have found that the one-time pin model doesn’t
work for auto-renewal. I was pointed to the RedHat document below
that discusses using directory-based auth in Section 8.2.1, but I’m
having issues with getting it to work.
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
I’m not certain what to put in the dnpattern attribute and there are
no examples I can find and am wondering if it is the reason attempts
show uid and credentials as null from the router – details of the
setup later on in this email.
*
*dnpattern.* Specifies a string representing a subject name
pattern to formulate from the directory attributes and entry DN.
------------------------------------------
From my CS.conf (RouterAuth is then referenced in the caRouterCert.cfg
instead of flatfile):
auths.instance.RouterAuth.pluginName=UidPwdDirAuth
auths.instance.RouterAuth.ldap.basedn=ou=RouterID,dc=auth,dc=sample,dc=com
auths.instance.RouterAuth.ldap.ldapconn.host=localhost
auths.instance.RouterAuth.ldap.ldapconn.port=389
auths.instance.RouterAuth.ldap.ldapconn.secureConn=false
------------------------------------------
I’ve created a hierarchy outside of dogtag for doing router auth:
ou=RouterID,dc=auth,dc=sample,dc=com
------------------------------------------
Test User Account (I am not sure what objectClass to use, so I found
one with uid and password as options and used that):
dn: uid=172.18.240.11,ou=RouterID,dc=auth,dc=sample,dc=com
uid: 172.18.240.11
|objectClass: inetUser|
userPassword: testpass
------------------------------------------
Router config. For flatfile auth it ends up using the wan IP and the
password and password in the identity section, however for LDAP auth I
don’t know what things would map to:
crypto ca identity SAMPLE
enrollment url http://172.21.4.239:8080/ca/cgi-bin
revocation-check none
fqdn emilyvpn.sample.com
serial-number none
ip-address none
hash sha256
password testpass
rsakeypair MEVO 2048
auto-enroll 75
crl optional
exit
crypto ca authenticate SAMPLE
------------------------------------------
When I try and get a cert from the Cisco Router I get output like the
following in the debug file that lists both UID and credential as null:
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Got
authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory::getConn
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]:
LdapAnonConnFactory.getConn(): num avail conns now 4
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Authenticating UID=null
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: returnConn: mNumConns now 4
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: operation failure -
Authentication credential for uid is null.
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: Output PKIOperation
response:
Thanks for any assistance,
-Emily
3282
days inactive
3282
days old
1 comments
2 participants
participants (2)
-
Christina Fu -
Emily Stemmerich