the password provided for the uid caadmin may have been "incorrect"
Thanks,
M.
On 08/19/2016 10:45 AM, Leonardo Bacha Abrantes wrote:
Hi, below is my debug log:
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SessionContextInterceptor: SecurityDomainResource.getDomainInfo()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SessionContextInterceptor: Not authenticated.
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: mapping: default
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: required auth methods: [*]
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: anonymous access allowed
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: SecurityDomainResource.getDomainInfo()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor.filter: no authorization required
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: No ACL mapping; authz not required.
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization success
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: content-type: null
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: accept: [application/json]
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: response format: application/json
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapBoundConnFactory: init
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapBoundConnFactory:doCloning true
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init begins
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: prompt is internaldb
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: try getting from memory cache
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: got password from memory
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: password found for prompt.
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: password ok: store in memory cache
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init ends
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: init: before makeConnection errorIfDown is false
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: makeConnection: errorIfDown false
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Established LDAP connection using basic authentication to host root-ca.xxxxx.xxx.xx port 389 as cn=ldapadmin
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: initializing with mininum 3 and maximum 15 connections to host root-ca.xxxxx.xxx.xx port 389, secure connection, false, authentication type 1
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: increasing minimum connections by 3
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new total available connections 3
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new number of connections 3
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: In LdapBoundConnFactory::getConn()
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: masterConn is connected: true
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: conn is connected true
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: mNumConns now 2
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: name: xxxxx.xxx.xx Security Domain
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: CA
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - cn=root-ca.xxxxx.xxx.xx:8443,cn=CAList,ou=Security Domain,o=pki-RootCA-CA
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - objectClass: top
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - host: root-ca.xxxxx.xxx.xx
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecurePort: 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecureAgentPort: 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecureAdminPort: 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - UnSecurePort: 8080
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - Clone: FALSE
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SubsystemName: CA root-ca.xxxxx.xxx.xx 8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - cn: root-ca.xxxxx.xxx.xx:8443
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - DomainManager: TRUE
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: OCSP
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: KRA
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: RA
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: TKS
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: TPS
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: Releasing ldap connection
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PKIRealm: Authenticating user caadmin with password.
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PasswdUserDBAuthentication: UID: caadmin
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: In LdapBoundConnFactory::getConn()
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: masterConn is connected: true
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: conn is connected true
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: mNumConns now 2
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PasswdUserDBAuthentication: DN: uid=caadmin,ou=people,o=pki-RootCA-CA
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: LdapAnonConnFactory::getConn
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: LdapAnonConnFactory.getConn(): num avail conns now 2
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 2
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
Any help will be very much appreciated!
On Fri, Aug 19, 2016 at 7:28 AM, Leonardo Bacha Abrantes <leonardo(a)lbasolutions.com> wrote:
Hi guys,
I'm trying to configure a subordinate CA, but am receiving the
message "ERROR: Unable to access security domain: 401 Client
Error: Unauthorized".
I follow these steps:
===>> On Server01 (root-ca):
setup-ds.pl --silent General.FullMachineName=root-ca.xxx.xxx.xx \
General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
slapd.ServerPort=389 slapd.ServerIdentifier=pki-RootCA \
slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=PASSWORD
> myconfig.txt
[DEFAULT]
pki_admin_password=Root-CA_pwd
pki_client_database_password=Root-CA_pwd
pki_client_pkcs12_password=Root-CA_pwd
pki_ds_password=Root-CA_pwd
pki_security_domain_password=Root-CA_pwd
pki_admin_password=Root-CA_pwd
pki_client_database_password=Root-CA_pwd
pki_client_pkcs12_password=Root-CA_pwd
pki_ds_bind_dn=cn=ldapadmin
pki_ds_password=Root-CA_pwd
pki_security_domain_password=Root-CA_pwd
pki_instance_name=pki-RootCA
[CA]
pki_ca_signing_subject_dn=cn=EXAMLE Root Certification Authority,o=XXXXXXXXXXX,c=BR
pki_admin_nickname=PKI Administrator for EXAMPLE
pki_admin_subject_dn=cn=PKI Administrator Root CA,e=admin(a)XXXXX.XXX.xx,o=XXXXXXXXXX,c=BR
pki_admin_email=admin(a)XXXXXX.xxx.xx
===>> On Server02 (Sub-ca):
setup-ds.pl --silent General.FullMachineName=sub-ca.xxx.xxx.xx \
General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
slapd.ServerPort=389 slapd.ServerIdentifier=pki-SubCA \
slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=OTHER_PASSWORD
> myconfig.txt
[DEFAULT]
pki_admin_password=SUB-CA_Passord
pki_client_database_password=SUB-CA_Passord
pki_client_pkcs12_password=SUB-CA_Passord
pki_ds_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_admin_password=SUB-CA_Passord
pki_client_database_password=SUB-CA_Passord
pki_client_pkcs12_password=SUB-CA_Passord
pki_ds_bind_dn=cn=ldapadmin
pki_ds_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_instance_name=pki-SubCA
pki_security_domain_hostname=root-ca.xxxx.xxx.xx
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
[CA]
pki_subordinate=True
pki_issuing_ca=https://root-ca.xxxx.xxxv.xx:8443
pki_ca_signing_subject_dn=cn=EXAMPLE Certification Authority L2,o=XXXXXXXXXXX,c=BR
pki_subordinate_create_new_security_domain=True
pki_subordinate_security_domain_name=EXAMPLE Certification Authority L2
pki_admin_nickname=PKI Administrator for Example Sub-CA L2
pki_admin_subject_dn=cn=PKI Administrator CA L2,e=admin(a)xxxxx.xxx.xx,o=XXXXXXXXXXX,c=BR
pki_admin_email=admin(a)xxxx.xxx.xx
When I run pkispawn -v -s CA -f myconfig.txt on Server02:
ERROR: Unable to access security domain: 401 Client Error: Unauthorized
===
I tried to use the same passwords on myconfig.txt in both servers
just to test, but I receive the same message.
Can you help me, please?
Many thanks!
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
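A small pre-flight check for the subordinate-CA join discussed in this thread, added here as an example (not pkispawn's or Dogtag's own code): it parses the signed-audit line from the root CA debug log above and compares the two posted pkispawn files. It assumes, as M.'s reply implies, that pki_security_domain_user (caadmin) is the root CA's admin account, so the sub CA's pki_security_domain_password has to be the root CA's pki_admin_password; the config excerpts and the audit line are constructed copies of what was posted.

```python
import configparser
import re

# Constructed, abbreviated copies of the two pkispawn files posted in the thread.
ROOT_CFG = """[DEFAULT]
pki_admin_password=Root-CA_pwd
pki_security_domain_password=Root-CA_pwd
pki_instance_name=pki-RootCA
"""
SUB_CFG = """[DEFAULT]
pki_admin_password=SUB-CA_Passord
pki_admin_password=SUB-CA_Passord
pki_security_domain_password=SUB-CA_Passord
pki_security_domain_user=caadmin
pki_instance_name=pki-SubCA
"""
# Constructed copy of the signed-audit line from the root CA's debug log.
AUDIT_LINE = ("message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure]"
              "[AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure")

FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")

def parse_audit_event(line):
    """Split a 'message=[k=v][k=v]...' audit line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def load_pkispawn_cfg(text):
    # The posted file repeats keys in [DEFAULT]; strict=False accepts that
    # (last value wins) instead of raising DuplicateOptionError.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp

def check_security_domain_login(root_text, sub_text, audit_line):
    """Explain a 401 from the security domain. Assumption (hypothetical check):
    pki_security_domain_user is the root CA's admin uid, so the sub CA's
    pki_security_domain_password must equal the root CA's pki_admin_password."""
    root, sub = load_pkispawn_cfg(root_text), load_pkispawn_cfg(sub_text)
    findings = []
    event = parse_audit_event(audit_line)
    if event.get("AuditEvent") == "AUTH_FAIL":
        findings.append("root CA rejected password login for %s via %s"
                        % (event.get("AttemptedCred"), event.get("AuthMgr")))
    if sub["DEFAULT"].get("pki_security_domain_password") != root["DEFAULT"].get("pki_admin_password"):
        findings.append("sub CA pki_security_domain_password differs from root CA pki_admin_password")
    return findings
```

Run against the posted files it reports both findings; with pki_security_domain_password set to the root CA's admin password and a successful audit line it reports none.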