3:25 a.m.
Hi list,
I'm trying to use flat-file auth on certificate requests via Certmonger.
I can successfully get certificates issued when I remove authentication.
I've restricted the Certificate Profile to require flat-file authentication.
I'm running Centos7 with pki-server-10.1.2-7.el7.noarch and
certmonger-0.78.4-1.el7.centos.x86_64
The error I get is.
"[29/Sep/2015:15:31:38][http-bio-8080-exec-10]: CertProcessor:
authentication error Authentication credential for uid is null.
The request generated by Certmonger looks like this.
###
GET
/ca/ee/ca/profileSubmit?profileId=IPASubCA&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG%0ASIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q%0AnPQBQ6U0KbTKmKM81%2F2kD39eaMMzdyqBi%2BcbsPMOl93%2F%2FB88Eu8QRLis6hYMmgUF%0Av%2BcSS2JOHPOC8RY8YbkVlRYUGb%2BbMkldQEYsIOfad8xlfDBh%2Bg5ImA%2FrYS2g6MgV%0ACI0k%2F6w1nsNGJof7U2KEJpLJOvI%2F%2FwznaF%2FkuJC5kYrPLbOIEbQvM5%2F8Kcyh1W48%0AtgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67%2FAx%2FI2T34MpD5AN%0AWN1b9de3nWEce%2BMoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw%0AGwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG%0AA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX%2F%2BEWI84MCIG%0ACSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA%0AA4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T%2BkGSDgnzdK8afO8CwC6kfwAP8PZNo2L%0AcbpbiqYRSrwGOqmLpalxBG21T47c%2BonW2x8x4UYitpQH%2BUQE1P1SKiiiPA%2B6sj0f%0A5dFfPLjQGDrD1cpD!
8abY7HGPH
3
NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ%0APR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv%0AfKrckHp4AHK7B0hv%2FteB7GiqqrYA3cq9M3T6B17MnmjDF%2FyrS8uLl6DhFug0PLE2%0Afen%2FbDiCjJ3IDIqhS0hheym07ca8%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true&uid=foo&pwd=password
###
flatfile.txt looks like:
#
uid:foo
pwd:password
#
CS.cfg contains:
#
auths.instance.flatFileAuth.authAttributes=pwd
auths.instance.flatFileAuth.deferOnFailure=true
auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
auths.instance.flatFileAuth.keyAttributes=uid
auths.instance.flatFileAuth.pluginName=FlatFileAuth
#
The full error from the pki debug logs is below
thanks!
James M
###
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:service() uri
= /ca/ee/ca/profileSubmit
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='profileId' value='IPASubCA'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='cert_request_type' value='pkcs10'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='cert_request' value='-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q
nPQBQ6U0KbTKmKM81/2kD39eaMMzdyqBi+cbsPMOl93//B88Eu8QRLis6hYMmgUF
v+cSS2JOHPOC8RY8YbkVlRYUGb+bMkldQEYsIOfad8xlfDBh+g5ImA/rYS2g6MgV
CI0k/6w1nsNGJof7U2KEJpLJOvI//wznaF/kuJC5kYrPLbOIEbQvM5/8Kcyh1W48
tgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67/Ax/I2T34MpD5AN
WN1b9de3nWEce+MoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw
GwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG
A1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX/+EWI84MCIG
CSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA
A4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T+kGSDgnzdK8afO8CwC6kfwAP8PZNo2L
cbpbiqYRSrwGOqmLpalxBG21T47c+onW2x8x4UYitpQH+UQE1P1SKiiiPA+6sj0f
5dFfPLjQGDrD1cpD8abY7HGPH3NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ
PR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv
fKrckHp4AHK7B0hv/teB7GiqqrYA3cq9M3T6B17MnmjDF/yrS8uLl6DhFug0PLE2
fen/bDiCjJ3IDIqhS0hheym07ca8
-----END NEW CERTIFICATE REQUEST-----
'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='xml' value='true'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='uid' value='foo'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='pwd' value='(sensitive)'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:
caProfileSubmit start to service.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: xmlOutput true
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet:
isRenewal false
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: according to ccMode,
authorization for servlet: caProfileSubmit is LDAP based, not XML {1},
use default authz mgr: {2}.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: Start of CertProcessor
Input Parameters
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
Parameter profileId='IPASubCA'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
Parameter cert_request_type='pkcs10'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
Parameter isRenewal='false'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
Parameter cert_request='-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q
nPQBQ6U0KbTKmKM81/2kD39eaMMzdyqBi+cbsPMOl93//B88Eu8QRLis6hYMmgUF
v+cSS2JOHPOC8RY8YbkVlRYUGb+bMkldQEYsIOfad8xlfDBh+g5ImA/rYS2g6MgV
CI0k/6w1nsNGJof7U2KEJpLJOvI//wznaF/kuJC5kYrPLbOIEbQvM5/8Kcyh1W48
tgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67/Ax/I2T34MpD5AN
WN1b9de3nWEce+MoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw
GwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG
A1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX/+EWI84MCIG
CSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA
A4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T+kGSDgnzdK8afO8CwC6kfwAP8PZNo2L
cbpbiqYRSrwGOqmLpalxBG21T47c+onW2x8x4UYitpQH+UQE1P1SKiiiPA+6sj0f
5dFfPLjQGDrD1cpD8abY7HGPH3NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ
PR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv
fKrckHp4AHK7B0hv/teB7GiqqrYA3cq9M3T6B17MnmjDF/yrS8uLl6DhFug0PLE2
fen/bDiCjJ3IDIqhS0hheym07ca8
-----END NEW CERTIFICATE REQUEST-----
'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: End of CertProcessor
Input Parameters
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
isRenewal false
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
profileId IPASubCA
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set
Inputs into profile Context
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
authenticator flatFileAuth found
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]:
CertRequestSubmitter:setCredentialsIntoContext() authIds` null
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set
sslClientCertProvider
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: authenticate:
authentication required.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: in auditSubjectID
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:
auditSubjectID auditContext
{sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@5cd82562,
profileContext=com.netscape.cms.profile.common.EnrollProfileContext@727e748c}
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet
auditSubjectID: subjectID: null
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: FlatFileAuth:
concatenating string i=0 keyAttrs[0] = uid
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor:
authentication error Authentication credential for uid is null.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: SignedAuditEventFactory:
create() message=[AuditEvent=AUTH_FAIL][SubjectID=$NonRoleUser$ :
Unidentified][Outcome=Failure][AuthMgr=flatFileAuth][AttemptedCred=Unidentified]
authentication failure
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet:
authentication error in processing request: Authentication credential
for uid is null.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: curDate=Wed
Sep 30 08:14:32 UTC 2015 id=caProfileSubmit time=12
###
12:29 p.m.
Hi:
Have you modified the cert profile you are using to point to that auth instance?
See profiles/ca/caRouterCert.cfg for a sample.
Hopefully that is your issue.
----- Original Message -----
From: "James Masson" <james.masson(a)jmips.co.uk>
To: pki-users(a)redhat.com
Sent: Wednesday, September 30, 2015 1:25:41 AM
Subject: [Pki-users] Flat-file auth
Hi list,
I'm trying to use flat-file auth on certificate requests via Certmonger.
I can successfully get certificates issued when I remove authentication.
I've restricted the Certificate Profile to require flat-file authentication.
I'm running Centos7 with pki-server-10.1.2-7.el7.noarch and
certmonger-0.78.4-1.el7.centos.x86_64
The error I get is.
"[29/Sep/2015:15:31:38][http-bio-8080-exec-10]: CertProcessor:
authentication error Authentication credential for uid is null.
The request generated by Certmonger looks like this.
###
GET
/ca/ee/ca/profileSubmit?profileId=IPASubCA&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG%0ASIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q%0AnPQBQ6U0KbTKmKM81%2F2kD39eaMMzdyqBi%2BcbsPMOl93%2F%2FB88Eu8QRLis6hYMmgUF%0Av%2BcSS2JOHPOC8RY8YbkVlRYUGb%2BbMkldQEYsIOfad8xlfDBh%2Bg5ImA%2FrYS2g6MgV%0ACI0k%2F6w1nsNGJof7U2KEJpLJOvI%2F%2FwznaF%2FkuJC5kYrPLbOIEbQvM5%2F8Kcyh1W48%0AtgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67%2FAx%2FI2T34MpD5AN%0AWN1b9de3nWEce%2BMoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw%0AGwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG%0AA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX%2F%2BEWI84MCIG%0ACSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA%0AA4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T%2BkGSDgnzdK8afO8CwC6kfwAP8PZNo2L%0AcbpbiqYRSrwGOqmLpalxBG21T47c%2BonW2x8x4UYitpQH%2BUQE1P1SKiiiPA%2B6sj0f%0A5dFfPLjQGDrD1cpD!
8abY7HGPH
3
NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ%0APR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv%0AfKrckHp4AHK7B0hv%2FteB7GiqqrYA3cq9M3T6B17MnmjDF%2FyrS8uLl6DhFug0PLE2%0Afen%2FbDiCjJ3IDIqhS0hheym07ca8%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true&uid=foo&pwd=password
###
flatfile.txt looks like:
#
uid:foo
pwd:password
#
CS.cfg contains:
#
auths.instance.flatFileAuth.authAttributes=pwd
auths.instance.flatFileAuth.deferOnFailure=true
auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
auths.instance.flatFileAuth.keyAttributes=uid
auths.instance.flatFileAuth.pluginName=FlatFileAuth
#
The full error from the pki debug logs is below
thanks!
James M
###
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:service() uri
= /ca/ee/ca/profileSubmit
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='profileId' value='IPASubCA'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='cert_request_type' value='pkcs10'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='cert_request' value='-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q
nPQBQ6U0KbTKmKM81/2kD39eaMMzdyqBi+cbsPMOl93//B88Eu8QRLis6hYMmgUF
v+cSS2JOHPOC8RY8YbkVlRYUGb+bMkldQEYsIOfad8xlfDBh+g5ImA/rYS2g6MgV
CI0k/6w1nsNGJof7U2KEJpLJOvI//wznaF/kuJC5kYrPLbOIEbQvM5/8Kcyh1W48
tgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67/Ax/I2T34MpD5AN
WN1b9de3nWEce+MoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw
GwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG
A1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX/+EWI84MCIG
CSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA
A4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T+kGSDgnzdK8afO8CwC6kfwAP8PZNo2L
cbpbiqYRSrwGOqmLpalxBG21T47c+onW2x8x4UYitpQH+UQE1P1SKiiiPA+6sj0f
5dFfPLjQGDrD1cpD8abY7HGPH3NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ
PR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv
fKrckHp4AHK7B0hv/teB7GiqqrYA3cq9M3T6B17MnmjDF/yrS8uLl6DhFug0PLE2
fen/bDiCjJ3IDIqhS0hheym07ca8
-----END NEW CERTIFICATE REQUEST-----
'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='xml' value='true'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='uid' value='foo'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='pwd' value='(sensitive)'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:
caProfileSubmit start to service.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: xmlOutput true
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet:
isRenewal false
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: according to ccMode,
authorization for servlet: caProfileSubmit is LDAP based, not XML {1},
use default authz mgr: {2}.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: Start of CertProcessor
Input Parameters
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
Parameter profileId='IPASubCA'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
Parameter cert_request_type='pkcs10'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
Parameter isRenewal='false'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
Parameter cert_request='-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q
nPQBQ6U0KbTKmKM81/2kD39eaMMzdyqBi+cbsPMOl93//B88Eu8QRLis6hYMmgUF
v+cSS2JOHPOC8RY8YbkVlRYUGb+bMkldQEYsIOfad8xlfDBh+g5ImA/rYS2g6MgV
CI0k/6w1nsNGJof7U2KEJpLJOvI//wznaF/kuJC5kYrPLbOIEbQvM5/8Kcyh1W48
tgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67/Ax/I2T34MpD5AN
WN1b9de3nWEce+MoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw
GwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG
A1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX/+EWI84MCIG
CSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA
A4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T+kGSDgnzdK8afO8CwC6kfwAP8PZNo2L
cbpbiqYRSrwGOqmLpalxBG21T47c+onW2x8x4UYitpQH+UQE1P1SKiiiPA+6sj0f
5dFfPLjQGDrD1cpD8abY7HGPH3NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ
PR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv
fKrckHp4AHK7B0hv/teB7GiqqrYA3cq9M3T6B17MnmjDF/yrS8uLl6DhFug0PLE2
fen/bDiCjJ3IDIqhS0hheym07ca8
-----END NEW CERTIFICATE REQUEST-----
'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: End of CertProcessor
Input Parameters
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
isRenewal false
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
profileId IPASubCA
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set
Inputs into profile Context
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
authenticator flatFileAuth found
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]:
CertRequestSubmitter:setCredentialsIntoContext() authIds` null
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set
sslClientCertProvider
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: authenticate:
authentication required.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: in auditSubjectID
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:
auditSubjectID auditContext
{sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@5cd82562,
profileContext=com.netscape.cms.profile.common.EnrollProfileContext@727e748c}
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet
auditSubjectID: subjectID: null
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: FlatFileAuth:
concatenating string i=0 keyAttrs[0] = uid
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor:
authentication error Authentication credential for uid is null.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: SignedAuditEventFactory:
create() message=[AuditEvent=AUTH_FAIL][SubjectID=$NonRoleUser$ :
Unidentified][Outcome=Failure][AuthMgr=flatFileAuth][AttemptedCred=Unidentified]
authentication failure
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet:
authentication error in processing request: Authentication credential
for uid is null.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: curDate=Wed
Sep 30 08:14:32 UTC 2015 id=caProfileSubmit time=12
###
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
12:39 p.m.
CSR Profile does reference the flatFile provider.
I've also tried the a similar setup with client-cert based auth, which also
fails.
Ditto with Dogtag 10.2
I must be missing something here, or else Certmonger's Dogtag auth options
aren't doing what they should.
Thanks
James M
On 30 Sep 2015 6:29 pm, "John Magne" <jmagne(a)redhat.com> wrote:
Hi:
Have you modified the cert profile you are using to point to that auth
instance?
See profiles/ca/caRouterCert.cfg for a sample.
Hopefully that is your issue.
----- Original Message -----
> From: "James Masson" <james.masson(a)jmips.co.uk>
> To: pki-users(a)redhat.com
> Sent: Wednesday, September 30, 2015 1:25:41 AM
> Subject: [Pki-users] Flat-file auth
>
>
> Hi list,
>
> I'm trying to use flat-file auth on certificate requests via Certmonger.
> I can successfully get certificates issued when I remove authentication.
> I've restricted the Certificate Profile to require flat-file
authentication.
>
> I'm running Centos7 with pki-server-10.1.2-7.el7.noarch and
> certmonger-0.78.4-1.el7.centos.x86_64
>
> The error I get is.
>
> "[29/Sep/2015:15:31:38][http-bio-8080-exec-10]: CertProcessor:
> authentication error Authentication credential for uid is null.
>
> The request generated by Certmonger looks like this.
>
> ###
> GET
>
/ca/ee/ca/profileSubmit?profileId=IPASubCA&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG%0ASIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q%0AnPQBQ6U0KbTKmKM81%2F2kD39eaMMzdyqBi%2BcbsPMOl93%2F%2FB88Eu8QRLis6hYMmgUF%0Av%2BcSS2JOHPOC8RY8YbkVlRYUGb%2BbMkldQEYsIOfad8xlfDBh%2Bg5ImA%2FrYS2g6MgV%0ACI0k%2F6w1nsNGJof7U2KEJpLJOvI%2F%2FwznaF%2FkuJC5kYrPLbOIEbQvM5%2F8Kcyh1W48%0AtgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67%2FAx%2FI2T34MpD5AN%0AWN1b9de3nWEce%2BMoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw%0AGwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG%0AA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX%2F%2BEWI84MCIG%0ACSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA%0AA4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T%2BkGSDgnzdK8afO8CwC6kfwAP8PZNo2L%0AcbpbiqYRSrwGOqmLpalxBG21T47c%2BonW2x8x4UYitpQH%2BUQE1P1SKiiiPA%2B6sj0f%0A5dFfPLjQGDrD1cpD!
> 8abY7HGPH
> 3
>
NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ%0APR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv%0AfKrckHp4AHK7B0hv%2FteB7GiqqrYA3cq9M3T6B17MnmjDF%2FyrS8uLl6DhFug0PLE2%0Afen%2FbDiCjJ3IDIqhS0hheym07ca8%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true&uid=foo&pwd=password
> ###
>
> flatfile.txt looks like:
> #
> uid:foo
> pwd:password
>
>
> #
>
> CS.cfg contains:
> #
> auths.instance.flatFileAuth.authAttributes=pwd
> auths.instance.flatFileAuth.deferOnFailure=true
>
auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
> auths.instance.flatFileAuth.keyAttributes=uid
> auths.instance.flatFileAuth.pluginName=FlatFileAuth
> #
>
>
> The full error from the pki debug logs is below
>
> thanks!
>
> James M
>
> ###
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:service() uri
> = /ca/ee/ca/profileSubmit
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> param name='profileId' value='IPASubCA'
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> param name='cert_request_type' value='pkcs10'
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> param name='cert_request' value='-----BEGIN NEW CERTIFICATE
REQUEST-----
> MIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG
> SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q
> nPQBQ6U0KbTKmKM81/2kD39eaMMzdyqBi+cbsPMOl93//B88Eu8QRLis6hYMmgUF
> v+cSS2JOHPOC8RY8YbkVlRYUGb+bMkldQEYsIOfad8xlfDBh+g5ImA/rYS2g6MgV
> CI0k/6w1nsNGJof7U2KEJpLJOvI//wznaF/kuJC5kYrPLbOIEbQvM5/8Kcyh1W48
> tgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67/Ax/I2T34MpD5AN
> WN1b9de3nWEce+MoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw
> GwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG
> A1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX/+EWI84MCIG
> CSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA
> A4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T+kGSDgnzdK8afO8CwC6kfwAP8PZNo2L
> cbpbiqYRSrwGOqmLpalxBG21T47c+onW2x8x4UYitpQH+UQE1P1SKiiiPA+6sj0f
> 5dFfPLjQGDrD1cpD8abY7HGPH3NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ
> PR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv
> fKrckHp4AHK7B0hv/teB7GiqqrYA3cq9M3T6B17MnmjDF/yrS8uLl6DhFug0PLE2
> fen/bDiCjJ3IDIqhS0hheym07ca8
> -----END NEW CERTIFICATE REQUEST-----
> '
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> param name='xml' value='true'
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> param name='uid' value='foo'
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
> param name='pwd' value='(sensitive)'
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:
> caProfileSubmit start to service.
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: xmlOutput true
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet:
> isRenewal false
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: according to ccMode,
> authorization for servlet: caProfileSubmit is LDAP based, not XML {1},
> use default authz mgr: {2}.
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: Start of CertProcessor
> Input Parameters
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
> Parameter profileId='IPASubCA'
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
> Parameter cert_request_type='pkcs10'
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
> Parameter isRenewal='false'
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
> Parameter cert_request='-----BEGIN NEW CERTIFICATE REQUEST-----
> MIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG
> SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q
> nPQBQ6U0KbTKmKM81/2kD39eaMMzdyqBi+cbsPMOl93//B88Eu8QRLis6hYMmgUF
> v+cSS2JOHPOC8RY8YbkVlRYUGb+bMkldQEYsIOfad8xlfDBh+g5ImA/rYS2g6MgV
> CI0k/6w1nsNGJof7U2KEJpLJOvI//wznaF/kuJC5kYrPLbOIEbQvM5/8Kcyh1W48
> tgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67/Ax/I2T34MpD5AN
> WN1b9de3nWEce+MoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw
> GwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG
> A1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX/+EWI84MCIG
> CSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA
> A4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T+kGSDgnzdK8afO8CwC6kfwAP8PZNo2L
> cbpbiqYRSrwGOqmLpalxBG21T47c+onW2x8x4UYitpQH+UQE1P1SKiiiPA+6sj0f
> 5dFfPLjQGDrD1cpD8abY7HGPH3NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ
> PR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv
> fKrckHp4AHK7B0hv/teB7GiqqrYA3cq9M3T6B17MnmjDF/yrS8uLl6DhFug0PLE2
> fen/bDiCjJ3IDIqhS0hheym07ca8
> -----END NEW CERTIFICATE REQUEST-----
> '
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: End of CertProcessor
> Input Parameters
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
> isRenewal false
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
> profileId IPASubCA
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set
> Inputs into profile Context
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
> authenticator flatFileAuth found
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]:
> CertRequestSubmitter:setCredentialsIntoContext() authIds` null
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set
> sslClientCertProvider
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: authenticate:
> authentication required.
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: in
auditSubjectID
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:
> auditSubjectID auditContext
>
{sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@5cd82562
,
>
profileContext=com.netscape.cms.profile.common.EnrollProfileContext@727e748c
}
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet
> auditSubjectID: subjectID: null
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: FlatFileAuth:
> concatenating string i=0 keyAttrs[0] = uid
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor:
> authentication error Authentication credential for uid is null.
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: SignedAuditEventFactory:
> create() message=[AuditEvent=AUTH_FAIL][SubjectID=$NonRoleUser$ :
>
Unidentified][Outcome=Failure][AuthMgr=flatFileAuth][AttemptedCred=Unidentified]
> authentication failure
>
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet:
> authentication error in processing request: Authentication credential
> for uid is null.
> [30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: curDate=Wed
> Sep 30 08:14:32 UTC 2015 id=caProfileSubmit time=12
> ###
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
1:15 p.m.
Looking at the code and your logs more closely.
It looks like the proper auth manager is being invoked,
and its reading the file correctly, it just appears that the
UID and pwd are not making it to the back end.
I can do some more poking around and get back.
thanks,
jack
----- Original Message -----
From: "James Masson" <james.masson(a)jmips.co.uk>
To: pki-users(a)redhat.com
Sent: Wednesday, September 30, 2015 10:39:03 AM
Subject: Re: [Pki-users] Flat-file auth
CSR Profile does reference the flatFile provider.
I've also tried the a similar setup with client-cert based auth, which also fails.
Ditto with Dogtag 10.2
I must be missing something here, or else Certmonger's Dogtag auth options aren't
doing what they should.
Thanks
James M
On 30 Sep 2015 6:29 pm, "John Magne" < jmagne(a)redhat.com > wrote:
Hi:
Have you modified the cert profile you are using to point to that auth instance?
See profiles/ca/caRouterCert.cfg for a sample.
Hopefully that is your issue.
----- Original Message -----
From: "James Masson" < james.masson(a)jmips.co.uk >
To: pki-users(a)redhat.com
Sent: Wednesday, September 30, 2015 1:25:41 AM
Subject: [Pki-users] Flat-file auth
Hi list,
I'm trying to use flat-file auth on certificate requests via Certmonger.
I can successfully get certificates issued when I remove authentication.
I've restricted the Certificate Profile to require flat-file authentication.
I'm running Centos7 with pki-server-10.1.2-7.el7.noarch and
certmonger-0.78.4-1.el7.centos.x86_64
The error I get is.
"[29/Sep/2015:15:31:38][http-bio-8080-exec-10]: CertProcessor:
authentication error Authentication credential for uid is null.
The request generated by Certmonger looks like this.
###
GET
/ca/ee/ca/profileSubmit?profileId=IPASubCA&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG%0ASIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q%0AnPQBQ6U0KbTKmKM81%2F2kD39eaMMzdyqBi%2BcbsPMOl93%2F%2FB88Eu8QRLis6hYMmgUF%0Av%2BcSS2JOHPOC8RY8YbkVlRYUGb%2BbMkldQEYsIOfad8xlfDBh%2Bg5ImA%2FrYS2g6MgV%0ACI0k%2F6w1nsNGJof7U2KEJpLJOvI%2F%2FwznaF%2FkuJC5kYrPLbOIEbQvM5%2F8Kcyh1W48%0AtgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67%2FAx%2FI2T34MpD5AN%0AWN1b9de3nWEce%2BMoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw%0AGwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG%0AA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX%2F%2BEWI84MCIG%0ACSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA%0AA4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T%2BkGSDgnzdK8afO8CwC6kfwAP8PZNo2L%0AcbpbiqYRSrwGOqmLpalxBG21T47c%2BonW2x8x4UYitpQH%2BUQE1P1SKiiiPA%2B6sj0f%0A5dFfPLjQGDrD1cpD!
8abY7HGPH
3
NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ%0APR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv%0AfKrckHp4AHK7B0hv%2FteB7GiqqrYA3cq9M3T6B17MnmjDF%2FyrS8uLl6DhFug0PLE2%0Afen%2FbDiCjJ3IDIqhS0hheym07ca8%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true&uid=foo&pwd=password
###
flatfile.txt looks like:
#
uid:foo
pwd:password
#
CS.cfg contains:
#
auths.instance.flatFileAuth.authAttributes=pwd
auths.instance.flatFileAuth.deferOnFailure=true
auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
auths.instance.flatFileAuth.keyAttributes=uid
auths.instance.flatFileAuth.pluginName=FlatFileAuth
#
The full error from the pki debug logs is below
thanks!
James M
###
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:service() uri
= /ca/ee/ca/profileSubmit
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='profileId' value='IPASubCA'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='cert_request_type' value='pkcs10'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='cert_request' value='-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q
nPQBQ6U0KbTKmKM81/2kD39eaMMzdyqBi+cbsPMOl93//B88Eu8QRLis6hYMmgUF
v+cSS2JOHPOC8RY8YbkVlRYUGb+bMkldQEYsIOfad8xlfDBh+g5ImA/rYS2g6MgV
CI0k/6w1nsNGJof7U2KEJpLJOvI//wznaF/kuJC5kYrPLbOIEbQvM5/8Kcyh1W48
tgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67/Ax/I2T34MpD5AN
WN1b9de3nWEce+MoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw
GwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG
A1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX/+EWI84MCIG
CSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA
A4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T+kGSDgnzdK8afO8CwC6kfwAP8PZNo2L
cbpbiqYRSrwGOqmLpalxBG21T47c+onW2x8x4UYitpQH+UQE1P1SKiiiPA+6sj0f
5dFfPLjQGDrD1cpD8abY7HGPH3NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ
PR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv
fKrckHp4AHK7B0hv/teB7GiqqrYA3cq9M3T6B17MnmjDF/yrS8uLl6DhFug0PLE2
fen/bDiCjJ3IDIqhS0hheym07ca8
-----END NEW CERTIFICATE REQUEST-----
'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='xml' value='true'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='uid' value='foo'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet::service()
param name='pwd' value='(sensitive)'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:
caProfileSubmit start to service.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: xmlOutput true
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet:
isRenewal false
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: according to ccMode,
authorization for servlet: caProfileSubmit is LDAP based, not XML {1},
use default authz mgr: {2}.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: Start of CertProcessor
Input Parameters
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
Parameter profileId='IPASubCA'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
Parameter cert_request_type='pkcs10'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
Parameter isRenewal='false'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor Input
Parameter cert_request='-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC4TCCAckCAQAwGTEXMBUGA1UEChMORk9PLlRFU1QuTkVXMjIwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgDvLTtJB6lkQfN9XSu0LLwIdRE7A7Cb2q
nPQBQ6U0KbTKmKM81/2kD39eaMMzdyqBi+cbsPMOl93//B88Eu8QRLis6hYMmgUF
v+cSS2JOHPOC8RY8YbkVlRYUGb+bMkldQEYsIOfad8xlfDBh+g5ImA/rYS2g6MgV
CI0k/6w1nsNGJof7U2KEJpLJOvI//wznaF/kuJC5kYrPLbOIEbQvM5/8Kcyh1W48
tgGks2vEZCZx3Ql3ZiOkFQKJ1d0S9zoeLJgAgpGjeU8RhMf67/Ax/I2T34MpD5AN
WN1b9de3nWEce+MoyiqvmxcIpOKfzTBEvlQFP7u2he9zD0ndSCm5AgMBAAGggYIw
GwYJKoZIhvcNAQkUMQ4eDAB0AGUAcwB0ADIAMjBjBgkqhkiG9w0BCQ4xVjBUMAwG
A1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFAT8lnV1XXyD4JKNwCooX/+EWI84MCIG
CSsGAQQBgjcUAgEBAAQSHhAASQBQAEEAUwB1AGIAQwBBMA0GCSqGSIb3DQEBCwUA
A4IBAQB6MQffSUfOG8OvvlpTq1GU8vw9T+kGSDgnzdK8afO8CwC6kfwAP8PZNo2L
cbpbiqYRSrwGOqmLpalxBG21T47c+onW2x8x4UYitpQH+UQE1P1SKiiiPA+6sj0f
5dFfPLjQGDrD1cpD8abY7HGPH3NikpvxXEsn6WpMc1hGFpFzHyQT8lviap3r8wSJ
PR4NVZLFBSqi1lcM72PQg6oIh9dHIiXo7aisPmQ4HqhPsBXhRICnuViFXGq0TDWv
fKrckHp4AHK7B0hv/teB7GiqqrYA3cq9M3T6B17MnmjDF/yrS8uLl6DhFug0PLE2
fen/bDiCjJ3IDIqhS0hheym07ca8
-----END NEW CERTIFICATE REQUEST-----
'
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: End of CertProcessor
Input Parameters
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
isRenewal false
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
profileId IPASubCA
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set
Inputs into profile Context
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter:
authenticator flatFileAuth found
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]:
CertRequestSubmitter:setCredentialsIntoContext() authIds` null
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: EnrollmentSubmitter: set
sslClientCertProvider
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: authenticate:
authentication required.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: in auditSubjectID
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet:
auditSubjectID auditContext
{sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@5cd82562,
profileContext=com.netscape.cms.profile.common.EnrollProfileContext@727e748c}
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet
auditSubjectID: subjectID: null
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: FlatFileAuth:
concatenating string i=0 keyAttrs[0] = uid
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CertProcessor:
authentication error Authentication credential for uid is null.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: SignedAuditEventFactory:
create() message=[AuditEvent=AUTH_FAIL][SubjectID=$NonRoleUser$ :
Unidentified][Outcome=Failure][AuthMgr=flatFileAuth][AttemptedCred=Unidentified]
authentication failure
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: ProfileSubmitServlet:
authentication error in processing request: Authentication credential
for uid is null.
[30/Sep/2015:08:14:32][http-bio-8080-exec-24]: CMSServlet: curDate=Wed
Sep 30 08:14:32 UTC 2015 id=caProfileSubmit time=12
###
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
3379
days inactive
3379
days old
3 comments
2 participants
participants (2)
-
James Masson -
John Magne