Heyden, Klaus (Allianz ASIC) wrote:
Hello,
I have the problem that the CA doesn't accept the Administrator login,
either on the HTTPS interface or via pkiconsole. It's a new installation
and the Admin certificate exists in the browser with the secret key. The
problem is that the CA at first did its job normally. When I now try to
log in, I get a catalina error like this. I didn't reconfigure the CA,
only restarted it. I also configured an HSM (Luna) but don't use keys
inside the HSM.

You may want to collect the ca debug log when you try to do client auth
in your browser against the https agent pages.

Or review the debug log during the ca instance configuration, near the
key generation for the ca instance or when you selected either a
software token or hsm, for any errors.

I suppose the ca instance was restarted after the web based wizard
configuration was successfully completed.

It is always possible to use another client certificate for an agent or
admin user of the certificate system.

You may want to verify that the browser has and trusts the issuer of the
agent cert you are trying to use.

-------------------catalina.out----------------------------------
Oct 29, 2008 5:43:55 PM org.apache.catalina.core.ApplicationContext log
INFO: caListRequests: You did not provide a valid certificate for this operation
----------------------------------------------------------------------
The debug file shows:
---------------------debug----------------------------------------
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service() uri = /ca/agent/header
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet::service() param name='selected' value='ca'
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: caheader start to service.
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet.java: renderTemplate
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: curDate=Wed Oct 29 18:15:07 CET 2008 id=caheader time=0
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service() uri = /ca/agent/ca/listRequests.html
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: caListRequests start to service.
[29/Oct/2008:18:15:07][http-9443-Processor21]: DisplayHtmlServlet about to service
[29/Oct/2008:18:15:07][http-9443-Processor21]: IP: 10.94.112.222
[29/Oct/2008:18:15:07][http-9443-Processor21]: AuthMgrName: certUserDBAuthMgr
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: retrieving SSL certificate
[29/Oct/2008:18:15:07][http-9443-Processor21]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$] authentication failure
[29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: getConn: mNumConns now 2
[29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: ObjectStreamMapper:mapObjectToLDAPAttributeSet revokedCerts size=84
[29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: ObjectStreamMapper:mapObjectToLDAPAttributeSet unrevokedCerts size=84
[29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: ObjectStreamMapper:mapObjectToLDAPAttributeSet expiredCerts size=84
[29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: returnConn: mNumConns now 3
----------------------------------------------------------------------
certutil -L -d . shows me:
----------------------------------------------------------------------
Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

ocspSigningCert cert-ca4-1                        u,u,u
subsystemCert cert-ca4-1                          u,u,u
caSigningCert cert-ca4-1                          CTu,Cu,Cu
Server-Cert cert-ca4-1                            u,u,u
Allianz Group Root CA II - Allianz Group          CT,C,C
----------------------------------------------------------------------
Regards
Klaus Heyden
------------------------------------------------------------------------
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
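
The reply above suggests collecting the CA debug log while attempting client auth. As an added example (not part of the original thread and not code from the certificate system itself), this Python sketch re-joins mail-wrapped debug lines and pulls out each AUTH_FAIL audit event together with the URI, client IP and AuthMgrName logged earlier on the same thread. The function names are hypothetical and the sample is constructed from the excerpt quoted in the message.

```python
import re

ENTRY = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\]\[([^\]]+)\]:\s*(.*)$")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")

# Constructed sample: lines taken from the excerpt above, still mail-wrapped.
SAMPLE = """\
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service()
uri = /ca/agent/ca/listRequests.html
[29/Oct/2008:18:15:07][http-9443-Processor21]: IP: 10.94.112.222
[29/Oct/2008:18:15:07][http-9443-Processor21]: AuthMgrName:
certUserDBAuthMgr
[29/Oct/2008:18:15:07][http-9443-Processor21]:
SignedAuditEventFactory: create()
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$]
authentication failure
"""

def entries(text):
    """Yield (timestamp, thread, message), re-joining wrapped lines."""
    current = None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2), m.group(3)]
        elif current and line.strip():
            # No timestamp prefix: continuation of the previous entry.
            current[2] = (current[2] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def auth_failures(text):
    """Return AUTH_FAIL audit events with the request context of their thread."""
    ctx, out = {}, []
    for ts, thread, msg in entries(text):
        c = ctx.setdefault(thread, {})
        if (m := re.search(r"\buri = (\S+)", msg)):
            c["uri"] = m.group(1)
        elif msg.startswith("IP:"):
            c["ip"] = msg[3:].strip()
        elif msg.startswith("AuthMgrName:"):
            c["auth_mgr"] = msg.split(":", 1)[1].strip()
        fields = dict(FIELD.findall(msg))
        if fields.get("AuditEvent") == "AUTH_FAIL":
            out.append({"time": ts, "thread": thread, **c, **fields})
    return out

if __name__ == "__main__":
    print(auth_failures(SAMPLE))
```

Each returned record places the auth manager named for the request next to the audit fields, which in this sample are all `$Unidentified$`.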