6:55 a.m.
Hello,
We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs setup for SCEP
enrollment. But, no matter whether we try the older HSMs( LunaSA 4) or the newer (LunaSA
5) we cannot complete a successful SCEP request. The following exception occurs in the
debug log:
[29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
[29/Sep/2014:13:41:17][http-9180-1]:
message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ
KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w
ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt
dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG
SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH
7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP
RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs
HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r
SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g
rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF
Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM
X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW
m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu
udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc
AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT
l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61
JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz
cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z
gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB
dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG
NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy
MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx
MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF
gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM
rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip
9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB
gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN
L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp
e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w
GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG
OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC
MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw
OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg
hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0
QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB
gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH
eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm
/oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name:
osstest'
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname:
'osstest:osstest:caSigningCert cert-pki-testca1'
[29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:701)
[29/Sep/2014:13:41:17][http-9180-1]: ServletException javax.servlet.ServletException:
Failed to process message in CEP servlet: Certificate not found: osstest:caSigningCert
cert-pki-testca1
What stands out is the line with mNickname. After restarting the service, with the first
request, the HSM token name appears to be listed twice in the mNickname string.
Interestingly, with each new request, the number of token names increases by one in the
string. i.e. with the 2nd attempt, the same exception occurs but the token name appears
three times:
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name:
osstest'
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname:
'osstest:osstest:osstest:caSigningCert cert-pki-testca1'
[29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:701)
[29/Sep/2014:13:41:17][http-9180-1]: ServletException javax.servlet.ServletException:
Failed to process message in CEP servlet: Certificate not found: osstest:caSigningCert
cert-pki-testca1
As mentioned, the exception occurs with both versions 4 and 5 of LunaSA. (We currently
have RHEL5 systems with Dogtag 1.3 operating with SCEP enrollment.) With local tokens, (no
HSMs) the error does not occur.
Any Ideas, how we can track this down? We definitely need to get this running.
Best regards!
William Elliott
s IT Solutions
Open System Services
s IT Solutions AT Spardat GmbH
A-1110 Wien, Geiselbergstraße 21 - 25
Phone: +43 (0)5 0100 - 39376
Fax: +43 (0)5 0100 9 - 39376
Mobile: +43 (0) 5 0100 6 - 39376
mailto:william.elliott at
s-itsolutions.at<mailto:william.elliott%20at%20s-itsolutions.at>
www.s-itsolutions.com<http://www.s-itsolutions.com/>
Head Office: Vienna Commercial Register No.: 152289f Commercial Court of Vienna
This message and any attached files are confidential and intended solely for the
addressee(s). Any publication, transmission or other use of the information by a person or
entity other than the intended addressee is prohibited. If you receive this in error
please contact the sender and delete the material. The sender does not accept liability
for any errors or omissions as a result of the transmission.
7 p.m.
What's your scep config values, specifically:
ca.scep.nickname
ca.scep.tokenname
Christina
On 09/29/2014 04:55 AM, Elliott William C OSS sIT wrote:
Hello,
We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs
setup for SCEP enrollment. But, no matter whether we try the older
HSMs( LunaSA 4) or the newer (LunaSA 5) we cannot complete a
successful SCEP request. The following exception occurs in the debug log:
[29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
[29/Sep/2014:13:41:17][http-9180-1]:
message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ
KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w
ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt
dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG
SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH
7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP
RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs
HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r
SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g
rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF
Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM
X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW
m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu
udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc
AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT
l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61
JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz
cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z
gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB
dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG
NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy
MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx
MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF
gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM
rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip
9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB
gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN
L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp
e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w
GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG
OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC
MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw
OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg
hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0
QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB
gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH
eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm
/oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
token name: osstest'
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
mNickname: '*osstest:osstest*:caSigningCert cert-pki-testca1'
[29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:701)
[29/Sep/2014:13:41:17][http-9180-1]: ServletException
javax.servlet.ServletException: Failed to process message in CEP
servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
What stands out is the line with mNickname. After restarting the
service, with the first request, the HSM token name appears to be
listed twice in the *mNickname* string. Interestingly, with each new
request, the number of token names increases by one in the string.
i.e. with the 2^nd attempt, the same exception occurs but the token
name appears three times:
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
token name: osstest'
[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
mNickname: '*osstest:osstest:osstest*:caSigningCert cert-pki-testca1'
[29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:701)
[29/Sep/2014:13:41:17][http-9180-1]: ServletException
javax.servlet.ServletException: Failed to process message in CEP
servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
As mentioned, the exception occurs with both versions 4 and 5 of
LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating
with SCEP enrollment.) With local tokens, (no HSMs) the error does not
occur.
Any Ideas, how we can track this down? We definitely need to get this
running.
Best regards!
William Elliott
s IT Solutions
Open System Services
s IT Solutions AT Spardat GmbH
A-1110 Wien, Geiselbergstraße 21 - 25
Phone: +43 (0)5 0100 - 39376
Fax: +43 (0)5 0100 9 - 39376
Mobile: +43 (0)5 0100 6 - 39376
_mailto:william.elliott at s-itsolutions.at
<mailto:william.elliott%20at%20s-itsolutions.at>_
www.s-itsolutions.com <http://www.s-itsolutions.com/>
Head Office: Vienna Commercial Register No.: 152289f Commercial Court
of Vienna
This message and any attached files are confidential and intended
solely for the addressee(s). Any publication, transmission or other
use of the information by a person or entity other than the intended
addressee is prohibited. If you receive this in error please contact
the sender and delete the material. The sender does not accept
liability for any errors or omissions as a result of the transmission.
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
7:14 p.m.
btw, I'm not suggesting that you need either or both config params.
three sets of config you can try:
1. don't specify either ca.scep.nickname or ca.scep.tokenname
(I think by default it takes the ca signing cert, if that's what you
intend to use anyway)
2. specify nickname only ca.scep.nickname (without the token)
ca.scep.nickname=caSigningCert cert-pki-testca1
(I think by default, if the nickname you specified matches that of the
ca, it will find the token for you)
3. specify both nickname and token:
ca.scep.nickname=caSigningCert cert-pki-testca1
ca.scep.tokenname=osstest
(last resort, because when you do this, it thinks it's not using the ca
signing cert.. )
Let us know.
Christina
On 10/01/2014 05:00 PM, Christina Fu wrote:
What's your scep config values, specifically:
ca.scep.nickname
ca.scep.tokenname
Christina
On 09/29/2014 04:55 AM, Elliott William C OSS sIT wrote:
>
> Hello,
>
> We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs
> setup for SCEP enrollment. But, no matter whether we try the older
> HSMs( LunaSA 4) or the newer (LunaSA 5) we cannot complete a
> successful SCEP request. The following exception occurs in the debug log:
>
> [29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
>
> [29/Sep/2014:13:41:17][http-9180-1]:
> message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ
>
> KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w
>
> ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt
>
> dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG
>
> SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH
>
> 7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP
>
> RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs
>
> HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r
>
> SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g
>
> rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF
>
> Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM
>
> X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW
>
> m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu
>
> udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc
>
> AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT
>
> l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61
>
> JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz
>
> cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z
>
> gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB
>
> dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG
>
> NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy
>
> MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx
>
> MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF
>
> gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM
>
> rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip
>
> 9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB
>
> gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN
>
> L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp
>
> e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w
>
> GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG
>
> OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC
>
> MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw
>
> OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg
>
> hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0
>
> QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB
>
> gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH
>
> eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm
>
> /oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
> token name: osstest'
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
> mNickname: '*osstest:osstest*:caSigningCert cert-pki-testca1'
>
> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> at
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>
> at
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>
> at
> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
> at
> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>
> at
>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>
> at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>
> at java.lang.Thread.run(Thread.java:701)
>
> [29/Sep/2014:13:41:17][http-9180-1]: ServletException
> javax.servlet.ServletException: Failed to process message in CEP
> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> What stands out is the line with mNickname. After restarting the
> service, with the first request, the HSM token name appears to be
> listed twice in the *mNickname* string. Interestingly, with each new
> request, the number of token names increases by one in the string.
> i.e. with the 2^nd attempt, the same exception occurs but the token
> name appears three times:
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
> token name: osstest'
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
> mNickname: '*osstest:osstest:osstest*:caSigningCert cert-pki-testca1'
>
> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> at
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>
> at
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>
> at
> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
> at
> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>
> at
>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>
> at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>
> at java.lang.Thread.run(Thread.java:701)
>
> [29/Sep/2014:13:41:17][http-9180-1]: ServletException
> javax.servlet.ServletException: Failed to process message in CEP
> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> As mentioned, the exception occurs with both versions 4 and 5 of
> LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating
> with SCEP enrollment.) With local tokens, (no HSMs) the error does
> not occur.
>
> Any Ideas, how we can track this down? We definitely need to get this
> running.
>
> Best regards!
>
> William Elliott
>
> s IT Solutions
>
> Open System Services
>
> s IT Solutions AT Spardat GmbH
>
> A-1110 Wien, Geiselbergstraße 21 - 25
>
> Phone: +43 (0)5 0100 - 39376
>
> Fax: +43 (0)5 0100 9 - 39376
>
> Mobile: +43 (0)5 0100 6 - 39376
>
> _mailto:william.elliott at s-itsolutions.at
> <mailto:william.elliott%20at%20s-itsolutions.at>_
>
> www.s-itsolutions.com <http://www.s-itsolutions.com/>
>
> Head Office: Vienna Commercial Register No.: 152289f Commercial Court
> of Vienna
>
> This message and any attached files are confidential and intended
> solely for the addressee(s). Any publication, transmission or other
> use of the information by a person or entity other than the intended
> addressee is prohibited. If you receive this in error please contact
> the sender and delete the material. The sender does not accept
> liability for any errors or omissions as a result of the transmission.
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
7:54 a.m.
(sorry for the delay - I was out of the office for some time)
The package version we're trying is pki-ca-9.0.3-32.el6.noarch, on RHEL6 as I said.
But since the last email we've also tried 9.0.3-38, with the same result.
We always ran through the wizard panels using all default values, changing nothing, but
now we configure the ca with pkisilent with the same default values to make sure the
configuration doesn't change from one test to the next.
The only change we make is afterwords to enable scep in the config:
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.enable=true
ca.scep.encryptionAlgorithm=DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.nonceSizeLimit=16
The whole thing always works fine when we use the internal token (and with RHEL5/Dogtag
1.3 on the hsm), but throws the exception when the hsm is used as token.
We use sscep to submit requests to the ca.
We had never set the two parameters (scep.nickname, scep.tokenname) you suggested trying.
Here are the results of your suggestions below :
** 1. This is our current configuration which always produces the exception.
From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name: osstest
CRSEnrollment: init: Is SCEP using CA keys: true
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: token name: osstest'
CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert
cert-pki-testca1'
handlePKIMessage exception
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
...
** 2. Setting ca.scep.nickname at first produced no discernable change,
other than, requests for the ca cert. with "sscep getca" then fail
reliably.
Due to token name not being set:
From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name:
CRSEnrollment: init: Is SCEP using CA keys: false
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: internal token name: ''
CRSEnrollment: CryptoContext: mNickname: 'caSigningCert cert-pki-testca1'
handlePKIMessage exception
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
...
** 3. setting both ca.scep.nickname and ca.scep.tokenname also does not get around the
problem.
From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name: osstest
CRSEnrollment: init: Is SCEP using CA keys: false
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: token name: osstest'
<-- from sscep getca request
CRSEnrollment: CryptoContext: mNickname: 'osstest:caSigningCert cert-pki-testca1'
...
CRSEnrollment: CryptoContext: token name: osstest'
CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert
cert-pki-testca1' <-- from sscep enroll request
handlePKIMessage exception
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
best regards,
William
-----Original Message-----
From: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com] On Behalf Of
Christina Fu
Sent: Donnerstag, 02. Oktober 2014 02:15
To: pki-users(a)redhat.com
Subject: Re: [Pki-users] SCEP Enrollment fails with Certificate not found .
[heur][html-removed]
btw, I'm not suggesting that you need either or both config params.
three sets of config you can try:
1. don't specify either ca.scep.nickname or ca.scep.tokenname
(I think by default it takes the ca signing cert, if that's what you
intend to use anyway)
2. specify nickname only ca.scep.nickname (without the token)
ca.scep.nickname=caSigningCert cert-pki-testca1
(I think by default, if the nickname you specified matches that of the
ca, it will find the token for you)
3. specify both nickname and token:
ca.scep.nickname=caSigningCert cert-pki-testca1
ca.scep.tokenname=osstest
(last resort, because when you do this, it thinks it's not using the ca
signing cert.. )
Let us know.
Christina
On 10/01/2014 05:00 PM, Christina Fu wrote:
What's your scep config values, specifically:
ca.scep.nickname
ca.scep.tokenname
Christina
On 09/29/2014 04:55 AM, Elliott William C OSS sIT wrote:
>
> Hello,
>
> We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs
> setup for SCEP enrollment. But, no matter whether we try the older
> HSMs( LunaSA 4) or the newer (LunaSA 5) we cannot complete a
> successful SCEP request. The following exception occurs in the debug log:
>
> [29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
>
> [29/Sep/2014:13:41:17][http-9180-1]:
> message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ
>
> KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w
>
> ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt
>
> dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG
>
> SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH
>
> 7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP
>
> RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs
>
> HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r
>
> SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g
>
> rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF
>
> Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM
>
> X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW
>
> m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu
>
> udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc
>
> AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT
>
> l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61
>
> JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz
>
> cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z
>
> gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB
>
> dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG
>
> NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy
>
> MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx
>
> MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF
>
> gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM
>
> rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip
>
> 9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB
>
> gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN
>
> L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp
>
> e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w
>
> GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG
>
> OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC
>
> MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw
>
> OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg
>
> hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0
>
> QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB
>
> gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH
>
> eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm
>
> /oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
> token name: osstest'
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
> mNickname: '*osstest:osstest*:caSigningCert cert-pki-testca1'
>
> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> at
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>
> at
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>
> at
> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
> at
> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>
> at
>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>
> at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>
> at java.lang.Thread.run(Thread.java:701)
>
> [29/Sep/2014:13:41:17][http-9180-1]: ServletException
> javax.servlet.ServletException: Failed to process message in CEP
> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> What stands out is the line with mNickname. After restarting the
> service, with the first request, the HSM token name appears to be
> listed twice in the *mNickname* string. Interestingly, with each new
> request, the number of token names increases by one in the string.
> i.e. with the 2^nd attempt, the same exception occurs but the token
> name appears three times:
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
> token name: osstest'
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
> mNickname: '*osstest:osstest:osstest*:caSigningCert cert-pki-testca1'
>
> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> at
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>
> at
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>
> at
> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
> at
> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>
> at
>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>
> at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>
> at java.lang.Thread.run(Thread.java:701)
>
> [29/Sep/2014:13:41:17][http-9180-1]: ServletException
> javax.servlet.ServletException: Failed to process message in CEP
> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> As mentioned, the exception occurs with both versions 4 and 5 of
> LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating
> with SCEP enrollment.) With local tokens, (no HSMs) the error does
> not occur.
>
> Any Ideas, how we can track this down? We definitely need to get this
> running.
>
> Best regards!
>
> William Elliott
>
> s IT Solutions
>
> Open System Services
>
> s IT Solutions AT Spardat GmbH
>
> A-1110 Wien, Geiselbergstraße 21 - 25
>
> Phone: +43 (0)5 0100 - 39376
>
> Fax: +43 (0)5 0100 9 - 39376
>
> Mobile: +43 (0)5 0100 6 - 39376
>
> _mailto:william.elliott at s-itsolutions.at
> <mailto:william.elliott%20at%20s-itsolutions.at>_
>
> www.s-itsolutions.com <http://www.s-itsolutions.com/>
>
> Head Office: Vienna Commercial Register No.: 152289f Commercial Court
> of Vienna
>
> This message and any attached files are confidential and intended
> solely for the addressee(s). Any publication, transmission or other
> use of the information by a person or entity other than the intended
> addressee is prohibited. If you receive this in error please contact
> the sender and delete the material. The sender does not accept
> liability for any errors or omissions as a result of the transmission.
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
6:23 a.m.
We want to post the results of our solution to problem(s) we were having.
In all, we had three different issues to overcome to get SCEP Enrollment working under
RHEL6/Dogtag 9 when using Safenet HSMs.
1. "Certificate not found: osstest:caSigningCert cert-pki-testca1"
This message is somewhat misleading because the correct combination of token and CA
nickname are displayed. However the debug messages from
method CryptoContext show that mNickname incorrectly has the token name prepended twice,
and is what throws the exception:
[05/Nov/2014:13:29:59][http-9180-1]: CRSEnrollment: CryptoContext: token name:
osstest'
[05/Nov/2014:13:29:59][http-9180-1]: CRSEnrollment: CryptoContext: mNickname:
'osstest:osstest:caSigningCert cert-pki-testca1'
As described in my first post, mNickname is modified with every call to CryptoContext - an
additional token name is then prepended with every call.
In fact, using a HSM, the CA nickname already contains the token name when mNickname is
set in init(), and needs never be prepended.
Commenting out the offending line in CrypoContext() resolves the issue, when a HSM is
used:
pki-core-9.0.3-38.el6_6.src.rpm and pki-core-9.0.3-32.el6.src.rpm - both are identical
in CRSEnrollment.java:
1973 if (mTokenName.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) ||
1974 mTokenName.equalsIgnoreCase("Internal Key Storage
Token") ||
1975 mTokenName.length() == 0) {
1976 keyStorageToken = cm.getInternalKeyStorageToken();
1977 internalKeyStorageToken = keyStorageToken;
1978 CMS.debug("CRSEnrollment: CryptoContext: internal token
name: '"+mTokenName+"'");
1979 } else {
1980 keyStorageToken = cm.getTokenByName(mTokenName);
1981 internalKeyStorageToken = null;
1982 // mNickname = mTokenName + ":" + mNickname;
1983 CMS.debug("CRSEnrollment: CryptoContext: token name:
"+mTokenName+"'");
1984 }
For some reason, the following relatively careful conditional prepending of the token name
was removed from the init() methond and placed into CryptoContext() in version 9.0.3 that
is packaged with RHEL6. In these versions we tested, mNickname is brutally prepended with
every call.
The following version 9 in the Dogtag git repository still had it right, and also in
version 10 it's also correct again:
DOGTAG_9_0_FEDORA_15_16_17_20111028
176 if (!(mTokenName.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) ||
177 mTokenName.equalsIgnoreCase("Internal Key Storage
Token") ||
178 mTokenName.length() == 0)) {
179 int i = mNickname.indexOf(':');
180 if (!((i > -1) && (mTokenName.length() == i)
&& (mNickname.startsWith(mTokenName)))) {
181 mNickname = mTokenName + ":" + mNickname;
182 }
183 }
DOGTAG_10_1_1_1_FEDORA_20_20140321
248 if (!(mTokenName.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) ||
249 mTokenName.equalsIgnoreCase("Internal Key Storage
Token") || mTokenName.length() == 0)) {
250 int i = mNickname.indexOf(':');
251 if (!((i > -1) && (mTokenName.length() == i)
&& (mNickname.startsWith(mTokenName)))) {
252 mNickname = mTokenName + ":" + mNickname;
253 }
254 }
*******************
Should we submit a bug report for this in the current RHEL6 packages?
We'd love to see this fixed in the RH packages and not have to compile our own
packages with every update of RHEL6.
*******************
2. Could not to unwrap PKCS10 blob
[14/Nov/2014:08:30:08][http-9180-1]: failed to unwrap PKCS10
org.mozilla.jss.crypto.SymmetricKey$NotExtractableException
[14/Nov/2014:08:30:08][http-9180-1]: ServletException javax.servlet.ServletException:
Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: null
Here, the CA is unable to process requests from the client (again sscep) encrypted with
3DES although this is the single allowed algorithm enabled by default.
I have no idea what is causing this error, but the workaround is to fall back to DES:
allow DES in CS.cfg and configure it on the client.
When using no HSM, just a local nss keystore, the error doesn't occur.
3. FIPS 140-2 mode
The same error message in 2. occurs when the HSM is _not_ in FIPS mode. Both RHEL6/Dogtag
9 and RHEL5/Dogtag 1.3 LunaSA 4 and 5. Without FIPS mode activated, all requests fail with
Could not unwrap PKCS10 blob: null. (also when des is used for request)
Workaround: activate FIPS mode on the HSM. -
Case 3. (and maybe case 2.) is very similar to, if not related to [the still open] Bug
825887 (https://bugzilla.redhat.com/show_bug.cgi?id=825887). There, it was the activation
of FIPS mode for a local NSS database which triggered the issue. (I assume that FIPS mode
for NSS prevents the cloning/exporting of keys - which is of course always the behavior of
the HSM, regardless of FIPS mode. ) Our requests also failed at exactly the same call
getDESKeyGenerator().clone as described in the Bug 825887.
Best regards,
William
-----Original Message-----
From: Elliott William C OSS sIT
Sent: Dienstag, 21. Oktober 2014 14:55
To: pki-users(a)redhat.com
Subject: RE: [Pki-users] SCEP Enrollment fails with Certificate not found .
[heur][html-removed]
(sorry for the delay - I was out of the office for some time)
The package version we're trying is pki-ca-9.0.3-32.el6.noarch, on RHEL6 as I said.
But since the last email we've also tried 9.0.3-38, with the same result.
We always ran through the wizard panels using all default values, changing nothing, but
now we configure the ca with pkisilent with the same default values to make sure the
configuration doesn't change from one test to the next.
The only change we make is afterwords to enable scep in the config:
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.enable=true
ca.scep.encryptionAlgorithm=DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.nonceSizeLimit=16
The whole thing always works fine when we use the internal token (and with RHEL5/Dogtag
1.3 on the hsm), but throws the exception when the hsm is used as token.
We use sscep to submit requests to the ca.
We had never set the two parameters (scep.nickname, scep.tokenname) you suggested trying.
Here are the results of your suggestions below :
** 1. This is our current configuration which always produces the exception.
From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name: osstest
CRSEnrollment: init: Is SCEP using CA keys: true
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: token name: osstest'
CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert
cert-pki-testca1'
handlePKIMessage exception
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
...
** 2. Setting ca.scep.nickname at first produced no discernable change,
other than, requests for the ca cert. with "sscep getca" then fail
reliably.
Due to token name not being set:
From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name:
CRSEnrollment: init: Is SCEP using CA keys: false
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: internal token name: ''
CRSEnrollment: CryptoContext: mNickname: 'caSigningCert cert-pki-testca1'
handlePKIMessage exception
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
...
** 3. setting both ca.scep.nickname and ca.scep.tokenname also does not get around the
problem.
From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name: osstest
CRSEnrollment: init: Is SCEP using CA keys: false
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: token name: osstest'
<-- from sscep getca request
CRSEnrollment: CryptoContext: mNickname: 'osstest:caSigningCert cert-pki-testca1'
...
CRSEnrollment: CryptoContext: token name: osstest'
CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert
cert-pki-testca1' <-- from sscep enroll request
handlePKIMessage exception
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
best regards,
William
-----Original Message-----
From: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com] On Behalf Of
Christina Fu
Sent: Donnerstag, 02. Oktober 2014 02:15
To: pki-users(a)redhat.com
Subject: Re: [Pki-users] SCEP Enrollment fails with Certificate not found .
[heur][html-removed]
btw, I'm not suggesting that you need either or both config params.
three sets of config you can try:
1. don't specify either ca.scep.nickname or ca.scep.tokenname
(I think by default it takes the ca signing cert, if that's what you
intend to use anyway)
2. specify nickname only ca.scep.nickname (without the token)
ca.scep.nickname=caSigningCert cert-pki-testca1
(I think by default, if the nickname you specified matches that of the
ca, it will find the token for you)
3. specify both nickname and token:
ca.scep.nickname=caSigningCert cert-pki-testca1
ca.scep.tokenname=osstest
(last resort, because when you do this, it thinks it's not using the ca
signing cert.. )
Let us know.
Christina
On 10/01/2014 05:00 PM, Christina Fu wrote:
What's your scep config values, specifically:
ca.scep.nickname
ca.scep.tokenname
Christina
On 09/29/2014 04:55 AM, Elliott William C OSS sIT wrote:
>
> Hello,
>
> We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs
> setup for SCEP enrollment. But, no matter whether we try the older
> HSMs( LunaSA 4) or the newer (LunaSA 5) we cannot complete a
> successful SCEP request. The following exception occurs in the debug log:
>
> [29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
>
> [29/Sep/2014:13:41:17][http-9180-1]:
> message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ
>
> KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w
>
> ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt
>
> dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG
>
> SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH
>
> 7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP
>
> RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs
>
> HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r
>
> SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g
>
> rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF
>
> Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM
>
> X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW
>
> m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu
>
> udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc
>
> AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT
>
> l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61
>
> JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz
>
> cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z
>
> gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB
>
> dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG
>
> NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy
>
> MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx
>
> MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF
>
> gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM
>
> rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip
>
> 9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB
>
> gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN
>
> L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp
>
> e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w
>
> GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG
>
> OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC
>
> MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw
>
> OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg
>
> hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0
>
> QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB
>
> gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH
>
> eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm
>
> /oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
> token name: osstest'
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
> mNickname: '*osstest:osstest*:caSigningCert cert-pki-testca1'
>
> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> at
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>
> at
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>
> at
> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
> at
> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>
> at
>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>
> at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>
> at java.lang.Thread.run(Thread.java:701)
>
> [29/Sep/2014:13:41:17][http-9180-1]: ServletException
> javax.servlet.ServletException: Failed to process message in CEP
> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> What stands out is the line with mNickname. After restarting the
> service, with the first request, the HSM token name appears to be
> listed twice in the *mNickname* string. Interestingly, with each new
> request, the number of token names increases by one in the string.
> i.e. with the 2^nd attempt, the same exception occurs but the token
> name appears three times:
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
> token name: osstest'
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
> mNickname: '*osstest:osstest:osstest*:caSigningCert cert-pki-testca1'
>
> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> at
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>
> at
>
com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>
> at
> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
> at
> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>
> at
>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>
> at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>
> at java.lang.Thread.run(Thread.java:701)
>
> [29/Sep/2014:13:41:17][http-9180-1]: ServletException
> javax.servlet.ServletException: Failed to process message in CEP
> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> As mentioned, the exception occurs with both versions 4 and 5 of
> LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating
> with SCEP enrollment.) With local tokens, (no HSMs) the error does
> not occur.
>
> Any Ideas, how we can track this down? We definitely need to get this
> running.
>
> Best regards!
>
> William Elliott
>
> s IT Solutions
>
> Open System Services
>
> s IT Solutions AT Spardat GmbH
>
> A-1110 Wien, Geiselbergstraße 21 - 25
>
> Phone: +43 (0)5 0100 - 39376
>
> Fax: +43 (0)5 0100 9 - 39376
>
> Mobile: +43 (0)5 0100 6 - 39376
>
> _mailto:william.elliott at s-itsolutions.at
> <mailto:william.elliott%20at%20s-itsolutions.at>_
>
> www.s-itsolutions.com <http://www.s-itsolutions.com/>
>
> Head Office: Vienna Commercial Register No.: 152289f Commercial Court
> of Vienna
>
> This message and any attached files are confidential and intended
> solely for the addressee(s). Any publication, transmission or other
> use of the information by a person or entity other than the intended
> addressee is prohibited. If you receive this in error please contact
> the sender and delete the material. The sender does not accept
> liability for any errors or omissions as a result of the transmission.
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
11:57 a.m.
Hi William,
Thank you very much for your feedback. I find helping people like you
very rewarding.
I do not have time to read it through carefully at the moment, but
could you please file two bug? One for #1 and one for the LunaSA
unwrapping related issues. You can just copy and paste the relevant
portion of your email into each bug.
Here is the info: http://pki.fedoraproject.org/wiki/PKI_Bugs
btw, out of curiosity, can you search in your debug log for the string:
"handlePKIOperation: Encryption algorithm"
What algorithm does it say? Please put that in bug #2 as well.
Each HSM actually requires different flags and attributes to work. For
example, to unwrap, Lunasa would require sensitive to be false and
extractable to be true, while Thales nethsm would require sensitive to
be false and extractable to be false. key types make a difference too
for rsa and ecc keys need different attributes. I suspect the code in
the SCEP part of the woods might not have been tuned to handle such
differences.
thanks,
Christina
On 11/25/2014 04:23 AM, Elliott William C OSS sIT wrote:
We want to post the results of our solution to problem(s) we were
having.
In all, we had three different issues to overcome to get SCEP Enrollment working under
RHEL6/Dogtag 9 when using Safenet HSMs.
1. "Certificate not found: osstest:caSigningCert cert-pki-testca1"
This message is somewhat misleading because the correct combination of token and CA
nickname are displayed. However the debug messages from
method CryptoContext show that mNickname incorrectly has the token name prepended twice,
and is what throws the exception:
[05/Nov/2014:13:29:59][http-9180-1]: CRSEnrollment: CryptoContext: token name:
osstest'
[05/Nov/2014:13:29:59][http-9180-1]: CRSEnrollment: CryptoContext: mNickname:
'osstest:osstest:caSigningCert cert-pki-testca1'
As described in my first post, mNickname is modified with every call to CryptoContext -
an additional token name is then prepended with every call.
In fact, using a HSM, the CA nickname already contains the token name when mNickname is
set in init(), and needs never be prepended.
Commenting out the offending line in CrypoContext() resolves the issue, when a HSM is
used:
pki-core-9.0.3-38.el6_6.src.rpm and pki-core-9.0.3-32.el6.src.rpm - both are
identical in CRSEnrollment.java:
1973 if (mTokenName.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) ||
1974 mTokenName.equalsIgnoreCase("Internal Key Storage
Token") ||
1975 mTokenName.length() == 0) {
1976 keyStorageToken = cm.getInternalKeyStorageToken();
1977 internalKeyStorageToken = keyStorageToken;
1978 CMS.debug("CRSEnrollment: CryptoContext: internal token
name: '"+mTokenName+"'");
1979 } else {
1980 keyStorageToken = cm.getTokenByName(mTokenName);
1981 internalKeyStorageToken = null;
1982 // mNickname = mTokenName + ":" + mNickname;
1983 CMS.debug("CRSEnrollment: CryptoContext: token name:
"+mTokenName+"'");
1984 }
For some reason, the following relatively careful conditional prepending of the token
name was removed from the init() methond and placed into CryptoContext() in version 9.0.3
that is packaged with RHEL6. In these versions we tested, mNickname is brutally prepended
with every call.
The following version 9 in the Dogtag git repository still had it right, and also in
version 10 it's also correct again:
DOGTAG_9_0_FEDORA_15_16_17_20111028
176 if (!(mTokenName.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) ||
177 mTokenName.equalsIgnoreCase("Internal Key Storage
Token") ||
178 mTokenName.length() == 0)) {
179 int i = mNickname.indexOf(':');
180 if (!((i > -1) && (mTokenName.length() == i)
&& (mNickname.startsWith(mTokenName)))) {
181 mNickname = mTokenName + ":" + mNickname;
182 }
183 }
DOGTAG_10_1_1_1_FEDORA_20_20140321
248 if (!(mTokenName.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN)
||
249 mTokenName.equalsIgnoreCase("Internal Key Storage
Token") || mTokenName.length() == 0)) {
250 int i = mNickname.indexOf(':');
251 if (!((i > -1) && (mTokenName.length() == i)
&& (mNickname.startsWith(mTokenName)))) {
252 mNickname = mTokenName + ":" + mNickname;
253 }
254 }
*******************
Should we submit a bug report for this in the current RHEL6 packages?
We'd love to see this fixed in the RH packages and not have to compile our own
packages with every update of RHEL6.
*******************
2. Could not to unwrap PKCS10 blob
[14/Nov/2014:08:30:08][http-9180-1]: failed to unwrap PKCS10
org.mozilla.jss.crypto.SymmetricKey$NotExtractableException
[14/Nov/2014:08:30:08][http-9180-1]: ServletException javax.servlet.ServletException:
Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: null
Here, the CA is unable to process requests from the client (again sscep) encrypted with
3DES although this is the single allowed algorithm enabled by default.
I have no idea what is causing this error, but the workaround is to fall back to DES:
allow DES in CS.cfg and configure it on the client.
When using no HSM, just a local nss keystore, the error doesn't occur.
3. FIPS 140-2 mode
The same error message in 2. occurs when the HSM is _not_ in FIPS mode. Both
RHEL6/Dogtag 9 and RHEL5/Dogtag 1.3 LunaSA 4 and 5. Without FIPS mode activated, all
requests fail with Could not unwrap PKCS10 blob: null. (also when des is used for
request)
Workaround: activate FIPS mode on the HSM. -
Case 3. (and maybe case 2.) is very similar to, if not related to [the still open] Bug
825887 (https://bugzilla.redhat.com/show_bug.cgi?id=825887). There, it was the activation
of FIPS mode for a local NSS database which triggered the issue. (I assume that FIPS mode
for NSS prevents the cloning/exporting of keys - which is of course always the behavior of
the HSM, regardless of FIPS mode. ) Our requests also failed at exactly the same call
getDESKeyGenerator().clone as described in the Bug 825887.
Best regards,
William
-----Original Message-----
From: Elliott William C OSS sIT
Sent: Dienstag, 21. Oktober 2014 14:55
To: pki-users(a)redhat.com
Subject: RE: [Pki-users] SCEP Enrollment fails with Certificate not found .
[heur][html-removed]
(sorry for the delay - I was out of the office for some time)
The package version we're trying is pki-ca-9.0.3-32.el6.noarch, on RHEL6 as I said.
But since the last email we've also tried 9.0.3-38, with the same result.
We always ran through the wizard panels using all default values, changing nothing, but
now we configure the ca with pkisilent with the same default values to make sure the
configuration doesn't change from one test to the next.
The only change we make is afterwords to enable scep in the config:
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.enable=true
ca.scep.encryptionAlgorithm=DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.nonceSizeLimit=16
The whole thing always works fine when we use the internal token (and with RHEL5/Dogtag
1.3 on the hsm), but throws the exception when the hsm is used as token.
We use sscep to submit requests to the ca.
We had never set the two parameters (scep.nickname, scep.tokenname) you suggested
trying.
Here are the results of your suggestions below :
** 1. This is our current configuration which always produces the exception.
From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name: osstest
CRSEnrollment: init: Is SCEP using CA keys: true
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: token name: osstest'
CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert
cert-pki-testca1'
handlePKIMessage exception
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
...
** 2. Setting ca.scep.nickname at first produced no discernable change,
other than, requests for the ca cert. with "sscep getca" then fail
reliably.
Due to token name not being set:
From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name:
CRSEnrollment: init: Is SCEP using CA keys: false
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: internal token name: ''
CRSEnrollment: CryptoContext: mNickname: 'caSigningCert cert-pki-testca1'
handlePKIMessage exception
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
...
** 3. setting both ca.scep.nickname and ca.scep.tokenname also does not get around the
problem.
From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name: osstest
CRSEnrollment: init: Is SCEP using CA keys: false
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: token name: osstest'
<-- from sscep getca request
CRSEnrollment: CryptoContext: mNickname: 'osstest:caSigningCert
cert-pki-testca1'
...
CRSEnrollment: CryptoContext: token name: osstest'
CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert
cert-pki-testca1' <-- from sscep enroll request
handlePKIMessage exception
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
Certificate not found: osstest:caSigningCert cert-pki-testca1
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
at
com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
best regards,
William
-----Original Message-----
From: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com] On Behalf Of
Christina Fu
Sent: Donnerstag, 02. Oktober 2014 02:15
To: pki-users(a)redhat.com
Subject: Re: [Pki-users] SCEP Enrollment fails with Certificate not found .
[heur][html-removed]
btw, I'm not suggesting that you need either or both config params.
three sets of config you can try:
1. don't specify either ca.scep.nickname or ca.scep.tokenname
(I think by default it takes the ca signing cert, if that's what you
intend to use anyway)
2. specify nickname only ca.scep.nickname (without the token)
ca.scep.nickname=caSigningCert cert-pki-testca1
(I think by default, if the nickname you specified matches that of the
ca, it will find the token for you)
3. specify both nickname and token:
ca.scep.nickname=caSigningCert cert-pki-testca1
ca.scep.tokenname=osstest
(last resort, because when you do this, it thinks it's not using the ca
signing cert.. )
Let us know.
Christina
On 10/01/2014 05:00 PM, Christina Fu wrote:
> What's your scep config values, specifically:
> ca.scep.nickname
> ca.scep.tokenname
>
> Christina
>
> On 09/29/2014 04:55 AM, Elliott William C OSS sIT wrote:
>> Hello,
>>
>> We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs
>> setup for SCEP enrollment. But, no matter whether we try the older
>> HSMs( LunaSA 4) or the newer (LunaSA 5) we cannot complete a
>> successful SCEP request. The following exception occurs in the debug log:
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
>>
>> [29/Sep/2014:13:41:17][http-9180-1]:
>> message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ
>>
>> KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w
>>
>> ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt
>>
>> dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG
>>
>> SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH
>>
>> 7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP
>>
>> RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs
>>
>> HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r
>>
>> SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g
>>
>> rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF
>>
>> Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM
>>
>> X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW
>>
>> m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu
>>
>> udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc
>>
>> AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT
>>
>> l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61
>>
>> JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz
>>
>> cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z
>>
>> gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB
>>
>> dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG
>>
>> NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy
>>
>> MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx
>>
>> MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF
>>
>> gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM
>>
>> rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip
>>
>> 9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB
>>
>> gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN
>>
>> L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp
>>
>> e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w
>>
>> GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG
>>
>> OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC
>>
>> MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw
>>
>> OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg
>>
>> hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0
>>
>> QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB
>>
>> gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH
>>
>> eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm
>>
>> /oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
>> token name: osstest'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
>> mNickname: '*osstest:osstest*:caSigningCert cert-pki-testca1'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
>>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> at
>>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>>
>> at
>>
com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>>
>> at
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>>
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>
>> at
>>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>
>> at
>>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>> at
>>
com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>>
>> at
>>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>
>> at
>>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>> at
>>
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>
>> at
>>
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>
>> at
>>
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>
>> at
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>>
>> at
>>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>>
>> at
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>
>> at java.lang.Thread.run(Thread.java:701)
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: ServletException
>> javax.servlet.ServletException: Failed to process message in CEP
>> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> What stands out is the line with mNickname. After restarting the
>> service, with the first request, the HSM token name appears to be
>> listed twice in the *mNickname* string. Interestingly, with each new
>> request, the number of token names increases by one in the string.
>> i.e. with the 2^nd attempt, the same exception occurs but the token
>> name appears three times:
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
>> token name: osstest'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
>> mNickname: '*osstest:osstest:osstest*:caSigningCert cert-pki-testca1'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
>>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> at
>>
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>>
>> at
>>
com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>>
>> at
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>>
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>
>> at
>>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>
>> at
>>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>> at
>>
com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>>
>> at
>>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>
>> at
>>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>> at
>>
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>
>> at
>>
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>
>> at
>>
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>
>> at
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>>
>> at
>>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>>
>> at
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>
>> at java.lang.Thread.run(Thread.java:701)
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: ServletException
>> javax.servlet.ServletException: Failed to process message in CEP
>> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> As mentioned, the exception occurs with both versions 4 and 5 of
>> LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating
>> with SCEP enrollment.) With local tokens, (no HSMs) the error does
>> not occur.
>>
>> Any Ideas, how we can track this down? We definitely need to get this
>> running.
>>
>> Best regards!
>>
>> William Elliott
>>
>> s IT Solutions
>>
>> Open System Services
>>
>> s IT Solutions AT Spardat GmbH
>>
>> A-1110 Wien, Geiselbergstraße 21 - 25
>>
>> Phone: +43 (0)5 0100 - 39376
>>
>> Fax: +43 (0)5 0100 9 - 39376
>>
>> Mobile: +43 (0)5 0100 6 - 39376
>>
>> _mailto:william.elliott at s-itsolutions.at
>> <mailto:william.elliott%20at%20s-itsolutions.at>_
>>
>> www.s-itsolutions.com <http://www.s-itsolutions.com/>
>>
>> Head Office: Vienna Commercial Register No.: 152289f Commercial Court
>> of Vienna
>>
>> This message and any attached files are confidential and intended
>> solely for the addressee(s). Any publication, transmission or other
>> use of the information by a person or entity other than the intended
>> addressee is prohibited. If you receive this in error please contact
>> the sender and delete the material. The sender does not accept
>> liability for any errors or omissions as a result of the transmission.
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
3679
days inactive
3736
days old
5 comments
2 participants
participants (2)
-
Christina Fu -
Elliott William C OSS sIT