Unable to invoke EJBCA API - Facing error

Manmay
2012-12-05
2013-08-01
  • Manmay
    Manmay
    2012-12-05

    Here is the error I am facing:
    *** Could not connect to non-authenticated web service call getEjbcaVersion()

    I am using the RAAdmin.jar to invoke the webservice API of my EJBCA setup.

    EJBCA Setup Details:
    - Deployed on JBoss5
    - Hold a valid multi-domain SSL certificate from GoDaddy.
    - Configured the SSL(Generated KeyStore from GoDaddy SSL) in JBoss Server.xml

    <Connector port="8442" address="0.0.0.0"
             maxThreads="150" strategy="ms" maxHttpHeaderSize="8192"
             emptySessionPath="true" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="false"
             keystoreFile="${jboss.server.home.dir}/conf/keystore/keystore.jks"
             keystorePass="xxxx" sslProtocol="TLS"
             truststoreFile="${jboss.server.home.dir}/conf/keystore/truststore.jks" truststorePass="xxxxx" truststoreType="JKS"
             URIEncoding="UTF-8" />
        <!-- HTTPS Connector requiring client cert on port 8443 -->
        <Connector port="8443" address="0.0.0.0"
             maxThreads="150" strategy="ms" maxHttpHeaderSize="8192"
             emptySessionPath="true" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="true"
             keystoreFile="/etc/httpd/certs/wildcard.mydomain.jks"
             keystorePass="xxxx" sslProtocol="TLS" 
             truststoreFile="${jboss.server.home.dir}/conf/keystore/truststore.jks" truststorePass="xxxx" truststoreType="JKS"
             URIEncoding="UTF-8" />
    

    Currently I am able to perform all the EJBCA admin actions via Web GUI.

    Question I have:
    1. To make RAAdmin.jar work what do I need to provide as KeyStore and Trusted KeyStore?
    2. Do I need to import GoDaddy SSL certificates of my subdomain into EJBCA?
    3. Once #1 is resolved I will be writing the API client in PHP. Which P12 certificate I should use?

    Things I have tried so far in the RAAdmin client but didn't work:
    1. Used superAdmin user's jks as KeyStore and Trusted KeyStore.
    2. Used superAdmin user's jks as KeyStore and default generated truststore.jks as Trusted KeyStore.
    3. Created an End Entity and assigned Admin privileges. Used the created End Entity's jks as KeyStore and Trusted KeyStore.
    4. Added SSL certs to superAdmin user's jks and used it as KeyStore and Trusted KeyStore.

     
  • Manmay
    Manmay
    2012-12-06

    Thanks a lot for your quick response..

    We already have the commented out <property name="webServiceHost">${jboss.bind.address}</property> from boss-beans.xml.

    We are able to see the wsdl file xml contents on a browser holding valid admin certificates.

    Do we need to make any other configuration level changes to authenticate the wsdl for using in webservice API?
    Also the EJBCA is fully functional on Web with Admin GUI. It's just we are not able to initialize the webservice for the same EJBCA setup.
    We now just want to use the webservices for the below 2 tasks:
    1. Add End Entity
    2. Retrieve certificates for an End Entity.

    Please do let us know what changes do we need in the EJBCA setup for getting the webservice run.

     
  • You should try the clientToolBox, it has a command line interface with all the right configurations for web service commands.
    See the doc for clientToolBox in the WS section of the admin guide.

     
  • Manmay
    Manmay
    2012-12-06

    We will definitely try, but it will not help. The reason being, our setup is distributed i.e. EJBCA is on a standalone server and our php client will be on a physically separate server. So for us API's is the only way.

    On a side note, we have been able to add an End Entity successfully using clientToolBox.

     

  • Anonymous
    2012-12-06

    the clientToolBox uses the WS API and is therefore a good starting point for a client.  The JARs should be usable as is from any application compatible with the JVM.

    Cheers,
    Anders
    tech support

     
  • Manmay
    Manmay
    2012-12-06

    Anders thank you for the response.
    Pardon my limited knowledge, but are you suggesting to use the clientToolBox JARs as is? i.e. copy them on my PHP server (which is the client of EJBCA)?

    Additionally, my end client is going to be written in PHP and I would like to invoke Web API directly for better integration, error handling and scalability.

     

  • Anonymous
    2012-12-06

    Yes, I meant using the JAR + lib/ as is after studying the source.

    http://www.ejbca.org/adminguide.html#EJBCA Web Service Interface

    If you need to use PHP and not java you must create a WS-client from the WSDL.  This is unfortunately outside of my competence but all platforms have some way of doing this.  The SSL part may be tricky, not all platforms offer good client solutions.

    Cheers
    Anders
    tech support
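
An added example (not part of the original thread and not EJBCA project code) of a PHP WS client built from the WSDL, showing how the keystore/truststore split maps onto PHP's TLS options. Assumptions: the host name, file paths, issuer DN and serial are placeholders; the admin P12 has been converted to a PEM file holding certificate and private key; the `arg0`..`arg2` parameter names and the `return` field follow the usual JAX-WS generated WSDL and should be confirmed with `__getFunctions()` / `__getTypes()` against your server.

```php
<?php
// Constructed placeholders: replace with your own values.
const WSDL_URL   = 'https://ejbca.example.com:8443/ejbca/ejbcaws/ejbcaws?wsdl';
// "KeyStore" equivalent: the admin's certificate + private key, as PEM.
const CLIENT_PEM = '/etc/ejbca-client/admin.pem';
// "Trusted KeyStore" equivalent: the CA chain that issued the *server's*
// TLS certificate (for a commercially issued server cert, that CA's chain).
const SERVER_CA  = '/etc/ejbca-client/server-ca-chain.pem';

function ejbcaClient(string $keyPassphrase): SoapClient
{
    // Verify the server and present the admin certificate on port 8443
    // (the connector configured with clientAuth="true").
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'cafile'           => SERVER_CA,
        'local_cert'       => CLIENT_PEM,
        'passphrase'       => $keyPassphrase,
    ]]);

    return new SoapClient(WSDL_URL, [
        'stream_context' => $ctx,
        'local_cert'     => CLIENT_PEM,
        'passphrase'     => $keyPassphrase,
        'exceptions'     => true,            // surface failures as SoapFault
        'cache_wsdl'     => WSDL_CACHE_NONE,
    ]);
}

try {
    // Keep the key passphrase out of source code.
    $ws = ejbcaClient(getenv('EJBCA_KEY_PASS') ?: '');

    // Connectivity check: the same call the Java client reported on.
    echo 'EJBCA version: ', $ws->getEjbcaVersion()->return, PHP_EOL;

    // Revoke a certificate: issuer DN, serial number in hex, CRL reason code.
    $ws->revokeCert([
        'arg0' => 'CN=Example Issuing CA,O=Example',   // placeholder issuer DN
        'arg1' => '0123456789ABCDEF',                  // placeholder serial (hex)
        'arg2' => 4,                                   // RFC 5280 reason: superseded
    ]);
} catch (SoapFault $e) {
    // TLS handshake problems and EJBCA authorization errors both land here.
    error_log('EJBCA WS call failed: ' . $e->getMessage());
    exit(1);
}
```

If the WSDL cannot even be fetched, the failure is in the TLS layer (server chain not in `cafile`, or client certificate not issued by a CA in the server's truststore) rather than in EJBCA's access rules.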

     
  • ps. the client toolbox can be used from any other host, remote from ejbca.

     
  • Manmay
    Manmay
    2012-12-06

    **Finally I am able to use the API.. Using ClientToolBox directly in my PHP code.

    Tomas Gustavsson and Ander… Thanks a lot for your support!!**

     
    • Jordi Monsó
      Jordi Monsó
      2013-08-01

      Hi manmay,

      I need to, for example, revoke a certificate to my ejbca, but I use PHP. How can I use EJBCA Ws or other to do these operations??

      Please help me if you can, because I'm desperate.

      Thank you