Enabling Log Signing using TSA on VA Breaks it!

E-Sharifi
2013-03-02
  • E-Sharifi
    2013-03-02

    Hi everybody,
    I enabled log signing using TSA in JBoss according to the following instructions found on the EJBCA website:
    http://wiki.ejbca.org/logsigning#toc5
    Note that I copied some other jar files from lib/ to jboss.home/server/default/lib to solve dependency problems.

    This works perfectly on EJBCA installed as a CA, but on EJBCA installed as a VA, after ant jbosslogsigning something strange happened! It breaks the VA with the following error in JBoss:
    ERROR [SigningEntityContainer] No valid keys. Key directory /opt/jboss/bin/keys. No P11 defined.

    Log signing works perfectly (rotates and signs the file correctly), but the VA breaks and cannot respond to OCSP requests, with the following log:
    INFO [OCSPServletBase] Received OCSP request for certificate with serNo: 1474e75b8bcdaa68, and issuerNameHash: 8fb5a155ea28aebd71311009da2c2065f59b447f. Client ip 192.168.50.3.
    INFO [OCSPServletBase] Adding status information (good) for certificate with serial '1474e75b8bcdaa68' from issuer 'CN=RootCA1'.
    ERROR [OCSPServletBase] Error processing OCSP request. Message: .
    java.lang.NullPointerException
    at org.ejbca.core.protocol.ocsp.OCSPData.getCaid(OCSPData.java:65)
    at org.ejbca.core.protocol.ocsp.standalonesession.StandAloneSession.extendedService(StandAloneSession.java:312)
    at org.ejbca.ui.web.protocol.OCSPServletStandAlone.extendedService(OCSPServletStandAlone.java:126)
    at org.ejbca.ui.web.protocol.OCSPServletBase.signOCSPResponse(OCSPServletBase.java:196)
    at org.ejbca.ui.web.protocol.OCSPServletBase.serviceOCSP(OCSPServletBase.java:826)
    at org.ejbca.ui.web.protocol.OCSPServletBase.doPost(OCSPServletBase.java:345)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:679)

    My appender configuration for log signing in jboss-log4j.xml is:

    <appender name="MY" class="org.ejbca.appserver.jboss.SigningDailyRollingFileAppender">
      <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>

      <param name="File" value="/opt/jboss/log/my.log"/>
      <param name="Append" value="false"/>
      <param name="SignMethod" value="tsa"/>
      <param name="TsaUrl" value="http://192.168.50.6:8080/signserver/tsa?signerId=1"/>

      <!-- Rollover at the top of each hour -->
      <param name="DatePattern" value="'.'yyyy-MM-dd-HH"/>

      <layout class="org.apache.log4j.PatternLayout">
        <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
      </layout>
    </appender>

    My development environment is: EJBCA 4.0.12 on JBoss 5.1.0.GA on openSUSE.

    Has anyone deployed log signing using TSA on a VA successfully?

    Any help is appreciated in advance.

     
    • ejbca-support
      2013-03-02

      Hi,
      As far as I know, log signing isn't supported by the VA.

      Cheers
      Anders
      tech support

      On 2013-03-02 07:34, E-Sharifi wrote:


       
  • E-Sharifi
    2013-03-02

    Thanks for your rapid answer.
    So what can I do now for signing logs in the VA? What is the best solution in your opinion?

    Thanks in advance

     
    Last edit: E-Sharifi 2013-03-02
  • You have to do some testing. Remove your extra jars from server/default/lib.

    If the VA works fine then, you have some class collisions that you do not want.
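As an added example (not code from this thread or from EJBCA), the class-collision check the last reply suggests can be made systematic: the script below lists every .class entry that appears in more than one jar across the directories you point it at, such as server/default/lib and the lib directory of the EJBCA deployment. The jars it builds are constructed stand-ins; the directory names and class names are assumptions, not values from the thread.

```python
"""Report .class entries carried by more than one jar across a set of
library directories (constructed example, not part of EJBCA)."""
import tempfile
import zipfile
from collections import defaultdict
from pathlib import Path


def classes_in_jar(jar_path):
    """Return the set of .class entry names inside one jar (a zip file)."""
    with zipfile.ZipFile(jar_path) as jar:
        return {n for n in jar.namelist() if n.endswith(".class")}


def find_class_collisions(jar_dirs):
    """Map each class found in two or more jars to the jars that carry it.

    jar_dirs: directories scanned (non-recursively) for *.jar files; the
    order given is preserved in the reported jar lists.
    """
    owners = defaultdict(list)
    for d in jar_dirs:
        for jar in sorted(Path(d).glob("*.jar")):
            for cls in classes_in_jar(jar):
                owners[cls].append(str(jar))
    return {cls: jars for cls, jars in owners.items() if len(jars) > 1}


def make_demo_jars(base_dir):
    """Constructed sample: a copied jar in the server lib dir that shares one
    class with a jar shipped by the application (hypothetical names)."""
    lib = Path(base_dir) / "server_default_lib"
    app = Path(base_dir) / "ejbca_lib"
    lib.mkdir(parents=True, exist_ok=True)
    app.mkdir(parents=True, exist_ok=True)
    entries = {
        lib / "copied-dep.jar": ["org/example/Dep.class", "org/example/Util.class"],
        lib / "unrelated.jar": ["com/other/Bar.class"],
        app / "ejbca-dep.jar": ["org/example/Dep.class", "org/ejbca/Foo.class"],
    }
    for jar_path, names in entries.items():
        with zipfile.ZipFile(jar_path, "w") as jar:
            for name in names:
                jar.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only
    return [str(lib), str(app)]


def demo_collisions():
    """Build the constructed jars in a temp dir and return the collision map."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_class_collisions(make_demo_jars(tmp))


if __name__ == "__main__":
    for cls, jars in sorted(demo_collisions().items()):
        print(f"{cls} is provided by: {', '.join(jars)}")
```

Point it at the real directories with find_class_collisions(["/path/to/server/default/lib", "/path/to/ejbca/lib"]) and any class it reports is a candidate for the collision the reply describes.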