From: Manuel R. <MR...@e-...> - 2002-07-04 11:08:03
>This may be a bug in directory creation or something...
>When I try a directory is created 'ejbca/p12/pem' where all pem files
>are stored.

Looks like you are right. As mentioned previously, the batch.sh -pem command does create the ejbca/pem directory but this is empty; the necessary files can be found in ejbca/p12/pem/. In fact it creates 3 files (JOHN DOE-CA.pem, JOHN DOE-Key.pem, JOHN DOE.pem). I used JOHN DOE.pem to concatenate.

Following on from there, I have now reached the end of the documentation regarding RAADMIN in ejbca/doc/README but I have still come up against the original errors:

1) javax.servlet.ServletException: Client certificate required.
2) se.anatom.ejbca.webdist.ejbcaathorization.AuthorizationDeniedException: Client certificate required.

The only point which I didn't fully understand was:

6. Create a PKCS12 file with EJBCA for a user with CN=walter and the RAADMIN bit (temporarily CN=walter gives adminrights).

What exactly is the "RAADMIN bit"?

Also there seems to be a discrepancy in that the initial keytool commands (point 3) use .keystore; this same keystore name doesn't work in point 3 - "Import to the keystore" (see [COMMENTS] below for notes), so .keystore needs to be changed to simply "keystore". This is then renamed (point 4) to .keystore, which I assume would overwrite the .keystore generated at the beginning of point 3. (I am currently looking at this, and will try using all keytool commands with simply "keystore", and then renaming.)

Did that last paragraph make sense? :-)

Also, just in case anybody else is following this thread, these are my notes from the expedition into the RA Admin Web Interface (not sure how these will display in your mail reader, so I have also attached a plain text document):

=========================================================
RA Admin Web Interface - Installation/Configuration Notes
=========================================================

=========================================================
Guidelines from /usr/local/ejbca/doc/README :
=========================================================

Preliminary documentation - TODO: Installation procedure will be enhanced.

1. Copy src/ra/web/raadmin/WEB-INF/tomcat-services.xml to JBOSS_HOME/server/default/deploy
2. Edit parameters in src/ra/web/raadmin/WEB-INF/web.xml.
3. Create a tomcat server keystore with 'keytool' (create a certificate request that is processed by EJBCA and import the returned certificate).
   keytool -genkey -keyalg RSA -alias tomcat -keystore .keystore -storepass foo123
   keytool -certreq -alias tomcat -file tomcat.req -keystore .keystore -storepass foo123
   Create a user in EJBCA, DN="C=SE,O=PrimeKEy,CN=localhost" or similar.
   Process the request from keytool and write the certificate to 'tomcat.pem'.
   Download the CA certificate, transfer to PEM-format and concatenate the certificates together in 'tomcat.pem.'
   Import to the keystore:
   keytool -import -alias tomcat -file tomcat.pem -keystore .keystore -storepass foo123
4. Name the keystore '.keystore' and put in $JBOSS_HOME.
5. Add the EJBCA CA certificate to the trust-keystore in $JAVA_HOME/jre/lib/security/cacerts
   keytool -import -trustcacerts -file ejbca-ca.pem -keystore cacerts -storepass changeit
6. Create a PKCS12 file with EJBCA for a user with CN=walter and the RAADMIN bit (temporarily CN=walter gives adminrights).
7. Install the PKCS12 file in the browser.
8. Start JBoss.
11. Go to https://localhost:8443/raadmin

=========================================================

=========================================================
Notes
=========================================================

[ACTION] cp /usr/local/src/ra/web/raadmin/WEB-INF/tomcat-services.xml $JBOSS_HOME/server/default/deploy
[ACTION] Edit parameters in src/ra/web/raadmin/WEB-INF/web.xml

[NOTES] Create a tomcat server keystore with 'keytool' (create a certificate request that is processed by EJBCA and import the returned certificate).
[COMMAND] keytool -genkey -keyalg RSA -alias raadmin-alias -keystore .keystore -storepass 1qaz1qaz
[OUTPUT] What is your first and last name? : JOHN DOE
[OUTPUT] What is the name of your organizational unit? : ORG-UNIT
[OUTPUT] What is the name of your organization?]: ORG
[OUTPUT] What is the name of your City or Locality? : SMALLVILLE
[OUTPUT] What is the name of your State or Province? : SMALLSHIRE
[OUTPUT] What is the two-letter country code for this unit? : GB
[OUTPUT] Is CN=JOHN DOE, OU=ORG-UNIT, O=ORG, L=SMALLVILLE, ST=SMALLSHIRE, C=GB correct? : yes
[OUTPUT]
[OUTPUT] Enter key password for <raa-alias>
[OUTPUT] (RETURN if same as keystore password):
[COMMAND] keytool -certreq -alias raa-alias -file raadmin.req -keystore .keystore -storepass 1qaz1qaz

[NOTES] Create a user in EJBCA, DN="C=SE,O=PrimeKEy,CN=localhost" or similar.
[COMMAND] ./ra.sh adduser raadmin-user 1qaz1qaz "CN=JOHN DOE, OU=ORG-UNIT, O=ORG, C=GB" "na...@se..." 32
[OUTPUT] Trying to add user:
[OUTPUT] Username: raa-users
[OUTPUT] Password (hashed only): 1qaz1qaz
[OUTPUT] DN: CN=JOHN DOE, OU=ORG-UNIT, O=ORG, C=GB
[OUTPUT] Email: na...@se...
[OUTPUT] Type: 32
[OUTPUT] User 'raa-users' has been added.
[OUTPUT]
[OUTPUT] Note: If batch processing should be possible,
[OUTPUT] also use 'ra setclearpwd raa-users <pwd>'.

[NOTES] Process the request from keytool and write the certificate to 'raadmin.pem'.
[COMMAND] ./ca.sh processreq raadmin-user 1qaz1qaz raadmin.req raadmin.pem
[OUTPUT] Processing cert request:
[OUTPUT] Username: raa-users
[OUTPUT] Password: 1qaz1qaz
[OUTPUT] Request file: raa-admin.req
[OUTPUT] Wrote certificate (PEM-format) to file raa-admin.pem

[NOTES] Set user password to clear text
[COMMAND] ./ra.sh setclearpwd raadmin-user 1qaz1qaz
[OUTPUT] Setting clear text password 1qaz1qaz for user raa-users

[NOTES] [sh ./batch.sh -pem searches for users with status 10 (new); following the above creates a user with status 40]
[COMMAND] ./ra.sh setuserstatus raadmin-user 10
[OUTPUT] New status for user raa-users is 10

[NOTES] Download the CA certificate, transfer to PEM-format and concatenate the certificates together in 'raadmin.pem.'
[COMMAND] sh ./batch.sh -pem
[OUTPUT] 0 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating PEM-files.
[OUTPUT] 7 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating for all NEW.
[OUTPUT] 285 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating keys for raa-users
[OUTPUT] 11421 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Created P12 for raa-users.
[OUTPUT] 11486 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - 1 new users generated successfully - :raa-users
[OUTPUT] 11487 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating for all FAILED.
[OUTPUT] 11568 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - 0 new users generated successfully -
[ACTION] Concatenate ejbca/p12/pem/JOHN DOE.pem to ejbca/raadmin.pem

[NOTES] Import to the keystore
[COMMAND] keytool -import -alias raadmin-alias -file raadmin.pem -keystore keystore -storepass 1qaz1qaz
[OUTPUT] Owner: C=GB, O=ORG, OU=ORG-UNIT, CN=JOHN DOE
[OUTPUT] Issuer: C=GB, O=ETrusted, OU=Security Department, CN=ETrusted Certificate Authority
[OUTPUT] Serial number: 3dc8221452bc4c99
[OUTPUT] Valid from: Thu Jul 04 09:54:01 BST 2002 until: Sat Jul 03 10:04:01 BST 2004
[OUTPUT] Certificate fingerprints:
[OUTPUT] MD5: 98:F9:32:D7:85:AF:58:C0:C3:39:AE:E9:33:14:7F:FB
[OUTPUT] SHA1: F7:06:60:56:9F:D3:81:A8:8C:E7:30:A4:8A:14:81:63:E1:34:E9:3B
[OUTPUT] Trust this certificate? [no]: yes
[OUTPUT] Certificate was added to keystore
[COMMENTS] Point 3 advises the following command
[COMMENTS] keytool -import -alias raadmin-alias -file raadmin.pem -keystore .keystore -storepass 1qaz1qaz
[COMMENTS] This fails with :
[COMMENTS] keytool error: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: insufficient data
[COMMENTS] Changing the command to :
[COMMENTS] keytool -import -alias raadmin-alias -file raadmin.pem -keystore keystore -storepass 1qaz1qaz
[COMMENTS] seems to work fine, but does this affect the initial commands using .keystore

[NOTES] Name the keystore '.keystore' and put in $JBOSS_HOME.
[ACTION] mv keystore .keystore
[ACTION] cp .keystore $JBOSS_HOME

[NOTES] Add the EJBCA CA certificate to the trust-keystore in $JAVA_HOME/jre/lib/security/cacerts
[COMMAND] ./ca.sh getrootcert rootcert.cer
[OUTPUT] Wrote Root CA certificate to 'rootcert.cer'
[COMMAND] keytool -import -trustcacerts -file rootcert.cer -keystore cacerts -storepass 1qaz1qaz
[OUTPUT] Owner: C=GB, O=ETrusted, OU=Security Department, CN=ETrusted Certificate Authority
[OUTPUT] Issuer: C=GB, O=ETrusted, OU=Security Department, CN=ETrusted Certificate Authority
[OUTPUT] Serial number: 45d3f0c305d5429c
[OUTPUT] Valid from: Tue Jun 25 14:06:49 BST 2002 until: Wed Jun 25 14:16:49 BST 2003
[OUTPUT] Certificate fingerprints:
[OUTPUT] MD5: 70:31:88:BB:79:76:D3:4B:D4:98:97:10:9F:32:52:30
[OUTPUT] SHA1: A8:B8:D2:18:85:33:A7:F8:D8:3F:DD:2B:96:5D:8D:4A:43:1D:3B:B7
[OUTPUT] Trust this certificate? [no]: yes
[OUTPUT] Certificate was added to keystore
[ACTION] cp cacerts $JAVA_HOME/jre/lib/security/cacerts

[NOTES] Create a PKCS12 file with EJBCA for a user with CN=walter and the RAADMIN bit (temporarily CN=walter gives adminrights).
[COMMAND] ./ra.sh adduser raadmin-user2 1qaz1qaz "CN=walter, OU=ORG-UNIT, O=ORG, C=GB" "na...@se..." 32
[OUTPUT] Trying to add user:
[OUTPUT] Username: raadmin-user2
[OUTPUT] Password (hashed only): 1qaz1qaz
[OUTPUT] DN: CN=walter, OU=ORG-UNIT, O=ORG, C=GB
[OUTPUT] Email: na...@se...
[OUTPUT] Type: 32
[OUTPUT] User 'raadmin-user2' has been added.
[OUTPUT]
[OUTPUT] Note: If batch processing should be possible,
[OUTPUT] also use 'ra setclearpwd raadmin-user2 <pwd>'.
[COMMAND] ./ra.sh setclearpwd raadmin-user 1qaz1qaz
[OUTPUT] Setting clear text password 1qaz1qaz for user raadmin-user2
[COMMAND] sh ./batch.sh
[OUTPUT] 1 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating for all NEW.
[OUTPUT] 278 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating keys for raadmin-user2
[OUTPUT] 11562 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Created P12 for raadmin-user2.
[OUTPUT] 11629 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - 1 new users generated successfully - :raadmin-user2
[OUTPUT] 11629 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating for all FAILED.
[OUTPUT] 11716 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - 0 new users generated successfully -
[ACTION] Restart JBOSS

[NOTES] Install the PKCS12 file in the browser.
[NOTES] Reset raadmin-user2 to status 10 to allow browser to install cert
[COMMAND] ./ra.sh setuserstatus raadmin-user2 10
[ACTION] Go to http://servername:8080/apply/apply_exp.jsp, install Root CA and get cert for raadmin-user2/1qaz1qaz
[ACTION] Go to https://servername:8443/raadmin
[FAILURE] Browser IE : Page cannot be displayed
[ACTION] Go to http://servername:8080/raadmin/
[FAILURE] javax.servlet.ServletException: Client certificate required.
[FAILURE] se.anatom.ejbca.webdist.ejbcaathorization.AuthorizationDeniedException: Client certificate required.

-----Original Message-----
From: Tomas Gustavsson [mailto:to...@pr...]
Sent: 03 July 2002 08:47
To: Manuel Reyes
Cc: ejb...@li...
Subject: Re: [Ejbca-develop] RA Admin Web Interface

> Something seems to be failing when I try to create the PEM file with the CA
> Certificate (unfortunately I do not have openssl to try the second method of
> creating this), the batch.sh file processes correctly (i.e. no errors) and
> creates a "pem" directory in ejbca/ but this is empty so I have nothing to
> concatenate.

This may be a bug in directory creation or something...
When I try a directory is created 'ejbca/p12/pem' where all pem files are stored.

Regards,
Tomas
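README step 3 in the notes above concatenates the server certificate with the CA certificate and hands the resulting PEM file to keytool -import, and the two failures in this thread (an empty pem directory, and keytool aborting with "java.io.IOException: insufficient data") are both what an empty or truncated bundle produces at that step. The script below is an added example for checking such a bundle before importing it; it is not code from EJBCA, keytool or anyone in this thread. It assumes only the Python standard library, checks just the PEM framing and the outermost DER length of each block (no X.509 field or signature validation), and its sample bodies are constructed stand-ins (a 5-byte DER SEQUENCE), not real certificates.

```python
"""Sanity-check a concatenated PEM bundle before it goes near 'keytool -import'.

Added example for this thread, not code from EJBCA or keytool. It uses only
the Python standard library and a minimal DER outer-length check; it does NOT
validate X.509 fields or signatures. The PEM bodies in the samples below are
constructed stand-ins (a 5-byte DER SEQUENCE), not real certificates.
"""
import base64
import re
import sys

# One PEM block: the label on the BEGIN and END lines must match; body is base64.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def der_outer_length(data: bytes):
    """Return (header_len, content_len) of the outermost DER TLV, or None when
    even the tag/length header is incomplete."""
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2, first
    num = first & 0x7F                     # long form: 0x8N, then N length bytes
    if num == 0 or len(data) < 2 + num:
        return None
    return 2 + num, int.from_bytes(data[2:2 + num], "big")


def inspect_pem_bundle(text: str) -> dict:
    """Describe each PEM block in 'text' and collect structural problems."""
    blocks, problems = [], []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode(body)
        except ValueError:
            blocks.append({"label": label, "bytes": 0, "status": "bad-base64"})
            problems.append(f"{label}: body is not valid base64")
            continue
        shape = der_outer_length(der)
        if der[:1] != b"\x30" or shape is None:
            status = "malformed"           # not even a complete SEQUENCE header
            problems.append(f"{label}: not a DER SEQUENCE / header incomplete")
        else:
            hdr, length = shape
            if hdr + length > len(der):
                status = "truncated"       # length header promises bytes that are missing
                problems.append(f"{label}: DER declares {hdr + length} bytes, file has {len(der)}")
            elif hdr + length < len(der):
                status = "trailing-data"
                problems.append(f"{label}: {len(der) - hdr - length} unexpected bytes after the SEQUENCE")
            else:
                status = "complete"
        blocks.append({"label": label, "bytes": len(der), "status": status})

    certs = sum(1 for b in blocks if b["label"] == "CERTIFICATE")
    keys = sum(1 for b in blocks if "PRIVATE KEY" in b["label"])
    if not blocks:
        problems.append("no PEM blocks found (empty or non-PEM file)")
    elif certs < 2:
        # README step 3 concatenates the server certificate with the CA
        # certificate, so a correctly built bundle carries at least two.
        problems.append(f"only {certs} CERTIFICATE block(s); expected server cert + CA cert")
    if keys:
        # A '-Key.pem' file concatenated by mistake would put private key
        # material into a file that gets copied around; keytool -import
        # takes certificates, not keys, from a PEM file.
        problems.append(f"{keys} private key block(s) present; the import bundle should hold certificates only")
    return {"blocks": blocks, "certificates": certs, "private_keys": keys, "problems": problems}


# Constructed sample bodies: "MAMCAQE=" is the DER SEQUENCE { INTEGER 1 }
# (30 03 02 01 01); "MAMCAQ==" is the same with its last byte cut off.
_OK = "MAMCAQE="
_CUT = "MAMCAQ=="
GOOD_BUNDLE = ("-----BEGIN CERTIFICATE-----\n" + _OK + "\n-----END CERTIFICATE-----\n") * 2
TRUNCATED_BUNDLE = "-----BEGIN CERTIFICATE-----\n" + _CUT + "\n-----END CERTIFICATE-----\n"
KEY_BUNDLE = GOOD_BUNDLE + "-----BEGIN RSA PRIVATE KEY-----\n" + _OK + "\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    # Pass a real bundle path (e.g. raadmin.pem) to check it; with no argument
    # the constructed samples are inspected instead.
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: open(sys.argv[1], encoding="ascii", errors="replace").read()}
    else:
        samples = {"good": GOOD_BUNDLE, "truncated": TRUNCATED_BUNDLE,
                   "empty": "", "with-key": KEY_BUNDLE}
    for name, text in samples.items():
        report = inspect_pem_bundle(text)
        print(f"{name}: {report['certificates']} cert(s), {report['private_keys']} key(s)")
        for p in report["problems"]:
            print("  problem:", p)
```

Run it as `python check_bundle.py raadmin.pem` (file name assumed) after the concatenation and before the keytool -import step; an empty report, or one with fewer than two CERTIFICATE blocks, means the concatenation picked up the wrong file or an empty directory, and a "truncated" block means the DER length header promises more bytes than the file holds, which is the kind of input keytool rejects rather than importing.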