External OCSP/VA 6.0.4 problems accessing the Admin GUI

Help
2014-04-16
2014-04-23
  • Baptiste Grenier

    Hi all,
    Following the OCSP/VA official documentation, I am trying to setup an external OCSP responder/VA for an EJBCA CA server that is on a protected network.

    The CA certificates, CRLs and user certificates seem to be correctly published to the OCSP and the /crls/search.cfi and /certificates/search.cgi do present the crls/CA certificates.

    I am now trying to setup the AdminGUI, but I am unable to access it, I get the following error message:

    15:44:55,067 INFO  [org.ejbca.core.ejb.ra.EndEntityManagementSessionBean] (http--0.0.0.0-8443-1) Your certificate does not belong to any user. Issuer CN=Manage
    mentCA,O=gnubila,C=FR, serialNo 415fe3c3639248b2.
    15:44:55,396 ERROR [errorpage.jsp] (http--0.0.0.0-8443-1) Certificate with SN 4710734163581487282 did not belong to user CN=ManagementCA,O=XXXXX,C=FR: java.l
    ang.RuntimeException: Certificate with SN 4710734163581487282 did not belong to user CN=ManagementCA,O=XXXXX,C=FR
            at org.ejbca.ui.web.admin.configuration.EjbcaWebBean.initialize(EjbcaWebBean.java:216) [classes:]
            at org.apache.jsp.index_jsp._jspService(index_jsp.java:84)
            at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [jbossweb-7.0.13.Final.jar:]
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
            at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:369) [jbossweb-7.0.13.Final.jar:]
    

    I used the following commands to import the ManagementCA CA certificate and assign a role to the certificate:

    jboss@ra:/opt/ejbca$ bin/ejbca.sh ca importcacert ManagementCA ManagementCA.cacert.pem
    Imported CA ManagementCA
    jboss@ra:/opt/ejbca$ bin/ejbca.sh roles addadmin "Super Administrator Role" Man
    agementCA WITH_COMMONNAME TYPE_EQUALCASE 'Baptiste Grenier'
    No database integrity protection available in this version of EJBCA.
    jboss@ra:/opt/ejbca$ bin/ejbca.sh ca info ManagementCA
    CA name: ManagementCA
    CA type: 1
    CA ID: -379989233
    CA CRL Expiration Period: 0
    CA CRL Issue Interval: 0
    CA Description: CA created by certificate import.
    This is a Root CA.
    Size of chain: 1
    Root CA DN: CN=ManagementCA,O=XXXXX,C=FR
    Root CA id: -379989233
    Certificate valid from: Fri Mar 21 11:24:26 CET 2014
    Certificate valid to: Mon Mar 18 11:24:26 CET 2024
    Root CA key algorithm: RSA
    Root CA key size: 2048
    jboss@ra:/opt/ejbca$ bin/ejbca.sh roles listadmins 'Super Administrator Role'
    No database integrity protection available in this version of EJBCA.
    "ManagementCA" WITH_COMMONNAME TYPE_EQUALCASE "Baptiste Grenier"
    

    I also published the user certificate to the OCSP responder (using the republish button on the certificate page).

    I think that the problem might be an incorect configuration of the keystores.
    I created a servercert keystore signed by the management CA used for the tomcat.jks, but for me it wasn't clear at all how the p12/truststore.jks has to be created... I tried to copy the one from the CA server (containing the certificate for the ManagementCA generated by ant) but I am very doubtfull about the fact that this is correct...

    It is also completely unclear if a VA/OCSP responder can be used as a RA service, allowing users to retrieve their certificates and request new ones using self registration, the web gui of the VA seems to offer all the required components, but I wonder if it just a side effect ot the setup or if they can effectively be used... :/ Will we need to install an external-ra GUI for the users or will the external VA/OCSP be sufficient?

    Thanks for any help!

    Best,
    Baptiste

     
    Last edit: Baptiste Grenier 2014-04-16
  • Tomas Gustavsson

    To solve the first error:
    An End Entity needs to exist in the database (or you need to configure to not require user cert in database in web.properties).

    The VA/OCSP can not be used as an RA.

    Cheers,
    Tomas


    Save time and money with an Enterprise support subscription. Please see www.primekey.se for more information.
    http://www.primekey.se/Products/EJBCA+PKI/
    http://www.primekey.se/Services/Support/

     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks