How to cerrectly configure sending notifications and access rules

Help
Roman
2013-10-10
2013-10-29
  • Roman

    Roman - 2013-10-10

    I have two CAs that I'm using for different purposes:
    1. AdminCA - issuing certificates for any kind of administrators
    2. TestCA - issuing certificates for users

    I would like to send email notification to a new user so I configured it in the end entity profile.
    I have issued a certificate for TestRA administrator and set the following access rules:
    - TestRA is in the group RA administrators
    - TestRA has access only to TestCA with the full privileges

    When I added a new user the following error occurs:

    Error sending notification to user 12345 with email test@test.com.
    org.ejbca.core.model.authorization.AuthorizationDeniedException: Administrator not authorized to CA -963150219 (which is AdminCA) that existing user TestRA was created with.

    How should I configure sending email configuration to solve this error?
    When I add access to TestRA also for AdminCA then everything works fine without any error.
    But I want to give TestRA access only for TestCA.

    Is it something connected with that the TestRA is issued by AdminCA?

    I would appreciate any help.

     
  • Tomas Gustavsson

    Can you provide the full stacktrace from server.log, and the version of EJBCA you are using.

    Cheers,
    Tomas

     
    • Roman

      Roman - 2013-10-14

      Hi Tomas,

      I'm using EJCBA 4.0.16 and here is my stacktrace:

      2013-10-10 12:26:58,630 INFO [org.ejbca.extra.caservice.ExtRACAServiceWorker] (EJB-Timer-1381400415772[target=jboss.j2ee:ear=ejbca.ear,jar=ejbca-ejb.jar,name=ServiceSessionBean,service=EJB3]) Started processing message with messageId: 123456789, and uniqueId: -18673786351
      2013-10-10 12:26:59,171 WARN [org.jboss.ejb3.interceptors.aop.InterceptorsFactory] (EJB-Timer-1381400415772[target=jboss.j2ee:ear=ejbca.ear,jar=ejbca-ejb.jar,name=ServiceSessionBean,service=EJB3]) EJBTHREE-1246: Do not use InterceptorsFactory with a ManagedObjectAdvisor, InterceptorRegistry should be used via the bean container
      2013-10-10 12:26:59,171 WARN [org.jboss.ejb3.interceptors.aop.InterceptorsFactory] (EJB-Timer-1381400415772[target=jboss.j2ee:ear=ejbca.ear,jar=ejbca-ejb.jar,name=ServiceSessionBean,service=EJB3]) EJBTHREE-1246: Do not use InterceptorsFactory with a ManagedObjectAdvisor, InterceptorRegistry should be used via the bean container
      2013-10-10 12:26:59,489 INFO [org.ejbca.core.ejb.ra.UserAdminSessionBean] (EJB-Timer-1381400415772[target=jboss.j2ee:ear=ejbca.ear,jar=ejbca-ejb.jar,name=ServiceSessionBean,service=EJB3]) Admin TestRA not authorized to resource /ca/-963150219
      2013-10-10 12:26:59,489 ERROR [org.ejbca.core.ejb.ra.UserAdminSessionBean] (EJB-Timer-1381400415772[target=jboss.j2ee:ear=ejbca.ear,jar=ejbca-ejb.jar,name=ServiceSessionBean,service=EJB3]) Error sending notification to user 12345 with email test@test.com.
      org.ejbca.core.model.authorization.AuthorizationDeniedException: Administrator not authorized to CA -963150219 that existing user TestRA was created with.
      at org.ejbca.core.ejb.ra.UserAdminSessionBean.returnUserDataVO(UserAdminSessionBean.java:1430)
      at org.ejbca.core.ejb.ra.UserAdminSessionBean.findUser(UserAdminSessionBean.java:1354)
      at org.ejbca.core.ejb.ra.UserAdminSessionBean.sendNotification(UserAdminSessionBean.java:1862)
      at org.ejbca.core.ejb.ra.UserAdminSessionBean.addUser(UserAdminSessionBean.java:333)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:616)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
      at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
      at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:73)
      at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:59)
      at sun.reflect.GeneratedMethodAccessor340.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:616)
      at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
      at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_1108267618.invoke(InvocationContextInterceptor_z_fillMethod_1108267618.java)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
      at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_1108267618.invoke(InvocationContextInterceptor_z_setup_1108267618.java)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
      at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:190)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:176)
      at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:216)
      at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:207)
      at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:164)
      at sun.proxy.$Proxy409.addUser(Unknown Source)
      at org.ejbca.extra.caservice.processor.MessageProcessor.storeUserData(MessageProcessor.java:305)
      at org.ejbca.extra.caservice.processor.EditUserRequestProcessor.processExtRAEditUserRequest(EditUserRequestProcessor.java:70)
      at org.ejbca.extra.caservice.processor.EditUserRequestProcessor.process(EditUserRequestProcessor.java:38)
      at org.ejbca.extra.caservice.processor.MessageProcessor.processSubMessage(MessageProcessor.java:160)
      at org.ejbca.extra.caservice.ExtRACAServiceWorker.processWaitingMessages(ExtRACAServiceWorker.java:255)
      at org.ejbca.extra.caservice.ExtRACAServiceWorker.work(ExtRACAServiceWorker.java:94)
      at org.ejbca.core.ejb.services.ServiceSessionBean.executeServiceInNoTransaction(ServiceSessionBean.java:578)
      at sun.reflect.GeneratedMethodAccessor533.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:616)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
      at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
      at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:73)
      at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:59)
      at sun.reflect.GeneratedMethodAccessor340.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:616)
      at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
      at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_1108267618.invoke(InvocationContextInterceptor_z_fillMethod_1108267618.java)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
      at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_1108267618.invoke(InvocationContextInterceptor_z_setup_1108267618.java)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.aspects.tx.TxPolicy.invokeInNoTx(TxPolicy.java:66)
      at org.jboss.ejb3.tx.TxInterceptor$NotSupported.invoke(TxInterceptor.java:114)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:176)
      at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:216)
      at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:207)
      at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:164)
      at sun.proxy.$Proxy433.executeServiceInNoTransaction(Unknown Source)
      at org.ejbca.core.ejb.services.ServiceSessionBean.timeoutHandler(ServiceSessionBean.java:457)
      at sun.reflect.GeneratedMethodAccessor528.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:616)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
      at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
      at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:73)
      at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:59)
      at sun.reflect.GeneratedMethodAccessor340.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:616)
      at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
      at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_1108267618.invoke(InvocationContextInterceptor_z_fillMethod_1108267618.java)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
      at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_1108267618.invoke(InvocationContextInterceptor_z_setup_1108267618.java)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.aspects.tx.TxPolicy.invokeInNoTx(TxPolicy.java:66)
      at org.jboss.ejb3.tx.TxInterceptor$NotSupported.invoke(TxInterceptor.java:114)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:138)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:80)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
      at org.jboss.ejb3.stateless.StatelessContainer.callTimeout(StatelessContainer.java:249)
      at org.jboss.as.ejb3.timerservice.TimedObjectInvokerBridge.callTimeout(TimedObjectInvokerBridge.java:44)
      at org.jboss.ejb.txtimer.TimerImpl$TimerTaskImpl.run(TimerImpl.java:561)
      at java.util.TimerThread.mainLoop(Timer.java:534)
      at java.util.TimerThread.run(Timer.java:484)

       
  • Tomas Gustavsson

    Are you sure you are using 4.0.16? The line numbers in your stack trace (for example UserAdminSessionBean, line 1430, does not match the source code of EJBCA 4.0.16.

     
  • Roman

    Roman - 2013-10-15

    Yes, I'm using version 4.0.16.

    I realized that I slightly modified UsedAdminSessionBean but it shouldn't have any influence on how it works (I just added information about revocation reason to revokeUser to be able to send it through email...)

    In the attachment you can find my UserAdminSessionBean.

     
  • Tomas Gustavsson

    It unfortunately looks like the code is constructed so that the admin needs to be authorized to the CA that the admin certificate was issued from.

    If it's any comfort, this will work better (already fixed, probably as a side effect) in the upcoming EJBCA 6.0, later this year.

    Cheers,
    Tomas

     
  • Tonio

    Tonio - 2013-10-29

    Hello,
    I am experiencing exactely the same issue :
    Email notification can't be sent by a RA admin which is not authorized on the CA that issued his certificate.

    We found a workaround (Use at your own risks )

    In function sendNotification on line 1854 of the file UserAdminSessionBean.java replace
    UserNotificationParamGen paramGen = new UserNotificationParamGen(data, approvalAdminDN, findUser(admin, admin.getUsername()));
    by
    UserNotificationParamGen paramGen = new UserNotificationParamGen(data, approvalAdminDN, data);

    I did not encountered side effect for the moment.

    regards,

    Tonio

     

Log in to post a comment.