throw away CA mode not working

Help
Michal
2012-12-13
2013-02-18
  • Michal

    Michal - 2012-12-13

    Hi,

    I'm trying to use EJBCA in throw away CA mode - I created a CA and disabled everything under the "Directives" section (use user storage etc.). Now, I'm trying to enroll an iPhone using SCEP and I get the exception pasted below. I did not create any end entities for this CA; I want EJBCA to be able to issue a certificate to many devices and not have to add users to EJBCA for each one, but I do want the certificates issued to uniquely identify the device (i.e. the subject name will be different and probably be some id from the device) - is this possible? I thought maybe the way to do it is using the throw away CA mode.

    Note - I was able to issue a certificate to the device in the regular mode, for a CA that has an end user etc. So the basic integration works; I just want to know how I can achieve the functionality I described above.

    Thanks!

    2012-12-13 17:31:04,007 INFO   (http-0.0.0.0-8080-3) Received a SCEP message from 82.166.134.215.
    2012-12-13 17:31:04,016 INFO   (http-0.0.0.0-8080-3) Sent a SCEP GetCACert response to 82.166.134.215.
    2012-12-13 17:31:04,122 INFO   (http-0.0.0.0-8080-3) Received a SCEP message from 82.166.134.215.
    2012-12-13 17:31:04,341 INFO   (http-0.0.0.0-8080-3) Received a SCEP message from 82.166.134.215.
    2012-12-13 17:31:04,362 ERROR  (http-0.0.0.0-8080-3) Error processing SCEP request.
    javax.ejb.EJBException: java.lang.NullPointerException
            at org.jboss.ejb3.tx.Ejb3TxPolicy.handleExceptionInOurTx(Ejb3TxPolicy.java:77)
            at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:83)
            at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:190)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
            at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
            at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
            at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
            at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
            at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
            at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
            at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
            at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:176)
            at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:216)
            at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:207)
            at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:164)
            at $Proxy467.createCertificate(Unknown Source)
            at org.ejbca.ui.web.protocol.ScepPkiOpHelper.scepCertRequest(ScepPkiOpHelper.java:73)
            at org.ejbca.ui.web.protocol.ScepServlet.service(ScepServlet.java:186)
            at org.ejbca.ui.web.protocol.ScepServlet.doPost(ScepServlet.java:127)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
            at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
            at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
            at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
            at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
            at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
            at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
            at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
            at java.lang.Thread.run(Thread.java:679)
    Caused by: java.lang.NullPointerException
            at org.ejbca.core.ejb.ca.sign.RSASignSessionBean.createCertificate(RSASignSessionBean.java:296)
            at sun.reflect.GeneratedMethodAccessor503.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            at java.lang.reflect.Method.invoke(Method.java:616)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
            at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
            at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:73)
            at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:59)
            at sun.reflect.GeneratedMethodAccessor330.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            at java.lang.reflect.Method.invoke(Method.java:616)
            at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
            at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
            at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_1889382573.invoke(InvocationContextInterceptor_z_fillMethod_1889382573.java)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
            at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
            at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_1889382573.invoke(InvocationContextInterceptor_z_setup_1889382573.java)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
            at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
            at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
            at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
            at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
            at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
            at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
            … 47 more

     
  • Anonymous

    Anonymous - 2012-12-13

    I don't think the throw away mode has been tested with other protocols than Web Services.

    PrimeKey has recently built a Mobile RA that does automatic creation of users as well as sending sign-up notifications via Email or SMS that works for iOS and Android.  This component is currently not available for community customers.

    Cheers
    Anders
    tech support

     
  • Tomas Gustavsson

    Yes, web services and CMP. Throw away mode does not work with SCEP, only with RA-type protocols.

     
  • Michal

    Michal - 2012-12-13

    Thank you both for the quick answer. So if I understand correctly, there's no other configuration I can do to a CA so I can issue identity certificates to iOS devices using SCEP (certificates which will be different for each device) without creating an end entity first (using web services APIs I assume)?

    Thanks,
    Michal

     
  • Anonymous

    Anonymous - 2012-12-13

    That's correct.

    In our Mobile RA, the iOS profile, SCEP password and EJBCA user are created automatically for each registered device/user.

    Cheers,
    Anders
    tech support
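The workflow the thread converges on, since SCEP cannot use throw away mode, is to pre-register one end entity per device before the device enrolls and hand that device a profile carrying its own challenge password. The following is an added example of that pre-registration step, not code from the thread, from EJBCA or from PrimeKey's Mobile RA. It builds the end-entity record (field names mirror EJBCA's UserDataVOWS as used by the editUser web service call, an assumption to check against your release) and the matching iOS SCEP configuration profile. The CA name, profile names, SCEP URL, organization and the sample device identifiers are all constructed for the example. It relies on the documented EJBCA SCEP behaviour that the end entity is looked up by the CN of the request and authenticated with the CSR's challengePassword; verify that against your version.

```python
"""Per-device SCEP pre-registration for EJBCA: one end entity per device, created
before the device talks to the SCEP servlet, plus the matching iOS SCEP profile.

Added example, not EJBCA, PrimeKey Mobile RA or thread code. Assumptions are
marked; field names mirror EJBCA's UserDataVOWS and Apple's SCEP payload keys."""
import plistlib
import re
import secrets
import uuid

# Constructed sample device identifiers (shaped like iOS UDIDs, not real ones).
SAMPLE_DEVICES = [
    "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678",
    "0011223344556677889900aabbccddeeff001122",
]
DEVICE_ID_RE = re.compile(r"^[0-9a-f]{40}$")  # assumed device-id shape

# Assumed deployment names; substitute your own.
CA_NAME = "MobileDeviceCA"
END_ENTITY_PROFILE = "MobileDevice"
CERT_PROFILE = "ENDUSER"
SCEP_URL = "https://ca.example.test/ejbca/publicweb/apply/scep/pkiclient.exe"
STATUS_NEW = 10  # EJBCA end-entity status NEW


def make_device_end_entity(device_id):
    """Record to push with the WS editUser call (or the ra CLI) before enrollment.

    EJBCA's SCEP servlet looks the end entity up by the CN of the request and
    authenticates it with the CSR's challengePassword (per EJBCA's SCEP docs,
    verify for your release), so username == CN and the challenge is the
    one-time end-entity password. Each device gets its own DN and its own
    secret; nothing is shared across devices.
    """
    if not DEVICE_ID_RE.match(device_id):
        raise ValueError("device id must be 40 lowercase hex characters")
    challenge = secrets.token_urlsafe(24)  # one-time SCEP challenge password
    return {
        "username": device_id,
        "password": challenge,
        "subjectDN": f"CN={device_id},OU=Mobile Devices,O=Example Corp",
        "caName": CA_NAME,
        "endEntityProfileName": END_ENTITY_PROFILE,
        "certificateProfileName": CERT_PROFILE,
        "tokenType": "USERGENERATED",  # the device generates its own key pair
        "status": STATUS_NEW,          # one enrollment, then the entity is GENERATED
    }


def make_scep_profile(entity, scep_url=SCEP_URL, org="Example Corp"):
    """iOS configuration profile (.mobileconfig) with a SCEP payload for one device.

    The profile carries that device's challenge, so deliver it over an
    authenticated channel to that device only and discard it after enrollment.
    """
    rdns = [part.split("=", 1) for part in entity["subjectDN"].split(",")]
    scep_payload = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.scep.{entity['username']}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Device identity certificate",
        "PayloadContent": {
            "URL": scep_url,
            "Name": entity["caName"],  # GetCACert 'message'; EJBCA expects the CA name
            "Subject": [[[k, v]] for k, v in rdns],  # Apple's nested-array DN form
            "Challenge": entity["password"],
            "Keysize": 2048,
            "Key Type": "RSA",
            "Key Usage": 5,  # digital signature + key encipherment
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.mdm.{entity['username']}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Device identity enrollment",
        "PayloadOrganization": org,
        "PayloadContent": [scep_payload],
    }
    return plistlib.dumps(profile)


def read_scep_payload(profile_bytes):
    """Return the SCEP PayloadContent dict from a serialized profile (for checks)."""
    profile = plistlib.loads(profile_bytes)
    return next(p for p in profile["PayloadContent"]
                if p["PayloadType"] == "com.apple.security.scep")["PayloadContent"]


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        entity = make_device_end_entity(dev)
        profile = make_scep_profile(entity)
        print(entity["username"], entity["subjectDN"], len(profile), "bytes")
```

The end-entity record is created first, the profile second, and the device enrolls third; the order matters because the SCEP servlet rejects a request for an end entity that does not yet exist. Because the entity is registered with status NEW and a single challenge, a second enrollment with the same profile fails until the entity is reset, which is the behaviour you want for a one-shot device identity.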

     
