Enabling Log Signing using TSA on VA Breaks it!

[E-Sharifi]

Hi Every Body
i enabled Log Signing using TSA In JBoss according to following instruction found in ejbca website:
http://wiki.ejbca.org/logsigning#toc5
note that i copied some other jar file from lib/ to jboss.home/server/default/lib due to dependency problems solve.

this work perfectly on ejbca installed as CA, but on ejbca installed as VA, after ant jbosslogsigning something strange happened! this breaks VA with following Error in jboss:
ERROR [SigningEntityContainer] No valid keys. Key directory /opt/jboss/bin/keys. No P11 defined.

log signing works perfectly(Rotates and Signs file correctly) but VA breaks and can not response OCSP requests with following Log:
INFO [OCSPServletBase] Received OCSP request for certificate with serNo: 1474e75b8bcdaa68, and issuerNameHash: 8fb5a155ea28aebd71311009da2c2065f59b447f. Client ip 192.168.50.3.
INFO [OCSPServletBase] Adding status information (good) for certificate with serial '1474e75b8bcdaa68' from issuer 'CN=RootCA1'.
ERROR [OCSPServletBase] Error processing OCSP request. Message: .
java.lang.NullPointerException
at org.ejbca.core.protocol.ocsp.OCSPData.getCaid(OCSPData.java:65)
at org.ejbca.core.protocol.ocsp.standalonesession.StandAloneSession.extendedService(StandAloneSession.java:312)
at org.ejbca.ui.web.protocol.OCSPServletStandAlone.extendedService(OCSPServletStandAlone.java:126)
at org.ejbca.ui.web.protocol.OCSPServletBase.signOCSPResponse(OCSPServletBase.java:196)
at org.ejbca.ui.web.protocol.OCSPServletBase.serviceOCSP(OCSPServletBase.java:826)
at org.ejbca.ui.web.protocol.OCSPServletBase.doPost(OCSPServletBase.java:345)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:679)

my appender configuration for log signing in jboss-log4j.xml is:

<appender name="MY" class="org.ejbca.appserver.jboss.SigningDailyRollingFileAppender">

  <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>

  <param name="File" value="/opt/jboss/log/my.log"/>
  <param name="Append" value="false"/>
  <param name="SignMethod" value="tsa"/>
  <param name="TsaUrl" value="http://192.168.50.6:8080/signserver/tsa?signerId=1"/>

  <!-- Rollover at the top of each hour -->
  <param name="DatePattern" value="'.'yyyy-MM-dd-HH"/>

  <layout class="org.apache.log4j.PatternLayout">

 <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>

  </layout>

</appender>

my development environment is: ejbca 4.0.12 on Jboss 5.1.0.GA on Opensuse.

any one has deployed log signing using TSA on VA successfully?

any help is appreciated in advance.

[ejbca-support]

Hi,
As far as I know log-signing isn't supported by the VA.

Cheers
Anders
tech support

On 2013-03-02 07:34, E-Sharifi wrote:

Hi Every Body
i enabled Log Signing using TSA In JBoss according to following instruction found in ejbca website:
http://wiki.ejbca.org/logsigning#toc5
note that i copied some other jar file from lib/ to jboss.home/server/default/lib due to dependency problems solve.

this work perfectly on ejbca installed as CA, but on ejbca installed as VA, after ant jbosslogsigning something strange happened! this breaks VA with following Error in jboss:
ERROR [SigningEntityContainer] No valid keys. Key directory /opt/jboss/bin/keys. No P11 defined.

log signing works perfectly(Rotates and Signs file correctly) but VA breaks and can not response OCSP requests with following Log:
INFO [OCSPServletBase] Received OCSP request for certificate with serNo: 1474e75b8bcdaa68, and issuerNameHash: 8fb5a155ea28aebd71311009da2c2065f59b447f. Client ip 192.168.50.3.
INFO [OCSPServletBase] Adding status information (good) for certificate with serial '1474e75b8bcdaa68' from issuer 'CN=RootCA1'.
ERROR [OCSPServletBase] Error processing OCSP request. Message: .
java.lang.NullPointerException
at org.ejbca.core.protocol.ocsp.OCSPData.getCaid(OCSPData.java:65)
at org.ejbca.core.protocol.ocsp.standalonesession.StandAloneSession.extendedService(StandAloneSession.java:312)
at org.ejbca.ui.web.protocol.OCSPServletStandAlone.extendedService(OCSPServletStandAlone.java:126)
at org.ejbca.ui.web.protocol.OCSPServletBase.signOCSPResponse(OCSPServletBase.java:196)
at org.ejbca.ui.web.protocol.OCSPServletBase.serviceOCSP(OCSPServletBase.java:826)
at org.ejbca.ui.web.protocol.OCSPServletBase.doPost(OCSPServletBase.java:345)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:679)

my appender configuration for log signing in jboss-log4j.xml is:

<appender name="MY" class="org.ejbca.appserver.jboss.SigningDailyRollingFileAppender">

<errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>

<param name="File" value="/opt/jboss/log/my.log"/>
<param name="Append" value="false"/>
<param name="SignMethod" value="tsa"/>
<param name="TsaUrl" value="http://192.168.50.6:8080/signserver/tsa?signerId=1"/>

<param name="DatePattern" value="'.'yyyy-MM-dd-HH"/>

<layout class="org.apache.log4j.PatternLayout">

<param name="ConversionPattern" value="%d %-5p &lt;span&gt;[%c]&lt;/span&gt; %m%n"/>

</layout>

my development environment is: ejbca 4.0.12 on Jboss 5.1.0.GA on Opensuse.

any one has deployed log signing using TSA on VA successfully?

any help is appreciated in advance.

Enabling Log Signing using TSA on VA Breaks it! https://sourceforge.net/p/ejbca/discussion/132019/thread/815c683a/?limit=25#ad50

---

Sent from sourceforge.net because you indicated interest in https://sourceforge.net/p/ejbca/discussion/132019/

To unsubscribe from further messages, please visit https://sourceforge.net/auth/prefs/

[E-Sharifi]

Thanks for your Rapid Answer.
So what can i do now for signing Logs in VA? what is the best solution in your Idea?

Thanks in Advance

[Tomas Gustavsson]

You have to o some testing. Remove your extra jars from server/default/lib.

If the VA works fine then, you have some class collissions that you do not want.