|
From: Shrikant P. <SP...@pd...> - 2017-03-16 16:45:41
|
Anders

It seems I can set the end entity profile name (string) in the UserDataVOWS. And this use UserDataVOWS in EjbcaWS.certificateRequest(). This makes me think one has to manually create the end entity profile from EJBCA GUI. We wanted to avoid that. Instead, we are looking for functionality to programmatically (dynamically using code) create end entity profile.

Thank you and appreciate it.
Shri
__________________________________________________
Shrikant Patel | 817.367.4302

-----Original Message-----
From: Anders Rundgren [mailto:and...@gm...]
Sent: Thursday, March 16, 2017 12:52 AM
To: ejb...@li...
Subject: Re: [Ejbca-develop] API for adding EndEntity programmatically.

On 2017-03-15 23:14, Shrikant Patel wrote:
> Hi Experts,
>
> From documentation, it seems for every entity\user we need to create the certificate, we need to have End Entity in EJB CA.
>
> From looking at EjbcaWS documentation I don't see API for adding end entity programmatically. Am I missing anything??

Hi Shri,

This is what you are looking for:
https://www.ejbca.org/docs/ws/org/ejbca/core/protocol/ws/client/gen/UserDataVOWS.html

Anders

> Thanks,
> Shri

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Ejbca-develop mailing list
Ejb...@li...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

This e-mail and its contents (to include attachments) are the property of National Health Systems, Inc., its subsidiaries and affiliates, including but not limited to Rx.com Community Healthcare Network, Inc. and its subsidiaries, and may contain confidential and proprietary or privileged information. If you are not the intended recipient of this e-mail, you are hereby notified that any unauthorized disclosure, copying, or distribution of this e-mail or of its attachments, or the taking of any unauthorized action based on information contained herein is strictly prohibited. Unauthorized use of information contained herein may subject you to civil and criminal prosecution and penalties. If you are not the intended recipient, please immediately notify the sender by telephone at 800-433-5719 or return e-mail and permanently delete the original e-mail.
|
|
From: Anders R. <and...@gm...> - 2017-03-16 05:52:00
|
On 2017-03-15 23:14, Shrikant Patel wrote:
> Hi Experts,
>
> From documentation, it seems for every entity\user we need to create the certificate, we need to have End Entity in EJB CA.
>
> From looking at EjbcaWS documentation I don’t see API for adding end entity programmatically. Am I missing anything??

Hi Shri,

This is what you are looking for:
https://www.ejbca.org/docs/ws/org/ejbca/core/protocol/ws/client/gen/UserDataVOWS.html

Anders

> Thanks,
> Shri
|
|
From: Shrikant P. <SP...@pd...> - 2017-03-15 22:48:55
|
Hi Experts,

From documentation, it seems for every entity\user we need to create the certificate, we need to have End Entity in EJB CA.

From looking at EjbcaWS documentation I don't see API for adding end entity programmatically. Am I missing anything??

Thanks,
Shri
|
|
From: Tomas G. <to...@pr...> - 2017-03-03 01:39:58
|
As far as I can see the WS method will create both a full CRL and a
deltaCRL, if delta CRLs are enabled.
publishingCrlSession.forceCRL(admin, cainfo.getCAId());
publishingCrlSession.forceDeltaCRL(admin, cainfo.getCAId());
Regards,
Tomas
On 2017-03-02 17:53, Nikita Bedmutha wrote:
> Hi,
>
> I am using EJBCA 6.5.0.4 and have configured the Delta CRL Period
> greater than 0 for a CA, so that it supports issuing delta CRLs.
> I am unable to locate any webservice SOAP call to create the delta CRL
> for a CA. The createCRL WS call does not have any 'delta' option, it
> takes only CA name and creates the complete CRL.
> The getLatestCRL method does support fetching delta CRL using 'delta' as
> one of the boolean parameter. However, to fetch it, the delta CRL must
> be created first.
> Hence, every time I fetch the latest delta CRL, it comes out to be a CRL
> with no revoked certificates in it, as the delta CRL must have not been
> created.
>
> When I tried creating the delta CRL through CLI (createcrl -delta) and
> then getLatestCRL using delta, it worked fine.
> But I want to trigger the createCRL with delta option through WS call,
> is there any way to do so?
>
>
> Regards,
> Nikita Bedmutha
> Software Engineer | m: +91 94042 02790 | <http://www.linkedin.com/in/nikitabedmutha>
> Great Software Laboratory <http://www.gslab.com/>
|
|
From: Tomas G. <to...@pr...> - 2017-03-03 01:28:22
|
Hi,

Your issue is that you don't have an EJBCA datasource at all. In the log file JBoss logs when creating datasources (i.e. connections to the database). It only logs:

2017-03-02 12:54:01,152 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0018: Host default-host starting
2017-03-02 12:54:01,722 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
2017-03-02 12:54:02,545 INFO [org.jboss.ws.common.management] (MSC service thread 1-1) JBWS022052: Starting JBossWS 5.1.5.Final (Apache CXF 3.1.6)

In the installation documentation:
https://www.ejbca.org/docs/installation.html#WildFly%2010%20/%20JBoss%20EAP%207

There is a part for "Add datasource" which must complete successfully. In order for that to complete successfully the previous steps, adding database driver and creating database must have been done.

Regards,
Tomas

On 2017-03-03 01:14, Fabian Santiago wrote:
> hello tomas,
>
> i've attached my server.log. i think you'll see that there are no obvious error messages that could pertain to this other than what I've sent you already. i also re-tried it, going over all steps again, to no avail. what do you think? Thanks.
>
> - Fabian S.
>
> On Thu, Mar 2, 2017 at 1:14 AM, Tomas Gustavsson <to...@pr...> wrote:
>>
>> This means you don't have a datasource.
>>
>> - Have you run the commands for WildFly to create the datasource?
>> - If you have, there are probably errors much earlier in the log (causing errors are always early, the last thing you see is only a symptom of database error, which is shown earlier in the log)
>>
>> /Tomas
>>
>> On 2017-03-02 12:22, Fabian Santiago wrote:
>>> Thank you.
>>>
>>> This is the only error, which matches my previous email:
>>>
>>> 2017-03-01 23:55:30,589 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 2) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "ejbca.ear")]) - failure description: {
>>> "WFLYCTL0412: Required services that are not installed:" => ["jboss.naming.context.java.EjbcaDS"],
>>> "WFLYCTL0180: Services with missing/unavailable dependencies" => [
>>> "jboss.persistenceunit.\"ejbca.ear#ejbca\" is missing [jboss.naming.context.java.EjbcaDS]",
>>> "jboss.persistenceunit.\"ejbca.ear#ejbca\".__FIRST_PHASE__ is missing [jboss.naming.context.java.EjbcaDS]"
>>> ]
>>> }
>>>
>>> - Fabian S.
>>>
>>> On Thu, Mar 2, 2017 at 12:18 AM, Tomas Gustavsson <to...@pr...> wrote:
>>>> Then you should check the wildfly server.log. You will see errors in there why ejbca is not deployed correctly. For example database errors if there are any.
>>>>
>>>> Regards,
>>>> Tomas
>>>>
>>>> On 2 March 2017 11:59:48 GMT+07:00, Fabian Santiago <fsa...@ga...> wrote:
>>>>> No,
>>>>>
>>>>> when i reach the step 'ant runinstall', a similar error occurs:
>>>>>
>>>>> ejbca:initCA:
>>>>> [echo] Initializing CA with 'GardenCA' 'CN=pki.garden-mums.com,O=Garden-lan com,C=NJ' 'soft' <ca.tokenpassword hidden> 'prime256v1' 'ECDSA' '3650' '2.5.29.32.0' 'SHA256WithECDSA' -superadmincn 'SuperAdmin'...
>>>>> [java] Exception in thread "main" java.util.ServiceConfigurationError: org.ejbca.ui.cli.infrastructure.command.CliCommandPlugin: Provider org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand could not be instantiated
>>>>> [java] at java.util.ServiceLoader.fail(ServiceLoader.java:232)
>>>>> [java] at java.util.ServiceLoader.access$100(ServiceLoader.java:185)
>>>>> [java] at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:384)
>>>>> [java] at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
>>>>> [java] at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
>>>>> [java] at org.ejbca.ui.cli.infrastructure.library.CommandLibrary.<init>(CommandLibrary.java:53)
>>>>> [java] at org.ejbca.ui.cli.infrastructure.library.CommandLibrary.<clinit>(CommandLibrary.java:38)
>>>>> [java] at org.ejbca.ui.cli.EjbcaEjbCli.main(EjbcaEjbCli.java:29)
>>>>> [java] Caused by: java.lang.IllegalStateException: EJBCLIENT000025: No EJB receiver available for handling [appName:ejbca, moduleName:cesecore-ejb, distinctName:] combination for invocation context org.jboss.ejb.client.EJBClientInvocationContext@3b938003
>>>>> [java] at org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:798)
>>>>> [java] at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:128)
>>>>> [java] at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:186)
>>>>> [java] at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:255)
>>>>> [java] at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:200)
>>>>> [java] at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:183)
>>>>> [java] at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:146)
>>>>> [java] at com.sun.proxy.$Proxy0.getAvailableTypesAndProperties(Unknown Source)
>>>>> [java] at org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand.<init>(InternalKeyBindingCreateCommand.java:69)
>>>>> [java] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>> [java] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>>> [java] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>>> [java] at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>>>> [java] at java.lang.Class.newInstance(Class.java:442)
>>>>> [java] at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
>>>>> [java] ... 5 more
>>>>>
>>>>> BUILD FAILED
>>>>> /ejbca_664/ejbca/build.xml:70: The following error occurred while executing this line:
>>>>> /ejbca_664/ejbca/bin/cli.xml:97: The following error occurred while executing this line:
>>>>> /ejbca_664/ejbca/bin/cli.xml:115: The following error occurred while executing this line:
>>>>> /ejbca_664/ejbca/bin/cli.xml:189: Java returned: 1
>>>>>
>>>>> this after switching back to wildfly and following your doc to the latter.
>>>>>
>>>>> I suspect it's due to the error i received from the cli during the "Add datasource" step:
>>>>>
>>>>> {"WFLYCTL0412: Required services that are not installed:" => ["jboss.jdbc-driver.mysql-connector-java-5_1_41-bin_jar"],"WFLYCTL0180: Services with missing/unavailable dependencies" => ["org.wildfly.data-source.ejbcads is missing [jboss.jdbc-driver.mysql-connector-java-5_1_41-bin_jar]","jboss.driver-demander.java:/EjbcaDS is missing [jboss.jdbc-driver.mysql-connector-java-5_1_41-bin_jar]"]}
>>>>>
>>>>> now what?
>>>>>
>>>>> - Fabian S.
>>>>>
>>>>> On Wed, Mar 1, 2017 at 9:53 PM, Tomas Gustavsson <to...@pr...> wrote:
>>>>>>
>>>>>> Don't do "ant deploy", follow the WildFly 10/EAP 7 installation instructions :-)
>>>>>>
>>>>>> /Tomas
>>>>>>
>>>>>> On 2017-03-02 09:34, Fabian Santiago wrote:
>>>>>>> I found an error in server.log (jboss-eap-7.0 I am now trying) after ant deploy / clean deployear:
>>>>>>>
>>>>>>> ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 2) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "ejbca.ear")]) - failure description: {"WFLYCTL0180: Services with missing/unavailable dependencies" => [
>>>>>>> "jboss.persistenceunit.\"ejbca.ear#ejbca\" is missing [jboss.naming.context.java.ejbcads]",
>>>>>>> "jboss.persistenceunit.\"ejbca.ear#ejbca\".__FIRST_PHASE__ is missing [jboss.naming.context.java.ejbcads]"
>>>>>>> ]}
>>>>>>>
>>>>>>> so now, how do i add this missing component and where to find? or is it a simple conf file typo issue? Thanks.
>>>>>>>
>>>>>>> - Fabian S.
>>>>>>>
>>>>>>> On Wed, Mar 1, 2017 at 2:45 PM, Fabian Santiago <fsa...@ga...> wrote:
>>>>>>>> hello,
>>>>>>>>
>>>>>>>> running 'ant install', it fails with:
>>>>>>>>
>>>>>>>> ejbca:initCA:
>>>>>>>> [echo] Initializing CA with 'GardenCA' 'CN=pki.garden-mums.com,O=Garden-lan com,C=NJ' 'soft' 'prime256v1' 'ECDSA' '3650' '2.5.29.32.0' 'SHA256WithRSA' -superadmincn 'SuperAdmin'...
>>>>>>>> [java] Exception in thread "main" java.util.ServiceConfigurationError: org.ejbca.ui.cli.infrastructure.command.CliCommandPlugin: Provider org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand could not be instantiated
>>>>>>>> [java] at java.util.ServiceLoader.fail(ServiceLoader.java:232)
>>>>>>>> [java] at java.util.ServiceLoader.access$100(ServiceLoader.java:185)
>>>>>>>> [java] at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:384)
>>>>>>>> [java] at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
>>>>>>>> [java] at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
>>>>>>>> [java] at org.ejbca.ui.cli.infrastructure.library.CommandLibrary.(CommandLibrary.java:53)
>>>>>>>> [java] at org.ejbca.ui.cli.infrastructure.library.CommandLibrary.(CommandLibrary.java:38)
>>>>>>>> [java] at org.ejbca.ui.cli.EjbcaEjbCli.main(EjbcaEjbCli.java:29)
>>>>>>>> [java] Caused by: java.lang.IllegalStateException: EJBCLIENT000025: No EJB receiver available for handling [appName:ejbca, moduleName:cesecore-ejb, distinctName:] combination for invocation context org.jboss.ejb.client.EJBClientInvocationContext@35fc6dc4
>>>>>>>> [java] at org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:798)
>>>>>>>> [java] at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:128)
>>>>>>>> [java] at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:186)
>>>>>>>> [java] at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:255)
>>>>>>>> [java] at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:200)
>>>>>>>> [java] at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:183)
>>>>>>>> [java] at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:146)
>>>>>>>> [java] at com.sun.proxy.$Proxy0.getAvailableTypesAndProperties(Unknown Source)
>>>>>>>> [java] at org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand.(InternalKeyBindingCreateCommand.java:69)
>>>>>>>> [java] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>>>>> [java] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>>>>>> [java] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>>>>>> [java] at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>>>>>>> [java] at java.lang.Class.newInstance(Class.java:442)
>>>>>>>> [java] at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
>>>>>>>> [java] ... 5 more
>>>>>>>>
>>>>>>>> BUILD FAILED
>>>>>>>> /ejbca_ce_6_5_0_4/build.xml:64: The following error occurred while executing this line:
>>>>>>>> /ejbca_ce_6_5_0_4/build.xml:70: The following error occurred while executing this line:
>>>>>>>> /ejbca_ce_6_5_0_4/bin/cli.xml:97: The following error occurred while executing this line:
>>>>>>>> /ejbca_ce_6_5_0_4/bin/cli.xml:115: The following error occurred while executing this line:
>>>>>>>> /ejbca_ce_6_5_0_4/bin/cli.xml:189: Java returned: 1
>>>>>>>>
>>>>>>>> i'm running:
>>>>>>>>
>>>>>>>> ubuntu 16.04 LTS
>>>>>>>> wildfly 10.1.0 final
>>>>>>>> ejbca 6.5.0.4
>>>>>>>> utilizing mysql db backend
>>>>>>>>
>>>>>>>> i've seen references out there on the web to this issue being caused by either:
>>>>>>>>
>>>>>>>> misconfigured jboss backend
>>>>>>>> missing code in ejbca source
>>>>>>>> wrong / bad version of wildfly
>>>>>>>>
>>>>>>>> Does anyone out there have a definitive fix for this?
>>>>>>>>
>>>>>>>> If i follow the quick start guide, it works fine.
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>> - - Fabian Santiago
|
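Added example (not part of the original thread, and not EJBCA or WildFly code): a Python check for the diagnosis in the message above. It folds a WildFly server.log into records, lists the data sources reported as bound (WFLYJCA0001) and the services reported as not installed (WFLYCTL0412), and classifies each missing service. The sample input is assembled from the log lines and CLI error quoted in this thread; the function names and the JNDI-to-service-name mapping are assumptions of this example.

```python
import re

# Constructed sample: the server.log lines quoted in this thread, put together
# in one string (they come from two different runs, hence the timestamps).
SAMPLE_LOG = r'''2017-03-01 23:55:30,589 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 2) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "ejbca.ear")]) - failure description: {
    "WFLYCTL0412: Required services that are not installed:" => ["jboss.naming.context.java.EjbcaDS"],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => [
        "jboss.persistenceunit.\"ejbca.ear#ejbca\" is missing [jboss.naming.context.java.EjbcaDS]",
        "jboss.persistenceunit.\"ejbca.ear#ejbca\".__FIRST_PHASE__ is missing [jboss.naming.context.java.EjbcaDS]"
    ]
}
2017-03-02 12:54:01,152 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0018: Host default-host starting
2017-03-02 12:54:01,722 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
2017-03-02 12:54:02,545 INFO  [org.jboss.ws.common.management] (MSC service thread 1-1) JBWS022052: Starting JBossWS 5.1.5.Final (Apache CXF 3.1.6)
'''

# Constructed sample: the CLI error quoted in the thread for the
# "Add datasource" step.
CLI_OUTPUT = (
    '{"WFLYCTL0412: Required services that are not installed:" => '
    '["jboss.jdbc-driver.mysql-connector-java-5_1_41-bin_jar"],'
    '"WFLYCTL0180: Services with missing/unavailable dependencies" => '
    '["org.wildfly.data-source.ejbcads is missing '
    '[jboss.jdbc-driver.mysql-connector-java-5_1_41-bin_jar]",'
    '"jboss.driver-demander.java:/EjbcaDS is missing '
    '[jboss.jdbc-driver.mysql-connector-java-5_1_41-bin_jar]"]}'
)

RECORD_START = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ')
BOUND = re.compile(r'WFLYJCA0001: Bound data source \[([^\]]+)\]')
NOT_INSTALLED = re.compile(r'WFLYCTL0412:[^\[]*\[([^\]]*)\]')


def records(text):
    """Yield log records; lines without a leading timestamp (the multi-line
    failure description) are folded into the record they continue."""
    current = []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            yield '\n'.join(current)
            current = []
        current.append(line)
    if current:
        yield '\n'.join(current)


def bound_datasources(text):
    """JNDI names of the data sources the server reported as bound."""
    return {m.group(1) for rec in records(text) for m in BOUND.finditer(rec)}


def missing_services(text):
    """Service names listed under WFLYCTL0412 (required but not installed)."""
    found = set()
    for rec in records(text):
        for m in NOT_INSTALLED.finditer(rec):
            found.update(re.findall(r'"([^"]+)"', m.group(1)))
    return found


def naming_service(jndi_name):
    """Service name for a JNDI binding, e.g. java:/EjbcaDS ->
    jboss.naming.context.java.EjbcaDS (mapping assumed from the names
    that appear in the thread)."""
    path = jndi_name.split(':', 1)[-1].lstrip('/')
    return 'jboss.naming.context.java.' + path.replace('/', '.')


def diagnose(server_log, cli_output=''):
    """Classify every missing service as (kind, service_name), sorted by name."""
    bound = {naming_service(j) for j in bound_datasources(server_log)}
    findings = []
    for svc in sorted(missing_services(server_log) | missing_services(cli_output)):
        if svc.startswith('jboss.jdbc-driver.'):
            kind = 'jdbc-driver-not-deployed'
        elif svc.startswith('jboss.naming.context.java.'):
            kind = 'bound-elsewhere-in-log' if svc in bound else 'datasource-not-bound'
        else:
            kind = 'other-missing-service'
        findings.append((kind, svc))
    return findings


if __name__ == '__main__':
    print('bound:', sorted(bound_datasources(SAMPLE_LOG)))
    for kind, svc in diagnose(SAMPLE_LOG, CLI_OUTPUT):
        print(f'{kind}: {svc}')
```

Read the findings in order: a missing JDBC driver service explains why the data source was never bound, which in turn explains why ejbca.ear fails to deploy.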
|
From: Nikita B. <nik...@gs...> - 2017-03-02 10:53:25
|
Hi,

I am using EJBCA 6.5.0.4 and have configured the Delta CRL Period greater than 0 for a CA, so that it supports issuing delta CRLs.
I am unable to locate any webservice SOAP call to create the delta CRL for a CA. The createCRL WS call does not have any 'delta' option, it takes only CA name and creates the complete CRL.
The getLatestCRL method does support fetching delta CRL using 'delta' as one of the boolean parameter. However, to fetch it, the delta CRL must be created first.
Hence, every time I fetch the latest delta CRL, it comes out to be a CRL with no revoked certificates in it, as the delta CRL must have not been created.

When I tried creating the delta CRL through CLI (createcrl -delta) and then getLatestCRL using delta, it worked fine.
But I want to trigger the createCRL with delta option through WS call, is there any way to do so?

Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | <http://www.linkedin.com/in/nikitabedmutha>
Great Software Laboratory <http://www.gslab.com/>
|
|
From: Tomas G. <to...@pr...> - 2017-03-02 05:18:49
|
Then you should check the wildfly server.log. You will see errors in there why ejbca is not deployed correctly. For example database errors if there are any.

Regards,
Tomas

On 2 March 2017 11:59:48 GMT+07:00, Fabian Santiago <fsa...@ga...> wrote:
> No,
>
> when i reach the step 'ant runinstall', a similar error occurs:
>
> ejbca:initCA:
> [echo] Initializing CA with 'GardenCA' 'CN=pki.garden-mums.com,O=Garden-lan com,C=NJ' 'soft' <ca.tokenpassword hidden> 'prime256v1' 'ECDSA' '3650' '2.5.29.32.0' 'SHA256WithECDSA' -superadmincn 'SuperAdmin'...
> [java] Exception in thread "main" java.util.ServiceConfigurationError: org.ejbca.ui.cli.infrastructure.command.CliCommandPlugin: Provider org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand could not be instantiated
> [java] at java.util.ServiceLoader.fail(ServiceLoader.java:232)
> [java] at java.util.ServiceLoader.access$100(ServiceLoader.java:185)
> [java] at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:384)
> [java] at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
> [java] at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
> [java] at org.ejbca.ui.cli.infrastructure.library.CommandLibrary.<init>(CommandLibrary.java:53)
> [java] at org.ejbca.ui.cli.infrastructure.library.CommandLibrary.<clinit>(CommandLibrary.java:38)
> [java] at org.ejbca.ui.cli.EjbcaEjbCli.main(EjbcaEjbCli.java:29)
> [java] Caused by: java.lang.IllegalStateException: EJBCLIENT000025: No EJB receiver available for handling [appName:ejbca, moduleName:cesecore-ejb, distinctName:] combination for invocation context org.jboss.ejb.client.EJBClientInvocationContext@3b938003
> [java] at org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:798)
> [java] at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:128)
> [java] at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:186)
> [java] at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:255)
> [java] at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:200)
> [java] at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:183)
> [java] at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:146)
> [java] at com.sun.proxy.$Proxy0.getAvailableTypesAndProperties(Unknown Source)
> [java] at org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand.<init>(InternalKeyBindingCreateCommand.java:69)
> [java] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> [java] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> [java] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> [java] at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> [java] at java.lang.Class.newInstance(Class.java:442)
> [java] at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
> [java] ... 5 more
>
> BUILD FAILED
> /ejbca_664/ejbca/build.xml:70: The following error occurred while executing this line:
> /ejbca_664/ejbca/bin/cli.xml:97: The following error occurred while executing this line:
> /ejbca_664/ejbca/bin/cli.xml:115: The following error occurred while executing this line:
> /ejbca_664/ejbca/bin/cli.xml:189: Java returned: 1
>
> this after switching back to wildfly and following your doc to the latter.
>
> I suspect it's due to the error i received from the cli during the "Add datasource" step:
>
> {"WFLYCTL0412: Required services that are not installed:" => ["jboss.jdbc-driver.mysql-connector-java-5_1_41-bin_jar"],"WFLYCTL0180: Services with missing/unavailable dependencies" => ["org.wildfly.data-source.ejbcads is missing [jboss.jdbc-driver.mysql-connector-java-5_1_41-bin_jar]","jboss.driver-demander.java:/EjbcaDS is missing [jboss.jdbc-driver.mysql-connector-java-5_1_41-bin_jar]"]}
>
> now what?
>
> - Fabian S.
>
> On Wed, Mar 1, 2017 at 9:53 PM, Tomas Gustavsson <to...@pr...> wrote:
>>
>> Don't do "ant deploy", follow the WildFly 10/EAP 7 installation instructions :-)
>>
>> /Tomas
>>
>> On 2017-03-02 09:34, Fabian Santiago wrote:
>>> I found an error in server.log (jboss-eap-7.0 I am now trying) after ant deploy / clean deployear:
>>>
>>> ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 2) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "ejbca.ear")]) - failure description: {"WFLYCTL0180: Services with missing/unavailable dependencies" => [
>>> "jboss.persistenceunit.\"ejbca.ear#ejbca\" is missing [jboss.naming.context.java.ejbcads]",
>>> "jboss.persistenceunit.\"ejbca.ear#ejbca\".__FIRST_PHASE__ is missing [jboss.naming.context.java.ejbcads]"
>>> ]}
>>>
>>> so now, how do i add this missing component and where to find? or is it a simple conf file typo issue? Thanks.
>>>
>>> - Fabian S.
>>>
>>> On Wed, Mar 1, 2017 at 2:45 PM, Fabian Santiago <fsa...@ga...> wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA256
>>>>
>>>> hello,
>>>>
>>>> running 'ant install', it fails with:
>>>>
>>>> ejbca:initCA:
>>>> [echo] Initializing CA with 'GardenCA' 'CN=pki.garden-mums.com,O=Garden-lan com,C=NJ' 'soft' 'prime256v1' 'ECDSA' '3650' '2.5.29.32.0' 'SHA256WithRSA' -superadmincn 'SuperAdmin'...
>>>> [java] Exception in thread "main" java.util.ServiceConfigurationError: org.ejbca.ui.cli.infrastructure.command.CliCommandPlugin: Provider org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand could not be instantiated
>>>> [java] at java.util.ServiceLoader.fail(ServiceLoader.java:232)
>>>> [java] at java.util.ServiceLoader.access$100(ServiceLoader.java:185)
>>>> [java] at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:384)
>>>> [java] at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
>>>> [java] at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
>>>> [java] at org.ejbca.ui.cli.infrastructure.library.CommandLibrary.(CommandLibrary.java:53)
>>>> [java] at org.ejbca.ui.cli.infrastructure.library.CommandLibrary.(CommandLibrary.java:38)
>>>> [java] at org.ejbca.ui.cli.EjbcaEjbCli.main(EjbcaEjbCli.java:29)
>>>> [java] Caused by: java.lang.IllegalStateException: EJBCLIENT000025: No EJB receiver available for handling [appName:ejbca, moduleName:cesecore-ejb, distinctName:] combination for invocation context org.jboss.ejb.client.EJBClientInvocationContext@35fc6dc4
>>>> [java] at org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:798)
>>>> [java] at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:128)
>>>> [java] at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:186)
>>>> [java] at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:255)
>>>> [java] at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:200)
>>>> [java] at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:183)
>>>> [java] at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:146)
>>>> [java] at com.sun.proxy.$Proxy0.getAvailableTypesAndProperties(Unknown Source)
>>>> [java] at org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand.(InternalKeyBindingCreateCommand.java:69)
>>>> [java] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>> [java] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>> [java] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>> [java] at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>>> [java] at java.lang.Class.newInstance(Class.java:442)
>>>> [java] at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
>>>> [java] ... 5 more
>>>>
>>>> BUILD FAILED
>>>> /ejbca_ce_6_5_0_4/build.xml:64: The following error occurred while executing this line:
>>>> /ejbca_ce_6_5_0_4/build.xml:70: The following error occurred while executing this line:
>>>> /ejbca_ce_6_5_0_4/bin/cli.xml:97: The following error occurred while executing this line:
>>>> /ejbca_ce_6_5_0_4/bin/cli.xml:115: The following error occurred while executing this line:
>>>> /ejbca_ce_6_5_0_4/bin/cli.xml:189: Java returned: 1
>>>>
>>>> i'm running:
>>>>
>>>> ubuntu 16.04 LTS
>>>> wildfly 10.1.0 final
>>>> ejbca 6.5.0.4
>>>> utilizing mysql db backend
>>>>
>>>> i've seen references out there on the web to this issue being caused by either:
>>>>
>>>> misconfigured jboss backend
>>>> missing code in ejbca source
>>>> wrong / bad version of wildfly
>>>>
>>>> Does anyone out there have a definitive fix for this?
>>>>
>>>> If i follow the quick start guide, it works fine.
>>>>
>>>> Thanks.
>>>>
>>>> - - - Fabian Santiago
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Ejbca-develop mailing list
>>> Ejb...@li...
>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
|
|
From: Fabian S. <fsa...@ga...> - 2017-03-02 04:59:57
|
No,
when i reach the step 'ant runinstall', a similar error occurs:
ejbca:initCA:
[echo] Initializing CA with 'GardenCA'
'CN=pki.garden-mums.com,O=Garden-lan com,C=NJ' 'soft'
<ca.tokenpassword hidden> 'prime256v1' 'ECDSA' '3650' '2.5.29.32.0'
'SHA256WithECDSA' -superadmincn 'SuperAdmin'...
[java] Exception in thread "main"
java.util.ServiceConfigurationError:
org.ejbca.ui.cli.infrastructure.command.CliCommandPlugin: Provider
org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand could not be
instantiated
[java] at java.util.ServiceLoader.fail(ServiceLoader.java:232)
[java] at java.util.ServiceLoader.access$100(ServiceLoader.java:185)
[java] at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:384)
[java] at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
[java] at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
[java] at org.ejbca.ui.cli.infrastructure.library.CommandLibrary.<init>(CommandLibrary.java:53)
[java] at org.ejbca.ui.cli.infrastructure.library.CommandLibrary.<clinit>(CommandLibrary.java:38)
[java] at org.ejbca.ui.cli.EjbcaEjbCli.main(EjbcaEjbCli.java:29)
[java] Caused by: java.lang.IllegalStateException:
EJBCLIENT000025: No EJB receiver available for handling
[appName:ejbca, moduleName:cesecore-ejb, distinctName:] combination
for invocation context
org.jboss.ejb.client.EJBClientInvocationContext@3b938003
[java] at org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:798)
[java] at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:128)
[java] at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:186)
[java] at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:255)
[java] at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:200)
[java] at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:183)
[java] at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:146)
[java] at com.sun.proxy.$Proxy0.getAvailableTypesAndProperties(Unknown Source)
[java] at org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand.<init>(InternalKeyBindingCreateCommand.java:69)
[java] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
[java] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
[java] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
[java] at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
[java] at java.lang.Class.newInstance(Class.java:442)
[java] at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
[java] ... 5 more
BUILD FAILED
/ejbca_664/ejbca/build.xml:70: The following error occurred while
executing this line:
/ejbca_664/ejbca/bin/cli.xml:97: The following error occurred while
executing this line:
/ejbca_664/ejbca/bin/cli.xml:115: The following error occurred while
executing this line:
/ejbca_664/ejbca/bin/cli.xml:189: Java returned: 1
this after switching back to wildfly and following your doc to the letter.
I suspect it's due to the error i received from the cli during the
"Add datasource" step:
{"WFLYCTL0412: Required services that are not installed:" =>
["jboss.jdbc-driver.mysql-connector-java-5_1_41-bin_jar"],"WFLYCTL0180:
Services with missing/unavailable dependencies" =>
["org.wildfly.data-source.ejbcads is missing
[jboss.jdbc-driver.mysql-connector-java-5_1_41-bin_jar]","jboss.driver-demander.java:/EjbcaDS
is missing [jboss.jdbc-driver.mysql-connector-java-5_1_41-bin_jar]"]}
now what?
- Fabian S.
On Wed, Mar 1, 2017 at 9:53 PM, Tomas Gustavsson <to...@pr...> wrote:
>
> Don't do "ant deploy", follow the WildFly 10/EAP 7 installation
> instructions :-)
>
> /Tomas
>
> On 2017-03-02 09:34, Fabian Santiago wrote:
>> I found an error in server.log (jboss-eap-7.0 I am now trying) after
>> ant deploy / clean deployear:
>>
>> ERROR [org.jboss.as.controller.management-operation]
>> (DeploymentScanner-threads - 2) WFLYCTL0013: Operation ("deploy")
>> failed - address: ([("deployment" => "ejbca.ear")]) - failure
>> description: {"WFLYCTL0180: Services with missing/unavailable
>> dependencies" => [
>> "jboss.persistenceunit.\"ejbca.ear#ejbca\" is missing
>> [jboss.naming.context.java.ejbcads]",
>> "jboss.persistenceunit.\"ejbca.ear#ejbca\".__FIRST_PHASE__ is
>> missing [jboss.naming.context.java.ejbcads]"
>> ]}
>>
>> so now, how do i add this missing component and where to find? or is
>> it a simple conf file typo issue? Thanks.
>>
>> - Fabian S.
>>
>>
>> On Wed, Mar 1, 2017 at 2:45 PM, Fabian Santiago
>> <fsa...@ga...> wrote:
>>>
>>> hello,
>>>
>>> running 'ant install', it fails with:
>>>
>>> ejbca:initCA:
>>> [echo] Initializing CA with 'GardenCA'
>>> 'CN=pki.garden-mums.com,O=Garden-lan com,C=NJ' 'soft' 'prime256v1'
>>> 'ECDSA' '3650' '2.5.29.32.0' 'SHA256WithRSA' -superadmincn
>>> 'SuperAdmin'...
>>> [java] Exception in thread "main"
>>> java.util.ServiceConfigurationError:
>>> org.ejbca.ui.cli.infrastructure.command.CliCommandPlugin: Provider
>>> org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand could not be
>>> instantiated
>>> [java] at java.util.ServiceLoader.fail(ServiceLoader.java:232)
>>> [java] at java.util.ServiceLoader.access$100(ServiceLoader.java:185)
>>> [java] at
>>> java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:384)
>>> [java] at
>>> java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
>>> [java] at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
>>> [java] at
>>> org.ejbca.ui.cli.infrastructure.library.CommandLibrary.<init>(CommandLibrary.java:53)
>>> [java] at
>>> org.ejbca.ui.cli.infrastructure.library.CommandLibrary.<clinit>(CommandLibrary.java:38)
>>> [java] at org.ejbca.ui.cli.EjbcaEjbCli.main(EjbcaEjbCli.java:29)
>>> [java] Caused by: java.lang.IllegalStateException:
>>> EJBCLIENT000025: No EJB receiver available for handling
>>> [appName:ejbca, moduleName:cesecore-ejb, distinctName:] combination
>>> for invocation context
>>> org.jboss.ejb.client.EJBClientInvocationContext@35fc6dc4
>>> [java] at
>>> org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:798)
>>> [java] at
>>> org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:128)
>>> [java] at
>>> org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:186)
>>> [java] at
>>> org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:255)
>>> [java] at
>>> org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:200)
>>> [java] at
>>> org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:183)
>>> [java] at
>>> org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:146)
>>> [java] at
>>> com.sun.proxy.$Proxy0.getAvailableTypesAndProperties(Unknown Source)
>>> [java] at
>>> org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand.<init>(InternalKeyBindingCreateCommand.java:69)
>>> [java] at
>>> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>> [java] at
>>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>> [java] at
>>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>> [java] at
>>> java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>> [java] at java.lang.Class.newInstance(Class.java:442)
>>> [java] at
>>> java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
>>> [java] ... 5 more
>>>
>>> BUILD FAILED
>>> /ejbca_ce_6_5_0_4/build.xml:64: The following error occurred while
>>> executing this line:
>>> /ejbca_ce_6_5_0_4/build.xml:70: The following error occurred while
>>> executing this line:
>>> /ejbca_ce_6_5_0_4/bin/cli.xml:97: The following error occurred while
>>> executing this line:
>>> /ejbca_ce_6_5_0_4/bin/cli.xml:115: The following error occurred while
>>> executing this line:
>>> /ejbca_ce_6_5_0_4/bin/cli.xml:189: Java returned: 1
>>>
>>> i'm running:
>>>
>>> ubuntu 16.04 LTS
>>> wildfly 10.1.0 final
>>> ejbca 6.5.0.4
>>> utilizing mysql db backend
>>>
>>> i've seen references out there on the web to this issue being caused by either:
>>>
>>> misconfigured jboss backend
>>> missing code in ejbca source
>>> wrong / bad version of wildfly
>>>
>>> Does anyone out there have a definitive fix for this?
>>>
>>> If i follow the quick start guide, it works fine.
>>>
>>> Thanks.
>>>
>>> - - - Fabian Santiago
|
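The two failure descriptions quoted in this message (WFLYCTL0412/WFLYCTL0180 from the "Add datasource" step and WFLYCTL0180 from the deploy) each name the service that has to exist before anything else can start. The following is an added example, not code from the posters or from the EJBCA or WildFly projects: it parses such descriptions and reports each root missing service with everything it blocks. The function names are hypothetical and the sample text is copied from the messages above.

```python
import re
from collections import defaultdict

# Constructed sample input: the two failure descriptions quoted in this
# thread, with the mail line wraps left in place.
DATASOURCE_STEP = r'''{"WFLYCTL0412: Required services that are not installed:" =>
["jboss.jdbc-driver.mysql-connector-java-5_1_41-bin_jar"],"WFLYCTL0180:
Services with missing/unavailable dependencies" =>
["org.wildfly.data-source.ejbcads is missing
[jboss.jdbc-driver.mysql-connector-java-5_1_41-bin_jar]","jboss.driver-demander.java:/EjbcaDS
is missing [jboss.jdbc-driver.mysql-connector-java-5_1_41-bin_jar]"]}'''

DEPLOY_STEP = r'''{"WFLYCTL0180: Services with missing/unavailable
dependencies" => [
"jboss.persistenceunit.\"ejbca.ear#ejbca\" is missing
[jboss.naming.context.java.ejbcads]",
"jboss.persistenceunit.\"ejbca.ear#ejbca\".__FIRST_PHASE__ is
missing [jboss.naming.context.java.ejbcads]"
]}'''

STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one quoted item; \" may occur inside
CODE = re.compile(r"^(WFLYCTL\d+):")           # section header such as WFLYCTL0180
MISSING = re.compile(r"^(.+?) is missing \[(.*)\]$")


def parse_failure(text):
    """Return (services reported as not installed, {dependent: {missing, ...}})."""
    flat = re.sub(r"\s+", " ", text)           # undo the line wrapping
    not_installed, edges, section = [], defaultdict(set), None
    for match in STRING.finditer(flat):
        item = re.sub(r"\\(.)", r"\1", match.group(1))   # unescape \"
        header = CODE.match(item)
        if header:
            section = header.group(1)
        elif section == "WFLYCTL0412":
            not_installed.append(item)
        elif section == "WFLYCTL0180":
            hit = MISSING.match(item)
            if hit:
                needs = (s.strip() for s in hit.group(2).split(","))
                edges[hit.group(1)].update(needs)
    return not_installed, dict(edges)


def root_causes(*texts):
    """Map each root missing service to the sorted list of services it blocks.

    A root is a service that is reported missing but never appears as a
    dependent itself, so the reports give no further reason for its absence.
    """
    edges, declared = defaultdict(set), set()
    for text in texts:
        not_installed, found = parse_failure(text)
        declared.update(not_installed)
        for dependent, needs in found.items():
            edges[dependent] |= needs
    missing = set().union(*edges.values()) if edges else set()
    roots = (missing | declared) - set(edges)

    blocked_by = defaultdict(set)              # reverse edges: missing -> dependents
    for dependent, needs in edges.items():
        for need in needs:
            blocked_by[need].add(dependent)

    result = {}
    for root in sorted(roots):
        seen, stack = set(), [root]
        while stack:                            # walk dependents transitively
            for dependent in blocked_by[stack.pop()]:
                if dependent not in seen:
                    seen.add(dependent)
                    stack.append(dependent)
        result[root] = sorted(seen)
    return result


if __name__ == "__main__":
    for root, blocked in root_causes(DATASOURCE_STEP, DEPLOY_STEP).items():
        print("missing:", root)
        for service in blocked:
            print("  blocks:", service)
```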
|
From: Tomas G. <to...@pr...> - 2017-03-02 02:53:29
|
Don't do "ant deploy", follow the WildFly 10/EAP 7 installation
instructions :-)
/Tomas
On 2017-03-02 09:34, Fabian Santiago wrote:
> I found an error in server.log (jboss-eap-7.0 I am now trying) after
> ant deploy / clean deployear:
>
> ERROR [org.jboss.as.controller.management-operation]
> (DeploymentScanner-threads - 2) WFLYCTL0013: Operation ("deploy")
> failed - address: ([("deployment" => "ejbca.ear")]) - failure
> description: {"WFLYCTL0180: Services with missing/unavailable
> dependencies" => [
> "jboss.persistenceunit.\"ejbca.ear#ejbca\" is missing
> [jboss.naming.context.java.ejbcads]",
> "jboss.persistenceunit.\"ejbca.ear#ejbca\".__FIRST_PHASE__ is
> missing [jboss.naming.context.java.ejbcads]"
> ]}
>
> so now, how do i add this missing component and where to find? or is
> it a simple conf file typo issue? Thanks.
>
> - Fabian S.
>
>
> On Wed, Mar 1, 2017 at 2:45 PM, Fabian Santiago
> <fsa...@ga...> wrote:
>>
>> hello,
>>
>> running 'ant install', it fails with:
>>
>> ejbca:initCA:
>> [echo] Initializing CA with 'GardenCA'
>> 'CN=pki.garden-mums.com,O=Garden-lan com,C=NJ' 'soft' 'prime256v1'
>> 'ECDSA' '3650' '2.5.29.32.0' 'SHA256WithRSA' -superadmincn
>> 'SuperAdmin'...
>> [java] Exception in thread "main"
>> java.util.ServiceConfigurationError:
>> org.ejbca.ui.cli.infrastructure.command.CliCommandPlugin: Provider
>> org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand could not be
>> instantiated
>> [java] at java.util.ServiceLoader.fail(ServiceLoader.java:232)
>> [java] at java.util.ServiceLoader.access$100(ServiceLoader.java:185)
>> [java] at
>> java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:384)
>> [java] at
>> java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
>> [java] at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
>> [java] at
>> org.ejbca.ui.cli.infrastructure.library.CommandLibrary.<init>(CommandLibrary.java:53)
>> [java] at
>> org.ejbca.ui.cli.infrastructure.library.CommandLibrary.<clinit>(CommandLibrary.java:38)
>> [java] at org.ejbca.ui.cli.EjbcaEjbCli.main(EjbcaEjbCli.java:29)
>> [java] Caused by: java.lang.IllegalStateException:
>> EJBCLIENT000025: No EJB receiver available for handling
>> [appName:ejbca, moduleName:cesecore-ejb, distinctName:] combination
>> for invocation context
>> org.jboss.ejb.client.EJBClientInvocationContext@35fc6dc4
>> [java] at
>> org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:798)
>> [java] at
>> org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:128)
>> [java] at
>> org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:186)
>> [java] at
>> org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:255)
>> [java] at
>> org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:200)
>> [java] at
>> org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:183)
>> [java] at
>> org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:146)
>> [java] at
>> com.sun.proxy.$Proxy0.getAvailableTypesAndProperties(Unknown Source)
>> [java] at
>> org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand.<init>(InternalKeyBindingCreateCommand.java:69)
>> [java] at
>> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>> [java] at
>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>> [java] at
>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>> [java] at
>> java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>> [java] at java.lang.Class.newInstance(Class.java:442)
>> [java] at
>> java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
>> [java] ... 5 more
>>
>> BUILD FAILED
>> /ejbca_ce_6_5_0_4/build.xml:64: The following error occurred while
>> executing this line:
>> /ejbca_ce_6_5_0_4/build.xml:70: The following error occurred while
>> executing this line:
>> /ejbca_ce_6_5_0_4/bin/cli.xml:97: The following error occurred while
>> executing this line:
>> /ejbca_ce_6_5_0_4/bin/cli.xml:115: The following error occurred while
>> executing this line:
>> /ejbca_ce_6_5_0_4/bin/cli.xml:189: Java returned: 1
>>
>> i'm running:
>>
>> ubuntu 16.04 LTS
>> wildfly 10.1.0 final
>> ejbca 6.5.0.4
>> utilizing mysql db backend
>>
>> i've seen references out there on the web to this issue being caused by either:
>>
>> misconfigured jboss backend
>> missing code in ejbca source
>> wrong / bad version of wildfly
>>
>> Does anyone out there have a definitive fix for this?
>>
>> If i follow the quick start guide, it works fine.
>>
>> Thanks.
>>
>> - - - Fabian Santiago
|
|
From: Tomas G. <to...@pr...> - 2017-03-02 02:34:41
|
You need to verify that EJBCA has deployed correctly and that JBoss
starts up properly, after configuring WildFly and deploying EJBCA with
"ant deployear".
I see that you have not followed the WildFly 10 installation instructions.
Start over from the beginning and use the install guide, for WildFly 10.
https://www.ejbca.org/docs/installation.html#WildFly%2010%20/%20JBoss%20EAP%207
(i.e. "ant install" is not used in these instructions)
Cheers,
Tomas
**********
PrimeKey Solutions AB
Lundagatan 16, 171 63 Solna, Sweden
Mob: +46 (0)707421096
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**********
On 2017-03-02 02:45, Fabian Santiago wrote:
> hello,
>
> running 'ant install', it fails with:
>
> ejbca:initCA:
> [echo] Initializing CA with 'GardenCA'
> 'CN=pki.garden-mums.com,O=Garden-lan com,C=NJ' 'soft' 'prime256v1'
> 'ECDSA' '3650' '2.5.29.32.0' 'SHA256WithRSA' -superadmincn
> 'SuperAdmin'...
> [java] Exception in thread "main"
> java.util.ServiceConfigurationError:
> org.ejbca.ui.cli.infrastructure.command.CliCommandPlugin: Provider
> org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand could not be
> instantiated
> [java] at java.util.ServiceLoader.fail(ServiceLoader.java:232)
> [java] at java.util.ServiceLoader.access$100(ServiceLoader.java:185)
> [java] at
> java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:384)
> [java] at
> java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
> [java] at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
> [java] at
> org.ejbca.ui.cli.infrastructure.library.CommandLibrary.<init>(CommandLibrary.java:53)
> [java] at
> org.ejbca.ui.cli.infrastructure.library.CommandLibrary.<clinit>(CommandLibrary.java:38)
> [java] at org.ejbca.ui.cli.EjbcaEjbCli.main(EjbcaEjbCli.java:29)
> [java] Caused by: java.lang.IllegalStateException:
> EJBCLIENT000025: No EJB receiver available for handling
> [appName:ejbca, moduleName:cesecore-ejb, distinctName:] combination
> for invocation context
> org.jboss.ejb.client.EJBClientInvocationContext@35fc6dc4
> [java] at
> org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:798)
> [java] at
> org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:128)
> [java] at
> org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:186)
> [java] at
> org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:255)
> [java] at
> org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:200)
> [java] at
> org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:183)
> [java] at
> org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:146)
> [java] at
> com.sun.proxy.$Proxy0.getAvailableTypesAndProperties(Unknown Source)
> [java] at
> org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand.<init>(InternalKeyBindingCreateCommand.java:69)
> [java] at
> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> [java] at
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> [java] at
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> [java] at
> java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> [java] at java.lang.Class.newInstance(Class.java:442)
> [java] at
> java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
> [java] ... 5 more
>
> BUILD FAILED
> /ejbca_ce_6_5_0_4/build.xml:64: The following error occurred while
> executing this line:
> /ejbca_ce_6_5_0_4/build.xml:70: The following error occurred while
> executing this line:
> /ejbca_ce_6_5_0_4/bin/cli.xml:97: The following error occurred while
> executing this line:
> /ejbca_ce_6_5_0_4/bin/cli.xml:115: The following error occurred while
> executing this line:
> /ejbca_ce_6_5_0_4/bin/cli.xml:189: Java returned: 1
>
> i'm running:
>
> ubuntu 16.04 LTS
> wildfly 10.1.0 final
> ejbca 6.5.0.4
> utilizing mysql db backend
>
> i've seen references out there on the web to this issue being caused by either:
>
> misconfigured jboss backend
> missing code in ejbca source
> wrong / bad version of wildfly
>
> Does anyone out there have a definitive fix for this?
>
> If i follow the quick start guide, it works fine.
>
> Thanks.
>
> - - Fabian Santiago
|
|
From: Fabian S. <fsa...@ga...> - 2017-03-02 02:34:20
|
I found an error in server.log (jboss-eap-7.0 I am now trying) after
ant deploy / clean deployear:
ERROR [org.jboss.as.controller.management-operation]
(DeploymentScanner-threads - 2) WFLYCTL0013: Operation ("deploy")
failed - address: ([("deployment" => "ejbca.ear")]) - failure
description: {"WFLYCTL0180: Services with missing/unavailable
dependencies" => [
"jboss.persistenceunit.\"ejbca.ear#ejbca\" is missing
[jboss.naming.context.java.ejbcads]",
"jboss.persistenceunit.\"ejbca.ear#ejbca\".__FIRST_PHASE__ is
missing [jboss.naming.context.java.ejbcads]"
]}
so now, how do i add this missing component and where to find? or is
it a simple conf file typo issue? Thanks.
- - Fabian S.
On Wed, Mar 1, 2017 at 2:45 PM, Fabian Santiago
<fsa...@ga...> wrote:
>
> hello,
>
> running 'ant install', it fails with:
>
> ejbca:initCA:
> [echo] Initializing CA with 'GardenCA'
> 'CN=pki.garden-mums.com,O=Garden-lan com,C=NJ' 'soft' 'prime256v1'
> 'ECDSA' '3650' '2.5.29.32.0' 'SHA256WithRSA' -superadmincn
> 'SuperAdmin'...
> [java] Exception in thread "main"
> java.util.ServiceConfigurationError:
> org.ejbca.ui.cli.infrastructure.command.CliCommandPlugin: Provider
> org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand could not be
> instantiated
> [java] at java.util.ServiceLoader.fail(ServiceLoader.java:232)
> [java] at java.util.ServiceLoader.access$100(ServiceLoader.java:185)
> [java] at
> java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:384)
> [java] at
> java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
> [java] at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
> [java] at
> org.ejbca.ui.cli.infrastructure.library.CommandLibrary.<init>(CommandLibrary.java:53)
> [java] at
> org.ejbca.ui.cli.infrastructure.library.CommandLibrary.<clinit>(CommandLibrary.java:38)
> [java] at org.ejbca.ui.cli.EjbcaEjbCli.main(EjbcaEjbCli.java:29)
> [java] Caused by: java.lang.IllegalStateException:
> EJBCLIENT000025: No EJB receiver available for handling
> [appName:ejbca, moduleName:cesecore-ejb, distinctName:] combination
> for invocation context
> org.jboss.ejb.client.EJBClientInvocationContext@35fc6dc4
> [java] at
> org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:798)
> [java] at
> org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:128)
> [java] at
> org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:186)
> [java] at
> org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:255)
> [java] at
> org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:200)
> [java] at
> org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:183)
> [java] at
> org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:146)
> [java] at
> com.sun.proxy.$Proxy0.getAvailableTypesAndProperties(Unknown Source)
> [java] at
> org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand.<init>(InternalKeyBindingCreateCommand.java:69)
> [java] at
> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> [java] at
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> [java] at
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> [java] at
> java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> [java] at java.lang.Class.newInstance(Class.java:442)
> [java] at
> java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
> [java] ... 5 more
>
> BUILD FAILED
> /ejbca_ce_6_5_0_4/build.xml:64: The following error occurred while
> executing this line:
> /ejbca_ce_6_5_0_4/build.xml:70: The following error occurred while
> executing this line:
> /ejbca_ce_6_5_0_4/bin/cli.xml:97: The following error occurred while
> executing this line:
> /ejbca_ce_6_5_0_4/bin/cli.xml:115: The following error occurred while
> executing this line:
> /ejbca_ce_6_5_0_4/bin/cli.xml:189: Java returned: 1
>
> i'm running:
>
> ubuntu 16.04 LTS
> wildfly 10.1.0 final
> ejbca 6.5.0.4
> utilizing mysql db backend
>
> i've seen references out there on the web to this issue being caused by either:
>
> misconfigured jboss backend
> missing code in ejbca source
> wrong / bad version of wildfly
>
> Does anyone out there have a definitive fix for this?
>
> If i follow the quick start guide, it works fine.
>
> Thanks.
>
> - - - Fabian Santiago
|
|
From: Tomas G. <to...@pr...> - 2017-03-02 02:30:54
|
Yes, WS API is backwards compatible.
Regards,
Tomas
**********
PrimeKey Solutions AB
Lundagatan 16, 171 63 Solna, Sweden
Mob: +46 (0)707421096
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**********
On 2017-03-02 01:35, Jaime Hablutzel Egoavil wrote:
> I've been unable to find an official PrimeKey's statement about
> backwards compatibility of the SOAP API across different versions.
>
> For example, if I have developed a client against EJBCA CE 6.3.1.1 and
> now I want to migrate to EJBCA CE 6.5.0.4, will my client still work
> without any modification?.
>
> --
> Jaime Hablutzel - RPC 994690880
|
|
From: Fabian S. <fsa...@ga...> - 2017-03-01 20:11:21
|
hello,
running 'ant install', it fails with:
ejbca:initCA:
[echo] Initializing CA with 'GardenCA'
'CN=pki.garden-mums.com,O=Garden-lan com,C=NJ' 'soft' 'prime256v1'
'ECDSA' '3650' '2.5.29.32.0' 'SHA256WithRSA' -superadmincn
'SuperAdmin'...
[java] Exception in thread "main"
java.util.ServiceConfigurationError:
org.ejbca.ui.cli.infrastructure.command.CliCommandPlugin: Provider
org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand could not be
instantiated
[java] at java.util.ServiceLoader.fail(ServiceLoader.java:232)
[java] at java.util.ServiceLoader.access$100(ServiceLoader.java:185)
[java] at
java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:384)
[java] at
java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
[java] at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
[java] at
org.ejbca.ui.cli.infrastructure.library.CommandLibrary.(CommandLibrary.java:53)
[java] at
org.ejbca.ui.cli.infrastructure.library.CommandLibrary.(CommandLibrary.java:38)
[java] at org.ejbca.ui.cli.EjbcaEjbCli.main(EjbcaEjbCli.java:29)
[java] Caused by: java.lang.IllegalStateException:
EJBCLIENT000025: No EJB receiver available for handling
[appName:ejbca, moduleName:cesecore-ejb, distinctName:] combination
for invocation context
org.jboss.ejb.client.EJBClientInvocationContext@35fc6dc4
[java] at
org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:798)
[java] at
org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:128)
[java] at
org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:186)
[java] at
org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:255)
[java] at
org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:200)
[java] at
org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:183)
[java] at
org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:146)
[java] at
com.sun.proxy.$Proxy0.getAvailableTypesAndProperties(Unknown Source)
[java] at
org.ejbca.ui.cli.keybind.InternalKeyBindingCreateCommand.(InternalKeyBindingCreateCommand.java:69)
[java] at
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
[java] at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
[java] at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
[java] at
java.lang.reflect.Constructor.newInstance(Constructor.java:423)
[java] at java.lang.Class.newInstance(Class.java:442)
[java] at
java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
[java] ... 5 more
BUILD FAILED
/ejbca_ce_6_5_0_4/build.xml:64: The following error occurred while
executing this line:
/ejbca_ce_6_5_0_4/build.xml:70: The following error occurred while
executing this line:
/ejbca_ce_6_5_0_4/bin/cli.xml:97: The following error occurred while
executing this line:
/ejbca_ce_6_5_0_4/bin/cli.xml:115: The following error occurred while
executing this line:
/ejbca_ce_6_5_0_4/bin/cli.xml:189: Java returned: 1
i'm running:
ubuntu 16.04 LTS
wildfly 10.1.0 final
ejbca 6.5.0.4
utilizing mysql db backend
i've seen references out there on the web to this issue being caused by either:
misconfigured jboss backend
missing code in ejbca source
wrong / bad version of wildfly
Does anyone out there have a definitive fix for this?
If i follow the quick start guide, it works fine.
Thanks.
- - - Fabian Santiago
|
|
From: Jaime H. E. <hab...@gm...> - 2017-03-01 18:35:58
|
I've been unable to find an official PrimeKey statement about backwards compatibility of the SOAP API across different versions.

For example, if I have developed a client against EJBCA CE 6.3.1.1 and now I want to migrate to EJBCA CE 6.5.0.4, will my client still work without any modification?

--
Jaime Hablutzel - RPC 994690880
|
|
From: Tomas G. <to...@pr...> - 2017-02-20 10:46:14
|
Hi,

I just wanted to inform that we have taken down the wiki.ejbca.org site and redirected it to the main ejbca.org site. The reason is that the wiki was mostly outdated and the fresh and updated information is available in regular docs.

As always, contributions to the documentation are always appreciated and you can always send in patches here.

Cheers,
Tomas
--
**********
PrimeKey Solutions AB
Lundagatan 16, 171 63 Solna, Sweden
Mob: +46 (0)707421096
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**********
|
|
From: Tomas G. <to...@pr...> - 2017-02-20 10:44:27
|
You need database indexes. See doc/sql-scripts.

Regards,
Tomas

**********
PrimeKey Solutions AB
Lundagatan 16, 171 63 Solna, Sweden
Mob: +46 (0)707421096
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**********

On 2017-02-20 11:24, Nikita Bedmutha wrote:
> Hi,
>
> We were trying a performance test for a large number of certificates
> (~ 0.5 million) using EJBCA. We tried out a performance test and we
> observed that there is a notable drop in the performance as the number
> of certificate entries in the database increases. Following are the
> results:
>
> certificateRequest webservice call:
>
> | SR no | Total new requests | Total Certs already in db | Total time taken (in sec) | Requests per second |
> |---|---|---|---|---|
> | 1 | 1000 | 15 | 103 | ~10 |
> | 2 | 1000 | 1015 | 113 | ~9 |
> | 3 | 25000 | 2500 | 5555 | ~4.5 |
> | 4 | 25000 | 50500 | 20000 | ~1.2 |
>
> pkcs10Request webservice call:
>
> | SR no | Total new requests | Total Certs already in db | Total time taken (in sec) | Requests per second |
> |---|---|---|---|---|
> | 1 | 1000 | 15 | 103 | ~10 |
> | 2 | 1000 | 1015 | 105 | ~10 |
> | 3 | 25000 | 28000 | 5169 | ~ 4.83 |
> | 4 | 25000 | 78000 | 15443 | ~ 1.61 |
>
> Revocation numbers :
>
> Revocation for certs:
>
> | SR no | Total revocation requests | Total Certs already in db | Total time taken (in sec) | Requests per second |
> |---|---|---|---|---|
> | 1 | 36,500 | ~140,000 | 18228 | ~2 |
>
> We followed the configurations to maximize the performance in EJBCA as
> per the recommendations
> <https://www.ejbca.org/older_releases/ejbca_6_5/htdocs/docs/adminguide.html#Maximizing%20performance>.
> However, most of the default settings are required by us like:
>
> 1. Logging to database is enabled.
> 2. Need to enforce uniqueness (keys, DN, Subject DN SerialNumber) in CA
>    configuration
> 3. Disable finishUser in CA configuration. - use same user to make
>    multiple requests.
> 4. We do not use separate certificate table.
>
> So we would like to know if the performance drop that we are seeing is
> an expected one? How can we improve this performance when we already
> have a large number of certificates in the database?
>
> Regards,
> Nikita Bedmutha
|
|
From: Nikita B. <nik...@gs...> - 2017-02-20 10:24:10
|
Hi,

We were trying a performance test for a large number of certificates (~ 0.5
million) using EJBCA. We tried out a performance test and we observed that
there is a notable drop in the performance as the number of certificate
entries in the database increases. Following are the results:

certificateRequest webservice call:

| SR no | Total new requests | Total Certs already in db | Total time taken (in sec) | Requests per second |
|---|---|---|---|---|
| 1 | 1000 | 15 | 103 | ~10 |
| 2 | 1000 | 1015 | 113 | ~9 |
| 3 | 25000 | 2500 | 5555 | ~4.5 |
| 4 | 25000 | 50500 | 20000 | ~1.2 |

pkcs10Request webservice call:

| SR no | Total new requests | Total Certs already in db | Total time taken (in sec) | Requests per second |
|---|---|---|---|---|
| 1 | 1000 | 15 | 103 | ~10 |
| 2 | 1000 | 1015 | 105 | ~10 |
| 3 | 25000 | 28000 | 5169 | ~ 4.83 |
| 4 | 25000 | 78000 | 15443 | ~ 1.61 |

Revocation numbers :

Revocation for certs:

| SR no | Total revocation requests | Total Certs already in db | Total time taken (in sec) | Requests per second |
|---|---|---|---|---|
| 1 | 36,500 | ~140,000 | 18228 | ~2 |

We followed the configurations to maximize the performance in EJBCA as per
the recommendations
<https://www.ejbca.org/older_releases/ejbca_6_5/htdocs/docs/adminguide.html#Maximizing%20performance>.
However, most of the default settings are required by us like:

1. Logging to database is enabled.
2. Need to enforce uniqueness (keys, DN, Subject DN SerialNumber) in CA
   configuration
3. Disable finishUser in CA configuration. - use same user to make multiple
   requests.
4. We do not use separate certificate table.

So we would like to know if the performance drop that we are seeing is an
expected one? How can we improve this performance when we already have a
large number of certificates in the database?

Regards,
Nikita Bedmutha
|
|
From: Marc P. <liv...@gm...> - 2017-02-14 08:23:01
|
Hi Thomas,

thanks a lot for the answer. I was able to use the Internal Key Binding with a certificate issued from the Root CA on my EJBCA instance and was able to verify the SubCA certificate.

Best Regards

Marc Pailloux

2017-02-01 17:47 GMT+01:00 Tomas Gustavsson <to...@pr...>:
>
> Hi Marc,
>
> If you send an OCSP request asking for status of the Sub CA certificate,
> it should be answered by the Root CA. In order for the Root CA to
> answer, it needs to have an OCSP Key Binding, and an OCSP signing
> certificate issued by the Root CA (or asking a responder directly on the
> Root CA server).
>
> In order to get proper OCSP responses from the Sub CA responder you
> should query about status of a leaf certificate issued by the Sub CA.
>
> Cheers,
> Tomas
> ---
> RSA Conference 2017
> ------------------------------------------------------------------
> San Francisco | February 13-17 | Moscone Center
> Come visit us in booth #627 at RSA Conference 2017!
>
> Want a free expo pass?
> Go to https://www.rsaconference.com/events/us17/register
> and use the code: XE7PRMKEY
>
> On 2017-01-31 14:10, Marc Pailloux wrote:
> >
> > Hello,
> >
> > I have an interrogation about OCSP and the way it works with an
> > External Root CA.
> >
> > I use the default OCSP with the CA (no external OCSP responder).
> > My CA architecture is a Root CA generated on another EJBCA
> > instance, that signed the SubCA installed on the instance doing also the
> > OCSP.
> > I created a user certificate for the test under that SubCA.
> >
> > I imported back the root public CA as an external Certificate,
> > so here is what I have as CAs:
> > Embedded images 1
> >
> > However, when i try to use OCSP on a reverse proxy, I have an
> > error message on the EJBCA logs :
> > 13:28:16,136 INFO [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (http--0.0.0.0-18080-6) Received OCSP request for certificate with serNo: 3e3bb7fa6bbbe5ae, and issuerNameHash: f644d454ac3dd1cf400698318b5b8357afafad7c. Client ip 192.168.91.5.
> > 13:28:16,139 ERROR [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (http--0.0.0.0-18080-6) Unable to find CA certificate by issuer name hash: f644d454ac3dd1cf400698318b5b8357afafad7c, or even the default responder: .
> >
> > This certificate is the SubCA certificate.
> >
> > For what I understand about OCSP and EJBCA, it means that the
> > SubCA certificate was not registered on the CA hash table and cannot be
> > found. Any reason for that ?
> > I tried a configuration where the root CA is on the same instance
> > and it works perfectly but it is not my desired architecture.
> >
> > Thanks for the help
> >
> > Best Regards
> >
> > Marc Pailloux
|
|
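Why the lookup in the log quoted above fails for the Sub CA certificate but succeeds for leaf certificates, as an added example (not part of the thread and not EJBCA code): an OCSP request names the issuer by a hash of the issuer DN of the certificate being checked, so a query about the Sub CA certificate carries the Root CA's name hash. The DNs, serial numbers and the `Responder` table are constructed for illustration, and SHA-1 is assumed because the logged hash is 40 hex digits.

```python
import hashlib
from collections import namedtuple

# Attribute type OIDs for the constructed DNs below.
OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "CN": "2.5.4.3"}


def _tlv(tag, content):
    """DER tag-length-value with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def _oid(dotted):
    """DER OBJECT IDENTIFIER from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def der_name(*rdns):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { type OID, value }."""
    out = b""
    for attr, value in rdns:
        string_tag = 0x13 if attr == "C" else 0x0C  # PrintableString / UTF8String
        atv = _tlv(0x30, _oid(OIDS[attr]) + _tlv(string_tag, value.encode("utf-8")))
        out += _tlv(0x31, atv)
    return _tlv(0x30, out)


def name_hash(name_der):
    """SHA-1 over the exact DER bytes of a DN, hex encoded."""
    return hashlib.sha1(name_der).hexdigest()


# Only the fields that matter for building an OCSP CertID.
Cert = namedtuple("Cert", "subject issuer serial")


def issuer_name_hash(cert):
    """CertID.issuerNameHash: hash of the ISSUER DN of the certificate asked about."""
    return name_hash(cert.issuer)


class Responder:
    """Simplified model: maps hash(CA subject DN) to the signer that may
    answer for certificates issued by that CA."""

    def __init__(self):
        self.signers = {}

    def add_signer(self, ca_subject, label):
        self.signers[name_hash(ca_subject)] = label

    def answer(self, cert):
        # None models the "Unable to find CA certificate by issuer name hash" case.
        return self.signers.get(issuer_name_hash(cert))


# Constructed DNs and certificates (not taken from the thread).
ROOT = der_name(("C", "SE"), ("O", "Example"), ("CN", "Example Root CA"))
SUB = der_name(("C", "SE"), ("O", "Example"), ("CN", "Example Sub CA"))
USER = der_name(("C", "SE"), ("O", "Example"), ("CN", "user1"))
SUB_CA_CERT = Cert(subject=SUB, issuer=ROOT, serial=0x1001)
USER_CERT = Cert(subject=USER, issuer=SUB, serial=0x2001)


def run_scenario():
    """Who answers each query before and after a Root CA signer exists."""
    responder = Responder()
    responder.add_signer(SUB, "Sub CA")  # the Sub CA lives on this instance
    before = {"sub_ca_cert": responder.answer(SUB_CA_CERT),
              "user_cert": responder.answer(USER_CERT)}
    # Signing certificate issued by the Root CA, as described in the reply.
    responder.add_signer(ROOT, "OCSP key binding issued by Root CA")
    after = {"sub_ca_cert": responder.answer(SUB_CA_CERT),
             "user_cert": responder.answer(USER_CERT)}
    return before, after


if __name__ == "__main__":
    before, after = run_scenario()
    print("issuerNameHash for Sub CA cert:", issuer_name_hash(SUB_CA_CERT))
    print("before:", before)
    print("after: ", after)
```

The hash is taken over the DER bytes exactly as they appear in the certificate, so a DN that differs only in string type or attribute order produces a different issuerNameHash.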
From: Tomas G. <to...@pr...> - 2017-02-13 14:25:56
|
Hi,

We are pleased to release EJBCA Community 6.5.0.4.

This release fixes an upgrade bug, and two pages that did not work in WildFly 10. In addition it has a security fix and a couple of other minor fixes. All in all, there are only 7 fixes in this release.

You can also see a summary of all changes from the last Community release in the download section.
https://sourceforge.net/projects/ejbca/files/ejbca6/ejbca_6_5_0/

Read the full change log (Changelog.txt) for details, and see the UPGRADE document for all functionality changes and upgrade instructions. These are both available in the download package.

Regards,
The EJBCA Team
--
PrimeKey at RSA Conference 2017
------------------------------------------------------------------
San Francisco | February 13-17 | Moscone Center
Come visit us in booth #627 at RSA Conference 2017!

Want a free expo pass?
Go to https://www.rsaconference.com/events/us17/register
and use the code: XE7PRMKEY
|
|
From: Tomas G. <to...@pr...> - 2017-02-10 08:13:40
|
If you're able to dig into the code a patch would be appreciated. Adding a "soft" algorithm doesn't require many changes.

Regards,
Tomas
---
RSA Conference 2017
------------------------------------------------------------------
San Francisco | February 13-17 | Moscone Center
Come visit us in booth #627 at RSA Conference 2017!

Want a free expo pass?
Go to https://www.rsaconference.com/events/us17/register
and use the code: XE7PRMKEY

On 2017-02-09 17:46, Bruce Bernstein wrote:
> SHA384-PSS is our current use case. We have been able to do this with
> openSSL, but want a more robust solution. We have SHA384 working in
> ejbca. Now we just need to get PSS working.
> We are OK with a software solution for a while, although we will need to
> move to HSM in a few months. For now, a solution which enables PSS in
> software is fine.
> Best,
> Bruce
>
>
>> Message: 2
>> Date: Thu, 9 Feb 2017 09:33:36 +0100
>> From: Tomas Gustavsson <to...@pr...>
>> Subject: Re: [Ejbca-develop] Issue certificates with SHA-384/PSS
>> To: ejb...@li...
>> Message-ID: <2ab...@pr...>
>> Content-Type: text/plain; charset=windows-1252
>>
>>
>> Right, currently only SHA256 is available. Do you have a standard use
>> case where SHA-384 is needed? To motivate adding the feature. Adding
>> algorithms for "soft" keystores are actually quite simple, only with
>> HSMs is it more tricky since currently PSS requires java patches to work
>> with HSMs for that algorithm.
>>
>> Regards,
>> Tomas
>> ---
>> Save time and money with an Enterprise support subscription. Please see
>> www.primekey.se for more information.
>> https://www.primekey.se/technologies/products-overview/
>> https://www.primekey.se/service-support/support/
>>
>> On 2017-02-08 18:07, Bruce Bernstein wrote:
>>> Has anyone been able to coerce ejbca community edition to issue
>>> certificates signed with RSASSA-PSS format SHA-384? It seems from the
>>> docs that this is only available with the enterprise edition using HSM.
>>> We need a software solution, preferably with software encoding. Any
>>> pointers would be appreciated.
>>>
>>> Thanks,
>>> Bruce
|
|
From: Tomas G. <to...@pr...> - 2017-02-10 07:40:56
|
Great.

Regards,
Tomas
---
RSA Conference 2017
------------------------------------------------------------------
San Francisco | February 13-17 | Moscone Center
Come visit us in booth #627 at RSA Conference 2017!

Want a free expo pass?
Go to https://www.rsaconference.com/events/us17/register
and use the code: XE7PRMKEY

On 2017-02-10 07:24, Nikita Bedmutha wrote:
> Hi,
>
> My issue is resolved with the EJBCA 6.5.0 version. The subject DN is
> overridden now in web services call.
> Thanks.
>
> Regards,
> Nikita Bedmutha
> Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
> <http://www.linkedin.com/in/nikitabedmutha>
>
> On Thu, Feb 9, 2017 at 7:18 PM, Nikita Bedmutha <nik...@gs...> wrote:
>
> Sure. I will try on latest version. Thanks.
>
> Regards,
> Nikita Bedmutha
> Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
> <http://www.linkedin.com/in/nikitabedmutha>
>
> On Thu, Feb 9, 2017 at 7:04 PM, Tomas Gustavsson <to...@pr...> wrote:
>
> Might be a new feature. Can you test 6.5.0?
>
> (I will update 6.5.0 release in a few days with a small upgrade fix, see
> other issue in forums)
>
> Cheers,
> Tomas
>
> On 2017-02-09 14:10, Nikita Bedmutha wrote:
> > Hi,
> >
> > Thanks for the pointers.
> >
> > I am using EJBCA 6.3.1.1 Community (r21429)
> >
> > I tried clientToolBox today on this version of EJBCA.
> > My command looked : ./ejbcaClientToolBox.sh EjbcaWsRaCli certreq
> > mgmtUser "CN=mgmtUser,C=SE" NULL ICA12 "Client EndEntity Profile"
> > "Client Cert Profile" ./csr.pem PKCS10 PEM NONE .
> > which generated the mgmtUser.pem certificate file. However this
> > certificate did not have the subjectDN overridden. It was same
> > 'CN=mgmtUser,C=SE' given in the request and not the one given while
> > creating CSR.
> > Again, when trying this same csr file with public web call, it returned
> > overridden subjectDN in certificate.
> >
> > I tried then the DER format for the above request:
> > ./ejbcaClientToolBox.sh EjbcaWsRaCli certreq mgmtUser "CN=mgmtUser,C=SE"
> > NULL ICA12 "Client EndEntity Profile" "Client Cert Profile" ./dercsr.der
> > PKCS10 DER NONE .
> >
> > However it returned:
> > com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
> > at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
> > org.ejbca.ui.cli.ErrorAdminCommandException: com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
> > at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
> >     at org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:146)
> >     at org.ejbca.core.protocol.ws.client.ejbcawsracli.main(ejbcawsracli.java:36)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:498)
> >     at org.ejbca.ui.cli.EjbcaWsRaCli.execute(EjbcaWsRaCli.java:36)
> >     at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
> >     at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:66)
> > Caused by: com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
> > at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
> >     at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
> >     at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)
> >     at com.sun.xml.internal.ws.client.sei.StubHandler.readResponse(StubHandler.java:238)
> >     at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:189)
> >     at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:276)
> >     at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:104)
> >     at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
> >     at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
> >     at com.sun.proxy.$Proxy32.certificateRequest(Unknown Source)
> >     at org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:111)
> >     ... 8 more
> >
> > I did make sure that the CSR generated is in proper DER format. However
> > will look into it more.
> >
> > Regards,
> > Nikita Bedmutha
> > Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
> > <http://www.linkedin.com/in/nikitabedmutha>
> >
> > On Thu, Feb 9, 2017 at 2:46 PM, Tomas Gustavsson <to...@pr...> wrote:
> >
> > What version of EJBCA are you using btw?
> >
> > I'm using this WS command:
> >
> > ./ejbcaClientToolBox.sh EjbcaWsRaCli certreq req9
> > "CN=req9,O=Edited,C=SE" NULL ManagementCA User Client ./p10.der PKCS10
> > DER NONE .
> >
> > My CSR have subjectDN:
> > C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=req9
> >
> > If I have enabled "Allow Subject DN Override by CSR" in the Certificate
> > Profile "Client". My issued certificate gets the DN from the p10.
> >
> > If you try using clientToolBox first, then you will know if/how the
> > feature works, and then you can try to translate it to SOAP-UI (you can
> > even debug log the full soap messages).
> >
> > Regards,
> > Tomas
> > ---
> > RSA Conference 2017
> > ------------------------------------------------------------------
> > San Francisco | February 13-17 | Moscone Center
> > Come visit us in booth #627 at RSA Conference 2017!
> >
> > Want a free expo pass?
> > Go to https://www.rsaconference.com/events/us17/register
> > and use the code: XE7PRMKEY
> >
> > On 2017-02-08 14:35, Nikita Bedmutha wrote:
> > > Serious apologies for sending incomplete data. Well, I observed the
> > > Debug logs for both the calls, call from web service and call from
> > > public web. Here are my observations:
> > >
> > > 1. For the pkcs10Request webservice call through SOAP UI, the INFO log
> > > has an entry:
> > > CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My Organization,C=SE;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
> > >
> > > where, requestX500name=null
> > >
> > > 2. For public web 'Create Certificate from CSR' call:
> > > CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;RequestInstance: 123.252.222.122;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
> > >
> > > where, requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK
> > >
> > > Both the calls use same CSR, also same certificate profile is being used
> > > in both cases and the public key extracted from CSR also looks same.
> > >
> > > However, in case of public web call we see a log statement, 'Using
> > > X509Name from request instead of user's registered.' which is missing in
> > > webservice call log and only 'Using subjectDN: CN=user1,OU=GSL,C=IN' can
> > > be seen.
> > > I suspect this could be because requestX500name is null in case of
> > > webservice call.
> > >
> > > However, we are using same CSR and so this behaviour is bit confusing.
> > > If this info can help. Thanks.
> > >
> > > Regards,
> > > Nikita Bedmutha
> > > Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
> > > <http://www.linkedin.com/in/nikitabedmutha>
> > >
> > > On Wed, Feb 8, 2017 at 3:21 PM, Tomas Gustavsson <to...@pr...> wrote:
> > >
> > > I can only re-iterate here:
> > >
> > > ---
> > > Debug logging will show in detail all decisions regarding override or not
> > > that is takes during certificate issuance.
> > > ---
> > >
> > > For more information about logging, how to configure debug etc, see
> > > https://www.ejbca.org/docs/adminguide.html#Logging
> > >
> > > /Tomas
> > >
> > > On 2017-02-08 10:10, Nikita Bedmutha wrote:
> > > > Hi,
> > > >
> > > > I know this must be the very basic requirement to get the certificate
> > > > with subject DN overridden. But I have tried my best with all settings
> > > > but no clue what's going wrong.
> > > > I have a user 'user1' which is created with a 'Client endentity profile'
> > > > which uses default cert profile as 'Client Cert Profile'. This
> > > > certificate profile has 'Allow subject DN override by CSR' and 'Allow
> > > > subject DN override by End Entity Information' checked. In the case
> > > > where both are checked, documentation says that DN will be overridden by CSR.
> > > >
> > > > Now I make this SOAP call for pkcs10Request:
> > > > Body:
> > > > <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://ws.protocol.core.ejbca.org/">
> > > > <soapenv:Header/>
> > > > <soapenv:Body>
> > > > <ws:pkcs10Request>
> > > > <!--Optional:-->
> > > > <arg0>user1</arg0>
> > > > <!--Optional:-->
> > > > <arg1>password</arg1>
> > > > <!--Optional:-->
> > > > <arg2>-----BEGIN CERTIFICATE REQUEST-----
> > > > MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
> > > > DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
> > > > DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
> > > > nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
> > > > Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
> > > > 2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
> > > > fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
> > > > LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
> > > > AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
> > > > RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
> > > > 1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
> > > > EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
> > > > ++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
> > > > fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
> > > > -----END CERTIFICATE REQUEST-----</arg2>
> > > > <!--Optional:-->
> > > > <arg3></arg3>
> > > > <!--Optional:-->
> > > > <arg4>CERTIFICATE</arg4>
> > > > </ws:pkcs10Request>
> > > > </soapenv:Body>
> > > > </soapenv:Envelope>
> > > >
> > > > I even made call without '-----BEGIN CERTIFICATE REQUEST-----' and
> > > > '-----END CERTIFICATE REQUEST-----' but no success.
> > > > In both cases, the certificate generated still uses the subject DN which
> > > > was used while creating the user. I tried this webservice call using
> > > > SOAP-UI as well as eclipse code. Only when the call is made using public
> > > > web 'Create certificate from CSR' or cli command, the subject DN is
> > > > overridden. For some reason unable to achieve it through web service
> > > > call. Kindly guide me if I am doing anything wrong here.
> > > >
> > > > Regards,
> > > > Nikita Bedmutha
> > > > Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
> > > > <http://www.linkedin.com/in/nikitabedmutha>
> > > >
> > > > On Fri, Feb 3, 2017 at 5:35 AM, Tomas Gustavsson <to...@pr...> wrote:
> > > >
> > > > This is very common to do this using WS so there is probably something
> > > > wrong with your call. Are you using the correct certificate profile in
> > > > your WS call?
> > > >
> > > > Debug logging will show in detail all decisions regarding override or not
> > > > that is takes during certificate issuance.
> > > >
> > > > Regards,
> > > > Tomas
> > > > ---
> > > > RSA Conference 2017
> > > > ------------------------------------------------------------------
> > > > San Francisco | February 13-17 | Moscone Center
> > > > Come visit us in booth #627 at RSA Conference 2017!
> > > >
> > > > Want a free expo pass?
> > > > Go to https://www.rsaconference.com/events/us17/register
> > > > and use the code: XE7PRMKEY
> > > >
> > > > On 2017-02-02 04:44, Nikita Bedmutha wrote:
> > > > > Sorry for spamming, but just correcting the query:
> > > > >
> > > > > I want to make a certificate request which uses the subject DN from CSR
> > > > > and not the registered end entity subject DN . I am using the
> > > > > certificate profile which has 'Allow subject DN override by CSR'
> > > > > checked. However the web service requests 'pkcs10Request' as well as
> > > > > 'certificateRequest' do not return certificates with subject DN
> > > > > overridden by the CSR but uses the registered DN only.
> > > > >
> > > > > On the other hand, using the same CSR, the public web call 'Create
> > > > > Certificate from CSR' as well as the 'createcert' CLI command generates
> > > > > a certificate which has the subject DN overridden by the CSR.
> > > > >
> > > > > Your inputs would really be very helpful.
> > > > > Thanks.
> > > > > > > > > > Regards, > > > > > Nikita Bedmutha > > > > > > > > > > > > > > > > > > > > On Wed, Feb 1, 2017 at 4:50 PM, Nikita Bedmutha > > > > > <nik...@gs... > <mailto:nik...@gs...> > > <mailto:nik...@gs... > <mailto:nik...@gs...>> > > > <mailto:nik...@gs... > <mailto:nik...@gs...> > > <mailto:nik...@gs... > <mailto:nik...@gs...>>> > > <mailto:nik...@gs... > <mailto:nik...@gs...> > <mailto:nik...@gs... > <mailto:nik...@gs...>> > > > <mailto:nik...@gs... > <mailto:nik...@gs...> > > <mailto:nik...@gs... > <mailto:nik...@gs...>>>> > > > > <mailto:nik...@gs... > <mailto:nik...@gs...> > > <mailto:nik...@gs... > <mailto:nik...@gs...>> > > > <mailto:nik...@gs... > <mailto:nik...@gs...> > > <mailto:nik...@gs... > <mailto:nik...@gs...>>> > > > > <mailto:nik...@gs... > <mailto:nik...@gs...> > <mailto:nik...@gs... > <mailto:nik...@gs...>> > > <mailto:nik...@gs... > <mailto:nik...@gs...> > > <mailto:nik...@gs... > <mailto:nik...@gs...>>>>>> wrote: > > > > > > > > > > Hi, > > > > > > > > > > I have a user(end-entity) created using > a certificate profile which > > > > > has 'Allow Subject DN override' checked. > This end-entity is > > > > > registered with Token as User Generated. > > > > > When I use 'Create Certificate from CSR' > option on public web, I get > > > > > the certificate with the subject DN used > while creating the CSR and > > > > > not the registered DN. > > > > > Now I want to achieve same using web > service call. I tried the > > > > > 'certificateRequest' and 'pkcs10' > request with the same CSR that I > > > > > used in previous Public web call. But in > the web service call case, > > > > > I get certificate with the registered DN > and not overridden by the CSR. > > > > > > > > > > Kindly guide me how to achieve this. 
> > > > > > > > > > Thanks and Regards, > > > > > Nikita > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------------ > > > > > Check out the vibrant tech community on one > of the world's most > > > > > engaging tech sites, SlashDot.org! > http://sdm.link/slashdot > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > Ejbca-develop mailing list > > > > > Ejb...@li... > <mailto:Ejb...@li...> > > <mailto:Ejb...@li... > <mailto:Ejb...@li...>> > > > <mailto:Ejb...@li... > <mailto:Ejb...@li...> > > <mailto:Ejb...@li... > <mailto:Ejb...@li...>>> > > > > <mailto:Ejb...@li... > <mailto:Ejb...@li...> > > <mailto:Ejb...@li... > <mailto:Ejb...@li...>> > > > <mailto:Ejb...@li... > <mailto:Ejb...@li...> > > <mailto:Ejb...@li... > <mailto:Ejb...@li...>>>> > > > > > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > <https://lists.sourceforge.net/lists/listinfo/ejbca-develop> > > > <https://lists.sourceforge.net/lists/listinfo/ejbca-develop > <https://lists.sourceforge.net/lists/listinfo/ejbca-develop>> > > > > <https://lists.sourceforge.net/lists/listinfo/ejbca-develop > <https://lists.sourceforge.net/lists/listinfo/ejbca-develop> > > > <https://lists.sourceforge.net/lists/listinfo/ejbca-develop > <https://lists.sourceforge.net/lists/listinfo/ejbca-develop>>> > > > > > <https://lists.sourceforge.net/lists/listinfo/ejbca-develop > <https://lists.sourceforge.net/lists/listinfo/ejbca-develop> > > > <https://lists.sourceforge.net/lists/listinfo/ejbca-develop > <https://lists.sourceforge.net/lists/listinfo/ejbca-develop>> > > > > <https://lists.sourceforge.net/lists/listinfo/ejbca-develop > <https://lists.sourceforge.net/lists/listinfo/ejbca-develop> > > > <https://lists.sourceforge.net/lists/listinfo/ejbca-develop > <https://lists.sourceforge.net/lists/listinfo/ejbca-develop>>>> > > > > > > > > > > > > > > 
|
|
From: Nikita B. <nik...@gs...> - 2017-02-10 06:24:23
|
Hi,

My issue is resolved with the EJBCA 6.5.0 version. The subject DN is overridden now in web services call.
Thanks.

Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>

On Thu, Feb 9, 2017 at 7:18 PM, Nikita Bedmutha <nik...@gs...> wrote:

> Sure. I will try on latest version. Thanks.
>
> Regards,
> Nikita Bedmutha
> Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
>
> On Thu, Feb 9, 2017 at 7:04 PM, Tomas Gustavsson <to...@pr...> wrote:
>
>> Might be a new feature. Can you test 6.5.0?
>>
>> (I will update 6.5.0 release in a few days with a small upgrade fix, see other issue in forums)
>>
>> Cheers,
>> Tomas
>>
>> On 2017-02-09 14:10, Nikita Bedmutha wrote:
>> > Hi,
>> >
>> > Thanks for the pointers.
>> >
>> > I am using EJBCA 6.3.1.1 Community (r21429)
>> >
>> > I tried clientToolBox today on this version of EJBCA.
>> > My command looked : ./ejbcaClientToolBox.sh EjbcaWsRaCli certreq mgmtUser "CN=mgmtUser,C=SE" NULL ICA12 "Client EndEntity Profile" "Client Cert Profile" ./csr.pem PKCS10 PEM NONE .
>> > which generated the mgmtUser.pem certificate file. However this certificate did not have the subjectDN overridden. It was same 'CN=mgmtUser,C=SE' given in the request and not the one given while creating CSR.
>> > Again, when trying this same csr file with public web call, it returned overridden subjectDN in certificate.
>> >
>> > I tried then the DER format for the above request:
>> > ./ejbcaClientToolBox.sh EjbcaWsRaCli certreq mgmtUser "CN=mgmtUser,C=SE" NULL ICA12 "Client EndEntity Profile" "Client Cert Profile" ./dercsr.der PKCS10 DER NONE .
>> >
>> > However it returned:
>> > com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
>> >  at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
>> > org.ejbca.ui.cli.ErrorAdminCommandException: com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
>> >  at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
>> >     at org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:146)
>> >     at org.ejbca.core.protocol.ws.client.ejbcawsracli.main(ejbcawsracli.java:36)
>> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> >     at java.lang.reflect.Method.invoke(Method.java:498)
>> >     at org.ejbca.ui.cli.EjbcaWsRaCli.execute(EjbcaWsRaCli.java:36)
>> >     at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
>> >     at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:66)
>> > Caused by: com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
>> >  at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
>> >     at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
>> >     at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)
>> >     at com.sun.xml.internal.ws.client.sei.StubHandler.readResponse(StubHandler.java:238)
>> >     at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:189)
>> >     at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:276)
>> >     at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:104)
>> >     at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
>> >     at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
>> >     at com.sun.proxy.$Proxy32.certificateRequest(Unknown Source)
>> >     at org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:111)
>> >     ... 8 more
>> >
>> > I did make sure that the CSR generated is in proper DER format. However will look into it more.
>> >
>> > Regards,
>> > Nikita Bedmutha
>> > Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
>> >
>> > On Thu, Feb 9, 2017 at 2:46 PM, Tomas Gustavsson <to...@pr...> wrote:
>> >
>> >     What version of EJBCA are you using btw?
>> >
>> >     I'm using this WS command:
>> >
>> >     ./ejbcaClientToolBox.sh EjbcaWsRaCli certreq req9 "CN=req9,O=Edited,C=SE" NULL ManagementCA User Client ./p10.der PKCS10 DER NONE .
>> >
>> >     My CSR have subjectDN:
>> >     C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=req9
>> >
>> >     If I have enabled "Allow Subject DN Override by CSR" in the Certificate Profile "Client". My issued certificate gets the DN from the p10.
>> >
>> >     If you try using clientToolBox first, then you will know if/how the feature works, and then you can try to translate it to SOAP-UI (you can even debug log the full soap messages).
>> >
>> >     Regards,
>> >     Tomas
>> >     ---
>> >     RSA Conference 2017
>> >     ------------------------------------------------------------------
>> >     San Francisco | February 13-17 | Moscone Center
>> >     Come visit us in booth #627 at RSA Conference 2017!
>> >
>> >     Want a free expo pass?
>> >     Go to https://www.rsaconference.com/events/us17/register
>> >     and use the code: XE7PRMKEY
>> >
>> >     On 2017-02-08 14:35, Nikita Bedmutha wrote:
>> > > Serious apologies for sending incomplete data. Well, I observed the Debug logs for both the calls, call from web service and call from public web. Here are my observations:
>> > >
>> > > 1. For the pkcs10Request webservice call through SOAP UI, the INFO log has an entry:
>> > > CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My Organization,C=SE;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
>> > >
>> > > where, requestX500name=null
>> > >
>> > > 2. For public web 'Create Certificate from CSR' call:
>> > > CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;RequestInstance: 123.252.222.122;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
>> > >
>> > > where, requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK
>> > >
>> > > Both the calls use same CSR, also same certificate profile is being used in both cases and the public key extracted from CSR also looks same.
>> > >
>> > > However, in case of public web call we see a log statement, 'Using X509Name from request instead of user's registered.' which is missing in webservice call log and only 'Using subjectDN: CN=user1,OU=GSL,C=IN' can be seen.
>> > > I suspect this could be because requestX500name is null in case of webservice call.
>> > >
>> > > However, we are using same CSR and so this behaviour is bit confusing.
>> > > If this info can help. Thanks.
>> > >
>> > > Regards,
>> > > Nikita Bedmutha
>> > > Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
>> > >
>> > > On Wed, Feb 8, 2017 at 3:21 PM, Tomas Gustavsson <to...@pr...> wrote:
>> > >
>> > >     I can only re-iterate here:
>> > >
>> > >     ---
>> > >     Debug logging will show in detail all decisions regarding override or not that is takes during certificate issuance.
>> > >     ---
>> > >
>> > >     For more information about logging, how to configure debug etc, see
>> > >     https://www.ejbca.org/docs/adminguide.html#Logging
>> > >
>> > >     /Tomas
>> > >
>> > >     On 2017-02-08 10:10, Nikita Bedmutha wrote:
>> > > > Hi,
>> > > >
>> > > > I know this must be the very basic requirement to get the certificate with subject DN overridden. But I have tried my best with all settings but no clue what's going wrong.
>> > > > I have a user 'user1' which is created with a 'Client endentity profile' which uses default cert profile as 'Client Cert Profile'. This certificate profile has 'Allow subject DN override by CSR' and 'Allow subject DN override by End Entity Information' checked. In the case where both are checked, documentation says that DN will be overridden by CSR.
>> > > >
>> > > > Now I make this SOAP call for pkcs10Request:
>> > > > Body:
>> > > > <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://ws.protocol.core.ejbca.org/">
>> > > >    <soapenv:Header/>
>> > > >    <soapenv:Body>
>> > > >       <ws:pkcs10Request>
>> > > >          <!--Optional:-->
>> > > >          <arg0>user1</arg0>
>> > > >          <!--Optional:-->
>> > > >          <arg1>password</arg1>
>> > > >          <!--Optional:-->
>> > > >          <arg2>-----BEGIN CERTIFICATE REQUEST-----
>> > > > MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
>> > > > DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
>> > > > DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
>> > > > nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
>> > > > Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
>> > > > 2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
>> > > > fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
>> > > > LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
>> > > > AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
>> > > > RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
>> > > > 1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
>> > > > EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
>> > > > ++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
>> > > > fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
>> > > > -----END CERTIFICATE REQUEST-----</arg2>
>> > > >          <!--Optional:-->
>> > > >          <arg3></arg3>
>> > > >          <!--Optional:-->
>> > > >          <arg4>CERTIFICATE</arg4>
>> > > >       </ws:pkcs10Request>
>> > > >    </soapenv:Body>
>> > > > </soapenv:Envelope>
>> > > >
>> > > > I even made call without '-----BEGIN CERTIFICATE REQUEST-----' and '-----END CERTIFICATE REQUEST-----' but no success.
>> > > > In both cases, the certificate generated still uses the subject DN which was used while creating the user. I tried this webservice call using SOAP-UI as well as eclipse code. Only when the call is made using public web 'Create certificate from CSR' or cli command, the subject DN is overridden. For some reason unable to achieve it through web service call. Kindly guide me if I am doing anything wrong here.
>> > > >
>> > > > Regards,
>> > > > Nikita Bedmutha
>> > > > Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
>> > > >
>> > > > On Fri, Feb 3, 2017 at 5:35 AM, Tomas Gustavsson <to...@pr...> wrote:
>> > > >
>> > > >     This is very common to do this using WS so there is probably something wrong with your call. Are you using the correct certificate profile in your WS call?
>> > > >
>> > > >     Debug logging will show in detail all decisions regarding override or not that is takes during certificate issuance.
>> > > >
>> > > >     Regards,
>> > > >     Tomas
>> > > >
>> > > >     On 2017-02-02 04:44, Nikita Bedmutha wrote:
>> > > > > Sorry for spamming, but just correcting the query:
>> > > > >
>> > > > > I want to make a certificate request which uses the subject DN from CSR and not the registered end entity subject DN. I am using the certificate profile which has 'Allow subject DN override by CSR' checked. However the web service requests 'pkcs10Request' as well as 'certificateRequest' do not return certificates with subject DN overridden by the CSR but uses the registered DN only.
>> > > > >
>> > > > > On the other hand, using the same CSR, the public web call 'Create Certificate from CSR' as well as the 'createcert' CLI command generates a certificate which has the subject DN overridden by the CSR.
>> > > > >
>> > > > > Your inputs would really be very helpful.
>> > > > > Thanks.
>> > > > >
>> > > > > Regards,
>> > > > > Nikita Bedmutha
>> > > > >
>> > > > > On Wed, Feb 1, 2017 at 4:50 PM, Nikita Bedmutha <nik...@gs...> wrote:
>> > > > >
>> > > > >     Hi,
>> > > > >
>> > > > >     I have a user(end-entity) created using a certificate profile which has 'Allow Subject DN override' checked. This end-entity is registered with Token as User Generated.
>> > > > >     When I use 'Create Certificate from CSR' option on public web, I get the certificate with the subject DN used while creating the CSR and not the registered DN.
>> > > > >     Now I want to achieve same using web service call. I tried the 'certificateRequest' and 'pkcs10' request with the same CSR that I used in previous Public web call. But in the web service call case, I get certificate with the registered DN and not overridden by the CSR.
>> > > > >
>> > > > >     Kindly guide me how to achieve this.
>> > > > >
>> > > > >     Thanks and Regards,
>> > > > >     Nikita
|
|
From: Bruce B. <br...@id...> - 2017-02-09 16:46:38
|
SHA384-PSS is our current use case. We have been able to do this with openSSL, but want a more robust solution. We have SHA384 working in ejbca. Now we just need to get PSS working. We are OK with a software solution for a while, although we will need to move to HSM in a few months. For now, a solution which enables PSS in software is fine.

Best,
Bruce

> Message: 2
> Date: Thu, 9 Feb 2017 09:33:36 +0100
> From: Tomas Gustavsson <to...@pr...>
> Subject: Re: [Ejbca-develop] Issue certificates with SHA-384/PSS
> To: ejb...@li...
> Message-ID: <2ab...@pr...>
> Content-Type: text/plain; charset=windows-1252
>
> Right, currently only SHA256 is available. Do you have a standard use
> case where SHA-384 is needed? To motivate adding the feature. Adding
> algorithms for "soft" keystores are actually quite simple, only with
> HSMs is it more tricky since currently PSS requires java patches to work
> with HSMs for that algorithm.
>
> Regards,
> Tomas
>
> On 2017-02-08 18:07, Bruce Bernstein wrote:
>> Has anyone been able to coerce ejbca community edition to issue
>> certificates signed with RSASSA-PSS format SHA-384? It seems from the
>> docs that this is only available with the enterprise edition using HSM.
>> We need a software solution, preferably with software encoding. Any
>> pointers would be appreciated.
>>
>> Thanks,
>> Bruce |
|
From: Nikita B. <nik...@gs...> - 2017-02-09 13:48:26
|
Sure. I will try on latest version. Thanks.

Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>

On Thu, Feb 9, 2017 at 7:04 PM, Tomas Gustavsson <to...@pr...> wrote:
> Might be a new feature. Can you test 6.5.0?
>
> (I will update 6.5.0 release in a few days with a small upgrade fix, see
> other issue in forums)
>
> Cheers,
> Tomas |
|
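The comparison made by eye in this thread between the two CERT_REQUEST audit entries (`requestX500name=null` for the web-service call, a full DN for the public-web call) can be run over a whole log. The following is an added example, not code from the thread or from EJBCA; the sample lines are constructed from the two quoted entries with the public key replaced by a placeholder, and the meaning of the positional fields (caller in field 5, username in field 8) is an assumption read off those entries.

```python
"""Audit EJBCA CERT_REQUEST log entries for requester-supplied subject DNs."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the two entries quoted in the thread.
# The publickey value is a placeholder, not the key from the thread.
SAMPLE_LOG = (
    "CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My Organization,C=SE;"
    "-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;"
    "certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;"
    "publickey=PLACEHOLDER\n"
    "CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;RequestInstance: 123.252.222.122;"
    "-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;"
    "requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;"
    "certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;"
    "publickey=PLACEHOLDER\n"
)

# Only these names are treated as key=value fields; the caller DN in field 5
# also contains '=' and must not be mistaken for one.
KNOWN_KEYS = {"subjectdn", "requestX500name", "certprofile", "keyusage",
              "notbefore", "notafter", "sequence", "publickey"}


@dataclass
class CertRequest:
    status: str
    caller: str            # assumption: field 5 identifies the calling admin/instance
    username: str          # assumption: field 8 is the end-entity username
    fields: Dict[str, str]


def parse_entry(line: str) -> Optional[CertRequest]:
    """Parse one audit line; tolerate a timestamp or logger prefix."""
    start = line.find("CERT_REQUEST;")
    if start < 0:
        return None
    parts = line[start:].rstrip("\r\n").split(";")
    if len(parts) < 8:
        return None
    fields: Dict[str, str] = {}
    for token in parts[8:]:
        key, sep, value = token.partition("=")   # split on the first '=' only
        if sep and key in KNOWN_KEYS:
            fields[key] = value
    return CertRequest(parts[1], parts[4], parts[7], fields)


def normalize_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Order- and whitespace-insensitive view of a DN (values stay case-sensitive)."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):        # do not split on escaped commas
        attr, sep, value = rdn.partition("=")
        if sep:
            rdns.append((attr.strip().upper(), value.strip()))
    return tuple(sorted(rdns))


def classify(req: CertRequest) -> str:
    requested = req.fields.get("requestX500name", "")
    if requested in ("", "null"):
        # The issuance path saw no DN from the CSR, so no override can apply.
        return "no-request-dn"
    if normalize_dn(requested) == normalize_dn(req.fields.get("subjectdn", "")):
        return "request-dn-matches"
    # The CSR asked for a subject other than the registered one: this is the
    # case that "Allow Subject DN Override by CSR" decides.
    return "request-dn-differs"


def audit(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (username, caller, classification) for each successful request."""
    results = []
    for line in log_text.splitlines():
        req = parse_entry(line)
        if req is not None and req.status == "SUCCESS":
            results.append((req.username, req.caller, classify(req)))
    return results


if __name__ == "__main__":
    for username, caller, verdict in audit(SAMPLE_LOG):
        print(f"{username:10} {verdict:20} via {caller}")
```

Entries classified `request-dn-differs` are the ones to review against the certificate profile's override setting, since the requester chose the subject.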
From: Tomas G. <to...@pr...> - 2017-02-09 13:34:51
|
Might be a new feature. Can you test 6.5.0?
(I will update 6.5.0 release in a few days with a small upgrade fix, see
other issue in forums)
Cheers,
Tomas
On 2017-02-09 14:10, Nikita Bedmutha wrote:
> Hi,
>
> Thanks for the pointers.
>
> I am using EJBCA 6.3.1.1 Community (r21429)
>
> I tried clientToolBox today on this version of EJBCA.
> My command looked : ./ejbcaClientToolBox.sh EjbcaWsRaCli certreq
> mgmtUser "CN=mgmtUser,C=SE" NULL ICA12 "Client EndEntity Profile"
> "Client Cert Profile" ./csr.pem PKCS10 PEM NONE .
> which generated the mgmtUser.pem certificate file. However this
> certificate did not have the subjectDN overridden. It was same
> 'CN=mgmtUser,C=SE' given in the request and not the one given while
> creating CSR.
> Again, when trying this same csr file with public web call, it returned
> overridden subjectDN in certificate.
>
>
> I tried then the DER format for the above request:
> ./ejbcaClientToolBox.sh EjbcaWsRaCli certreq mgmtUser "CN=mgmtUser,C=SE"
> NULL ICA12 "Client EndEntity Profile" "Client Cert Profile" ./dercsr.der
> PKCS10 DER NONE .
>
> However it returned:
> com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received
> SOAP Fault from server: Unmarshalling Error: Illegal character
> ((CTRL-CHAR, code 2))
> at [row,col {unknown-source}]: [1,530] Please see the server log to
> find more detail regarding exact cause of the failure.
> org.ejbca.ui.cli.ErrorAdminCommandException:
> com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received
> SOAP Fault from server: Unmarshalling Error: Illegal character
> ((CTRL-CHAR, code 2))
> at [row,col {unknown-source}]: [1,530] Please see the server log to
> find more detail regarding exact cause of the failure.
> at org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:146)
> at org.ejbca.core.protocol.ws.client.ejbcawsracli.main(ejbcawsracli.java:36)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.ejbca.ui.cli.EjbcaWsRaCli.execute(EjbcaWsRaCli.java:36)
> at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
> at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:66)
> Caused by: com.sun.xml.internal.ws.fault.ServerSOAPFaultException:
> Client received SOAP Fault from server: Unmarshalling Error: Illegal
> character ((CTRL-CHAR, code 2))
> at [row,col {unknown-source}]: [1,530] Please see the server log to
> find more detail regarding exact cause of the failure.
> at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
> at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)
> at com.sun.xml.internal.ws.client.sei.StubHandler.readResponse(StubHandler.java:238)
> at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:189)
> at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:276)
> at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:104)
> at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
> at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
> at com.sun.proxy.$Proxy32.certificateRequest(Unknown Source)
> at org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:111)
> ... 8 more
>
>
> I did make sure that the CSR generated is in proper DER format. However
> will look into it more.
>
>
>
>
>
>
> Regards,
> Nikita Bedmutha
> Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
>
>
> On Thu, Feb 9, 2017 at 2:46 PM, Tomas Gustavsson <to...@pr...> wrote:
>
>
> What version of EJBCA are you using btw?
>
> I'm using this WS command:
>
> ./ejbcaClientToolBox.sh EjbcaWsRaCli certreq req9
> "CN=req9,O=Edited,C=SE" NULL ManagementCA User Client ./p10.der PKCS10
> DER NONE .
>
> My CSR have subjectDN:
> C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=req9
>
> If I have enabled "Allow Subject DN Override by CSR" in the Certificate
> Profile "Client". My issued certificate gets the DN from the p10.
>
> If you try using clientToolBox first, then you will know if/how the
> feature works, and then you can try to translate it to SOAP-UI (you can
> even debug log the full soap messages).
>
> Regards,
> Tomas
> ---
> RSA Conference 2017
> ------------------------------------------------------------------
> San Francisco | February 13-17 | Moscone Center
> Come visit us in booth #627 at RSA Conference 2017!
>
> Want a free expo pass?
> Go to https://www.rsaconference.com/events/us17/register
> and use the code: XE7PRMKEY
>
> On 2017-02-08 14:35, Nikita Bedmutha wrote:
> > Serious apologies for sending incomplete data. Well, I observed the
> > Debug logs for both the calls, call from web service and call from
> > public web. Here are my observations:
> >
> > 1. For the pkcs10Request webservice call through SOAP UI, the INFO log
> > has an entry:
> > CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My Organization,C=SE;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
> >
> > where, requestX500name=null
> >
> > 2. For public web 'Create Certificate from CSR' call:
> > CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;RequestInstance: 123.252.222.122;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
> >
> > where, requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK
> >
> > Both the calls use the same CSR, also the same certificate profile is being
> > used in both cases and the public key extracted from the CSR also looks the
> > same.
> >
> > However, in case of public web call we see a log statement, 'Using
> > X509Name from request instead of user's registered.' which is missing in
> > webservice call log and only 'Using subjectDN: CN=user1,OU=GSL,C=IN' can
> > be seen.
> > I suspect this could be because requestX500name is null in case of
> > webservice call.
> >
> > However, we are using the same CSR and so this behaviour is a bit confusing.
> > If this info can help. Thanks.
> >
> > Regards,
> > Nikita Bedmutha
> > Software Engineer | m: +91 94042 02790 | <http://www.linkedin.com/in/nikitabedmutha>
> > Great Software Laboratory <http://www.gslab.com/>
> > On Wed, Feb 8, 2017 at 3:21 PM, Tomas Gustavsson <to...@pr...> wrote:
> >
> >
> > I can only re-iterate here:
> >
> > ---
> > Debug logging will show in detail all decisions regarding override or not
> > that it takes during certificate issuance.
> > ---
> >
> > For more information about logging, how to configure debug etc, see
> > https://www.ejbca.org/docs/adminguide.html#Logging
> >
> > /Tomas
> >
> > On 2017-02-08 10:10, Nikita Bedmutha wrote:
> > > Hi,
> > >
> > > I know this must be the very basic requirement to get the certificate
> > > with subject DN overridden. But I have tried my best with all settings
> > > but no clue what's going wrong.
> > > I have a user 'user1' which is created with a 'Client endentity profile'
> > > which uses default cert profile as 'Client Cert Profile'. This
> > > certificate profile has 'Allow subject DN override by CSR' and 'Allow
> > > subject DN override by End Entity Information' checked. In the case
> > > where both are checked, documentation says that DN will be overridden
> > > by CSR.
> > >
> > > Now I make this SOAP call for pkcs10Request:
> > > Body:
> > > <soapenv:Envelope
> > > xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> > > xmlns:ws="http://ws.protocol.core.ejbca.org/">
> > > <soapenv:Header/>
> > > <soapenv:Body>
> > > <ws:pkcs10Request>
> > > <!--Optional:-->
> > > <arg0>user1</arg0>
> > > <!--Optional:-->
> > > <arg1>password</arg1>
> > > <!--Optional:-->
> > > <arg2>-----BEGIN CERTIFICATE REQUEST-----
> > > MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
> > > DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
> > > DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
> > > nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
> > > Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
> > > 2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
> > > fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
> > > LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
> > > AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
> > > RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
> > > 1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
> > > EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
> > > ++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
> > > fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
> > > -----END CERTIFICATE REQUEST-----</arg2>
> > > <!--Optional:-->
> > > <arg3></arg3>
> > > <!--Optional:-->
> > > <arg4>CERTIFICATE</arg4>
> > > </ws:pkcs10Request>
> > > </soapenv:Body>
> > > </soapenv:Envelope>
> > >
> > >
> > > I even made call without '-----BEGIN CERTIFICATE REQUEST-----' and
> > > '-----END CERTIFICATE REQUEST-----' but no success.
> > > In both cases, the certificate generated still uses the subject DN which
> > > was used while creating the user. I tried this webservice call using
> > > SOAP-UI as well as eclipse code. Only when the call is made using public
> > > web 'Create certificate from CSR' or cli command, the subject DN is
> > > overridden. For some reason unable to achieve it through web service
> > > call. Kindly guide me if I am doing anything wrong here.
> > >
> > >
> > >
> > > Regards,
> > > Nikita Bedmutha
> > > Software Engineer | m: +91 94042 02790 | <http://www.linkedin.com/in/nikitabedmutha>
> > > Great Software Laboratory <http://www.gslab.com/>
> > >
> > >
> > > On Fri, Feb 3, 2017 at 5:35 AM, Tomas Gustavsson <to...@pr...> wrote:
> > >
> > >
> > > This is very common to do this using WS so there is probably something
> > > wrong with your call. Are you using the correct certificate profile in
> > > your WS call?
> > >
> > > Debug logging will show in detail all decisions regarding override or not
> > > that it takes during certificate issuance.
> > >
> > > Regards,
> > > Tomas
> > >
> > > On 2017-02-02 04:44, Nikita Bedmutha wrote:
> > > > Sorry for spamming, but just correcting the query:
> > > >
> > > > I want to make a certificate request which uses the subject DN from CSR
> > > > and not the registered end entity subject DN. I am using the
> > > > certificate profile which has 'Allow subject DN override by CSR'
> > > > checked. However the web service requests 'pkcs10Request' as well as
> > > > 'certificateRequest' do not return certificates with subject DN
> > > > overridden by the CSR but uses the registered DN only.
> > > >
> > > > On the other hand, using the same CSR, the public web call 'Create
> > > > Certificate from CSR' as well as the 'createcert' CLI command generates
> > > > a certificate which has the subject DN overridden by the CSR.
> > > >
> > > > Your inputs would really be very helpful.
> > > > Thanks.
> > > >
> > > > Regards,
> > > > Nikita Bedmutha
> > > >
> > > >
> > > >
> > > > On Wed, Feb 1, 2017 at 4:50 PM, Nikita Bedmutha
> > > > <nik...@gs...> wrote:
> > > >
> > > > Hi,
> > > >
> > > > I have a user(end-entity) created using a certificate profile which
> > > > has 'Allow Subject DN override' checked. This end-entity is
> > > > registered with Token as User Generated.
> > > > When I use 'Create Certificate from CSR' option on public web, I get
> > > > the certificate with the subject DN used while creating the CSR and
> > > > not the registered DN.
> > > > Now I want to achieve same using web service call. I tried the
> > > > 'certificateRequest' and 'pkcs10' request with the same CSR that I
> > > > used in previous Public web call. But in the web service call case,
> > > > I get certificate with the registered DN and not overridden by the CSR.
> > > >
> > > > Kindly guide me how to achieve this.
> > > >
> > > > Thanks and Regards,
> > > > Nikita
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Check out the vibrant tech community on one of the world's most
> > > > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> > > >
> > > > _______________________________________________
> > > > Ejbca-develop mailing list
> > > > Ejb...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>
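
The comparison made in the thread between the two CERT_REQUEST audit entries, as an added example that is not part of the original messages or of EJBCA: it parses such entries and reports whether a request DN was recorded (`requestX500name`) and whether it differs from the registered `subjectdn`. The function names are hypothetical, the positional fields are inferred from the two quoted entries, and the sample lines are constructed.

```python
import re

# Constructed sample entries modelled on the two audit lines quoted in the
# thread; the IP address is made up and the publickey value is a placeholder.
TAIL = ";certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=PLACEHOLDER"
SAMPLE_LOG = [
    "CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My Organization,C=SE;-759363256;;user1;"
    "subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null" + TAIL,
    "CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;RequestInstance: 192.0.2.10;-759363256;;user1;"
    "subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK" + TAIL,
    "CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;RequestInstance: 192.0.2.10;-759363256;;user1;"
    "subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=C=IN,OU=GSL,CN=user1" + TAIL,
]


def parse_cert_request(line):
    """Return the fields of a CERT_REQUEST entry as a dict, or None for other lines."""
    parts = line.strip().split(";")
    if len(parts) < 9 or parts[0] != "CERT_REQUEST":
        return None
    # Positions 4 (caller) and 7 (end entity) are inferred from the quoted entries.
    rec = {"status": parts[1], "caller": parts[4], "username": parts[7]}
    for field in parts[8:]:
        key, sep, value = field.partition("=")  # split once: DN values contain '='
        if sep:
            rec[key] = value
    return rec


def dn_key(dn):
    """Order-insensitive form of a DN string: sorted (TYPE, value) pairs."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):  # commas escaped as '\,' stay in the value
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return sorted(pairs)


def classify(line):
    """Say whether a request DN was recorded and whether it differs from the registered DN."""
    rec = parse_cert_request(line)
    if rec is None:
        return None
    request_dn = rec.get("requestX500name", "null")
    if request_dn in ("", "null"):
        verdict = "no-request-dn"        # as in the web service entry
    elif dn_key(request_dn) == dn_key(rec.get("subjectdn", "")):
        verdict = "request-dn-matches"
    else:
        verdict = "request-dn-differs"   # as in the public web entry
    return rec["username"], verdict


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```

Run over a real log, the `request-dn-differs` entries are the issuances where the CSR carried a subject other than the registered one.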
|