| Year | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2001 | | | | | | | | | | | 1 | 3 |
| 2002 | 3 | 2 | 8 | 3 | 6 | 1 | 15 | 6 | | 10 | 2 | 4 |
| 2003 | 1 | 7 | 3 | 6 | 7 | 5 | 5 | 25 | 14 | 2 | | 2 |
| 2004 | 7 | 4 | 12 | 16 | 43 | 56 | 43 | 40 | 66 | 12 | 26 | 10 |
| 2005 | 13 | 33 | 16 | 7 | 10 | 34 | 41 | 8 | 4 | 32 | 20 | 25 |
| 2006 | 30 | 101 | 5 | 75 | 74 | 22 | 6 | 70 | 19 | 21 | 31 | 50 |
| 2007 | 15 | 20 | 24 | 33 | 13 | 18 | 13 | 7 | 63 | 68 | 29 | 68 |
| 2008 | 30 | 33 | 30 | 103 | 78 | 48 | 72 | 24 | 62 | 63 | 70 | 37 |
| 2009 | 34 | 35 | 64 | 34 | 34 | 58 | 30 | 30 | 46 | 52 | 12 | 23 |
| 2010 | 121 | 18 | 53 | 62 | 62 | 20 | 33 | 20 | 36 | 35 | 44 | 63 |
| 2011 | 19 | 32 | 94 | 41 | 47 | 25 | 34 | 20 | 9 | 41 | 33 | 24 |
| 2012 | 12 | 36 | 48 | 32 | 20 | 15 | 32 | 13 | 33 | 54 | 25 | 16 |
| 2013 | 45 | 39 | 38 | 50 | 29 | 30 | 33 | 12 | 9 | 25 | 29 | 20 |
| 2014 | 25 | 19 | 16 | 33 | 27 | 37 | 29 | 27 | 37 | 58 | 109 | 26 |
| 2015 | 4 | 35 | 22 | 35 | 28 | 20 | 4 | 16 | 37 | 13 | 13 | 14 |
| 2016 | 22 | 7 | 23 | 30 | 10 | 10 | 15 | 12 | 22 | 31 | 5 | 5 |
| 2017 | 30 | 25 | 28 | 4 | 19 | 13 | 7 | 1 | 2 | 5 | 12 | 2 |
| 2018 | 7 | | 7 | 2 | 8 | 18 | 6 | 3 | 15 | 33 | 13 | 7 |
| 2019 | 5 | 7 | 30 | 5 | 4 | 69 | 86 | 22 | 6 | 7 | 5 | 3 |
| 2020 | 10 | 12 | 22 | 5 | 1 | 4 | 6 | | 9 | | | 1 |
| 2021 | 4 | 11 | 7 | 7 | | 3 | 10 | 6 | | | 18 | 2 |
| 2022 | 1 | 1 | | | | 2 | | 4 | | | | |
| 2023 | | | | 1 | 1 | | | 5 | | | | |
From: Christian F. <pu...@fe...> - 2014-07-16 06:50:21

On 15.07.14 15:29, Tomas Gustavsson wrote:
> On 2014-07-15 13:38, Christian Felsing wrote:
>> Hello,
>>
>> while trying to create a CVC CA in EJBCA Community I got following message:
>>
>> CVC CA type is not available in this version of EJBCA
>>
>> Does that mean community edition does not support CVC?
>
> That is correct. Since it's so specific for country/government usage
> there is no possibility to maintain it for free, and the community is
> pretty small.
>
> Cheers,
> Tomas

CVC is not only for government related applications, there is an open source project sc-hsm which also supports CVC, because that card will claim to be suitable for CVC applications. With this card ejbca may become a solution for CVC based application besides government applications. At demo.openscdp.org is a demo for EAC-PKI applications.

cheers
Christian

From: Michael G. <mik...@ho...> - 2014-07-15 19:55:06

So I'm trying to deploy EJBCA 6.0.3 to JBOSS 7.1.1 with a Postgresql 9.1 backend on Wheezy. I've added the driver and created the datasource. But JBOSS gives this error at startup:

14:33:44,479 INFO [org.jboss.as.controller] (DeploymentScanner-threads - 2) JBAS014774: Service status report
JBAS014775: New missing/unsatisfied dependencies:
service jboss.naming.context.java.module.ejbca.adminweb (missing) dependents: [service jboss.naming.context.java.module.ejbca.adminweb.ValidatorFactory, service jboss.naming.context.java.module.ejbca.adminweb.Validator]
JBAS014777: Services which failed to start:
service jboss.deployment.subunit."ejbca.ear"."ejbca-ws-ejb.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."ejbca.ear"."ejbca-ws-ejb.jar".POST_MODULE: Failed to process phase POST_MODULE of subdeployment "ejbca-ws-ejb.jar" of deployment "ejbca.ear"
service jboss.deployment.subunit."ejbca.ear"."systemtests-ejb.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."ejbca.ear"."systemtests-ejb.jar".POST_MODULE: Failed to process phase POST_MODULE of subdeployment "systemtests-ejb.jar" of deployment "ejbca.ear"
service jboss.deployment.subunit."ejbca.ear"."ejbca-ejb.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."ejbca.ear"."ejbca-ejb.jar".POST_MODULE: Failed to process phase POST_MODULE of subdeployment "ejbca-ejb.jar" of deployment "ejbca.ear"
service jboss.deployment.subunit."ejbca.ear"."publicweb.war".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."ejbca.ear"."publicweb.war".POST_MODULE: Failed to process phase POST_MODULE of subdeployment "publicweb.war" of deployment "ejbca.ear"
service jboss.deployment.subunit."ejbca.ear"."adminweb.war".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."ejbca.ear"."adminweb.war".POST_MODULE: Failed to process phase POST_MODULE of subdeployment "adminweb.war" of deployment "ejbca.ear"
service jboss.deployment.subunit."ejbca.ear"."cesecore-ejb.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."ejbca.ear"."cesecore-ejb.jar".POST_MODULE: Failed to process phase POST_MODULE of subdeployment "cesecore-ejb.jar" of deployment "ejbca.ear"

Full JBOSS log ---> http://pastebin.com/qzLfTMh2

ant deploy completed successfully but ant install errored out with "JAVA returned 1".

From: Tomas G. <to...@pr...> - 2014-07-15 13:29:52

On 2014-07-15 13:38, Christian Felsing wrote:
> Hello,
>
> while trying to create a CVC CA in EJBCA Community I got following message:
>
> CVC CA type is not available in this version of EJBCA
>
> Does that mean community edition does not support CVC?

That is correct. Since it's so specific for country/government usage there is no possibility to maintain it for free, and the community is pretty small.

Cheers,
Tomas

> best regards
> Christian
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop

From: Christian F. <pu...@fe...> - 2014-07-15 11:56:22

Hello,

while trying to create a CVC CA in EJBCA Community I got following message:

CVC CA type is not available in this version of EJBCA

Does that mean community edition does not support CVC?

best regards
Christian

From: Tomas G. <to...@pr...> - 2014-07-10 14:18:54

Hi Sriram,

CMP Vendor CA certificate mode, as specified in 3GPP for example, is only available in EJBCA Enterprise.

Cheers,
Tomas
**********
PrimeKey Solutions AB
Anderstorpsvägen 16, 171 54 Solna, Sweden
Mob: +46 (0)707421096
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**********

On 2014-07-10 15:36, Sriram wrote:
> Hello Everyone,
>
> I have configured "End Entity Certificate" under CMP Authentication
> Module in cmp.
> while sending the Cmp IR request, protection field is generated using
> RSA private key whose corresponding device certificate is sent in
> extracerts.
>
> I have done the import of Vendor CA which has issued the device
> certificate. But Cmp IR is not going through. EJBCA complains that
>
> "The End Entity certificate attached to the PKIMessage in the extraCert
> field does not belong to user"
>
> How to make it work ? Any help in the configuration is appreciated.
>
> Regards,
> Sriram.

From: Sriram <sri...@gm...> - 2014-07-10 13:36:28

Hello Everyone,

I have configured "End Entity Certificate" under CMP Authentication Module in cmp. While sending the Cmp IR request, protection field is generated using RSA private key whose corresponding device certificate is sent in extracerts.

I have done the import of Vendor CA which has issued the device certificate. But Cmp IR is not going through. EJBCA complains that

"The End Entity certificate attached to the PKIMessage in the extraCert field does not belong to user"

How to make it work? Any help in the configuration is appreciated.

Regards,
Sriram.

From: Michael P. <M.P...@pa...> - 2014-07-04 11:52:55

Thanks. Just realized. The error is gone now.

cheers
nomike

-----Original Message-----
From: Tomas Gustavsson [mailto:to...@pr...]
Sent: Friday, 4 July 2014 12:07
To: ejb...@li...
Subject: Re: [Ejbca-develop] BUILD FAILED: /home/pscuser/ejbca_ce_6_2_0/bin/jboss.xml:568: Problem: failed to create task or type local: Cause: The name is undefined.

You are not using a fresh enough version of Ant.

Cheers,
Tomas
-----
Save time and money with an Enterprise support subscription.
Please see www.primekey.se for more information.
http://www.primekey.se/Products/EJBCA+PKI/
http://www.primekey.se/Services/Support/

On 2014-07-04 11:42, Michael Postmann wrote:
> Hi!
>
> I'm trying to install a test setup of EJBCA 6.2.0 and during "ant deploy"
> I get the following error message:
>
> ---SNIP---
> .
> inputDatabasePassword:
> [input] skipping input as property database.password has already been set.
>
> deploy:
>
> customejbca.message:
>
> appserver.error.message:
> [echo] jndi.properties.file: /home/pscuser/ejbca_ce_6_2_0/conf/jndi.properties.jboss7
>
> jee:undeployJBoss7:
>
> BUILD FAILED
> /home/pscuser/ejbca_ce_6_2_0/build.xml:649: The following error occurred while executing this line:
> /home/pscuser/ejbca_ce_6_2_0/bin/jboss.xml:443: The following error occurred while executing this line:
> /home/pscuser/ejbca_ce_6_2_0/bin/jboss.xml:568: Problem: failed to create task or type local
> Cause: The name is undefined.
> Action: Check the spelling.
> Action: Check that any custom tasks/types have been declared.
> Action: Check that any <presetdef>/<macrodef> declarations have taken place
> ---SNAP---
>
> (see the full build log attached)
>
> I'm using jBoss as-7.1.1.Final and the system is running RHEL 6.5.
>
> Some software versions:
>
> ---SNIP---
> user@server ~/ejbca_ce_6_2_0 % java -version
> java version "1.7.0_55"
> Java(TM) SE Runtime Environment (build 1.7.0_55-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed mode)
>
> user@server ~/ejbca_ce_6_2_0 % yum search jdk
> Loaded plugins: product-id, rhnplugin, security, subscription-manager
> *Note* Red Hat Network repositories are not listed below. You must run
> this command as root to access RHN repositories.
> ---SNAP---
>
> The versions of "ant" and "java" are the newest ones provided in the repo's.
>
> I found another thread on the mailinglist where the user had the same
> error but with running ant-1.9.x and it was suggested to downgrade to
> ant-1.8.x.
>
> Do you know what is the minimum required version of ant for EJBCA to
> successfully build?
>
> Thanks!
>
> cheers
>
> nomike

From: Tomas G. <to...@pr...> - 2014-07-04 10:06:57

You are not using a fresh enough version of Ant.

Cheers,
Tomas
-----
Save time and money with an Enterprise support subscription.
Please see www.primekey.se for more information.
http://www.primekey.se/Products/EJBCA+PKI/
http://www.primekey.se/Services/Support/

On 2014-07-04 11:42, Michael Postmann wrote:
> Hi!
>
> I'm trying to install a test setup of EJBCA 6.2.0 and during "ant deploy"
> I get the following error message:
>
> ---SNIP---
> ...
> inputDatabasePassword:
> [input] skipping input as property database.password has already been set.
>
> deploy:
>
> customejbca.message:
>
> appserver.error.message:
> [echo] jndi.properties.file: /home/pscuser/ejbca_ce_6_2_0/conf/jndi.properties.jboss7
>
> jee:undeployJBoss7:
>
> BUILD FAILED
> /home/pscuser/ejbca_ce_6_2_0/build.xml:649: The following error occurred while executing this line:
> /home/pscuser/ejbca_ce_6_2_0/bin/jboss.xml:443: The following error occurred while executing this line:
> /home/pscuser/ejbca_ce_6_2_0/bin/jboss.xml:568: Problem: failed to create task or type local
> Cause: The name is undefined.
> Action: Check the spelling.
> Action: Check that any custom tasks/types have been declared.
> Action: Check that any <presetdef>/<macrodef> declarations have taken place
> ---SNAP---
>
> (see the full build log attached)
>
> I'm using jBoss as-7.1.1.Final and the system is running RHEL 6.5.
>
> Some software versions:
>
> ---SNIP---
> user@server ~/ejbca_ce_6_2_0 % java -version
> java version "1.7.0_55"
> Java(TM) SE Runtime Environment (build 1.7.0_55-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed mode)
>
> user@server ~/ejbca_ce_6_2_0 % yum search jdk
> Loaded plugins: product-id, rhnplugin, security, subscription-manager
> *Note* Red Hat Network repositories are not listed below. You must run
> this command as root to access RHN repositories.
> ---SNAP---
>
> The versions of "ant" and "java" are the newest ones provided in the repo's.
>
> I found another thread on the mailinglist where the user had the same
> error but with running ant-1.9.x and it was suggested to downgrade to
> ant-1.8.x.
>
> Do you know what is the minimum required version of ant for EJBCA to
> successfully build?
>
> Thanks!
>
> cheers
>
> nomike

From: Тимур <tim...@gm...> - 2014-06-28 15:50:14
Hello,

I try to install EJBCA 3.11.0 with Oracle 9i EE database (9.2.0.7.0) using ojdbc6.jar which is certified for both DB 9i and Java 6. The database uses UTF-8 codepage.

"Ant bootstrap" has completed fine, no errors. But at jBoss starting time I see an error:

19:51:20,391 ERROR [AbstractKernelController] Error installing to Real: name=vfszip:/ejbca/jboss-5.0.1.GA/server/default/deploy/ejbca.ear/ state=PreReal mode=Manual requiredState=Real
org.jboss.deployment.DeploymentException: Error while creating table HARDTOKENPROPERTYDATA
at org.jboss.ejb.plugins.cmp.jdbc.JDBCStartCommand.createTable(JDBCStartCommand.java:580)
at org.jboss.ejb.plugins.cmp.jdbc.JDBCStartCommand.execute(JDBCStartCommand.java:213)
at org.jboss.ejb.plugins.cmp.jdbc.JDBCStoreManager.startStoreManager(JDBCStoreManager.java:499)
at org.jboss.ejb.plugins.cmp.jdbc.JDBCStoreManager.start(JDBCStoreManager.java:396)

I found a discussion of similar trouble with MySql (http://sourceforge.net/p/ejbca/discussion/123123/thread/d2a90480/) which was fixed by editing jbosscmp-jdbc-bean_name.xml under src/deploy/ejb/merge/mysql/se/anatom/ejbca/ directory.

Here is my /ejbca_3_11_0/src/deploy/ejb/merge/oracle/org/ejbca/core/ejb/hardtoken/jbosscmp-jdbc-HardTokenPropertyEntityBean.xml

jboss@rootca:/ejbca$ cat ./ejbca_3_11_0/src/deploy/ejb/merge/oracle/org/ejbca/core/ejb/hardtoken/jbosscmp-jdbc-HardTokenPropertyEntityBean.xml
<cmp-field>
  <field-name>id</field-name>
  <jdbc-type>VARCHAR</jdbc-type>
  <sql-type>VARCHAR(80) BINARY</sql-type>
</cmp-field>
<cmp-field>
  <field-name>property</field-name>
</cmp-field>
<cmp-field>
  <field-name>value</field-name>
</cmp-field>
<cmp-field>
  <field-name>rowVersion</field-name>
</cmp-field>
<cmp-field>
  <field-name>rowProtection</field-name>
  <jdbc-type>LONGVARCHAR</jdbc-type>
  <sql-type>CLOB</sql-type>
</cmp-field>
jboss@rootca:/ejbca$

I see "BINARY" in sql-type definition - is it wrong typing? As it's for MySql syntax not for Oracle DB.

I have removed "BINARY" from sql-type definition and JBoss start with DB instantiation has passed ok:

SQL> select count(*) from dba_objects where owner='EJBCA';

  COUNT(*)
----------
       109

Regards, Timur

2014-06-26 15:30 GMT+06:00 Tomas Gustavsson <to...@pr...>:
>
> Sorry, you'll have to investigate JBoss specifics yourself, I do not
> know that on top of my head.
>
> (or get support if you need someone to figure it out for you).
>
> Cheers,
> Tomas
>
> On 2014-06-26 11:13, Тимур wrote:
> > Hello, Tomas !
> >
> > Could you please to prompt how to switch EJBCA 6.1.1 from TLSv1 to SSLv3
> > for serving incoming requests from external java-application which tries
> > to connect to EJBCA host:8443 ? (external java-app is old enough and was
> > created for EJBCA 3.11)
> >
> > 14:29:50,458 INFO [stdout] (http--0.0.0.0-8443-1) http--0.0.0.0-8443-1, SEND TLSv1 ALERT: fatal, description = unexpected_message
> > 14:29:50,460 INFO [stdout] (http--0.0.0.0-8443-1) http--0.0.0.0-8443-4, SEND TLSv1 ALERT: http--0.0.0.0-8443-1, WRITE: TLSv1 Alert, length = 2
> > 14:29:50,461 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, handling exception: java.net.SocketTimeoutException: Read timed out
> > 14:29:50,463 INFO [stdout] (http--0.0.0.0-8443-1) http--0.0.0.0-8443-1, called closeSocket()
> > 14:29:50,464 INFO [stdout] (http--0.0.0.0-8443-4) fatal, description = unexpected_message
> >
> > 14:56:15,896 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, WRITE: TLSv1 Handshake, length = 48
> > 14:56:15,903 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, READ: TLSv1 Change Cipher Spec, length = 1
> > 14:56:15,905 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, READ: TLSv1 Handshake, length = 48
> > 14:56:15,906 INFO [stdout] (http--0.0.0.0-8443-3) *** Finished
> > 14:56:15,906 INFO [stdout] (http--0.0.0.0-8443-3) verify_data: { 107, 133, 194, 246, 254, 149, 3, 99, 208, 155, 18, 181 }
> > 14:56:15,907 INFO [stdout] (http--0.0.0.0-8443-3) ***
> > 14:56:15,908 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, READ: TLSv1 Application Data, length = 32
> > 14:56:15,909 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, READ: TLSv1 Application Data, length = 528
> > 14:56:15,911 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, WRITE: TLSv1 Application Data, length = 368
> > 14:56:15,969 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, READ: TLSv1 Application Data, length = 32
> > 14:56:15,970 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, READ: TLSv1 Application Data, length = 464
> > 14:56:15,973 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, WRITE: TLSv1 Application Data, length = 32
> > 14:56:15,974 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, WRITE: TLSv1 Application Data, length = 5344
> > 14:56:21,959 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, READ: TLSv1 Alert, length = 32
> > 14:56:21,961 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, RECV TLSv1 ALERT: warning, close_notify
> > 14:56:21,962 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, called closeInternal(false)
> > 14:56:21,962 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, SEND TLSv1 ALERT: warning, description = close_notify
> > 14:56:21,964 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, WRITE: TLSv1 Alert, length = 32
> > 14:56:21,965 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, called close()
> > 14:56:21,966 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, called closeInternal(true)
> >
> > thank you, Timur
> >
> > 2014-06-24 15:14 GMT+06:00 Tomas Gustavsson <to...@pr...>:
> >
> > Hi Timur,
> >
> > No there is no such table available that would be very time consuming to
> > produce on free basis.
> >
> > Customized development help is usually a professional services business.
> >
> > Kind regards,
> > Tomas
> >
> > On 2014-06-24 11:03, Тимур wrote:
> > > Hello, Tomas.
> > > Thank you for your prompt.
> > > Is there any external interfaces comparison table among different
> > > versions of EJBCA to see what calls to EJBCA 6.1.1 must be corrected ?
> > > For example, usual operations like check common name, check certificate
> > > validity are still the same between EJBCA 3.11.x and 6.1.x ?
> > >
> > > thank you, Timur.
> > >
> > > 2014-06-24 14:43 GMT+06:00 Tomas Gustavsson <to...@pr...>:
> > >
> > > Depending on what interfaces you are using, things have changed. Some
> > > interfaces have not changed, while some have.
> > >
> > > Cheers,
> > > Tomas
> > > ---
> > > Save time and money with an Enterprise support subscription.
> > > Please see www.primekey.se for more information.
> > > http://www.primekey.se/Products/EJBCA+PKI/
> > > http://www.primekey.se/Services/Support/
> > >
> > > On 2014-06-24 09:32, Тимур wrote:
> > > > Dears,
> > > > (there was wrong typing in EJBCA version in my previous post, so
> > > > repeating the question in a correct way)
> > > > Could you please to confirm/refute whether EJBCA 3.11.0 versus EJBCA
> > > > 6.1.1 has any difference in their external interfaces for interaction
> > > > with external java applications ?
> > > > Is some custom java application (which was designed for interaction with
> > > > EJBCA 3.11.0 (r10752) external interface) compatible with EJBCA 6.1.1
> > > > external interface ?
> > > >
> > > > thanks, Timur
> > > >
> > > > 2014-06-08 17:26 GMT+06:00 Branko Majic <br...@ma...>:
> > > >
> > > > On Sat, 7 Jun 2014 23:04:37 +0600
> > > > Тимур <tim...@gm...> wrote:
> > > >
> > > > > Hello, Branko !
> > > > > Thank you for your good advice about SSL debugging on JBoss. IP-address
> > > > > was replaced by FQDN but still JBoss rejects connection.
> > > > > Then SSL debug had been enabled on JBoss 7.1.1:
> > > > >
> > > > > [oracle@duo ~]$ curl -v "https://rootca.teka.kz:8442/ejbca" -E
> > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer
> > > > > --key /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123
> > > > > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > > > ....
> > > > > 21:10:53,179 INFO [stdout] (http--0.0.0.0-8442-Acceptor-0) Is initial handshake: true
> > > > > 21:10:53,180 INFO [stdout] (http--0.0.0.0-8442-Acceptor-0) Is secure renegotiation: false
> > > > > 21:10:53,183 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, setSoTimeout(60000) called
> > > > > 21:10:53,187 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, READ: SSL v2, contentType = Handshake, translated length = 95
> > > > > 21:10:53,190 INFO [stdout] (http--0.0.0.0-8442-1) *** ClientHello, TLSv1
> > > > > .....
> > > > > 21:10:53,286 INFO [stdout] (http--0.0.0.0-8442-1) *** ServerHello, TLSv1
> > > > > .....
> > > > > 21:10:53,550 INFO [stdout] (http--0.0.0.0-8442-1) *** ServerHelloDone
> > > > > 21:10:53,552 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, WRITE: TLSv1 Handshake, length = 2722
> > > > > 21:10:53,561 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, READ: TLSv1 Alert, length = 2
> > > > > 21:10:53,563 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, RECV TLSv1 ALERT: fatal, unknown_ca
> > > > > 21:10:53,564 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, called closeSocket()
> > > > > 21:10:53,566 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
> > > > > 21:10:53,567 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca <-------!!!!!!!
> > > > > 21:10:53,577 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, called close()
> > > > >
> > > > > JBoss SSL-certificate is for CN=rootca.teka.kz which belongs to the CA
> > > > > named "ROOTCA.TEKA.KZ".
> > > > > BUT I run "curl" utility for CA named "BTA Ipoteka CA" - all certificates
> > > > > used in "curl" options are emitted by CA "BTA Ipoteka CA":
> > > > >
> > > > > [oracle@duo ~]$ curl -v "https://rootca.teka.kz:8442/ejbca" -E
> > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer \
> > > > > --key /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123 \
> > > > > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > > >
> > > > > I cannot use CA "ROOTCA.TEKA.KZ" as it has too strong key which is not
> > > > > supported by my eToken Client; I had to create one more CA "BTA Ipoteka
> > > > > CA" with shorter key length.
> > > > > What steps to do if certificates for customer devices are emitted by CA
> > > > > "BTA Ipoteka CA" but initial CA is "ROOTCA.TEKA.KZ" and JBoss certificate
> > > > > is for initial CA.
> > > > > Probably some reconfiguration are to be done on JBoss to let one receive
> > > > > requests for new CA also ?
> > > > >
> > > > > thank you for your great job, Timur.
> > > > >
> > > > > 2014-06-07 17:07 GMT+06:00 Branko Majic <br...@ma...>:
> > > > >
> > > > > > On Fri, 6 Jun 2014 23:06:26 +0600
> > > > > > Тимур <tim...@gm...> wrote:
> > > > > >
> > > > > > > Hello, dears
> > > > > > >
> > > > > > > I have successfully installed EJBCA 6.1.1, JBoss 7.1.1.Final, openjdk 6,
> > > > > > > Oracle 9.2.0.5, ojdbc6.jar, on Ubuntu Linux ("13.04, Raring Ringtail").
> > > > > > > No any deployment and installation mistakes for this software
> > > > > > > combination. I have successfully created all profiles, add entity and I
> > > > > > > have issued my first SSL-certificate and write one to USB HSM with eToken
> > > > > > > Client. So, I have full-functional EJBCA 6.1.1 at present.
> > > > > > > I have a custom java-application which uses eToken authentication and
> > > > > > > this java-application worked fine with previous version of EJBCA and I
> > > > > > > need to organize connectivity between this java-application and EJBCA.
> > > > > > > There is a parameter for EJBCA URL in java-application config file and I
> > > > > > > pointed out this parameter to "https://10.62.2.88:8443/ejbca".
> > > > > > > Java-application uses jdk cacerts and I imported issued certificate with
> > > > > > > CA certificate of EJBCA to cacerts but no connection yet.
> > > > > > > Checking connectivity to EJBCA by curl utility also gives negative result:
> > > > > > >
> > > > > > > CA-certificate in PEM-format:
> > > > > > >
> > > > > > > [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> > > > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> > > > > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass
> > > > > > > welcome123 --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > > > > > * About to connect() to 10.62.2.88 port 8443
> > > > > > > * Trying 10.62.2.88... * connected
> > > > > > > * Connected to 10.62.2.88 (10.62.2.88) port 8443
> > > > > > > * successfully set certificate verify locations:
> > > > > > > * CAfile: /home/oracle/BTAIpotekaCA.cacert.pem
> > > > > > > CApath: none
> > > > > > > * SSL certificate problem, verify that the CA cert is OK. Details:
> > > > > > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > > > > > >
> > > > > > > CA-certificate in BASE-64 format:
> > > > > > >
> > > > > > > [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> > > > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> > > > > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass
> > > > > > > welcome123 --cacert /home/oracle/BTAIpotekaCA.cacert-base64.cer --sslv3
> > > > > > > --trace-ascii /tmp/curl.log
> > > > > > > curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> > > > > > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > > > > > > More details here: http://curl.haxx.se/docs/sslcerts.html
> > > > > > >
> > > > > > > EJBCA console log contains no records to understand why no connectivity
> > > > > > > to EJBCA.
> > > > > > > Could you please to help to find out which URL must be used to connect to
> > > > > > > EJBCA for authentication ? If "https://10.62.2.88:8443/ejbca" is correct
> > > > > > > what's the reason of trouble with EJBCA connection ?
> > > > > > >
> > > > > > > thank you, Timur.
> > > > > >
> > > > > > Hello Timur,
> > > > > >
> > > > > > The problem you are facing happens during the TLS handshake between the
> > > > > > server and client, where (at least) client is unable to verify the
> > > > > > certificate presented by JBoss.
> > > > > >
> > > > > > Since the TLS is handled by JBoss, you won't get any useful logging
> > > > > > messages from EJBCA. In fact, not even JBoss as such will produce any
> > > > > > useful debugging info. You could try enabling debugging of TLS
> > > > > > handshake via JAVA_OPTS, though.
> > > > > >
> > > > > > I've noticed you are using the IP address for connecting to JBoss/EJBCA
> > > > > > - are you sure that you have this IP address
> > specified
> > > in your
> > > > server
> > > > > > certificate (on JBoss)? If not, that is your
> problem.
> > > The IP,
> > > > FQDN, or
> > > > > > hostname used for connecting has to be part of
> > > subjectAltName
> > > > DNS name
> > > > > > (or, if subjectAltName DNS name is not present,
> > CN has
> > > to be used).
> > > > > >
> > > > > > As a side-note, you should avoid using IP address
> in
> > > > certificates or
> > > > > > for TLS connections in general, and instead rely
> > on FQDN or
> > > > hostname,
> > > > > > with FQDN being the recommended thing to use.
> > > > > >
> > > > > > I hope this explanation will help you a bit :)
> > > > > >
> > > > > > Best regards
> > > > > >
> > > >
> > > > Hello Timur,
> > > >
> > > > If you are getting a validation error on port 8442,
> > that is
> > > probably
> > > > the client-side validation failing. Keep in mind that
> > if you
> > > deploy
> > > > EJBCA on JBoss using default ports, port 8442 does
> _not_
> > > require client
> > > > certificate authentication.
> > > >
> > > > You could test if JBoss will return anything at all to
> > you on
> > > port 8442
> > > > with wget --no-check-certificate (just to see if
> > content gets
> > > served),
> > > > and then try to figure out why your client fails to
> > validate
> > > the server
> > > > certificate.
> > > >
> > > > If the JBoss certificate was issued by ROOTCA.TEKA.KZ
> > <http://ROOTCA.TEKA.KZ>
> > > <http://ROOTCA.TEKA.KZ>
> > > > <http://ROOTCA.TEKA.KZ>, you will most
> > > > definitively need to have this CA certificate in the
> > > truststore of your
> > > > client.
> > > >
> > > > As for trusted client certificates on (for EJBCA
> commonly)
> > > port 8443,
> > > > you will need to update the JBoss truststore to
> > contain the
> > > new CA
> > > > certificate (used for issuing client certificates).
> > > >
> > > > Best regards
> > > >
> > > > --
> > > > Branko Majic
> > > > Jabber: br...@ma... <mailto:br...@ma...>
> > <mailto:br...@ma... <mailto:br...@ma...>>
> > > <mailto:br...@ma... <mailto:br...@ma...>
> > <mailto:br...@ma... <mailto:br...@ma...>>>
> > > > Please use only Free formats when sending attachments
> > to me.
> > > >
> > > > Бранко Мајић
> > > > Џабер: br...@ma... <mailto:br...@ma...>
> > <mailto:br...@ma... <mailto:br...@ma...>>
> > > <mailto:br...@ma... <mailto:br...@ma...>
> > <mailto:br...@ma... <mailto:br...@ma...>>>
> > > > Молим вас да додатке шаљете искључиво у слободним
> > форматима.
> > > >
> > > >
> > >
> >
> ------------------------------------------------------------------------------
> > > > Learn Graph Databases - Download FREE O'Reilly Book
> > > > "Graph Databases" is the definitive new guide to graph
> > > databases and
> > > > their
> > > > applications. Written by three acclaimed leaders in
> > the field,
> > > > this first edition is now available. Download your
> > free book
> > > today!
> > > > http://p.sf.net/sfu/NeoTech
> > > > _______________________________________________
> > > > Ejbca-develop mailing list
> > > > Ejb...@li...
> > <mailto:Ejb...@li...>
> > > <mailto:Ejb...@li...
> > <mailto:Ejb...@li...>>
> > > > <mailto:Ejb...@li...
> > <mailto:Ejb...@li...>
> > > <mailto:Ejb...@li...
> > <mailto:Ejb...@li...>>>
> > > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> >
> ------------------------------------------------------------------------------
> > > > Open source business process management suite built on
> > Java and
> > > Eclipse
> > > > Turn processes into business applications with Bonita BPM
> > > Community Edition
> > > > Quickly connect people, data, and systems into organized
> > workflows
> > > > Winner of BOSSIE, CODIE, OW2 and Gartner awards
> > > > http://p.sf.net/sfu/Bonitasoft
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Ejbca-develop mailing list
> > > > Ejb...@li...
> > <mailto:Ejb...@li...>
> > > <mailto:Ejb...@li...
> > <mailto:Ejb...@li...>>
> > > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> > > >
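Branko's advice in the quoted thread above is the name-matching rule every verifying client applies: the name used to connect must appear in the server certificate's subjectAltName (as a DNS entry, or as an IP Address entry when an IP literal such as 10.62.2.88 is used), and the subject CN is only consulted when the certificate has no DNS subjectAltName at all. The following is an added example, not code from the thread or from EJBCA/JBoss: it implements that check over the dict layout Python's `ssl.SSLSocket.getpeercert()` returns, so it runs without a network or certificate files. The three sample certificates are constructed here; the CN `rootca.teka.kz` and the IP come from the thread, the name `ejbca.example.test` is made up, and the wildcard handling goes slightly beyond the thread (one left-most wildcard label, as in RFC 6125).

```python
"""
Hostname-to-certificate matching as a verifying client performs it.
Added example, not code from the thread or from EJBCA/JBoss.
"""
import ipaddress
from typing import List, Optional, Tuple


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID comparison allowing one left-most wildcard
    label: '*.teka.kz' covers 'rootca.teka.kz' but not 'teka.kz' or
    'a.b.teka.kz', and a wildcard needs at least two labels after it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_peer_name(cert: dict, connect_name: str) -> Optional[str]:
    """Return None when connect_name is covered by cert, otherwise a short
    reason a verifying client would give for rejecting the certificate."""
    san = cert.get("subjectAltName", ())
    dns_ids = [value for kind, value in san if kind == "DNS"]
    ip_ids = [value for kind, value in san if kind == "IP Address"]

    # An IP literal is only covered by an IP Address SAN entry; neither DNS
    # entries nor the CN are consulted for it.
    try:
        ip = ipaddress.ip_address(connect_name)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(v) == ip for v in ip_ids):
            return None
        return f"IP {ip} not in subjectAltName IP Address entries {ip_ids or '(none)'}"

    # DNS SAN entries present: they are authoritative and the CN is ignored.
    if dns_ids:
        if any(dns_id_matches(p, connect_name) for p in dns_ids):
            return None
        return f"host {connect_name!r} not in subjectAltName DNS entries {dns_ids}"

    # No DNS SAN entries: fall back to the subject commonName.
    cns = [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]
    if any(dns_id_matches(cn, connect_name) for cn in cns):
        return None
    return f"host {connect_name!r} has no subjectAltName and does not match CN {cns}"


# Constructed sample certificates in getpeercert() layout (not real certs).
CERT_CN_ONLY: dict = {  # like the JBoss certificate in the thread: CN only, no SAN
    "subject": ((("commonName", "rootca.teka.kz"),),),
}
CERT_WITH_SAN: dict = {  # what a client connecting by IP or by FQDN would need
    "subject": ((("commonName", "rootca.teka.kz"),),),
    "subjectAltName": (("DNS", "rootca.teka.kz"), ("IP Address", "10.62.2.88")),
}
CERT_SAN_MISMATCH: dict = {  # SAN present but for another (made-up) name: CN no longer helps
    "subject": ((("commonName", "rootca.teka.kz"),),),
    "subjectAltName": (("DNS", "ejbca.example.test"),),
}


def run_checks() -> List[Tuple[str, str, Optional[str]]]:
    """Evaluate the combinations discussed in the thread."""
    cases = [
        ("CN only", CERT_CN_ONLY, "10.62.2.88"),
        ("CN only", CERT_CN_ONLY, "rootca.teka.kz"),
        ("with SAN", CERT_WITH_SAN, "10.62.2.88"),
        ("with SAN", CERT_WITH_SAN, "RootCA.teka.kz"),
        ("SAN mismatch", CERT_SAN_MISMATCH, "rootca.teka.kz"),
    ]
    return [(label, name, check_peer_name(cert, name)) for label, cert, name in cases]


if __name__ == "__main__":
    for label, name, reason in run_checks():
        print(f"{label:13} {name:16} -> {'OK' if reason is None else 'REJECT: ' + reason}")
```

The first case is the one from the thread: a CN-only certificate for `rootca.teka.kz` is rejected when the client connects to `10.62.2.88`, and accepted once the client uses the FQDN, which is exactly the change Timur made next. The last case shows why Branko recommends the FQDN over the CN: once any DNS subjectAltName is present, the CN is not consulted.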
From: Тимур <tim...@gm...> - 2014-06-27 02:46:10
Hello, Tomas. Thank you for your answers. Could you please to say whether
interface EjbcaWS for EJBCA 6.1.1 is compatible with interface EjbcaWS for
EJBCA 3.11 ? (http://ejbca.org/docs/ws/org/ejbca/core/protocol/ws/client/gen/EjbcaWS.html)

thank you, Timur.

2014-06-26 15:30 GMT+06:00 Tomas Gustavsson <to...@pr...>:
>
> Sorry, you'll have to investigate JBoss specifics yourself, I do not
> know that on top of my head.
>
> (or get support if you need someone to figure it out for you).
>
> Cheers,
> Tomas
>
> On 2014-06-26 11:13, Тимур wrote:
> > Hello, Tomas !
> >
> > Could you please to prompt how to switch EJBCA 6.1.1 from TLSv1 to SSLv3
> > for serving incoming requests from external java-application which tries
> > to connect to EJBCA host:8443 ? (external java-app is old enough and was
> > created for EJBCA 3.11)
> >
> > 14:29:50,458 INFO [stdout] (http--0.0.0.0-8443-1) http--0.0.0.0-8443-1, SEND TLSv1 ALERT: fatal, description = unexpected_message
> > 14:29:50,460 INFO [stdout] (http--0.0.0.0-8443-1) http--0.0.0.0-8443-4, SEND TLSv1 ALERT: http--0.0.0.0-8443-1, WRITE: TLSv1 Alert, length = 2
> > 14:29:50,461 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, handling exception: java.net.SocketTimeoutException: Read timed out
> > 14:29:50,463 INFO [stdout] (http--0.0.0.0-8443-1) http--0.0.0.0-8443-1, called closeSocket()
> > 14:29:50,464 INFO [stdout] (http--0.0.0.0-8443-4) fatal, description = unexpected_message
> >
> > 14:56:15,896 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, WRITE: TLSv1 Handshake, length = 48
> > 14:56:15,903 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, READ: TLSv1 Change Cipher Spec, length = 1
> > 14:56:15,905 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, READ: TLSv1 Handshake, length = 48
> > 14:56:15,906 INFO [stdout] (http--0.0.0.0-8443-3) *** Finished
> > 14:56:15,906 INFO [stdout] (http--0.0.0.0-8443-3) verify_data: { 107, 133, 194, 246, 254, 149, 3, 99, 208, 155, 18, 181 }
> > 14:56:15,907 INFO [stdout] (http--0.0.0.0-8443-3) ***
> > 14:56:15,908 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, READ: TLSv1 Application Data, length = 32
> > 14:56:15,909 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, READ: TLSv1 Application Data, length = 528
> > 14:56:15,911 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, WRITE: TLSv1 Application Data, length = 368
> > 14:56:15,969 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, READ: TLSv1 Application Data, length = 32
> > 14:56:15,970 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, READ: TLSv1 Application Data, length = 464
> > 14:56:15,973 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, WRITE: TLSv1 Application Data, length = 32
> > 14:56:15,974 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, WRITE: TLSv1 Application Data, length = 5344
> > 14:56:21,959 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, READ: TLSv1 Alert, length = 32
> > 14:56:21,961 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, RECV TLSv1 ALERT: warning, close_notify
> > 14:56:21,962 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, called closeInternal(false)
> > 14:56:21,962 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, SEND TLSv1 ALERT: warning, description = close_notify
> > 14:56:21,964 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, WRITE: TLSv1 Alert, length = 32
> > 14:56:21,965 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, called close()
> > 14:56:21,966 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, called closeInternal(true)
> >
> > thank you, Timur
> >
> >
> > 2014-06-24 15:14 GMT+06:00 Tomas Gustavsson <to...@pr...>:
> >
> > > Hi Timur,
> > >
> > > No there is no such table available that would be very time consuming to
> > > produce on free basis.
> > >
> > > Customized development help is usually a professional services business.
> > >
> > > Kind regards,
> > > Tomas
> > >
> > > On 2014-06-24 11:03, Тимур wrote:
> > > > Hello, Tomas.
> > > > Thank you for your prompt.
> > > > Is there any external interfaces comparison table among different
> > > > versions of EJBCA to see what calls to EJBCA 6.1.1 must be corrected ?
> > > > For example, usual operations like check common name, check certificate
> > > > validity are still the same between EJBCA 3.11.x and 6.1.x ?
> > > >
> > > > thank you, Timur.
> > > >
> > > >
> > > > 2014-06-24 14:43 GMT+06:00 Tomas Gustavsson <to...@pr...>:
> > > >
> > > > > Depending on what interfaces you are using, things have changed. Some
> > > > > interfaces have not changed, while some have.
> > > > >
> > > > > Cheers,
> > > > > Tomas
> > > > > ---
> > > > > Save time and money with an Enterprise support subscription. Please see
> > > > > www.primekey.se for more information.
> > > > > http://www.primekey.se/Products/EJBCA+PKI/
> > > > > http://www.primekey.se/Services/Support/
> > > > >
> > > > > On 2014-06-24 09:32, Тимур wrote:
> > > > > > Dears,
> > > > > > (there was wrong typing in EJBCA version in my previous post, so
> > > > > > repeating the question in a correct way)
> > > > > > Could you please to confirm/refute whether EJBCA 3.11.0 versus EJBCA
> > > > > > 6.1.1 has any difference in their external interfaces for interaction
> > > > > > with external java applications ?
> > > > > > Is some custom java application (which was designed for interaction with
> > > > > > EJBCA 3.11.0 (r10752) external interface) compatible with EJBCA 6.1.1
> > > > > > external interface ?
> > > > > >
> > > > > > thanks, Timur
> > > > > >
> > > > > >
> > > > > > 2014-06-08 17:26 GMT+06:00 Branko Majic <br...@ma...>:
> > > > > >
> > > > > > > On Sat, 7 Jun 2014 23:04:37 +0600
> > > > > > > Тимур <tim...@gm...> wrote:
> > > > > > >
> > > > > > > > Hello, Branko !
> > > > > > > > Thank you for your good advice about SSL debugging on JBoss. IP-address
> > > > > > > > was replaced by FQDN but still JBoss rejects connection.
> > > > > > > > Then SSL debug had been enabled on JBoss 7.1.1:
> > > > > > > >
> > > > > > > > [oracle@duo ~]$ curl -v "https://rootca.teka.kz:8442/ejbca" -E
> > > > > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer
> > > > > > > > --key /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123
> > > > > > > > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > > > > > > ....
> > > > > > > > 21:10:53,179 INFO [stdout] (http--0.0.0.0-8442-Acceptor-0) Is initial handshake: true
> > > > > > > > 21:10:53,180 INFO [stdout] (http--0.0.0.0-8442-Acceptor-0) Is secure renegotiation: false
> > > > > > > > 21:10:53,183 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, setSoTimeout(60000) called
> > > > > > > > 21:10:53,187 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, READ: SSL v2, contentType = Handshake, translated length = 95
> > > > > > > > 21:10:53,190 INFO [stdout] (http--0.0.0.0-8442-1) *** ClientHello, TLSv1
> > > > > > > > .....
> > > > > > > > 21:10:53,286 INFO [stdout] (http--0.0.0.0-8442-1) *** ServerHello, TLSv1
> > > > > > > > .....
> > > > > > > > 21:10:53,550 INFO [stdout] (http--0.0.0.0-8442-1) *** ServerHelloDone
> > > > > > > > 21:10:53,552 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, WRITE: TLSv1 Handshake, length = 2722
> > > > > > > > 21:10:53,561 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, READ: TLSv1 Alert, length = 2
> > > > > > > > 21:10:53,563 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, RECV TLSv1 ALERT: fatal, unknown_ca
> > > > > > > > 21:10:53,564 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, called closeSocket()
> > > > > > > > 21:10:53,566 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
> > > > > > > > 21:10:53,567 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca <-------!!!!!!!
> > > > > > > > 21:10:53,577 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, called close()
> > > > > > > >
> > > > > > > > JBoss SSL-certificate is for CN=rootca.teka.kz which belongs to the CA
> > > > > > > > named "ROOTCA.TEKA.KZ".
> > > > > > > > BUT I run "curl" utility for CA named "BTA Ipoteka CA" - all certificates
> > > > > > > > used in "curl" options are emitted by CA "BTA Ipoteka CA":
> > > > > > > >
> > > > > > > > [oracle@duo ~]$ curl -v "https://rootca.teka.kz:8442/ejbca" -E
> > > > > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer \
> > > > > > > > --key /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123 \
> > > > > > > > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > > > > > >
> > > > > > > > I cannot use CA "ROOTCA.TEKA.KZ" as it has too strong key which is not
> > > > > > > > supported by my eToken Client; I had to create one more CA "BTA Ipoteka
> > > > > > > > CA" with shorter key length.
> > > > > > > > What steps to do if certificates for customer devices are emitted by CA
> > > > > > > > "BTA Ipoteka CA" but initial CA is "ROOTCA.TEKA.KZ" and JBoss certificate
> > > > > > > > is for initial CA.
> > > > > > > > Probably some reconfiguration is to be done on JBoss to let one receive
> > > > > > > > requests for new CA also ?
> > > > > > > >
> > > > > > > > thank you for your great job, Timur.
> > > > > > > >
> > > > > > > >
> > > > > > > > 2014-06-07 17:07 GMT+06:00 Branko Majic <br...@ma...>:
> > > > > > > >
> > > > > > > > > On Fri, 6 Jun 2014 23:06:26 +0600
> > > > > > > > > Тимур <tim...@gm...> wrote:
> > > > > > > > >
> > > > > > > > > > Hello, dears
> > > > > > > > > >
> > > > > > > > > > I have successfully installed EJBCA 6.1.1, JBoss 7.1.1.Final, openjdk 6,
> > > > > > > > > > Oracle 9.2.0.5, ojdbc6.jar, on Ubuntu Linux ("13.04, Raring Ringtail").
> > > > > > > > > > No any deployment and installation mistakes for this software
> > > > > > > > > > combination. I have successfully created all profiles, added entity and
> > > > > > > > > > I have issued my first SSL-certificate and write one to USB HSM with
> > > > > > > > > > eToken Client. So, I have full-functional EJBCA 6.1.1 at present.
> > > > > > > > > > I have a custom java-application which uses eToken authentication and
> > > > > > > > > > this java-application worked fine with previous version of EJBCA and I
> > > > > > > > > > need to organize connectivity between this java-application and EJBCA.
> > > > > > > > > > There is a parameter for EJBCA URL in java-application config file and
> > > > > > > > > > I pointed out this parameter to "https://10.62.2.88:8443/ejbca".
> > > > > > > > > > Java-application uses jdk cacerts and I imported issued certificate
> > > > > > > > > > with CA certificate of EJBCA to cacerts but no connection yet.
> > > > > > > > > > Checking connectivity to EJBCA by curl utility also gives negative
> > > > > > > > > > result:
> > > > > > > > > >
> > > > > > > > > > CA-certificate in PEM-format:
> > > > > > > > > >
> > > > > > > > > > [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> > > > > > > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> > > > > > > > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123
> > > > > > > > > > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > > > > > > > > * About to connect() to 10.62.2.88 port 8443
> > > > > > > > > > * Trying 10.62.2.88... * connected
> > > > > > > > > > * Connected to 10.62.2.88 (10.62.2.88) port 8443
> > > > > > > > > > * successfully set certificate verify locations:
> > > > > > > > > > * CAfile: /home/oracle/BTAIpotekaCA.cacert.pem
> > > > > > > > > > CApath: none
> > > > > > > > > > * SSL certificate problem, verify that the CA cert is OK. Details:
> > > > > > > > > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > > > > > > > > >
> > > > > > > > > > CA-certificate in BASE-64 format:
> > > > > > > > > >
> > > > > > > > > > [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> > > > > > > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> > > > > > > > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123
> > > > > > > > > > --cacert /home/oracle/BTAIpotekaCA.cacert-base64.cer --sslv3
> > > > > > > > > > --trace-ascii /tmp/curl.log
> > > > > > > > > > curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> > > > > > > > > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > > > > > > > > > More details here: http://curl.haxx.se/docs/sslcerts.html
> > > > > > > > > >
> > > > > > > > > > EJBCA console log contains no records to understand why no
> > > > > > > > > > connectivity to EJBCA.
> > > > > > > > > > Could you please to help to find out which URL must be used to
> > > > > > > > > > connect to EJBCA for authentication ? If "https://10.62.2.88:8443/ejbca"
> > > > > > > > > > is correct what's the reason of trouble with EJBCA connection ?
> > > > > > > > > >
> > > > > > > > > > thank you, Timur.
> > > > > > > > >
> > > > > > > > > Hello Timur,
> > > > > > > > >
> > > > > > > > > The problem you are facing happens during the TLS handshake between
> > > > > > > > > the server and client, where (at least) client is unable to verify
> > > > > > > > > the certificate presented by JBoss.
> > > > > > > > >
> > > > > > > > > Since the TLS is handled by JBoss, you won't get any useful logging
> > > > > > > > > messages from EJBCA. In fact, not even JBoss as such will produce any
> > > > > > > > > useful debugging info. You could try enabling debugging of TLS
> > > > > > > > > handshake via JAVA_OPTS, though.
> > > > > > > > >
> > > > > > > > > I've noticed you are using the IP address for connecting to
> > > > > > > > > JBoss/EJBCA - are you sure that you have this IP address specified in
> > > > > > > > > your server certificate (on JBoss)? If not, that is your problem. The
> > > > > > > > > IP, FQDN, or hostname used for connecting has to be part of
> > > > > > > > > subjectAltName DNS name (or, if subjectAltName DNS name is not
> > > > > > > > > present, CN has to be used).
> > > > > > > > >
> > > > > > > > > As a side-note, you should avoid using IP address in certificates or
> > > > > > > > > for TLS connections in general, and instead rely on FQDN or hostname,
> > > > > > > > > with FQDN being the recommended thing to use.
> > > > > > > > >
> > > > > > > > > I hope this explanation will help you a bit :)
> > > > > > > > >
> > > > > > > > > Best regards
> > > > > > >
> > > > > > > Hello Timur,
> > > > > > >
> > > > > > > If you are getting a validation error on port 8442, that is probably
> > > > > > > the client-side validation failing. Keep in mind that if you deploy
> > > > > > > EJBCA on JBoss using default ports, port 8442 does _not_ require client
> > > > > > > certificate authentication.
> > > > > > >
> > > > > > > You could test if JBoss will return anything at all to you on port 8442
> > > > > > > with wget --no-check-certificate (just to see if content gets served),
> > > > > > > and then try to figure out why your client fails to validate the server
> > > > > > > certificate.
> > > > > > >
> > > > > > > If the JBoss certificate was issued by ROOTCA.TEKA.KZ, you will most
> > > > > > > definitively need to have this CA certificate in the truststore of your
> > > > > > > client.
> > > > > > >
> > > > > > > As for trusted client certificates on (for EJBCA commonly) port 8443,
> > > > > > > you will need to update the JBoss truststore to contain the new CA
> > > > > > > certificate (used for issuing client certificates).
> > > > > > >
> > > > > > > Best regards
> > > > > > >
> > > > > > > --
> > > > > > > Branko Majic
> > > > > > > Jabber: br...@ma...
> > > > > > > Please use only Free formats when sending attachments to me.
> > > > > > >
> > > > > > > Бранко Мајић
> > > > > > > Jabber: br...@ma...
> > > > > > > Please send attachments only in free formats.
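The JBoss debug output quoted in the thread above (`RECV TLSv1 ALERT: fatal, unknown_ca` on port 8442, `SEND TLSv1 ALERT: fatal, description = unexpected_message` on port 8443) is the `javax.net.debug` logging Branko suggests enabling through JAVA_OPTS, and the direction field is what tells you which side did the rejecting: a RECV alert was sent by the connecting peer (so, as Branko says, client-side validation failed: the client's truststore does not contain the CA that issued the JBoss certificate), while a SEND alert was raised by the JBoss JVM itself. The following is an added example, not code from the thread or from EJBCA/JBoss: it extracts the alert records from such log lines and maps each to that reading plus the RFC 5246 section 7.2 meaning of the description. The sample lines are copied from the logs quoted in the thread, re-joined where the mail client had wrapped them.

```python
"""
Triage of JSSE (-Djavax.net.debug) handshake alerts from JBoss log lines.
Added example, not code from the thread or from EJBCA/JBoss.
"""
import re
from typing import List, NamedTuple

# Matches the JBoss connector thread in parentheses, an optional repeat of the
# thread name, then the alert record as JSSE prints it (with or without the
# "description = " prefix, which differs between the two log excerpts).
ALERT_RE = re.compile(
    r"\((?P<conn>http--[\w.:-]+)\)\s+(?:\S+,\s+)?"
    r"(?P<direction>RECV|SEND) (?:TLSv1(?:\.\d)?|SSLv3) ALERT: "
    r"(?P<level>fatal|warning), (?:description = )?(?P<description>\w+)"
)

# Alert descriptions from RFC 5246 section 7.2 that show up in certificate
# and protocol trouble on an EJBCA/JBoss front end.
HINTS = {
    "unknown_ca": "the chain was received but its CA is not in the rejecting "
                  "side's truststore (add the issuing CA certificate there)",
    "bad_certificate": "the certificate was corrupt or its signature did not verify",
    "certificate_unknown": "the certificate was rejected for an unspecified reason "
                           "(name, validity period or key usage are the usual ones)",
    "certificate_expired": "the certificate is outside its validity period",
    "handshake_failure": "no acceptable protocol version or cipher suite in common",
    "unexpected_message": "a record arrived that the handshake state did not expect",
    "close_notify": "orderly shutdown, not an error",
}


class Alert(NamedTuple):
    conn: str         # JBoss connector thread, e.g. http--0.0.0.0-8442-1
    direction: str    # RECV: alert came from the peer; SEND: this JVM raised it
    level: str        # fatal or warning
    description: str


def parse_alerts(lines: List[str]) -> List[Alert]:
    """Extract every alert record from javax.net.debug output."""
    found = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            found.append(Alert(m["conn"], m["direction"], m["level"], m["description"]))
    return found


def explain(alert: Alert) -> str:
    """One-line reading of an alert, including which side did the rejecting."""
    if alert.direction == "RECV":
        who = "the connecting peer rejected what this server sent"
    else:
        who = "this server rejected what the peer sent"
    hint = HINTS.get(alert.description, "see RFC 5246 section 7.2")
    return f"{alert.conn}: {alert.level} {alert.description}: {who}; {hint}"


def fatal_alerts(lines: List[str]) -> List[Alert]:
    """Only the alerts that terminated a handshake."""
    return [a for a in parse_alerts(lines) if a.level == "fatal"]


# Sample lines from the logs quoted in the thread (constructed list; the mail
# client's line wrapping has been undone so each record is one line).
SAMPLE_LOG = [
    "21:10:53,561 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, READ: TLSv1 Alert, length = 2",
    "21:10:53,563 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, RECV TLSv1 ALERT: fatal, unknown_ca",
    "21:10:53,566 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca",
    "14:29:50,458 INFO [stdout] (http--0.0.0.0-8443-1) http--0.0.0.0-8443-1, SEND TLSv1 ALERT: fatal, description = unexpected_message",
    "14:56:21,961 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, RECV TLSv1 ALERT: warning, close_notify",
]

if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_LOG):
        print(explain(alert))
```

Run on the sample, the `unknown_ca` record is reported as a rejection by the peer, which matches Timur's setup: curl was given `--cacert BTAIpotekaCA.cacert.pem` while the JBoss certificate chains to ROOTCA.TEKA.KZ, so the fix is on the client side (the truststore), not in JBoss. The `unexpected_message` record points the other way: JBoss itself aborted that handshake.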
From: Tomas G. <to...@pr...> - 2014-06-26 09:30:41
Sorry, you'll have to investigate JBoss specifics yourself, I do not
know that on top of my head.
(or get support if you need someone to figure it out for you).
Cheers,
Tomas
On 2014-06-26 11:13, Тимур wrote:
> Hello, Tomas !
>
> Could you please advise how to switch EJBCA 6.1.1 from TLSv1 to SSLv3
> for serving incoming requests from an external Java application which tries
> to connect to EJBCA host:8443? (The external Java app is old enough that it
> was created for EJBCA 3.11.)
>
> 14:29:50,458 INFO [stdout] (http--0.0.0.0-8443-1) http--0.0.0.0-8443-1,
> SEND TLSv1 ALERT: fatal, description = unexpected_message
> 14:29:50,460 INFO [stdout] (http--0.0.0.0-8443-1) http--0.0.0.0-8443-4,
> SEND TLSv1 ALERT: http--0.0.0.0-8443-1, WRITE: TLSv1 Alert, length = 2
> 14:29:50,461 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> handling exception: java.net.SocketTimeoutException: Read timed out
> 14:29:50,463 INFO [stdout] (http--0.0.0.0-8443-1) http--0.0.0.0-8443-1,
> called closeSocket()
> 14:29:50,464 INFO [stdout] (http--0.0.0.0-8443-4) fatal, description =
> unexpected_message
>
> 14:56:15,896 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> WRITE: TLSv1 Handshake, length = 48
> 14:56:15,903 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> READ: TLSv1 Change Cipher Spec, length = 1
> 14:56:15,905 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> READ: TLSv1 Handshake, length = 48
> 14:56:15,906 INFO [stdout] (http--0.0.0.0-8443-3) *** Finished
> 14:56:15,906 INFO [stdout] (http--0.0.0.0-8443-3) verify_data: { 107,
> 133, 194, 246, 254, 149, 3, 99, 208, 155, 18, 181 }
> 14:56:15,907 INFO [stdout] (http--0.0.0.0-8443-3) ***
> 14:56:15,908 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> READ: TLSv1 Application Data, length = 32
> 14:56:15,909 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> READ: TLSv1 Application Data, length = 528
> 14:56:15,911 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> WRITE: TLSv1 Application Data, length = 368
> 14:56:15,969 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> READ: TLSv1 Application Data, length = 32
> 14:56:15,970 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> READ: TLSv1 Application Data, length = 464
> 14:56:15,973 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> WRITE: TLSv1 Application Data, length = 32
> 14:56:15,974 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> WRITE: TLSv1 Application Data, length = 5344
> 14:56:21,959 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> READ: TLSv1 Alert, length = 32
> 14:56:21,961 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> RECV TLSv1 ALERT: warning, close_notify
> 14:56:21,962 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> called closeInternal(false)
> 14:56:21,962 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> SEND TLSv1 ALERT: warning, description = close_notify
> 14:56:21,964 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> WRITE: TLSv1 Alert, length = 32
> 14:56:21,965 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> called close()
> 14:56:21,966 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
> called closeInternal(true)
>
> thank you, Timur
>
>
> 2014-06-24 15:14 GMT+06:00 Tomas Gustavsson <to...@pr...>:
>
>
> Hi Timur,
>
> No, there is no such table available; that would be very time consuming to
> produce on a free basis.
>
> Customized development help is usually a professional services business.
>
> Kind regards,
> Tomas
>
> On 2014-06-24 11:03, Тимур wrote:
> > Hello, Tomas.
> > Thank you for your prompt.
> > Is there any external interfaces comparison table among different
> > versions of EJBCA to see what calls to EJBCA 6.1.1 must be
> corrected ?
> > For example, usual operations like check common name, check
> certificate
> > validity are still the same between EJBCA 3.11.x and 6.1.x ?
> >
> > thank you, Timur.
> >
> >
> >
> > 2014-06-24 14:43 GMT+06:00 Tomas Gustavsson <to...@pr...>:
> >
> >
> > Depending on what interfaces you are using, things have
> changed. Some
> > interfaces have not changed, while some have.
> >
> > Cheers,
> > Tomas
> > ---
> > Save time and money with an Enterprise support subscription.
> Please see
> > www.primekey.se for more information.
> > http://www.primekey.se/Products/EJBCA+PKI/
> > http://www.primekey.se/Services/Support/
> >
> > On 2014-06-24 09:32, Тимур wrote:
> > > Dears,
> > > (there was wrong typing in EJBCA version in my previous
> post , so
> > > repeating the question in a correct way)
> > > Could you please confirm/refute whether EJBCA 3.11.0
> versus EJBCA
> > > 6.1.1 has any difference in their external interfaces for
> interaction
> > > with external java applications ?
> > > Is some custom java application (which was designed for
> > interaction with
> > > EJBCA 3.11.0 (r10752) external interface) compatible with
> EJBCA 6.1.1
> > > external interface ?
> > >
> > > thanks, Timur
> > >
> > >
> > >
> > > 2014-06-08 17:26 GMT+06:00 Branko Majic <br...@ma...>:
> > >
> > > On Sat, 7 Jun 2014 23:04:37 +0600
> > > Тимур <tim...@gm...> wrote:
> > >
> > > > Hello, Branko !
> > > > Thank you for your good advice about SSL debugging
> on JBoss.
> > > IP-address
> > > > was replaced by FQDN but still JBoss rejects
> connection.
> > > > Then SSL debug had been enabled on JBoss 7.1.1:
> > > >
> > > > [oracle@duo ~]$ curl -v
> "https://rootca.teka.kz:8442/ejbca" -E
> > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer
> > > > --key
> /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass
> > > welcome123
> > > > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > > ....
> > > > 21:10:53,179 INFO [stdout]
> (http--0.0.0.0-8442-Acceptor-0) Is
> > > initial
> > > > handshake: true
> > > > 21:10:53,180 INFO [stdout]
> > (http--0.0.0.0-8442-Acceptor-0) Is secure
> > > > renegotiation: false
> > > > 21:10:53,183 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > setSoTimeout(60000) called
> > > > 21:10:53,187 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > READ: SSL v2, contentType = Handshake, translated
> length = 95
> > > > 21:10:53,190 INFO [stdout] (http--0.0.0.0-8442-1) ***
> > > ClientHello, TLSv1
> > > > .....
> > > > 21:10:53,286 INFO [stdout] (http--0.0.0.0-8442-1) ***
> > > ServerHello, TLSv1
> > > > .....
> > > > 21:10:53,550 INFO [stdout] (http--0.0.0.0-8442-1) ***
> > > ServerHelloDone
> > > > 21:10:53,552 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > WRITE: TLSv1 Handshake, length = 2722
> > > > 21:10:53,561 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > READ: TLSv1 Alert, length = 2
> > > > 21:10:53,563 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > RECV TLSv1 ALERT: fatal, unknown_ca
> > > > 21:10:53,564 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > called closeSocket()
> > > > 21:10:53,566 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > handling exception:
> javax.net.ssl.SSLHandshakeException:
> > Received
> > > fatal
> > > > alert: unknown_ca
> > > > 21:10:53,567 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > IOException in getSession():
> > > javax.net.ssl.SSLHandshakeException: Received
> > > > fatal alert:
> > > > unknown_ca <-------!!!!!!!
> > > > 21:10:53,577 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > called close()
> > > >
> > > > JBoss SSL-certificate is for CN=rootca.teka.kz which belongs to the CA
> > > > named "ROOTCA.TEKA.KZ".
> > > > BUT I run "curl" utility for CA named "BTA Ipoteka
> CA" - all
> > > certificates
> > > > used in "curl" options are emitted by CA "BTA
> Ipoteka CA":
> > > >
> > > > [oracle@duo ~]$ curl -v
> "https://rootca.teka.kz:8442/ejbca" -E
> > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer \
> > > > --key
> /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass
> > > welcome123 \
> > > > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > >
> > > > I cannot use CA "ROOTCA.TEKA.KZ" as it has too
> > > > strong key which is not supported by my eToken
> Client; I
> > had to
> > > create one
> > > > more CA "BTA Ipoteka CA" with shorter key length.
> > > > What steps to do if certificates for customer
> devices are
> > emitted
> > > by CA
> > > > "BTA Ipoteka CA" but initial CA is "ROOTCA.TEKA.KZ"
> > > > and JBoss certificate is for initial CA.
> > > > Probably some reconfiguration is to be done on
> JBoss to
> > let one
> > > receive
> > > > requests for new CA also ?
> > > >
> > > > thank you for your great job, Timur.
> > > >
> > > >
> > > >
> > > > 2014-06-07 17:07 GMT+06:00 Branko Majic <br...@ma...>:
> > > >
> > > > > On Fri, 6 Jun 2014 23:06:26 +0600
> > > > > Тимур <tim...@gm...> wrote:
> > > > >
> > > > > > Hello, dears
> > > > > >
> > > > > > I have successfully installed EJBCA 6.1.1, JBoss
> > 7.1.1.Final,
> > > openjdk 6,
> > > > > > Oracle 9.2.0.5, ojdbc6.jar, on Ubuntu Linux
> ("13.04,
> > Raring
> > > Ringtail").
> > > > > No
> > > > > > any deployment and
> > > > > > installation mistakes for this software
> combination. I
> > have
> > > successfully
> > > > > > created all profiles, added entity and I have
> issued my
> > first
> > > > > > SSL-certificate and write one to USB HSM with
> eToken
> > Client.
> > > So, I have
> > > > > > full-functional EJBCA 6.1.1 at present.
> > > > > > I have a custom java-application which uses eToken
> > > authentication and
> > > > > this
> > > > > > java-application worked fine with previous
> version of
> > EJBCA
> > > and I need to
> > > > > > organize connectivity between this
> java-application and
> > > EJBCA. There is a
> > > > > > parameter for EJBCA URL in java-application config
> > file and I
> > > pointed out
> > > > > > this parameter to "https://10.62.2.88:8443/ejbca".
> > > > > > Java-application uses jdk cacerts and I
> imported issued
> > > certificate with
> > > > > CA
> > > > > > certificate of EJBCA to cacerts but no
> connection yet.
> > > > > > Checking connectivity to EJBCA by curl utility
> also gives
> > > negative
> > > > > result:
> > > > > >
> > > > > > CA-certificate in PEM-format:
> > > > > >
> > > > > > [oracle@duo ~]$ curl -v
> "https://10.62.2.88:8443/ejbca" -E
> > > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer
> --key
> > > > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key
> --pass
> > > > > >
> > > > > > welcome123 --cacert
> /home/oracle/BTAIpotekaCA.cacert.pem
> > > > > > * About to connect() to 10.62.2.88 port 8443
> > > > > > * Trying 10.62.2.88... * connected
> > > > > > * Connected to 10.62.2.88 (10.62.2.88) port 8443
> > > > > > * successfully set certificate verify locations:
> > > > > > * CAfile: /home/oracle/BTAIpotekaCA.cacert.pem
> > > > > > CApath: none
> > > > > > * SSL certificate problem, verify that the CA
> cert is OK.
> > > Details:
> > > > > > error:14090086:SSL
> > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> > > > > verify
> > > > > > failed
> > > > > >
> > > > > > CA-certificate in BASE-64 format:
> > > > > >
> > > > > > [oracle@duo ~]$ curl -v
> > "https://10.62.2.88:8443/ejbca" -E
> > > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer
> --key
> > > > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key
> --pass
> > > > > >
> > > > > > welcome123 --cacert
> > > /home/oracle/BTAIpotekaCA.cacert-base64.cer --sslv3
> > > > > > --trace-ascii /tmp/curl.log
> > > > > > curl: (60) SSL certificate problem, verify that
> the CA
> > cert
> > > is OK.
> > > > > Details:
> > > > > > error:14090086:SSL
> > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> > > > > verify
> > > > > > failed
> > > > > > More details here:
> http://curl.haxx.se/docs/sslcerts.html
> > > > > >
> > > > > > EJBCA console log contains no records to
> understand why no
> > > connectivity
> > > > > to
> > > > > > EJBCA.
> > > > > > Could you please to help to find out which URL
> must be
> > used
> > > to connect to
> > > > > > EJBCA for authentication ? If
> > "https://10.62.2.88:8443/ejbca" is
> > > > > correct
> > > > > > what's the reason
> > > > > > of trouble with EJBCA connection ?
> > > > > >
> > > > > > thank you, Timur.
> > > > >
> > > > > Hello Timur,
> > > > >
> > > > > The problem you are facing happens during the TLS
> handshake
> > > between the
> > > > > server and client, where (at least) client is
> unable to
> > verify the
> > > > > certificate presented by JBoss.
> > > > >
> > > > > Since the TLS is handled by JBoss, you won't get any
> > useful logging
> > > > > messages from EJBCA. In fact, not even JBoss as
> such will
> > > produce any
> > > > > useful debugging info. You could try enabling
> debugging
> > of TLS
> > > > > handshake via JAVA_OPTS, though.
> > > > >
> > > > > I've noticed you are using the IP address for
> connecting to
> > > JBoss/EJBCA
> > > > > - are you sure that you have this IP address
> specified
> > in your
> > > server
> > > > > certificate (on JBoss)? If not, that is your problem.
> > The IP,
> > > FQDN, or
> > > > > hostname used for connecting has to be part of
> > subjectAltName
> > > DNS name
> > > > > (or, if subjectAltName DNS name is not present,
> CN has
> > to be used).
> > > > >
> > > > > As a side-note, you should avoid using IP address in
> > > certificates or
> > > > > for TLS connections in general, and instead rely
> on FQDN or
> > > hostname,
> > > > > with FQDN being the recommended thing to use.
> > > > >
> > > > > I hope this explanation will help you a bit :)
> > > > >
> > > > > Best regards
> > > > >
> > >
> > > Hello Timur,
> > >
> > > If you are getting a validation error on port 8442,
> that is
> > probably
> > > the client-side validation failing. Keep in mind that
> if you
> > deploy
> > > EJBCA on JBoss using default ports, port 8442 does _not_
> > require client
> > > certificate authentication.
> > >
> > > You could test if JBoss will return anything at all to
> you on
> > port 8442
> > > with wget --no-check-certificate (just to see if
> content gets
> > served),
> > > and then try to figure out why your client fails to
> validate
> > the server
> > > certificate.
> > >
> > > If the JBoss certificate was issued by ROOTCA.TEKA.KZ, you will most
> > > definitively need to have this CA certificate in the
> > truststore of your
> > > client.
> > >
> > > As for trusted client certificates on (for EJBCA commonly)
> > port 8443,
> > > you will need to update the JBoss truststore to
> contain the
> > new CA
> > > certificate (used for issuing client certificates).
> > >
> > > Best regards
> > >
> > > --
> > > Branko Majic
> > > Jabber: br...@ma...
> > > Please use only Free formats when sending attachments
> to me.
> > >
> > > Branko Majić
> > > Jabber: br...@ma...
> > > Please send attachments only in free formats.
> > >
> > >
> >
> ------------------------------------------------------------------------------
> > > Learn Graph Databases - Download FREE O'Reilly Book
> > > "Graph Databases" is the definitive new guide to graph
> > databases and
> > > their
> > > applications. Written by three acclaimed leaders in
> the field,
> > > this first edition is now available. Download your
> free book
> > today!
> > > http://p.sf.net/sfu/NeoTech
> > > _______________________________________________
> > > Ejbca-develop mailing list
> > > Ejb...@li...
> > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> > >
> > >
> > >
> > >
> > >
> >
> ------------------------------------------------------------------------------
> > > Open source business process management suite built on
> Java and
> > Eclipse
> > > Turn processes into business applications with Bonita BPM
> > Community Edition
> > > Quickly connect people, data, and systems into organized
> workflows
> > > Winner of BOSSIE, CODIE, OW2 and Gartner awards
> > > http://p.sf.net/sfu/Bonitasoft
> > >
> > >
> > >
> > > _______________________________________________
> > > Ejbca-develop mailing list
> > > Ejb...@li...
> > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> > >
> >
> >
> >
> >
> >
> >
> >
> >
>
>
>
>
>
>
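Branko's rule above (the name used to connect must be a subjectAltName DNS entry, the CN counts only when the certificate has no DNS SAN, and an IP literal matches only an IP SAN) and the truststore diagnosis behind the unknown_ca and "certificate verify failed" lines, as an added Python example; it is not code from the thread or from EJBCA, and the certificate dicts and log lines in it are constructed to mirror the thread.

```python
"""Two checks drawn from the thread: does the name a client connects with
match the server certificate (subjectAltName DNS first, CN only as a fallback,
IP literals only against an IP SAN), and which side's truststore is missing a
CA according to the handshake alerts. Certificate dicts and log lines are
constructed for illustration; they mirror the thread but are not taken from it."""
import ipaddress
import re

# Constructed: shape of ssl.SSLSocket.getpeercert() for a server certificate
# like the JBoss one in the thread (CN=rootca.teka.kz, DNS SAN, no IP SAN).
JBOSS_CERT = {
    "subject": ((("commonName", "rootca.teka.kz"),),),
    "subjectAltName": (("DNS", "rootca.teka.kz"),),
}
# Constructed: an older certificate with no subjectAltName at all.
CN_ONLY_CERT = {"subject": ((("commonName", "rootca.teka.kz"),),)}


def _san(cert, kind):
    """All subjectAltName values of one kind ('DNS' or 'IP Address')."""
    return [value for key, value in cert.get("subjectAltName", ()) if key == kind]


def _dns_matches(pattern, host):
    """Case-insensitive DNS-ID match; one wildcard, leftmost label only,
    never matching across a dot and never for a bare public suffix."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if "*" in "".join(p_labels[1:]):
        return False
    leftmost = re.escape(p_labels[0]).replace(r"\*", "[^.]*")
    return re.fullmatch(leftmost, h_labels[0]) is not None and p_labels[1:] == h_labels[1:]


def host_matches_cert(host, cert):
    """The rule Branko gives: the connecting name must be a DNS SAN; the CN is
    consulted only when the certificate carries no DNS SAN at all. An IP
    literal (as in https://10.62.2.88:8443/ejbca) matches only an IP SAN."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in _san(cert, "IP Address"))
    dns_names = _san(cert, "DNS")
    if dns_names:
        return any(_dns_matches(name, host) for name in dns_names)
    common_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_matches(cn, host) for cn in common_names)


# Verdicts for the handshake lines JBoss prints with -Djavax.net.debug=ssl
# (the JAVA_OPTS debugging mentioned in the thread) and for curl's own error.
PEER_DISTRUSTS_US = "peer sent unknown_ca: the CA that issued OUR certificate is missing from the PEER's truststore"
WE_DISTRUST_PEER = "we sent unknown_ca: the CA that issued the PEER's certificate is missing from OUR truststore"
CLIENT_CANNOT_VERIFY_SERVER = "client could not chain the server certificate: add the server's CA to the client's --cacert / truststore"
PROTOCOL_MISMATCH = "unexpected_message: a handshake/protocol mismatch, not a trust problem"

TRIAGE_RULES = (
    (re.compile(r"RECV \S+ ALERT: fatal, (?:description = )?unknown_ca"), PEER_DISTRUSTS_US),
    (re.compile(r"SEND \S+ ALERT: fatal, (?:description = )?unknown_ca"), WE_DISTRUST_PEER),
    (re.compile(r"SSL certificate problem|certificate verify failed"), CLIENT_CANNOT_VERIFY_SERVER),
    (re.compile(r"fatal, (?:description = )?unexpected_message"), PROTOCOL_MISMATCH),
)

# Constructed log lines, shaped like the ones quoted in the thread (rejoined
# onto single lines), plus a normal close_notify that needs no action.
SAMPLE_LOG = [
    "21:10:53,561 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, RECV TLSv1 ALERT: fatal, unknown_ca",
    "14:29:50,458 INFO [stdout] (http--0.0.0.0-8443-1) http--0.0.0.0-8443-1, SEND TLSv1 ALERT: fatal, description = unexpected_message",
    "curl: (60) SSL certificate problem, verify that the CA cert is OK.",
    "14:56:21,961 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3, RECV TLSv1 ALERT: warning, close_notify",
]


def triage(line):
    """Verdict for one log line, or None when the line needs no action."""
    for pattern, verdict in TRIAGE_RULES:
        if pattern.search(line):
            return verdict
    return None


def triage_log(lines):
    """(line, verdict) pairs for every line that points at a concrete fix."""
    return [(line, triage(line)) for line in lines if triage(line) is not None]


if __name__ == "__main__":
    # Connecting by IP to the constructed JBoss certificate fails exactly as in the thread.
    print("10.62.2.88 ->", host_matches_cert("10.62.2.88", JBOSS_CERT))
    print("rootca.teka.kz ->", host_matches_cert("rootca.teka.kz", JBOSS_CERT))
    for line, verdict in triage_log(SAMPLE_LOG):
        print(verdict, "<=", line[-60:])
```

On the 8442 log in the thread the side printing "RECV ... unknown_ca" is JBoss, so the verdict points at the client's (curl's) --cacert, which is what Branko concludes.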
From: Тимур <tim...@gm...> - 2014-06-26 09:13:09
Hello, Tomas !
Could you please advise how to switch EJBCA 6.1.1 from TLSv1 to SSLv3
for serving incoming requests from an external Java application which tries to
connect to EJBCA host:8443? (The external Java app is old enough that it was
created for EJBCA 3.11.)
14:29:50,458 INFO [stdout] (http--0.0.0.0-8443-1) http--0.0.0.0-8443-1,
SEND TLSv1 ALERT: fatal, description = unexpected_message
14:29:50,460 INFO [stdout] (http--0.0.0.0-8443-1) http--0.0.0.0-8443-4,
SEND TLSv1 ALERT: http--0.0.0.0-8443-1, WRITE: TLSv1 Alert, length = 2
14:29:50,461 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
handling exception: java.net.SocketTimeoutException: Read timed out
14:29:50,463 INFO [stdout] (http--0.0.0.0-8443-1) http--0.0.0.0-8443-1,
called closeSocket()
14:29:50,464 INFO [stdout] (http--0.0.0.0-8443-4) fatal, description =
unexpected_message
14:56:15,896 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
WRITE: TLSv1 Handshake, length = 48
14:56:15,903 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
READ: TLSv1 Change Cipher Spec, length = 1
14:56:15,905 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
READ: TLSv1 Handshake, length = 48
14:56:15,906 INFO [stdout] (http--0.0.0.0-8443-3) *** Finished
14:56:15,906 INFO [stdout] (http--0.0.0.0-8443-3) verify_data: { 107,
133, 194, 246, 254, 149, 3, 99, 208, 155, 18, 181 }
14:56:15,907 INFO [stdout] (http--0.0.0.0-8443-3) ***
14:56:15,908 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
READ: TLSv1 Application Data, length = 32
14:56:15,909 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
READ: TLSv1 Application Data, length = 528
14:56:15,911 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
WRITE: TLSv1 Application Data, length = 368
14:56:15,969 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
READ: TLSv1 Application Data, length = 32
14:56:15,970 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
READ: TLSv1 Application Data, length = 464
14:56:15,973 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
WRITE: TLSv1 Application Data, length = 32
14:56:15,974 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
WRITE: TLSv1 Application Data, length = 5344
14:56:21,959 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
READ: TLSv1 Alert, length = 32
14:56:21,961 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
RECV TLSv1 ALERT: warning, close_notify
14:56:21,962 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
called closeInternal(false)
14:56:21,962 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
SEND TLSv1 ALERT: warning, description = close_notify
14:56:21,964 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
WRITE: TLSv1 Alert, length = 32
14:56:21,965 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
called close()
14:56:21,966 INFO [stdout] (http--0.0.0.0-8443-3) http--0.0.0.0-8443-3,
called closeInternal(true)
thank you, Timur
2014-06-24 15:14 GMT+06:00 Tomas Gustavsson <to...@pr...>:
>
> Hi Timur,
>
> No, there is no such table available; that would be very time consuming to
> produce on a free basis.
>
> Customized development help is usually a professional services business.
>
> Kind regards,
> Tomas
>
> On 2014-06-24 11:03, Тимур wrote:
> > Hello, Tomas.
> > Thank you for your prompt.
> > Is there any external interfaces comparison table among different
> > versions of EJBCA to see what calls to EJBCA 6.1.1 must be corrected ?
> > For example, usual operations like check common name, check certificate
> > validity are still the same between EJBCA 3.11.x and 6.1.x ?
> >
> > thank you, Timur.
> >
> >
> >
> > 2014-06-24 14:43 GMT+06:00 Tomas Gustavsson <to...@pr...>:
> >
> >
> > Depending on what interfaces you are using, things have changed. Some
> > interfaces have not changed, while some have.
> >
> > Cheers,
> > Tomas
> > ---
> > Save time and money with an Enterprise support subscription. Please
> see
> > www.primekey.se for more information.
> > http://www.primekey.se/Products/EJBCA+PKI/
> > http://www.primekey.se/Services/Support/
> >
> > On 2014-06-24 09:32, Тимур wrote:
> > > Dears,
> > > (there was wrong typing in EJBCA version in my previous post , so
> > > repeating the question in a correct way)
> > > Could you please confirm/refute whether EJBCA 3.11.0 versus
> EJBCA
> > > 6.1.1 has any difference in their external interfaces for
> interaction
> > > with external java applications ?
> > > Is some custom java application (which was designed for
> > interaction with
> > > EJBCA 3.11.0 (r10752) external interface) compatible with EJBCA
> 6.1.1
> > > external interface ?
> > >
> > > thanks, Timur
> > >
> > >
> > >
> > > 2014-06-08 17:26 GMT+06:00 Branko Majic <br...@ma...>:
> > >
> > > On Sat, 7 Jun 2014 23:04:37 +0600
> > > Тимур <tim...@gm...> wrote:
> > >
> > > > Hello, Branko !
> > > > Thank you for your good advice about SSL debugging on
> JBoss.
> > > IP-address
> > > > was replaced by FQDN but still JBoss rejects connection.
> > > > Then SSL debug had been enabled on JBoss 7.1.1:
> > > >
> > > > [oracle@duo ~]$ curl -v "https://rootca.teka.kz:8442/ejbca"
> -E
> > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer
> > > > --key /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key
> --pass
> > > welcome123
> > > > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > > ....
> > > > 21:10:53,179 INFO [stdout]
> (http--0.0.0.0-8442-Acceptor-0) Is
> > > initial
> > > > handshake: true
> > > > 21:10:53,180 INFO [stdout]
> > (http--0.0.0.0-8442-Acceptor-0) Is secure
> > > > renegotiation: false
> > > > 21:10:53,183 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > setSoTimeout(60000) called
> > > > 21:10:53,187 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > READ: SSL v2, contentType = Handshake, translated length
> = 95
> > > > 21:10:53,190 INFO [stdout] (http--0.0.0.0-8442-1) ***
> > > ClientHello, TLSv1
> > > > .....
> > > > 21:10:53,286 INFO [stdout] (http--0.0.0.0-8442-1) ***
> > > ServerHello, TLSv1
> > > > .....
> > > > 21:10:53,550 INFO [stdout] (http--0.0.0.0-8442-1) ***
> > > ServerHelloDone
> > > > 21:10:53,552 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > WRITE: TLSv1 Handshake, length = 2722
> > > > 21:10:53,561 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > READ: TLSv1 Alert, length = 2
> > > > 21:10:53,563 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > RECV TLSv1 ALERT: fatal, unknown_ca
> > > > 21:10:53,564 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > called closeSocket()
> > > > 21:10:53,566 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > handling exception: javax.net.ssl.SSLHandshakeException:
> > Received
> > > fatal
> > > > alert: unknown_ca
> > > > 21:10:53,567 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > IOException in getSession():
> > > javax.net.ssl.SSLHandshakeException: Received
> > > > fatal alert:
> > > > unknown_ca <-------!!!!!!!
> > > > 21:10:53,577 INFO [stdout] (http--0.0.0.0-8442-1)
> > > http--0.0.0.0-8442-1,
> > > > called close()
> > > >
> > > > JBoss SSL-certificate is for CN=rootca.teka.kz which belongs to the CA
> > > > named "ROOTCA.TEKA.KZ".
> > > > BUT I run "curl" utility for CA named "BTA Ipoteka CA" - all
> > > certificates
> > > > used in "curl" options are emitted by CA "BTA Ipoteka CA":
> > > >
> > > > [oracle@duo ~]$ curl -v "https://rootca.teka.kz:8442/ejbca"
> -E
> > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer \
> > > > --key /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key
> --pass
> > > welcome123 \
> > > > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > >
> > > > I cannot use CA "ROOTCA.TEKA.KZ" as it has too
> > > > strong key which is not supported by my eToken Client; I
> > had to
> > > create one
> > > > more CA "BTA Ipoteka CA" with shorter key length.
> > > > What steps to do if certificates for customer devices are
> > emitted
> > > by CA
> > > > "BTA Ipoteka CA" but initial CA is "ROOTCA.TEKA.KZ"
> > > > and JBoss certificate is for initial CA.
> > > > Probably some reconfiguration is to be done on JBoss to
> > let one
> > > receive
> > > > requests for new CA also ?
> > > >
> > > > thank you for your great job, Timur.
> > > >
> > > >
> > > >
> > > > 2014-06-07 17:07 GMT+06:00 Branko Majic <br...@ma...>:
> > > >
> > > > > On Fri, 6 Jun 2014 23:06:26 +0600
> > > > > Тимур <tim...@gm...> wrote:
> > > > >
> > > > > > Hello, dears
> > > > > >
> > > > > > I have successfully installed EJBCA 6.1.1, JBoss
> > 7.1.1.Final,
> > > openjdk 6,
> > > > > > Oracle 9.2.0.5, ojdbc6.jar, on Ubuntu Linux ("13.04,
> > Raring
> > > Ringtail").
> > > > > No
> > > > > > any deployment and
> > > > > > installation mistakes for this software combination. I
> > have
> > > successfully
> > > > > > created all profiles, added entity and I have issued my
> > first
> > > > > > SSL-certificate and write one to USB HSM with eToken Client. So, I have
> > > > > > full-functional EJBCA 6.1.1 at present.
> > > > > > I have a custom java-application which uses eToken authentication and this
> > > > > > java-application worked fine with previous version of EJBCA and I need to
> > > > > > organize connectivity between this java-application and EJBCA. There is a
> > > > > > parameter for EJBCA URL in java-application config file and I pointed
> > > > > > this parameter to "https://10.62.2.88:8443/ejbca".
> > > > > > Java-application uses jdk cacerts and I imported issued certificate with CA
> > > > > > certificate of EJBCA to cacerts but no connection yet.
> > > > > > Checking connectivity to EJBCA by curl utility also gives negative result:
> > > > > >
> > > > > > CA-certificate in PEM-format:
> > > > > >
> > > > > > [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> > > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> > > > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass
> > > > > > welcome123 --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > > > > * About to connect() to 10.62.2.88 port 8443
> > > > > > * Trying 10.62.2.88... * connected
> > > > > > * Connected to 10.62.2.88 (10.62.2.88) port 8443
> > > > > > * successfully set certificate verify locations:
> > > > > > * CAfile: /home/oracle/BTAIpotekaCA.cacert.pem
> > > > > > CApath: none
> > > > > > * SSL certificate problem, verify that the CA cert is OK. Details:
> > > > > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> > > > > > failed
> > > > > >
> > > > > > CA-certificate in BASE-64 format:
> > > > > >
> > > > > > [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> > > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> > > > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass
> > > > > > welcome123 --cacert /home/oracle/BTAIpotekaCA.cacert-base64.cer --sslv3
> > > > > > --trace-ascii /tmp/curl.log
> > > > > > curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> > > > > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> > > > > > failed
> > > > > > More details here: http://curl.haxx.se/docs/sslcerts.html
> > > > > >
> > > > > > EJBCA console log contains no records to understand why there is no
> > > > > > connectivity to EJBCA.
> > > > > > Could you please help to find out which URL must be used to connect to
> > > > > > EJBCA for authentication? If "https://10.62.2.88:8443/ejbca" is correct,
> > > > > > what's the reason for the trouble with the EJBCA connection?
> > > > > >
> > > > > > thank you, Timur.
> > > > >
> > > > > Hello Timur,
> > > > >
> > > > > The problem you are facing happens during the TLS handshake between the
> > > > > server and client, where (at least) the client is unable to verify the
> > > > > certificate presented by JBoss.
> > > > >
> > > > > Since the TLS is handled by JBoss, you won't get any useful logging
> > > > > messages from EJBCA. In fact, not even JBoss as such will produce any
> > > > > useful debugging info. You could try enabling debugging of the TLS
> > > > > handshake via JAVA_OPTS, though.
> > > > >
> > > > > I've noticed you are using the IP address for connecting to JBoss/EJBCA
> > > > > - are you sure that you have this IP address specified in your server
> > > > > certificate (on JBoss)? If not, that is your problem. The IP, FQDN, or
> > > > > hostname used for connecting has to be part of subjectAltName DNS name
> > > > > (or, if subjectAltName DNS name is not present, CN has to be used).
> > > > >
> > > > > As a side-note, you should avoid using IP address in certificates or
> > > > > for TLS connections in general, and instead rely on FQDN or hostname,
> > > > > with FQDN being the recommended thing to use.
> > > > >
> > > > > I hope this explanation will help you a bit :)
> > > > >
> > > > > Best regards
> > > > >
> > >
> > > Hello Timur,
> > >
> > > If you are getting a validation error on port 8442, that is probably
> > > the client-side validation failing. Keep in mind that if you deploy
> > > EJBCA on JBoss using default ports, port 8442 does _not_ require client
> > > certificate authentication.
> > >
> > > You could test if JBoss will return anything at all to you on port 8442
> > > with wget --no-check-certificate (just to see if content gets served),
> > > and then try to figure out why your client fails to validate the server
> > > certificate.
> > >
> > > If the JBoss certificate was issued by ROOTCA.TEKA.KZ, you will most
> > > definitely need to have this CA certificate in the truststore of your
> > > client.
> > >
> > > As for trusted client certificates on (for EJBCA commonly) port 8443,
> > > you will need to update the JBoss truststore to contain the new CA
> > > certificate (used for issuing client certificates).
> > >
> > > Best regards
> > >
> > > --
> > > Branko Majic
> > > Jabber: br...@ma...
> > > Please use only Free formats when sending attachments to me.
> > >
> > > Branko Majić
> > > Jabber: br...@ma...
> > > Please send me attachments only in free formats.
> > >
> > >
> >
> ------------------------------------------------------------------------------
> > > Learn Graph Databases - Download FREE O'Reilly Book
> > > "Graph Databases" is the definitive new guide to graph
> > databases and
> > > their
> > > applications. Written by three acclaimed leaders in the field,
> > > this first edition is now available. Download your free book
> > today!
> > > http://p.sf.net/sfu/NeoTech
> > > _______________________________________________
> > > Ejbca-develop mailing list
> > > Ejb...@li...
> > <mailto:Ejb...@li...>
> > > <mailto:Ejb...@li...
> > <mailto:Ejb...@li...>>
> > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> ------------------------------------------------------------------------------
> > > Open source business process management suite built on Java and
> > Eclipse
> > > Turn processes into business applications with Bonita BPM
> > Community Edition
> > > Quickly connect people, data, and systems into organized workflows
> > > Winner of BOSSIE, CODIE, OW2 and Gartner awards
> > > http://p.sf.net/sfu/Bonitasoft
From: Viktor M. <mas...@gm...> - 2014-06-26 06:41:10
>> check .. softTokenRequest.
I was confused by "The user's token type must be set to
UserDataVOWS.TOKEN_TYPE_ (JKS or P12)".
Does this mean that the "PEM" tokenType doesn't let me receive the private key
via EjbcaWS?
(As far as I know, the "batch" CLI command also generates the private key
("/pem/xxxx-Key.pem" file) in the case of the "PEM" tokenType.)
Viktor
On Wed, Jun 25, 2014 at 4:31 PM, Tomas Gustavsson <to...@pr...> wrote:
>
> Did you check the API doc?
>
> http://ejbca.org/docs/ws/org/ejbca/core/protocol/ws/client/gen/EjbcaWS.html
>
>
> check pkcs12Req or softTokenReq.
>
> Cheers,
> Tomas
>
> On 2014-06-25 15:21, Viktor Massalogin wrote:
> > Which EjbcaWS command could I use to get a keypair and cert (generated
> > on the server) ?
> > How I see, all "cert request" commands (certificateRequest,
> > pkcs10Request, spkacRequest etc) need a CSR as an argument.
> >
> > Viktor
> >
> >
> > On Wed, Jun 25, 2014 at 3:59 PM, Tomas Gustavsson <to...@pr...> wrote:
> >
> > > Why do you want to generate a key pair and a CSR on the server side?
> > > Just to send the CSR to the CA again and get a certificate? That is
> > > unneeded roundtrips.
> > > Simply set keystore type to PEM, P12 or JKS, and you will get a key pair
> > > and a certificate generated on the server.
> > >
> > > Cheers,
> > > Tomas
> > >
> > > On 2014-06-25 14:54, Viktor Massalogin wrote:
> > > > Hi!
> > > >
> > > > I'm trying to use EjbcaWS to enroll certificates.
> > > > Currently I generate a keypair and CSR on client side and call
> > > > certificateRequest command (EndEntity's tokenType is "USERGENERATED").
> > > > Am I right that there is no way to generate a keypair and CSR on server
> > > > side (via EjbcaWS)?
> > > > (As I understand it, all "cert request" commands (certificateRequest,
> > > > pkcs10Request,..) need a CSR as an argument, but I see no command to
> > > > generate a CSR)
> > > > Does this also mean that only "USERGENERATED" tokenType (no "PEM" etc)
> > > > is allowed for enrollment via EjbcaWS?
> > > >
> > > > Viktor
From: Tomas G. <to...@pr...> - 2014-06-26 06:05:15
CA operations are not part of the SCEP protocol as far as I know. Perhaps you mean automatic updates of client certificates? Or can you specify what SCEP message you are thinking about.

The SCEP protocol does not evolve much, so don't worry about draft versions; EJBCA updates to support new use cases as needed. There are always parts of a protocol that nobody uses.

You may also want to take a look at the CMP protocol, which is much more powerful.

Regards,
Tomas
--
PrimeKey Solutions AB
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
Mob: +46 (0)707421096

On June 26, 2014 7:50:05 AM CEST, "Ou Jin (ojin)" <oj...@ci...> wrote:
> Hi, EJBCA experts
>
> We are trying to set up EJBCA as CA server in our solution. When I'm
> reading the document I have some questions about the SCEP support.
>
> From EJBCA Admin guide, I saw the section of "Level of SCEP support"
> writes:
> "EJBCA implements features from (at least) draft 11 of the SCEP
> specification. This means that we implement the following SCEP
> messages:
> PKCSReq
> GetCRL
> GetCACert
> GetCACertChain
> GetCACaps"
>
> As draft 11 is a relatively old version and given the messages listed, it
> seems like EJBCA doesn't support CA key rollover. Is that correct? I'm
> not sure whether this part of the document is up-to-date or not. I went
> through release notes but didn't get a clear picture. If something has
> changed, could you please provide the list of SCEP support for the current
> 6.2 version? Thanks a lot.
>
> Definitely we'll set up EJBCA and do some investigation. But it'll be
> great to get first-hand info from you. Your help is really appreciated.
>
> Regards,
> Ou
From: Ou J. (ojin) <oj...@ci...> - 2014-06-26 05:50:14
Hi, EJBCA experts

We are trying to set up EJBCA as CA server in our solution. When I'm reading the document I have some questions about the SCEP support.

From EJBCA Admin guide, I saw the section of "Level of SCEP support" writes:
"EJBCA implements features from (at least) draft 11 of the SCEP specification. This means that we implement the following SCEP messages:
PKCSReq
GetCRL
GetCACert
GetCACertChain
GetCACaps"

As draft 11 is a relatively old version and given the messages listed, it seems like EJBCA doesn't support CA key rollover. Is that correct? I'm not sure whether this part of the document is up-to-date or not. I went through release notes but didn't get a clear picture. If something has changed, could you please provide the list of SCEP support for the current 6.2 version? Thanks a lot.

Definitely we'll set up EJBCA and do some investigation. But it'll be great to get first-hand info from you. Your help is really appreciated.

Regards,
Ou
From: Tomas G. <to...@pr...> - 2014-06-25 13:31:54
Did you check the API doc?

http://ejbca.org/docs/ws/org/ejbca/core/protocol/ws/client/gen/EjbcaWS.html

check pkcs12Req or softTokenReq.

Cheers,
Tomas

On 2014-06-25 15:21, Viktor Massalogin wrote:
> Which EjbcaWS command could I use to get a keypair and cert (generated
> on the server)?
> As I see it, all "cert request" commands (certificateRequest,
> pkcs10Request, spkacRequest etc) need a CSR as an argument.
>
> Viktor
>
> On Wed, Jun 25, 2014 at 3:59 PM, Tomas Gustavsson <to...@pr...> wrote:
>
> > Why do you want to generate a key pair and a CSR on the server side?
> > Just to send the CSR to the CA again and get a certificate? That is
> > unneeded roundtrips.
> > Simply set keystore type to PEM, P12 or JKS, and you will get a key pair
> > and a certificate generated on the server.
> >
> > Cheers,
> > Tomas
> >
> > On 2014-06-25 14:54, Viktor Massalogin wrote:
> > > Hi!
> > >
> > > I'm trying to use EjbcaWS to enroll certificates.
> > > Currently I generate a keypair and CSR on client side and call
> > > certificateRequest command (EndEntity's tokenType is "USERGENERATED").
> > > Am I right that there is no way to generate a keypair and CSR on server
> > > side (via EjbcaWS)?
> > > (As I understand it, all "cert request" commands (certificateRequest,
> > > pkcs10Request,..) need a CSR as an argument, but I see no command to
> > > generate a CSR)
> > > Does this also mean that only "USERGENERATED" tokenType (no "PEM" etc)
> > > is allowed for enrollment via EjbcaWS?
> > >
> > > Viktor
From: Viktor M. <mas...@gm...> - 2014-06-25 13:21:20
Which EjbcaWS command could I use to get a keypair and cert (generated on the server)?
As I see it, all "cert request" commands (certificateRequest, pkcs10Request, spkacRequest etc) need a CSR as an argument.

Viktor

On Wed, Jun 25, 2014 at 3:59 PM, Tomas Gustavsson <to...@pr...> wrote:
>
> Why do you want to generate a key pair and a CSR on the server side?
> Just to send the CSR to the CA again and get a certificate? That is
> unneeded roundtrips.
> Simply set keystore type to PEM, P12 or JKS, and you will get a key pair
> and a certificate generated on the server.
>
> Cheers,
> Tomas
>
> On 2014-06-25 14:54, Viktor Massalogin wrote:
> > Hi!
> >
> > I'm trying to use EjbcaWS to enroll certificates.
> > Currently I generate a keypair and CSR on client side and call
> > certificateRequest command (EndEntity's tokenType is "USERGENERATED").
> > Am I right that there is no way to generate a keypair and CSR on server
> > side (via EjbcaWS)?
> > (As I understand it, all "cert request" commands (certificateRequest,
> > pkcs10Request,..) need a CSR as an argument, but I see no command to
> > generate a CSR)
> > Does this also mean that only "USERGENERATED" tokenType (no "PEM" etc)
> > is allowed for enrollment via EjbcaWS?
> >
> > Viktor
From: Tomas G. <to...@pr...> - 2014-06-25 13:00:02
Why do you want to generate a key pair and a CSR on the server side? Just to send the CSR to the CA again and get a certificate? That is unneeded roundtrips.
Simply set keystore type to PEM, P12 or JKS, and you will get a key pair and a certificate generated on the server.

Cheers,
Tomas

On 2014-06-25 14:54, Viktor Massalogin wrote:
> Hi!
>
> I'm trying to use EjbcaWS to enroll certificates.
> Currently I generate a keypair and CSR on client side and call
> certificateRequest command (EndEntity's tokenType is "USERGENERATED").
> Am I right that there is no way to generate a keypair and CSR on server
> side (via EjbcaWS)?
> (As I understand it, all "cert request" commands (certificateRequest,
> pkcs10Request,..) need a CSR as an argument, but I see no command to
> generate a CSR)
> Does this also mean that only "USERGENERATED" tokenType (no "PEM" etc)
> is allowed for enrollment via EjbcaWS?
>
> Viktor
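The two enrollment paths contrasted in this exchange, written out against the generated EjbcaWS client classes: a key pair generated on the client and submitted as a PKCS#10 through certificateRequest (token type USERGENERATED), and a key pair generated by the CA and fetched with pkcs12Req after the end entity is created with token type P12. This is an added example, not code from the thread or from EJBCA. It assumes the EJBCA WS client jar and BouncyCastle bcpkix are on the classpath; the WSDL URL, CA and profile names, admin PKCS#12 path, usernames and enrollment codes are placeholders; and the call signatures, the PKCS#10 request type 0 with response type "CERTIFICATE", and the base64 encoding of CertificateResponse.getData() and KeyStore.getKeystoreData() are taken from the EjbcaWS javadoc linked above.

```java
// Added example (not from the thread or from EJBCA): both EjbcaWS enrollment styles.
// Assumed on the classpath: org.ejbca.core.protocol.ws.client.gen.* (EJBCA WS client)
// and BouncyCastle bcpkix. All URLs, names and secrets below are placeholders.
import java.io.ByteArrayInputStream;
import java.net.URL;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import javax.xml.namespace.QName;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.ejbca.core.protocol.ws.client.gen.CertificateResponse;
import org.ejbca.core.protocol.ws.client.gen.EjbcaWS;
import org.ejbca.core.protocol.ws.client.gen.EjbcaWSService;
import org.ejbca.core.protocol.ws.client.gen.UserDataVOWS;

public class EjbcaWsEnroll {

    // The WS API lives on the client-cert-authenticated port (8443 by default);
    // the admin PKCS#12 must chain to a CA in the JBoss truststore. (placeholders)
    static final String WS_URL = "https://rootca.teka.kz:8443/ejbca/ejbcaws/ejbcaws?wsdl";
    static final String CA_NAME = "BTA Ipoteka CA";                      // CA named in the thread
    static final String EE_PROFILE = "EMPTY", CERT_PROFILE = "ENDUSER";  // EJBCA default profiles

    static EjbcaWS connect(String adminP12, String adminPin, String trustJks, String trustPin) throws Exception {
        // JAX-WS picks up the default JSSE context, so configure it via system properties.
        System.setProperty("javax.net.ssl.keyStore", adminP12);
        System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
        System.setProperty("javax.net.ssl.keyStorePassword", adminPin);
        System.setProperty("javax.net.ssl.trustStore", trustJks);
        System.setProperty("javax.net.ssl.trustStorePassword", trustPin);
        EjbcaWSService service = new EjbcaWSService(new URL(WS_URL),
                new QName("http://ws.protocol.core.ejbca.org/", "EjbcaWSService"));
        return service.getEjbcaWSPort();
    }

    static UserDataVOWS endEntity(String username, String enrollmentCode, String subjectDn, String tokenType) {
        UserDataVOWS user = new UserDataVOWS();
        user.setUsername(username);
        user.setPassword(enrollmentCode);   // one-time enrollment code, not stored in clear
        user.setClearPwd(false);
        user.setSubjectDN(subjectDn);
        user.setCaName(CA_NAME);
        user.setEndEntityProfileName(EE_PROFILE);
        user.setCertificateProfileName(CERT_PROFILE);
        user.setTokenType(tokenType);
        user.setStatus(UserDataVOWS.STATUS_NEW);
        return user;
    }

    /** Client-side key generation: the private key never leaves this JVM. */
    static X509Certificate enrollWithCsr(EjbcaWS ws, String username, String code, String subjectDn) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        PKCS10CertificationRequest csr = new JcaPKCS10CertificationRequestBuilder(
                new X500Name(subjectDn), kp.getPublic())
                .build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate()));
        // certificateRequest creates/edits the end entity and issues in one call.
        // requestType 0 = PKCS#10, responseType "CERTIFICATE" (CertificateHelper constants).
        CertificateResponse resp = ws.certificateRequest(
                endEntity(username, code, subjectDn, UserDataVOWS.TOKEN_TYPE_USERGENERATED),
                Base64.getEncoder().encodeToString(csr.getEncoded()), 0, null, "CERTIFICATE");
        byte[] der = Base64.getDecoder().decode(resp.getData()); // getData() is base64 DER
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
    }

    /** Server-side key generation: the CA makes the key pair and hands back a PKCS#12. */
    static KeyStore enrollServerSide(EjbcaWS ws, String username, String code, String subjectDn) throws Exception {
        // pkcs12Req requires token type P12 (or JKS); the blob comes back base64-encoded
        // and is protected with the enrollment code. The private key transits the CA.
        ws.editUser(endEntity(username, code, subjectDn, UserDataVOWS.TOKEN_TYPE_P12));
        org.ejbca.core.protocol.ws.client.gen.KeyStore wsKs =
                ws.pkcs12Req(username, code, null, "2048", "RSA");
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(new ByteArrayInputStream(Base64.getDecoder().decode(wsKs.getKeystoreData())),
                 code.toCharArray());
        return p12;
    }

    public static void main(String[] args) throws Exception {
        EjbcaWS ws = connect("/path/to/superadmin.p12", "admin-pin", "/path/to/truststore.jks", "changeit");
        X509Certificate cert = enrollWithCsr(ws, "duo", "enrollment-code-1", "CN=duo.teka.kz");
        System.out.println("client key, cert serial " + cert.getSerialNumber().toString(16));
        KeyStore ks = enrollServerSide(ws, "duo-srv", "enrollment-code-2", "CN=duo-srv.teka.kz");
        System.out.println("server key pair, aliases " + Collections.list(ks.aliases()));
    }
}
```

softTokenRequest(user, null, "2048", "RSA") is the one-call form of the second path (editUser plus key generation together). The real difference between the two paths is not the number of round trips but where the private key is born: with pkcs12Req it is generated on the CA and returned over the TLS channel, so reserve that path for clients that cannot generate a key pair themselves and treat the enrollment code as the secret that protects the returned PKCS#12.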
From: Viktor M. <mas...@gm...> - 2014-06-25 12:55:11
Hi!

I'm trying to use EjbcaWS to enroll certificates.
Currently I generate a keypair and CSR on client side and call certificateRequest command (EndEntity's tokenType is "USERGENERATED").
Am I right that there is no way to generate a keypair and CSR on server side (via EjbcaWS)?
(As I understand it, all "cert request" commands (certificateRequest, pkcs10Request,..) need a CSR as an argument, but I see no command to generate a CSR)
Does this also mean that only "USERGENERATED" tokenType (no "PEM" etc) is allowed for enrollment via EjbcaWS?

Viktor
From: Tomas G. <to...@pr...> - 2014-06-24 09:14:33
Hi Timur,

No, there is no such table available; that would be very time consuming to produce on a free basis. Customized development help is usually a professional services business.

Kind regards,
Tomas

On 2014-06-24 11:03, Тимур wrote:
> Hello, Tomas.
> Thank you for your prompt reply.
> Is there any external interfaces comparison table among different
> versions of EJBCA to see what calls to EJBCA 6.1.1 must be corrected?
> For example, are usual operations like check common name, check certificate
> validity still the same between EJBCA 3.11.x and 6.1.x?
>
> thank you, Timur.
>
> 2014-06-24 14:43 GMT+06:00 Tomas Gustavsson <to...@pr...>:
>
> > Depending on what interfaces you are using, things have changed. Some
> > interfaces have not changed, while some have.
> >
> > Cheers,
> > Tomas
> > ---
> > Save time and money with an Enterprise support subscription. Please see
> > www.primekey.se for more information.
> > http://www.primekey.se/Products/EJBCA+PKI/
> > http://www.primekey.se/Services/Support/
> >
> > On 2014-06-24 09:32, Тимур wrote:
> > > Dears,
> > > (there was a typo in the EJBCA version in my previous post, so I am
> > > repeating the question in a correct way)
> > > Could you please confirm/refute whether EJBCA 3.11.0 versus EJBCA
> > > 6.1.1 has any difference in their external interfaces for interaction
> > > with external java applications?
> > > Is some custom java application (which was designed for interaction with
> > > the EJBCA 3.11.0 (r10752) external interface) compatible with the EJBCA 6.1.1
> > > external interface?
> > >
> > > thanks, Timur
> > >
> > > 2014-06-08 17:26 GMT+06:00 Branko Majic <br...@ma...>:
> > >
> > > > On Sat, 7 Jun 2014 23:04:37 +0600
> > > > Тимур <tim...@gm...> wrote:
> > > >
> > > > > Hello, Branko!
> > > > > Thank you for your good advice about SSL debugging on JBoss. The IP-address
> > > > > was replaced by the FQDN but JBoss still rejects the connection.
> > > > > Then SSL debug was enabled on JBoss 7.1.1:
> > > > >
> > > > > [oracle@duo ~]$ curl -v "https://rootca.teka.kz:8442/ejbca" -E
> > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer
> > > > > --key /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123
> > > > > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > > > ....
> > > > > 21:10:53,179 INFO [stdout] (http--0.0.0.0-8442-Acceptor-0) Is initial handshake: true
> > > > > 21:10:53,180 INFO [stdout] (http--0.0.0.0-8442-Acceptor-0) Is secure renegotiation: false
> > > > > 21:10:53,183 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, setSoTimeout(60000) called
> > > > > 21:10:53,187 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, READ: SSL v2, contentType = Handshake, translated length = 95
> > > > > 21:10:53,190 INFO [stdout] (http--0.0.0.0-8442-1) *** ClientHello, TLSv1
> > > > > .....
> > > > > 21:10:53,286 INFO [stdout] (http--0.0.0.0-8442-1) *** ServerHello, TLSv1
> > > > > .....
> > > > > 21:10:53,550 INFO [stdout] (http--0.0.0.0-8442-1) *** ServerHelloDone
> > > > > 21:10:53,552 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, WRITE: TLSv1 Handshake, length = 2722
> > > > > 21:10:53,561 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, READ: TLSv1 Alert, length = 2
> > > > > 21:10:53,563 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, RECV TLSv1 ALERT: fatal, unknown_ca
> > > > > 21:10:53,564 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, called closeSocket()
> > > > > 21:10:53,566 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
> > > > > 21:10:53,567 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca <-------!!!!!!!
> > > > > 21:10:53,577 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, called close()
> > > > >
> > > > > The JBoss SSL-certificate is for CN=rootca.teka.kz, which belongs to the CA
> > > > > named "ROOTCA.TEKA.KZ".
> > > > > BUT I run the "curl" utility for the CA named "BTA Ipoteka CA" - all certificates
> > > > > used in the "curl" options are issued by CA "BTA Ipoteka CA":
> > > > >
> > > > > [oracle@duo ~]$ curl -v "https://rootca.teka.kz:8442/ejbca" -E
> > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer \
> > > > > --key /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123 \
> > > > > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > > >
> > > > > I cannot use CA "ROOTCA.TEKA.KZ" as it has too strong a key, which is not
> > > > > supported by my eToken Client; I had to create one more CA, "BTA Ipoteka CA",
> > > > > with a shorter key length.
> > > > > What steps are to be done if certificates for customer devices are issued by CA
> > > > > "BTA Ipoteka CA" but the initial CA is "ROOTCA.TEKA.KZ" and the JBoss
> > > > > certificate is from the initial CA?
> > > > > Probably some reconfiguration is to be done on JBoss to let it also receive
> > > > > requests for the new CA?
> > > > >
> > > > > thank you for your great job, Timur.
> > > > >
> > > > > 2014-06-07 17:07 GMT+06:00 Branko Majic <br...@ma...>:
> > > > >
> > > > > > On Fri, 6 Jun 2014 23:06:26 +0600
> > > > > > Тимур <tim...@gm...> wrote:
> > > > > >
> > > > > > > Hello, dears
> > > > > > >
> > > > > > > I have successfully installed EJBCA 6.1.1, JBoss 7.1.1.Final, openjdk 6,
> > > > > > > Oracle 9.2.0.5, ojdbc6.jar, on Ubuntu Linux ("13.04, Raring Ringtail").
> > > > > > > No deployment or installation mistakes for this software combination. I
> > > > > > > have successfully created all profiles, added an entity and I have issued my
> > > > > > > first SSL-certificate and written one to USB HSM with eToken Client. So, I
> > > > > > > have full-functional EJBCA 6.1.1 at present.
> > > > > > > I have a custom java-application which uses eToken authentication and this
> > > > > > > java-application worked fine with previous version of EJBCA and I need to
> > > > > > > organize connectivity between this java-application and EJBCA. There is a
> > > > > > > parameter for EJBCA URL in java-application config file and I pointed
> > > > > > > this parameter to "https://10.62.2.88:8443/ejbca".
> > > > > > > Java-application uses jdk cacerts and I imported issued certificate with CA
> > > > > > > certificate of EJBCA to cacerts but no connection yet.
> > > > > > > Checking connectivity to EJBCA by curl utility also gives negative result:
> > > > > > >
> > > > > > > CA-certificate in PEM-format:
> > > > > > >
> > > > > > > [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> > > > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> > > > > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass
> > > > > > > welcome123 --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > > > > > * About to connect() to 10.62.2.88 port 8443
> > > > > > > * Trying 10.62.2.88... * connected
> > > > > > > * Connected to 10.62.2.88 (10.62.2.88) port 8443
> > > > > > > * successfully set certificate verify locations:
> > > > > > > * CAfile: /home/oracle/BTAIpotekaCA.cacert.pem
> > > > > > > CApath: none
> > > > > > > * SSL certificate problem, verify that the CA cert is OK. Details:
> > > > > > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> > > > > > > failed
> > > > > > >
> > > > > > > CA-certificate in BASE-64 format:
> > > > > > >
> > > > > > > [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> > > > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> > > > > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass
> > > > > > > welcome123 --cacert /home/oracle/BTAIpotekaCA.cacert-base64.cer --sslv3
> > > > > > > --trace-ascii /tmp/curl.log
> > > > > > > curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> > > > > > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> > > > > > > failed
> > > > > > > More details here: http://curl.haxx.se/docs/sslcerts.html
> > > > > > >
> > > > > > > EJBCA console log contains no records to understand why there is no
> > > > > > > connectivity to EJBCA.
> > > > > > > Could you please help to find out which URL must be used to connect to
> > > > > > > EJBCA for authentication? If "https://10.62.2.88:8443/ejbca" is correct,
> > > > > > > what's the reason for the trouble with the EJBCA connection?
> > > > > > >
> > > > > > > thank you, Timur.
> > > > > >
> > > > > > Hello Timur,
> > > > > >
> > > > > > The problem you are facing happens during the TLS handshake between the
> > > > > > server and client, where (at least) the client is unable to verify the
> > > > > > certificate presented by JBoss.
> > > > > >
> > > > > > Since the TLS is handled by JBoss, you won't get any useful logging
> > > > > > messages from EJBCA. In fact, not even JBoss as such will produce any
> > > > > > useful debugging info. You could try enabling debugging of the TLS
> > > > > > handshake via JAVA_OPTS, though.
> > > > > >
> > > > > > I've noticed you are using the IP address for connecting to JBoss/EJBCA
> > > > > > - are you sure that you have this IP address specified in your server
> > > > > > certificate (on JBoss)? If not, that is your problem. The IP, FQDN, or
> > > > > > hostname used for connecting has to be part of subjectAltName DNS name
> > > > > > (or, if subjectAltName DNS name is not present, CN has to be used).
> > > > > >
> > > > > > As a side-note, you should avoid using IP address in certificates or
> > > > > > for TLS connections in general, and instead rely on FQDN or hostname,
> > > > > > with FQDN being the recommended thing to use.
> > > > > >
> > > > > > I hope this explanation will help you a bit :)
> > > > > >
> > > > > > Best regards
> > > >
> > > > Hello Timur,
> > > >
> > > > If you are getting a validation error on port 8442, that is probably
> > > > the client-side validation failing. Keep in mind that if you deploy
> > > > EJBCA on JBoss using default ports, port 8442 does _not_ require client
> > > > certificate authentication.
> > > >
> > > > You could test if JBoss will return anything at all to you on port 8442
> > > > with wget --no-check-certificate (just to see if content gets served),
> > > > and then try to figure out why your client fails to validate the server
> > > > certificate.
> > > >
> > > > If the JBoss certificate was issued by ROOTCA.TEKA.KZ, you will most
> > > > definitely need to have this CA certificate in the truststore of your
> > > > client.
> > > >
> > > > As for trusted client certificates on (for EJBCA commonly) port 8443,
> > > > you will need to update the JBoss truststore to contain the new CA
> > > > certificate (used for issuing client certificates).
> > > >
> > > > Best regards
> > > >
> > > > --
> > > > Branko Majic
> > > > Jabber: br...@ma...
> > > > Please use only Free formats when sending attachments to me.
> > > >
> > > > Branko Majić
> > > > Jabber: br...@ma...
> > > > Please send me attachments only in free formats.
|
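The two failures Branko diagnoses in the quoted replies above (the client rejecting the JBoss certificate because the name it connected to, an IP address, is not in the certificate's subjectAltName; then the `unknown_ca` alert because `--cacert` pointed at "BTA Ipoteka CA" while the JBoss certificate was issued by ROOTCA.TEKA.KZ) and the mirror-image problem on port 8443 (JBoss must trust the CA that issued the eToken certificate) can all be reproduced offline. The Go program below is an added example, not code from the thread, from EJBCA or from JBoss. It builds the two CAs, a JBoss server certificate and an eToken client certificate in memory with throwaway keys and runs Go's `crypto/x509` verifier the way a TLS client or server would, once per truststore configuration. The host and CA names are the ones from the posts; that the two CAs are independent self-signed roots, and the client subject `duo.teka.kz`, are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a one-day certificate skeleton; dns becomes the DNS subjectAltName (never an iPAddress SAN, as in the thread).
func template(cn string, serial int64, isCA bool, dns []string, eku ...x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue generates a throwaway P-256 key and signs tmpl; issuer == nil self-signs (a root CA).
func issue(tmpl, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Verify applies what a TLS peer checks on the certificate it receives: chain
// building against its truststore, the extended key usage, and, when connectTo
// is set, that name (FQDN or IP literal) against the subjectAltName.
func Verify(cert *x509.Certificate, truststore []*x509.Certificate, connectTo string, eku x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	for _, ca := range truststore {
		roots.AddCert(ca)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: connectTo, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// Outcome labels the result the way the thread saw it: "unknown_ca" is the alert in the JBoss debug log, "hostname_mismatch" the by-IP failure.
func Outcome(err error) string {
	switch err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError:
		return "unknown_ca"
	case x509.HostnameError:
		return "hostname_mismatch"
	}
	return "other: " + err.Error()
}

// Scenarios rebuilds the thread's PKI in memory. Host and CA names are from the
// posts; the two CAs being independent roots and the client subject are assumptions.
func Scenarios() map[string]string {
	root, rootKey := issue(template("ROOTCA.TEKA.KZ", 1, true, nil), nil, nil)
	ipoteka, ipotekaKey := issue(template("BTA Ipoteka CA", 2, true, nil), nil, nil)
	jboss, _ := issue(template("rootca.teka.kz", 3, false, []string{"rootca.teka.kz"}, x509.ExtKeyUsageServerAuth), root, rootKey)
	token, _ := issue(template("duo.teka.kz", 4, false, nil, x509.ExtKeyUsageClientAuth), ipoteka, ipotekaKey)
	trustRoot, trustIpoteka := []*x509.Certificate{root}, []*x509.Certificate{ipoteka}
	return map[string]string{
		"client: by IP, trusts ROOTCA":        Outcome(Verify(jboss, trustRoot, "10.62.2.88", x509.ExtKeyUsageServerAuth)),        // first post
		"client: by FQDN, trusts Ipoteka":     Outcome(Verify(jboss, trustIpoteka, "rootca.teka.kz", x509.ExtKeyUsageServerAuth)), // second post
		"client: by FQDN, trusts ROOTCA":      Outcome(Verify(jboss, trustRoot, "rootca.teka.kz", x509.ExtKeyUsageServerAuth)),    // client-side fix
		"server: JBoss trusts ROOTCA only":    Outcome(Verify(token, trustRoot, "", x509.ExtKeyUsageClientAuth)),                  // port 8443 as deployed
		"server: JBoss trusts ROOTCA+Ipoteka": Outcome(Verify(token, append(trustRoot, ipoteka), "", x509.ExtKeyUsageClientAuth)), // server-side fix
	}
}

func main() {
	for k, v := range Scenarios() {
		fmt.Printf("%-36s -> %s\n", k, v)
	}
}
```

Run it with `go run`; the three client rows reproduce the two failures from the posts and the fix (connect by FQDN, and put the CA that issued the JBoss certificate, not the CA that issued the client certificate, in the client truststore), and the two server rows show why the new CA has to be added to the JBoss truststore before port 8443 will accept eToken certificates issued by it. The labels in `Outcome` follow the thread's own logs; which TLS alert a real client sends on a chain failure depends on the implementation, so treat the label as a diagnosis, not as the wire format.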
From: Тимур <tim...@gm...> - 2014-06-24 09:03:35
|
Hello, Tomas.
Thank you for your prompt reply. Is there any comparison table of external
interfaces among different versions of EJBCA, to see which calls to EJBCA
6.1.1 must be corrected? For example, are usual operations like check
common name and check certificate validity still the same between EJBCA
3.11.x and 6.1.x?

thank you, Timur.

2014-06-24 14:43 GMT+06:00 Tomas Gustavsson <to...@pr...>:

> Depending on what interfaces you are using, things have changed. Some
> interfaces have not changed, while some have.
>
> Cheers,
> Tomas
> ---
> Save time and money with an Enterprise support subscription. Please see
> www.primekey.se for more information.
> http://www.primekey.se/Products/EJBCA+PKI/
> http://www.primekey.se/Services/Support/
>
> On 2014-06-24 09:32, Тимур wrote:
> > Dears,
> > (there was a wrong typing of the EJBCA version in my previous post, so I am
> > repeating the question in a correct way)
> > Could you please confirm/refute whether EJBCA 3.11.0 versus EJBCA
> > 6.1.1 has any difference in their external interfaces for interaction
> > with external java applications?
> > Is some custom java application (which was designed for interaction with
> > EJBCA 3.11.0 (r10752) external interface) compatible with EJBCA 6.1.1
> > external interface?
> >
> > thanks, Timur
> >
> >
> >
> > 2014-06-08 17:26 GMT+06:00 Branko Majic <br...@ma...>:
> >
> > On Sat, 7 Jun 2014 23:04:37 +0600
> > Тимур <tim...@gm...> wrote:
> >
> > > Hello, Branko!
> > > Thank you for your good advice about SSL debugging on JBoss. IP-address
> > > was replaced by FQDN but still JBoss rejects connection.
> > > Then SSL debug had been enabled on JBoss 7.1.1:
> > >
> > > [oracle@duo ~]$ curl -v "https://rootca.teka.kz:8442/ejbca" -E
> > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer
> > > --key /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123
> > > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > ....
> > > 21:10:53,179 INFO [stdout] (http--0.0.0.0-8442-Acceptor-0) Is initial
> > > handshake: true
> > > 21:10:53,180 INFO [stdout] (http--0.0.0.0-8442-Acceptor-0) Is secure
> > > renegotiation: false
> > > 21:10:53,183 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > > setSoTimeout(60000) called
> > > 21:10:53,187 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > > READ: SSL v2, contentType = Handshake, translated length = 95
> > > 21:10:53,190 INFO [stdout] (http--0.0.0.0-8442-1) *** ClientHello, TLSv1
> > > .....
> > > 21:10:53,286 INFO [stdout] (http--0.0.0.0-8442-1) *** ServerHello, TLSv1
> > > .....
> > > 21:10:53,550 INFO [stdout] (http--0.0.0.0-8442-1) *** ServerHelloDone
> > > 21:10:53,552 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > > WRITE: TLSv1 Handshake, length = 2722
> > > 21:10:53,561 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > > READ: TLSv1 Alert, length = 2
> > > 21:10:53,563 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > > RECV TLSv1 ALERT: fatal, unknown_ca
> > > 21:10:53,564 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > > called closeSocket()
> > > 21:10:53,566 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > > handling exception: javax.net.ssl.SSLHandshakeException: Received fatal
> > > alert: unknown_ca
> > > 21:10:53,567 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > > IOException in getSession(): javax.net.ssl.SSLHandshakeException: Received
> > > fatal alert: unknown_ca <-------!!!!!!!
> > > 21:10:53,577 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > > called close()
> > >
> > > JBoss SSL-certificate is for CN=rootca.teka.kz which belongs to the CA
> > > named "ROOTCA.TEKA.KZ".
> > > BUT I run "curl" utility for CA named "BTA Ipoteka CA" - all certificates
> > > used in "curl" options are issued by CA "BTA Ipoteka CA":
> > >
> > > [oracle@duo ~]$ curl -v "https://rootca.teka.kz:8442/ejbca" -E
> > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer \
> > > --key /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123 \
> > > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > >
> > > I cannot use CA "ROOTCA.TEKA.KZ" as it has too strong a key which is not
> > > supported by my eToken Client; I had to create one more CA "BTA Ipoteka CA"
> > > with shorter key length.
> > > What steps should be taken if certificates for customer devices are issued
> > > by CA "BTA Ipoteka CA" but the initial CA is "ROOTCA.TEKA.KZ" and the JBoss
> > > certificate is for the initial CA?
> > > Probably some reconfiguration has to be done on JBoss to let it also receive
> > > requests for the new CA?
> > >
> > > thank you for your great job, Timur.
> > >
> > >
> > >
> > > 2014-06-07 17:07 GMT+06:00 Branko Majic <br...@ma...>:
> > >
> > > > On Fri, 6 Jun 2014 23:06:26 +0600
> > > > Тимур <tim...@gm...> wrote:
> > > >
> > > > > Hello, dears
> > > > >
> > > > > I have successfully installed EJBCA 6.1.1, JBoss 7.1.1.Final, openjdk 6,
> > > > > Oracle 9.2.0.5, ojdbc6.jar, on Ubuntu Linux ("13.04, Raring Ringtail"). No
> > > > > deployment or installation mistakes for this software combination. I have
> > > > > successfully created all profiles, added an entity and I have issued my first
> > > > > SSL-certificate and written it to a USB HSM with eToken Client. So, I have a
> > > > > full-functional EJBCA 6.1.1 at present.
> > > > > I have a custom java-application which uses eToken authentication and this
> > > > > java-application worked fine with previous version of EJBCA and I need to
> > > > > organize connectivity between this java-application and EJBCA. There is a
> > > > > parameter for EJBCA URL in java-application config file and I pointed
> > > > > this parameter to "https://10.62.2.88:8443/ejbca".
> > > > > Java-application uses jdk cacerts and I imported issued certificate with CA
> > > > > certificate of EJBCA to cacerts but no connection yet.
> > > > > Checking connectivity to EJBCA by curl utility also gives negative result:
> > > > >
> > > > > CA-certificate in PEM-format:
> > > > >
> > > > > [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> > > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123
> > > > > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > > > * About to connect() to 10.62.2.88 port 8443
> > > > > *   Trying 10.62.2.88... * connected
> > > > > * Connected to 10.62.2.88 (10.62.2.88) port 8443
> > > > > * successfully set certificate verify locations:
> > > > > *   CAfile: /home/oracle/BTAIpotekaCA.cacert.pem
> > > > >   CApath: none
> > > > > * SSL certificate problem, verify that the CA cert is OK. Details:
> > > > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> > > > > failed
> > > > >
> > > > > CA-certificate in BASE-64 format:
> > > > >
> > > > > [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> > > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> > > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123
> > > > > --cacert /home/oracle/BTAIpotekaCA.cacert-base64.cer --sslv3
> > > > > --trace-ascii /tmp/curl.log
> > > > > curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> > > > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> > > > > failed
> > > > > More details here: http://curl.haxx.se/docs/sslcerts.html
> > > > >
> > > > > EJBCA console log contains no records to understand why no connectivity to
> > > > > EJBCA.
> > > > > Could you please help to find out which URL must be used to connect to
> > > > > EJBCA for authentication? If "https://10.62.2.88:8443/ejbca" is correct,
> > > > > what's the reason of trouble with EJBCA connection?
> > > > >
> > > > > thank you, Timur.
> > > >
> > > > Hello Timur,
> > > >
> > > > The problem you are facing happens during the TLS handshake between the
> > > > server and client, where (at least) the client is unable to verify the
> > > > certificate presented by JBoss.
> > > >
> > > > Since the TLS is handled by JBoss, you won't get any useful logging
> > > > messages from EJBCA. In fact, not even JBoss as such will produce any
> > > > useful debugging info. You could try enabling debugging of TLS
> > > > handshake via JAVA_OPTS, though.
> > > >
> > > > I've noticed you are using the IP address for connecting to JBoss/EJBCA
> > > > - are you sure that you have this IP address specified in your server
> > > > certificate (on JBoss)? If not, that is your problem. The IP, FQDN, or
> > > > hostname used for connecting has to be part of subjectAltName DNS name
> > > > (or, if subjectAltName DNS name is not present, CN has to be used).
> > > >
> > > > As a side-note, you should avoid using IP address in certificates or
> > > > for TLS connections in general, and instead rely on FQDN or hostname,
> > > > with FQDN being the recommended thing to use.
> > > >
> > > > I hope this explanation will help you a bit :)
> > > >
> > > > Best regards
> >
> > Hello Timur,
> >
> > If you are getting a validation error on port 8442, that is probably
> > the client-side validation failing. Keep in mind that if you deploy
> > EJBCA on JBoss using default ports, port 8442 does _not_ require client
> > certificate authentication.
> >
> > You could test if JBoss will return anything at all to you on port 8442
> > with wget --no-check-certificate (just to see if content gets served),
> > and then try to figure out why your client fails to validate the server
> > certificate.
> >
> > If the JBoss certificate was issued by ROOTCA.TEKA.KZ, you will most
> > definitely need to have this CA certificate in the truststore of your
> > client.
> >
> > As for trusted client certificates on (for EJBCA commonly) port 8443,
> > you will need to update the JBoss truststore to contain the new CA
> > certificate (used for issuing client certificates).
> >
> > Best regards
> >
> > --
> > Branko Majic
> > Jabber: br...@ma...
> > Please use only Free formats when sending attachments to me.
> >
> > Branko Majić
> > Jabber: br...@ma...
> > Please send attachments to me only in free formats.
|
From: Tomas G. <to...@pr...> - 2014-06-24 08:43:52
|
Depending on what interfaces you are using, things have changed. Some
interfaces have not changed, while some have.

Cheers,
Tomas
---
Save time and money with an Enterprise support subscription. Please see
www.primekey.se for more information.
http://www.primekey.se/Products/EJBCA+PKI/
http://www.primekey.se/Services/Support/

On 2014-06-24 09:32, Тимур wrote:
> Dears,
> (there was a wrong typing of the EJBCA version in my previous post, so I am
> repeating the question in a correct way)
> Could you please confirm/refute whether EJBCA 3.11.0 versus EJBCA
> 6.1.1 has any difference in their external interfaces for interaction
> with external java applications?
> Is some custom java application (which was designed for interaction with
> EJBCA 3.11.0 (r10752) external interface) compatible with EJBCA 6.1.1
> external interface?
>
> thanks, Timur
>
>
>
> 2014-06-08 17:26 GMT+06:00 Branko Majic <br...@ma...>:
>
> On Sat, 7 Jun 2014 23:04:37 +0600
> Тимур <tim...@gm...> wrote:
>
> > Hello, Branko!
> > Thank you for your good advice about SSL debugging on JBoss. IP-address
> > was replaced by FQDN but still JBoss rejects connection.
> > Then SSL debug had been enabled on JBoss 7.1.1:
> >
> > [oracle@duo ~]$ curl -v "https://rootca.teka.kz:8442/ejbca" -E
> > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer
> > --key /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123
> > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > ....
> > 21:10:53,179 INFO [stdout] (http--0.0.0.0-8442-Acceptor-0) Is initial
> > handshake: true
> > 21:10:53,180 INFO [stdout] (http--0.0.0.0-8442-Acceptor-0) Is secure
> > renegotiation: false
> > 21:10:53,183 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > setSoTimeout(60000) called
> > 21:10:53,187 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > READ: SSL v2, contentType = Handshake, translated length = 95
> > 21:10:53,190 INFO [stdout] (http--0.0.0.0-8442-1) *** ClientHello, TLSv1
> > .....
> > 21:10:53,286 INFO [stdout] (http--0.0.0.0-8442-1) *** ServerHello, TLSv1
> > .....
> > 21:10:53,550 INFO [stdout] (http--0.0.0.0-8442-1) *** ServerHelloDone
> > 21:10:53,552 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > WRITE: TLSv1 Handshake, length = 2722
> > 21:10:53,561 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > READ: TLSv1 Alert, length = 2
> > 21:10:53,563 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > RECV TLSv1 ALERT: fatal, unknown_ca
> > 21:10:53,564 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > called closeSocket()
> > 21:10:53,566 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > handling exception: javax.net.ssl.SSLHandshakeException: Received fatal
> > alert: unknown_ca
> > 21:10:53,567 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > IOException in getSession(): javax.net.ssl.SSLHandshakeException: Received
> > fatal alert: unknown_ca <-------!!!!!!!
> > 21:10:53,577 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > called close()
> >
> > JBoss SSL-certificate is for CN=rootca.teka.kz which belongs to the CA
> > named "ROOTCA.TEKA.KZ".
> > BUT I run "curl" utility for CA named "BTA Ipoteka CA" - all certificates
> > used in "curl" options are issued by CA "BTA Ipoteka CA":
> >
> > [oracle@duo ~]$ curl -v "https://rootca.teka.kz:8442/ejbca" -E
> > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer \
> > --key /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123 \
> > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> >
> > I cannot use CA "ROOTCA.TEKA.KZ" as it has too strong a key which is not
> > supported by my eToken Client; I had to create one more CA "BTA Ipoteka CA"
> > with shorter key length.
> > What steps should be taken if certificates for customer devices are issued
> > by CA "BTA Ipoteka CA" but the initial CA is "ROOTCA.TEKA.KZ" and the JBoss
> > certificate is for the initial CA?
> > Probably some reconfiguration has to be done on JBoss to let it also receive
> > requests for the new CA?
> >
> > thank you for your great job, Timur.
> >
> >
> >
> > 2014-06-07 17:07 GMT+06:00 Branko Majic <br...@ma...>:
> >
> > > On Fri, 6 Jun 2014 23:06:26 +0600
> > > Тимур <tim...@gm...> wrote:
> > >
> > > > Hello, dears
> > > >
> > > > I have successfully installed EJBCA 6.1.1, JBoss 7.1.1.Final, openjdk 6,
> > > > Oracle 9.2.0.5, ojdbc6.jar, on Ubuntu Linux ("13.04, Raring Ringtail"). No
> > > > deployment or installation mistakes for this software combination. I have
> > > > successfully created all profiles, added an entity and I have issued my first
> > > > SSL-certificate and written it to a USB HSM with eToken Client. So, I have a
> > > > full-functional EJBCA 6.1.1 at present.
> > > > I have a custom java-application which uses eToken authentication and this
> > > > java-application worked fine with previous version of EJBCA and I need to
> > > > organize connectivity between this java-application and EJBCA. There is a
> > > > parameter for EJBCA URL in java-application config file and I pointed
> > > > this parameter to "https://10.62.2.88:8443/ejbca".
> > > > Java-application uses jdk cacerts and I imported issued certificate with CA
> > > > certificate of EJBCA to cacerts but no connection yet.
> > > > Checking connectivity to EJBCA by curl utility also gives negative result:
> > > >
> > > > CA-certificate in PEM-format:
> > > >
> > > > [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123
> > > > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > > * About to connect() to 10.62.2.88 port 8443
> > > > *   Trying 10.62.2.88... * connected
> > > > * Connected to 10.62.2.88 (10.62.2.88) port 8443
> > > > * successfully set certificate verify locations:
> > > > *   CAfile: /home/oracle/BTAIpotekaCA.cacert.pem
> > > >   CApath: none
> > > > * SSL certificate problem, verify that the CA cert is OK. Details:
> > > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> > > > failed
> > > >
> > > > CA-certificate in BASE-64 format:
> > > >
> > > > [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123
> > > > --cacert /home/oracle/BTAIpotekaCA.cacert-base64.cer --sslv3
> > > > --trace-ascii /tmp/curl.log
> > > > curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> > > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> > > > failed
> > > > More details here: http://curl.haxx.se/docs/sslcerts.html
> > > >
> > > > EJBCA console log contains no records to understand why no connectivity to
> > > > EJBCA.
> > > > Could you please help to find out which URL must be used to connect to
> > > > EJBCA for authentication? If "https://10.62.2.88:8443/ejbca" is correct,
> > > > what's the reason of trouble with EJBCA connection?
> > > >
> > > > thank you, Timur.
> > >
> > > Hello Timur,
> > >
> > > The problem you are facing happens during the TLS handshake between the
> > > server and client, where (at least) the client is unable to verify the
> > > certificate presented by JBoss.
> > >
> > > Since the TLS is handled by JBoss, you won't get any useful logging
> > > messages from EJBCA. In fact, not even JBoss as such will produce any
> > > useful debugging info. You could try enabling debugging of TLS
> > > handshake via JAVA_OPTS, though.
> > >
> > > I've noticed you are using the IP address for connecting to JBoss/EJBCA
> > > - are you sure that you have this IP address specified in your server
> > > certificate (on JBoss)? If not, that is your problem. The IP, FQDN, or
> > > hostname used for connecting has to be part of subjectAltName DNS name
> > > (or, if subjectAltName DNS name is not present, CN has to be used).
> > >
> > > As a side-note, you should avoid using IP address in certificates or
> > > for TLS connections in general, and instead rely on FQDN or hostname,
> > > with FQDN being the recommended thing to use.
> > >
> > > I hope this explanation will help you a bit :)
> > >
> > > Best regards
>
> Hello Timur,
>
> If you are getting a validation error on port 8442, that is probably
> the client-side validation failing. Keep in mind that if you deploy
> EJBCA on JBoss using default ports, port 8442 does _not_ require client
> certificate authentication.
>
> You could test if JBoss will return anything at all to you on port 8442
> with wget --no-check-certificate (just to see if content gets served),
> and then try to figure out why your client fails to validate the server
> certificate.
>
> If the JBoss certificate was issued by ROOTCA.TEKA.KZ, you will most
> definitely need to have this CA certificate in the truststore of your
> client.
>
> As for trusted client certificates on (for EJBCA commonly) port 8443,
> you will need to update the JBoss truststore to contain the new CA
> certificate (used for issuing client certificates).
>
> Best regards
>
> --
> Branko Majic
> Jabber: br...@ma...
> Please use only Free formats when sending attachments to me.
>
> Branko Majić
> Jabber: br...@ma...
> Please send attachments to me only in free formats.
|
From: Тимур <tim...@gm...> - 2014-06-24 07:32:27
|
Dears,
(there was a wrong typing of the EJBCA version in my previous post, so I am
repeating the question in a correct way)
Could you please confirm/refute whether EJBCA 3.11.0 versus EJBCA
6.1.1 has any difference in their external interfaces for interaction
with external java applications?
Is some custom java application (which was designed for interaction with
EJBCA 3.11.0 (r10752) external interface) compatible with EJBCA 6.1.1
external interface?

thanks, Timur

2014-06-08 17:26 GMT+06:00 Branko Majic <br...@ma...>:

> On Sat, 7 Jun 2014 23:04:37 +0600
> Тимур <tim...@gm...> wrote:
>
> > Hello, Branko!
> > Thank you for your good advice about SSL debugging on JBoss. IP-address
> > was replaced by FQDN but still JBoss rejects connection.
> > Then SSL debug had been enabled on JBoss 7.1.1:
> >
> > [oracle@duo ~]$ curl -v "https://rootca.teka.kz:8442/ejbca" -E
> > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer
> > --key /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123
> > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > ....
> > 21:10:53,179 INFO [stdout] (http--0.0.0.0-8442-Acceptor-0) Is initial
> > handshake: true
> > 21:10:53,180 INFO [stdout] (http--0.0.0.0-8442-Acceptor-0) Is secure
> > renegotiation: false
> > 21:10:53,183 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > setSoTimeout(60000) called
> > 21:10:53,187 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > READ: SSL v2, contentType = Handshake, translated length = 95
> > 21:10:53,190 INFO [stdout] (http--0.0.0.0-8442-1) *** ClientHello, TLSv1
> > .....
> > 21:10:53,286 INFO [stdout] (http--0.0.0.0-8442-1) *** ServerHello, TLSv1
> > .....
> > 21:10:53,550 INFO [stdout] (http--0.0.0.0-8442-1) *** ServerHelloDone
> > 21:10:53,552 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > WRITE: TLSv1 Handshake, length = 2722
> > 21:10:53,561 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > READ: TLSv1 Alert, length = 2
> > 21:10:53,563 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > RECV TLSv1 ALERT: fatal, unknown_ca
> > 21:10:53,564 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > called closeSocket()
> > 21:10:53,566 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > handling exception: javax.net.ssl.SSLHandshakeException: Received fatal
> > alert: unknown_ca
> > 21:10:53,567 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > IOException in getSession(): javax.net.ssl.SSLHandshakeException: Received
> > fatal alert: unknown_ca <-------!!!!!!!
> > 21:10:53,577 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1,
> > called close()
> >
> > JBoss SSL-certificate is for CN=rootca.teka.kz which belongs to the CA
> > named "ROOTCA.TEKA.KZ".
> > BUT I run "curl" utility for CA named "BTA Ipoteka CA" - all certificates
> > used in "curl" options are issued by CA "BTA Ipoteka CA":
> >
> > [oracle@duo ~]$ curl -v "https://rootca.teka.kz:8442/ejbca" -E
> > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer \
> > --key /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123 \
> > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> >
> > I cannot use CA "ROOTCA.TEKA.KZ" as it has too strong a key which is not
> > supported by my eToken Client; I had to create one more CA "BTA Ipoteka CA"
> > with shorter key length.
> > What steps should be taken if certificates for customer devices are issued
> > by CA "BTA Ipoteka CA" but the initial CA is "ROOTCA.TEKA.KZ" and the JBoss
> > certificate is for the initial CA?
> > Probably some reconfiguration has to be done on JBoss to let it also receive
> > requests for the new CA?
> >
> > thank you for your great job, Timur.
> >
> >
> >
> > 2014-06-07 17:07 GMT+06:00 Branko Majic <br...@ma...>:
> >
> > > On Fri, 6 Jun 2014 23:06:26 +0600
> > > Тимур <tim...@gm...> wrote:
> > >
> > > > Hello, dears
> > > >
> > > > I have successfully installed EJBCA 6.1.1, JBoss 7.1.1.Final, openjdk 6,
> > > > Oracle 9.2.0.5, ojdbc6.jar, on Ubuntu Linux ("13.04, Raring Ringtail"). No
> > > > deployment or installation mistakes for this software combination. I have
> > > > successfully created all profiles, added an entity and I have issued my first
> > > > SSL-certificate and written it to a USB HSM with eToken Client. So, I have a
> > > > full-functional EJBCA 6.1.1 at present.
> > > > I have a custom java-application which uses eToken authentication and this
> > > > java-application worked fine with previous version of EJBCA and I need to
> > > > organize connectivity between this java-application and EJBCA. There is a
> > > > parameter for EJBCA URL in java-application config file and I pointed
> > > > this parameter to "https://10.62.2.88:8443/ejbca".
> > > > Java-application uses jdk cacerts and I imported issued certificate with CA
> > > > certificate of EJBCA to cacerts but no connection yet.
> > > > Checking connectivity to EJBCA by curl utility also gives negative result:
> > > >
> > > > CA-certificate in PEM-format:
> > > >
> > > > [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123
> > > > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > > * About to connect() to 10.62.2.88 port 8443
> > > > *   Trying 10.62.2.88... * connected
> > > > * Connected to 10.62.2.88 (10.62.2.88) port 8443
> > > > * successfully set certificate verify locations:
> > > > *   CAfile: /home/oracle/BTAIpotekaCA.cacert.pem
> > > >   CApath: none
> > > > * SSL certificate problem, verify that the CA cert is OK. Details:
> > > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> > > > failed
> > > >
> > > > CA-certificate in BASE-64 format:
> > > >
> > > > [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123
> > > > --cacert /home/oracle/BTAIpotekaCA.cacert-base64.cer --sslv3
> > > > --trace-ascii /tmp/curl.log
> > > > curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> > > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> > > > failed
> > > > More details here: http://curl.haxx.se/docs/sslcerts.html
> > > >
> > > > EJBCA console log contains no records to understand why no connectivity to
> > > > EJBCA.
> > > > Could you please help to find out which URL must be used to connect to
> > > > EJBCA for authentication? If "https://10.62.2.88:8443/ejbca" is correct,
> > > > what's the reason of trouble with EJBCA connection?
> > > >
> > > > thank you, Timur.
> > >
> > > Hello Timur,
> > >
> > > The problem you are facing happens during the TLS handshake between the
> > > server and client, where (at least) the client is unable to verify the
> > > certificate presented by JBoss.
> > >
> > > Since the TLS is handled by JBoss, you won't get any useful logging
> > > messages from EJBCA. In fact, not even JBoss as such will produce any
> > > useful debugging info. You could try enabling debugging of TLS
> > > handshake via JAVA_OPTS, though.
> > >
> > > I've noticed you are using the IP address for connecting to JBoss/EJBCA
> > > - are you sure that you have this IP address specified in your server
> > > certificate (on JBoss)? If not, that is your problem. The IP, FQDN, or
> > > hostname used for connecting has to be part of subjectAltName DNS name
> > > (or, if subjectAltName DNS name is not present, CN has to be used).
> > >
> > > As a side-note, you should avoid using IP address in certificates or
> > > for TLS connections in general, and instead rely on FQDN or hostname,
> > > with FQDN being the recommended thing to use.
> > >
> > > I hope this explanation will help you a bit :)
> > >
> > > Best regards
>
> Hello Timur,
>
> If you are getting a validation error on port 8442, that is probably
> the client-side validation failing. Keep in mind that if you deploy
> EJBCA on JBoss using default ports, port 8442 does _not_ require client
> certificate authentication.
>
> You could test if JBoss will return anything at all to you on port 8442
> with wget --no-check-certificate (just to see if content gets served),
> and then try to figure out why your client fails to validate the server
> certificate.
>
> If the JBoss certificate was issued by ROOTCA.TEKA.KZ, you will most
> definitely need to have this CA certificate in the truststore of your
> client.
>
> As for trusted client certificates on (for EJBCA commonly) port 8443,
> you will need to update the JBoss truststore to contain the new CA
> certificate (used for issuing client certificates).
>
> Best regards
>
> --
> Branko Majic
> Jabber: br...@ma...
> Please use only Free formats when sending attachments to me.
>
> Branko Majić
> Jabber: br...@ma...
> Please send attachments to me only in free formats.
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications.
Written by three acclaimed leaders in the field, > this first edition is now available. Download your free book today! > http://p.sf.net/sfu/NeoTech > _______________________________________________ > Ejbca-develop mailing list > Ejb...@li... > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > > |
|
From: Тимур <tim...@gm...> - 2014-06-24 07:03:06
Dears, could you please confirm or refute whether EJBCA 3.1.1 and EJBCA 6.1.1 differ in their external interfaces for interaction with external Java systems? Will a custom Java application (which was created for the EJBCA 3.1.1 external interface) work with EJBCA 6.1.1?

thanks, Timur

2014-06-08 17:26 GMT+06:00 Branko Majic <br...@ma...>:

> On Sat, 7 Jun 2014 23:04:37 +0600
> Тимур <tim...@gm...> wrote:
>
> > Hello, Branko!
> > Thank you for your good advice about SSL debugging on JBoss. The IP address
> > was replaced by the FQDN but JBoss still rejects the connection.
> > Then SSL debug was enabled on JBoss 7.1.1:
> >
> > [oracle@duo ~]$ curl -v "https://rootca.teka.kz:8442/ejbca" -E
> > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer
> > --key /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123
> > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > ....
> > 21:10:53,179 INFO [stdout] (http--0.0.0.0-8442-Acceptor-0) Is initial handshake: true
> > 21:10:53,180 INFO [stdout] (http--0.0.0.0-8442-Acceptor-0) Is secure renegotiation: false
> > 21:10:53,183 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, setSoTimeout(60000) called
> > 21:10:53,187 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, READ: SSL v2, contentType = Handshake, translated length = 95
> > 21:10:53,190 INFO [stdout] (http--0.0.0.0-8442-1) *** ClientHello, TLSv1
> > .....
> > 21:10:53,286 INFO [stdout] (http--0.0.0.0-8442-1) *** ServerHello, TLSv1
> > .....
> > 21:10:53,550 INFO [stdout] (http--0.0.0.0-8442-1) *** ServerHelloDone
> > 21:10:53,552 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, WRITE: TLSv1 Handshake, length = 2722
> > 21:10:53,561 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, READ: TLSv1 Alert, length = 2
> > 21:10:53,563 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, RECV TLSv1 ALERT: fatal, unknown_ca
> > 21:10:53,564 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, called closeSocket()
> > 21:10:53,566 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
> > 21:10:53,567 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca <-------!!!!!!!
> > 21:10:53,577 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, called close()
> >
> > The JBoss SSL certificate is for CN=rootca.teka.kz, which belongs to the CA
> > named "ROOTCA.TEKA.KZ <http://rootca.teka.kz/>".
> > BUT I run the "curl" utility for the CA named "BTA Ipoteka CA" - all certificates
> > used in the "curl" options are issued by CA "BTA Ipoteka CA":
> >
> > [oracle@duo ~]$ curl -v "https://rootca.teka.kz:8442/ejbca" -E \
> > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer \
> > --key /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass welcome123 \
> > --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> >
> > I cannot use CA "ROOTCA.TEKA.KZ <http://rootca.teka.kz/>" as it has too
> > strong a key, which is not supported by my eToken Client; I had to create one
> > more CA, "BTA Ipoteka CA", with a shorter key length.
> > What steps should be done if certificates for customer devices are issued by CA
> > "BTA Ipoteka CA" but the initial CA is "ROOTCA.TEKA.KZ <http://rootca.teka.kz/>"
> > and the JBoss certificate is for the initial CA?
> > Probably some reconfiguration is to be done on JBoss to let it receive
> > requests for the new CA also?
> >
> > thank you for your great job, Timur.
> >
> > 2014-06-07 17:07 GMT+06:00 Branko Majic <br...@ma...>:
> >
> > > On Fri, 6 Jun 2014 23:06:26 +0600
> > > Тимур <tim...@gm...> wrote:
> > >
> > > > Hello, dears
> > > >
> > > > I have successfully installed EJBCA 6.1.1, JBoss 7.1.1.Final, openjdk 6,
> > > > Oracle 9.2.0.5, ojdbc6.jar, on Ubuntu Linux ("13.04, Raring Ringtail"). No
> > > > deployment or installation mistakes for this software combination. I have
> > > > successfully created all profiles, added an entity and I have issued my first
> > > > SSL certificate and written it to a USB HSM with eToken Client. So, I have
> > > > a fully functional EJBCA 6.1.1 at present.
> > > > I have a custom Java application which uses eToken authentication and this
> > > > Java application worked fine with the previous version of EJBCA and I need to
> > > > organize connectivity between this Java application and EJBCA. There is a
> > > > parameter for the EJBCA URL in the Java application config file and I pointed
> > > > this parameter to "https://10.62.2.88:8443/ejbca".
> > > > The Java application uses the JDK cacerts and I imported the issued certificate
> > > > with the CA certificate of EJBCA into cacerts but no connection yet.
> > > > Checking connectivity to EJBCA with the curl utility also gives a negative
> > > > result:
> > > >
> > > > CA certificate in PEM format:
> > > >
> > > > [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass
> > > > welcome123 --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> > > > * About to connect() to 10.62.2.88 port 8443
> > > > * Trying 10.62.2.88...
> > > > * connected
> > > > * Connected to 10.62.2.88 (10.62.2.88) port 8443
> > > > * successfully set certificate verify locations:
> > > > * CAfile: /home/oracle/BTAIpotekaCA.cacert.pem
> > > > CApath: none
> > > > * SSL certificate problem, verify that the CA cert is OK. Details:
> > > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > > >
> > > > CA certificate in BASE-64 format:
> > > >
> > > > [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> > > > /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> > > > /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass
> > > > welcome123 --cacert /home/oracle/BTAIpotekaCA.cacert-base64.cer --sslv3
> > > > --trace-ascii /tmp/curl.log
> > > > curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> > > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > > > More details here: http://curl.haxx.se/docs/sslcerts.html
> > > >
> > > > The EJBCA console log contains no records to understand why there is no
> > > > connectivity to EJBCA.
> > > > Could you please help to find out which URL must be used to connect to
> > > > EJBCA for authentication? If "https://10.62.2.88:8443/ejbca" is correct,
> > > > what's the reason for the trouble with the EJBCA connection?
> > > >
> > > > thank you, Timur.
> > >
> > > Hello Timur,
> > >
> > > The problem you are facing happens during the TLS handshake between the
> > > server and client, where (at least) the client is unable to verify the
> > > certificate presented by JBoss.
> > >
> > > Since the TLS is handled by JBoss, you won't get any useful logging
> > > messages from EJBCA. In fact, not even JBoss as such will produce any
> > > useful debugging info. You could try enabling debugging of the TLS
> > > handshake via JAVA_OPTS, though.
> > >
> > > I've noticed you are using the IP address for connecting to JBoss/EJBCA
> > > - are you sure that you have this IP address specified in your server
> > > certificate (on JBoss)? If not, that is your problem. The IP, FQDN, or
> > > hostname used for connecting has to be part of subjectAltName DNS name
> > > (or, if subjectAltName DNS name is not present, CN has to be used).
> > >
> > > As a side-note, you should avoid using IP address in certificates or
> > > for TLS connections in general, and instead rely on FQDN or hostname,
> > > with FQDN being the recommended thing to use.
> > >
> > > I hope this explanation will help you a bit :)
> > >
> > > Best regards
>
> Hello Timur,
>
> If you are getting a validation error on port 8442, that is probably
> the client-side validation failing. Keep in mind that if you deploy
> EJBCA on JBoss using default ports, port 8442 does _not_ require client
> certificate authentication.
>
> You could test if JBoss will return anything at all to you on port 8442
> with wget --no-check-certificate (just to see if content gets served),
> and then try to figure out why your client fails to validate the server
> certificate.
>
> If the JBoss certificate was issued by ROOTCA.TEKA.KZ, you will most
> definitely need to have this CA certificate in the truststore of your
> client.
>
> As for trusted client certificates on (for EJBCA commonly) port 8443,
> you will need to update the JBoss truststore to contain the new CA
> certificate (used for issuing client certificates).
>
> Best regards
>
> --
> Branko Majic
> Jabber: br...@ma...
> Please use only Free formats when sending attachments to me.
>
> Branko Majić
> Jabber: br...@ma...
> Please send attachments to me only in free formats.
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
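Two points from Branko's replies quoted above are worth turning into a small, runnable triage tool: first, the direction of the alert in the JSSE debug log (RECV versus SEND on the JBoss side) tells you which party rejected which certificate and therefore whose truststore is missing the issuing CA; second, the name you connect with has to match a name in the server certificate. The script below is an added example for this thread and is not EJBCA or JBoss code. The sample log is constructed: the port 8442 lines mirror the quoted output, the port 8443 SEND line is made up to show the opposite direction, and the "description = " form of SEND alerts is taken from memory of JSSE 6/7 output and is an assumption. The name matcher follows the RFC 6125 rule, which is stricter than the phrasing in the reply: an IP literal matches only an iPAddress SAN entry, never a dNSName entry or the CN.

```python
"""Triage helpers for the failed curl <-> JBoss TLS handshake quoted above.

Added example for this thread; it is not EJBCA or JBoss code. It reads the
alert lines that JSSE prints with -Djavax.net.debug=ssl and says whose
truststore is missing a CA, and it checks whether the name used to connect
would match a server certificate's names.
"""
import ipaddress
import re

# RECV lines look like "RECV TLSv1 ALERT: fatal, unknown_ca";
# SEND lines look like "SEND TLSv1 ALERT:  fatal, description = unknown_ca"
# (the SEND form is an assumption about JSSE 6/7 output).
ALERT_RE = re.compile(
    r"\b(RECV|SEND)\s+\S+\s+ALERT:\s*(\w+),\s*(?:description\s*=\s*)?(\w+)"
)

# Alert descriptions that mean "the peer's certificate failed validation".
CERT_ALERTS = {
    "unknown_ca", "bad_certificate", "certificate_unknown",
    "certificate_expired", "certificate_revoked", "unsupported_certificate",
}

SAMPLE_SERVER_LOG = [  # constructed JBoss (server side) stdout
    "21:10:53,550 INFO [stdout] (http--0.0.0.0-8442-1) *** ServerHelloDone",
    "21:10:53,561 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, READ: TLSv1 Alert, length = 2",
    "21:10:53,563 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, RECV TLSv1 ALERT: fatal, unknown_ca",
    "21:10:53,564 INFO [stdout] (http--0.0.0.0-8442-1) http--0.0.0.0-8442-1, called closeSocket()",
    "21:12:01,101 INFO [stdout] (http--0.0.0.0-8443-1) http--0.0.0.0-8443-1, SEND TLSv1 ALERT:  fatal, description = unknown_ca",
]


def classify_jsse_alerts(lines, log_side="server"):
    """Return one dict per TLS alert found in JSSE debug output.

    log_side names the party whose log is being read ("server" for JBoss).
    RECV means the peer generated the alert, so the peer rejected our
    certificate; SEND means we generated it, so we rejected the peer's.
    """
    other = "client" if log_side == "server" else "server"
    found = []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        direction, level, desc = m.groups()
        rejected_by = other if direction == "RECV" else log_side
        presented_by = log_side if direction == "RECV" else other
        entry = {"level": level, "description": desc, "rejected_by": rejected_by}
        if desc in CERT_ALERTS:
            entry["action"] = (
                f"add the CA that issued the {presented_by} certificate "
                f"to the {rejected_by} truststore"
            )
        else:
            entry["action"] = "not a certificate validation failure"
        found.append(entry)
    return found


def _dns_match(pattern, host):
    """Exact match, or a single '*' as the whole left-most label (a.b.c only)."""
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    if p[0] != "*" or "*" in pattern[1:] or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def hostname_matches(connect_host, san_dns=(), san_ip=(), cn=None):
    """RFC 6125-style check of the connect name against certificate names.

    An IP literal matches only an iPAddress SAN entry. A DNS name matches a
    dNSName SAN entry; the CN is consulted only when the certificate carries
    no dNSName entries at all.
    """
    try:
        ip = ipaddress.ip_address(connect_host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(s) for s in san_ip)
    host = connect_host.lower().rstrip(".")
    names = [n.lower().rstrip(".") for n in san_dns]
    if not names and cn:
        names = [cn.lower().rstrip(".")]
    return any(_dns_match(n, host) for n in names)


if __name__ == "__main__":
    for entry in classify_jsse_alerts(SAMPLE_SERVER_LOG):
        print(entry)
    # Connecting by IP to a certificate that only names rootca.teka.kz fails.
    print(hostname_matches("10.62.2.88", san_dns=["rootca.teka.kz"]))
    print(hostname_matches("rootca.teka.kz", cn="rootca.teka.kz"))
```

Read against the quoted log, the port 8442 alert is a RECV, so the client (curl, trusting only BTA Ipoteka CA) rejected the JBoss certificate issued by ROOTCA.TEKA.KZ; the fix is on the client's trust side. A SEND alert on the client-authenticated port 8443 would be the reverse, and the JBoss truststore would need the CA that issued the client certificates.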
From: Tomas G. <to...@pr...> - 2014-06-12 07:38:47
It will be supported in the next release.

https://jira.primekey.se/secure/ReleaseNote.jspa?projectId=10000&version=11140

Cheers,
Tomas

On 2014-06-12 09:16, Chris Verza wrote:
> Hi,
>
> we are using version EJBCA 4.0.16 and online web enrolment is not
> supported with Internet Explorer 11 unless the compatibility view is
> activated.
>
> Is it supported on the more recent version of EJBCA?
>
> Thanks.