|
From: Duarte S. <dua...@se...> - 2013-05-17 16:02:06
|
On Tuesday 16 April 2013 08:41:00 Tomas Gustavsson wrote:
> There are always alternatives...
>
> I think you have many options depending on how much you know about
> databases, or java programming etc. And how much time/money you want to
> spend.
>
> If you want to migrate to another database:
>
> You can write a program to export database contents and import into
> another database. You can find HSQLDB tools (don't know if there is
> any?) to SQL dump the database contents to import into another database.
> Or you can export the CAs and individual certificates to file (if not
> too many) and import it all in a new installation using the EJBCA CLI.

Hi all,

I only had the time to finish this migration yesterday. I have successfully
(I think :D) migrated the older version database to the new SQLServer.

Follows in the attachments the scripts I used to migrate from the older
version to the new (maybe it will be useful to someone in the future). I had
to do some changes to the new schema since some columns have a different
maximum size and I was getting errors while importing the data.

We have done some tests (certificate renewals) and EJBCA seems to be running
fine.

Thanks for all the support and brainstorming.

Best regards,
Duarte Silva

> PrimeKey has some tools for the common criteria certified version of
> EJBCA, EJBCA 5, that can be used to migrate between databases.
>
> Cheers,
> Tomas
>
> On 04/15/2013 09:28 PM, Duarte Silva wrote:
> > Hi David,
> >
> > the answer I was afraid of, specially because the older version
> > installation is using a HSQLDB. There aren't any passwords defined in the
> > config files and it's been a long time, I don't even remember what I
> > ate yesterday :|
> >
> > Is there an alternative way of exporting every CA and bulk export the
> > entities to then re-import them in the new installation?
> >
> > Best regards,
> > Duarte Silva
> >
> > On Monday 15 April 2013 14:51:00 David CARELLA wrote:
> >> Hi Duarte,
> >>
> >> You can see the documentation in EJBCA_HOME/doc/RELEASE_NOTES and
> >> UPGRADE for information about upgrading from an earlier version of EJBCA.
> >>
> >> To upgrade from 3.8.0, you will need to upgrade from 3.8.0 to 3.11.x,
> >> then from 3.11.x to 4.0.14.
> >>
> >> Cheers,
> >> David Carella
> >>
> >> On 04/15/2013 01:48 PM, Duarte Silva wrote:
> >>> Hi all,
> >>>
> >>> I have been using EJBCA since 2008, it is an old version (3.8.0) and at
> >>> the time the way the installation was done, wasn't the smartest. Now I'm
> >>> trying to migrate the old system to the new version of EJBCA.
> >>>
> >>> I have installed the new version in a proper manner (with an actual
> >>> database and so on) in a different machine and I'm now trying to migrate
> >>> the CA's and Entities to the newly created system.
> >>>
> >>> What's the best approach to do this migration?
> >>>
> >>> Thanks in advance,
> >>> Duarte Silva
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
|
|
From: Gémes G. <ge...@kz...> - 2013-05-14 21:16:26
|
Thank you! That really made it a lot more readable.

> On Tue, 14 May 2013 21:04:17 +0200
> Gémes Géza <ge...@kz...> wrote:
>
>>> - Lines 156 through 166 - you can avoid lots of conditionals here by
>>>   simply having the default values setup for option/argument
>>>   parser.
>> I'm probably too dumb/tired to get your point here, could you
>> elaborate please.
> Just tired, no worries :) Have a look at these two links:
>
> http://docs.python.org/2/library/optparse.html#default-values
>
> http://docs.python.org/2/library/argparse.html#default
>
> So, what you can do is something like this:
>
> ----%----
> ...
> # with argparse:
> parser.add_argument('--keylength', type=int, default=1024, help='The length of the key (in bits), 1024 by default')
> parser.add_argument('--digest', default="sha1", help='The digest to be used (sha1 if unspecified)')
> ...
> # or, with optparse:
> parser.add_option('--keylength', type='int', default=1024, help='The length of the key (in bits), 1024 by default')
> parser.add_option('--digest', default="sha1", help='The digest to be used (sha1 if unspecified)')
> ...
> def main():
>     DCdata = GetDC(hostname=params.hostname)
>     generate_req(hostname=DCdata.hostname, keylength=params.keylength, digest=params.digest)
>     DCdata.writeinfo()
>     return 0
> ----%----
>
> This way, if the user does not provide the keylength and/or digest
> arguments, you still have them set to something (default values), so
> you don't need to do the whole if/elif block in the main().
>
> Best regards
|
|
From: Branko M. <br...@ma...> - 2013-05-14 19:42:05
|
On Tue, 14 May 2013 21:04:17 +0200
Gémes Géza <ge...@kz...> wrote:

> > - Lines 156 through 166 - you can avoid lots of conditionals here by
> >   simply having the default values setup for option/argument
> >   parser.
> I'm probably too dumb/tired to get your point here, could you
> elaborate please.

Just tired, no worries :) Have a look at these two links:

http://docs.python.org/2/library/optparse.html#default-values

http://docs.python.org/2/library/argparse.html#default

So, what you can do is something like this:

----%----
...
# with argparse:
parser.add_argument('--keylength', type=int, default=1024, help='The length of the key (in bits), 1024 by default')
parser.add_argument('--digest', default="sha1", help='The digest to be used (sha1 if unspecified)')
...
# or, with optparse:
parser.add_option('--keylength', type='int', default=1024, help='The length of the key (in bits), 1024 by default')
parser.add_option('--digest', default="sha1", help='The digest to be used (sha1 if unspecified)')
...
def main():
    DCdata = GetDC(hostname=params.hostname)
    generate_req(hostname=DCdata.hostname, keylength=params.keylength, digest=params.digest)
    DCdata.writeinfo()
    return 0
----%----

This way, if the user does not provide the keylength and/or digest
arguments, you still have them set to something (default values), so
you don't need to do the whole if/elif block in the main().

Best regards

--
Branko Majic
Jabber: br...@ma...
Please use only Free formats when sending attachments to me.

Бранко Мајић
Џабер: br...@ma...
Молим вас да додатке шаљете искључиво у слободним форматима.
|
|
From: Gémes G. <ge...@kz...> - 2013-05-14 19:04:41
|
Hello Branko,
Thank you for your suggestions!
> Hello again :)
>
> Once again, be warned, nothing really wrong with script, just me
> nitpicking :)
>
> - Ran a quick PEP8 on it again, and actually learned something
> interesting myself. In line 94 you have check "hostname ==
> None" (instead of "is None"). Seeing you used elsewhere "is not
> None", probably just an oversight.
Yes, thanks, fixed.
>
> - You could probably optimise the Samba Python path guessing by setting
> default value of samba_install_path to "/usr/local/samba/" (and
> dropping the two elif's). One thing to keep in mind, though - if the
> user had installed Samba from a package, they probably already have
> their Python path set-up correctly to find Samba modules. Personally,
> I would probably not try to guess the directory, and instead either
> expect the user to set-up his/her PYTHON_PATH, or provide the path
> explicitly with the --samba_install_path option.
Simplified it, although too many installs default to /usr/local/samba
to just drop the default (in the worst case there are two useless
os.path.exists checks).
>
> - On line 118 - typo, should say "could not".
Absolutely
>
> - Lines 156 through 166 - you can avoid lots of conditionals here by
> simply having the default values setup for option/argument parser.
I'm probably too dumb/tired to get your point here, could you elaborate
please.
>
> - One thing I'm curious about - when initialising the GetDC class, you
> prompt for username/password when hostname has been specified, but if
> it's not specified you set the username/password to ''. I'm guessing
> when it connects to localhost it doesn't need to authenticate at all?
> If so, maybe just add a small note for the "--hostname" option ("if
> specified, you will be prompted for username and password for
> logging-in into the provided server")
1. please have a look at the attached script it tries to connect via
kerberos if python-krbV is installed and provides option to force
kerberos connect if it is not, or the ntlm/simple bind otherwise.
2. in the case of running against the local host samba libraries use the
ldb files which they access as an ldap like database and operate on
them. The empty username and password specify that the connection should
be allowed (with local ldb files it is always) based on file-system
access rights.
>
> - Don't default the hostname parameter to None in function generate_req
> - that's probably something that should always be provided (plus, if
> it's None, the None + "somestring" will throw you an exception).
Fixed
>
> Otherwise, very nice - it's great you added the error handling and
> checks for existing files :)
>
> Best regards
>
>
>
Cheers
Geza Gemes
|
|
From: Branko M. <br...@ma...> - 2013-05-14 15:40:25
|
On Mon, 13 May 2013 18:32:37 +0200
Gémes Géza <ge...@kz...> wrote:
> Hi,
>
> Fixed lib64 handling in the attached script
>
> Started to work on forcing a kerberized bind in the case of a remote
> server.
>
> Cheers
>
> Geza Gemes
Hello again :)
Once again, be warned, nothing really wrong with script, just me
nitpicking :)
- Ran a quick PEP8 on it again, and actually learned something
interesting myself. In line 94 you have check "hostname ==
None" (instead of "is None"). Seeing you used elsewhere "is not
None", probably just an oversight.
- You could probably optimise the Samba Python path guessing by setting
default value of samba_install_path to "/usr/local/samba/" (and
dropping the two elif's). One thing to keep in mind, though - if the
user had installed Samba from a package, they probably already have
their Python path set-up correctly to find Samba modules. Personally,
I would probably not try to guess the directory, and instead either
expect the user to set-up his/her PYTHON_PATH, or provide the path
explicitly with the --samba_install_path option.
- On line 118 - typo, should say "could not".
- Lines 156 through 166 - you can avoid lots of conditionals here by
simply having the default values setup for option/argument parser.
- One thing I'm curious about - when initialising the GetDC class, you
prompt for username/password when hostname has been specified, but if
it's not specified you set the username/password to ''. I'm guessing
when it connects to localhost it doesn't need to authenticate at all?
If so, maybe just add a small note for the "--hostname" option ("if
specified, you will be prompted for username and password for
logging-in into the provided server")
- Don't default the hostname parameter to None in function generate_req
- that's probably something that should always be provided (plus, if
it's None, the None + "somestring" will throw you an exception).
Otherwise, very nice - it's great you added the error handling and
checks for existing files :)
Best regards
--
Branko Majic
Jabber: br...@ma...
Please use only Free formats when sending attachments to me.
Бранко Мајић
Џабер: br...@ma...
Молим вас да додатке шаљете искључиво у слободним форматима.
|
|
From: Bruno B. <as...@as...> - 2013-05-14 14:59:57
|
On Wed 08 May, David Malcolm wrote:
> Hi
>
> I’m trying to use ejbca as a scep server and am having some problems. I
> have created a self-signed CA cert and installed it but I keep getting a
> 404 error when I try issuing a scep GetCACert operation.

Hi Dave,

dunno what is your final goal, but https://github.com/asyd/jscep-cli-jdk6
may help you. It's a command line tool I wrote based on the excellent JSCEP
project http://code.google.com/p/jscep/. JSCEP CLI was designed to work with
EJBCA.

Best regards

--
http://asyd.net/home/ - Home Page
http://netvibes.com/asyd - Portal
|
|
From: Gémes G. <ge...@kz...> - 2013-05-13 16:33:00
|
Hi,

Fixed lib64 handling in the attached script

Started to work on forcing a kerberized bind in the case of a remote
server.

Cheers

Geza Gemes
|
|
From: Gémes G. <ge...@kz...> - 2013-05-11 14:16:25
|
Hi Branko,

First of all thank you for taking time to look through it!
I've followed your suggestions, see below and attached version.

> On Mon, 06 May 2013 16:36:44 +0200
> Gémes Géza <ge...@kz...> wrote:
>
>> Hi,
>>
>> The attached python script generates a certificate request and an
>> info file to be submitted to EJBCA in order to generate an AD DC
>> certificate for samba.
>> It requires m2crypto and a samba (>=4.x) installation (no need for a
>> provision, it can be run remotely by specifying the name of the DC on
>> command line, then it asks for a username and a password).
>>
>> Please write your comments/suggestions/patches about it.
>>
>> I'm going forward to trying to code the certificate installation to
>> the Samba DC.
>>
>> Cheers
>>
>> Geza Gemes
> Hello Géza
>
> Going through the script, seems to be ok, although I have no clue about
> correctness of the Samba-related code, but you know what you're doing
> there I believe :)
>
> Take the below comments with a grain of salt, since I'm a bit nitpicky,
> and this in no way means your code is bad. Not to mention it's always
> easy to criticise other people's code :)
>
> Of course, thanks for the contribution, it's really great to get more
> instructions, scripts etc that help with integration of X.509 and
> EJBCA!
>
> Here's a couple of general remarks (most of them are PEP8 styling ones,
> actually):
>
> - [PEP8] Break-up import os, sys, socket, argparse into separate import
>   lines.
Done
>
> - [PEP8] Use 4-space indentation instead of tabs.
Done
> - Don't hard-code Python path detection. It's better to let the user
>   handle this (you could show informative message to user).
New command line option added, although /usr/local/samba (as the default
installation path) remains
> - [PEP8] Don't use lower-case class name (the getdc). Use CamelCase.
>   I'd possibly name it a bit differently - I guess that one started off
>   as a plain function?
Typo, fixed
>
> - Move the 'import getpass' to the top (not much reason to have it in
>   the middle of code).
Done
>
> - The LDAP is hard-coded to non-encrypted (no STARTTLS/SSL)
>   connection. No idea how the SamDB handles it afterwards, though.
That's a catch 22 situation, you can't use SSL or StartTLS without a valid
certificate.
>
> - If possible, you should add some explanation on the self.hexGUID=GUID
>   line. Six months later when you get back to it you'll be thankful for
>   it :)
Done (http://en.wikipedia.org/wiki/Globally_unique_identifier)
>
> - Existing files will be overwritten (.txt, .pem etc). No idea if it's
>   worth it to make the code more resilient to this or not, though.
Not anymore, however could be problematic only if you have sent your
request to EJBCA and waiting for the cert.
>
> - Seeing that you're not defining any meaningful callback function
>   for gen_key, you can completely drop it (by default it's None).
Fixed
>
> - RSA key length is hard-coded to 1024 bits. This might be a bit too
>   low as well (2048 would be a saner value). Having an option to
>   specify this would be a very good idea.
Option added (1024 was selected based on the code at:
http://download.primekey.se/ejbca/smartcardlogon/)
>
> - Signing algorithm hash is hard-coded to SHA1 (then again, this might
>   not be too big of a problem).
As this could be a problem for WinXP clients around
(http://blogs.msdn.com/b/alejacma/archive/2009/01/23/sha-2-support-on-windows-xp.aspx)
sha1 remains the default, with option added to select other digest method
>
> - There's not much error handling in the script. What happens if log-in
>   to LDAP/domain fails?
Error handling added
>
> - Small warning on argparse - that module is available starting
>   with Python 2.7. On RHEL 6 they still have 2.6 series
>   (unfortunately).
Added fallback to optparse if argparse import fails.
>
> Best regards

As before comments/patches welcome!

Cheers

Geza Gemes
|
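One way to handle the "existing files will be overwritten" point discussed above, as an added Python 3 example (not the script attached to the thread): each output is created with O_EXCL so an existing file is never replaced, and the private key is created with mode 0600. The function names and file suffixes are assumptions; the script's own names are not shown on the page.

```python
import os


def write_new_file(path, data, private=False):
    """Create path and write data; raise FileExistsError if it already exists."""
    # O_EXCL makes "check and create" one atomic step, so there is no window
    # between an os.path.exists() test and the open() in which a file (or a
    # symlink) could appear at the same path.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    mode = 0o600 if private else 0o644  # key material readable by owner only
    fd = os.open(path, flags, mode)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path


def write_outputs(directory, hostname, outputs):
    """Write all outputs for one host, or none of them.

    outputs maps a file suffix (hypothetical names) to (bytes, is_private).
    """
    created = []
    try:
        for suffix, (data, private) in outputs.items():
            path = os.path.join(directory, hostname + suffix)
            created.append(write_new_file(path, data, private))
    except FileExistsError:
        # Roll back only the files created in this call; the pre-existing
        # file (for example a key whose request is already with the CA) stays.
        for path in created:
            os.unlink(path)
        raise
    return created


if __name__ == "__main__":
    import tempfile

    # Constructed sample data standing in for the real key, request and info file.
    sample = {
        "-key.pem": (b"constructed private key placeholder\n", True),
        "-req.pem": (b"constructed certificate request placeholder\n", False),
        "-info.txt": (b"constructed DC info placeholder\n", False),
    }
    with tempfile.TemporaryDirectory() as workdir:
        print(write_outputs(workdir, "dc1.example.com", sample))
        try:
            write_outputs(workdir, "dc1.example.com", sample)
        except FileExistsError as exc:
            print("refused to overwrite:", exc.filename)
```

A second run for the same host fails instead of silently replacing the key that matches a request already submitted to the CA.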
|
From: Tomas G. <to...@pr...> - 2013-05-10 09:58:12
|
The EJBCA team is happy to announce that EJBCA 4.0.15 has been released!
This is a maintenance release of the EJBCA Community version – 5 issues have
been resolved. The most noteworthy changes can be seen below.

This maintenance release contains 2 new features and 3 improvements.

* It is now possible to publish certificate serial number in LDAP using a
  custom LDAP schema.
* You can now use a certificate profile when creating link certificates.

Improvements

* Add two new fields, C and UID, to end entity email notification, by David
  Carella.
* Add a debug log message when healthcheck fails, making it easier to debug.

Please visit http://www.ejbca.org/ for more information.

Kind regards,
PrimeKey EJBCA Team

**********
PrimeKey Solutions AB
Anderstorpsvägen 16, 171 54 Solna, Sweden
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**********
|
|
From: Branko M. <br...@ma...> - 2013-05-08 11:46:31
|
On Mon, 06 May 2013 16:36:44 +0200
Gémes Géza <ge...@kz...> wrote:

> Hi,
>
> The attached python script generates a certificate request and an
> info file to be submitted to EJBCA in order to generate an AD DC
> certificate for samba.
> It requires m2crypto and a samba (>=4.x) installation (no need for a
> provision, it can be run remotely by specifying the name of the DC on
> command line, then it asks for a username and a password).
>
> Please write your comments/suggestions/patches about it.
>
> I'm going forward to trying to code the certificate installation to
> the Samba DC.
>
> Cheers
>
> Geza Gemes

Hello Géza

Going through the script, seems to be ok, although I have no clue about
correctness of the Samba-related code, but you know what you're doing
there I believe :)

Take the below comments with a grain of salt, since I'm a bit nitpicky,
and this in no way means your code is bad. Not to mention it's always
easy to criticise other people's code :)

Of course, thanks for the contribution, it's really great to get more
instructions, scripts etc that help with integration of X.509 and
EJBCA!

Here's a couple of general remarks (most of them are PEP8 styling ones,
actually):

- [PEP8] Break-up import os, sys, socket, argparse into separate import
  lines.
- [PEP8] Use 4-space indentation instead of tabs.
- Don't hard-code Python path detection. It's better to let the user
  handle this (you could show informative message to user).
- [PEP8] Don't use lower-case class name (the getdc). Use CamelCase.
  I'd possibly name it a bit differently - I guess that one started off
  as a plain function?
- Move the 'import getpass' to the top (not much reason to have it in
  the middle of code).
- The LDAP is hard-coded to non-encrypted (no STARTTLS/SSL)
  connection. No idea how the SamDB handles it afterwards, though.
- If possible, you should add some explanation on the self.hexGUID=GUID
  line. Six months later when you get back to it you'll be thankful for
  it :)
- Existing files will be overwritten (.txt, .pem etc). No idea if it's
  worth it to make the code more resilient to this or not, though.
- Seeing that you're not defining any meaningful callback function
  for gen_key, you can completely drop it (by default it's None).
- RSA key length is hard-coded to 1024 bits. This might be a bit too
  low as well (2048 would be a saner value). Having an option to
  specify this would be a very good idea.
- Signing algorithm hash is hard-coded to SHA1 (then again, this might
  not be too big of a problem).
- There's not much error handling in the script. What happens if log-in
  to LDAP/domain fails?
- Small warning on argparse - that module is available starting
  with Python 2.7. On RHEL 6 they still have 2.6 series
  (unfortunately).

Best regards

--
Branko Majic
Jabber: br...@ma...
Please use only Free formats when sending attachments to me.

Бранко Мајић
Џабер: br...@ma...
Молим вас да додатке шаљете искључиво у слободним форматима.
|
|
From: EJBCA S. <ejb...@pr...> - 2013-05-08 08:47:54
|
The password for end entities is the password you register when you "add
end entity".

Cheers,
Tomas

-----
PrimeKey Solutions offers commercial EJBCA and SignServer support
subscriptions and training courses. Please see www.primekey.se or
contact in...@pr... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/

On 05/08/2013 08:19 AM, David Malcolm wrote:
> Thanks that helped a lot.
>
> But ... I'm now getting an unauthorised 401 error and the ejbca log
> says that I have used an invalid password for my end user entity. What
> is the default challenge password to use on the livecd installation?
> I've looked in /home/jboss/ejbca/conf/ejbca.properties but all entries
> are commented out. I've tried foo123, !secret! and the password I
> entered when I created the end user entity associated with my cacert
> but all csr enrollments come back as being unauthorised due to invalid
> password.
>
> cheers
> Dave
>
> On 8 May 2013 14:10, ejbca-support <ejb...@pr...> wrote:
>
> > On 2013-05-08 01:42, David Malcolm wrote:
> > > Hi
> > >
> > > I’m trying to use ejbca as a scep server and am having some problems.
> > > I have created a self-signed CA cert and installed it but I keep getting
> > > a 404 error when I try issuing a scep GetCACert operation.
> > >
> > > http://127.0.0.1:8080/ejbca/publicweb/apply/scep/pkiclient.exe?operation=GetCACert&message=
> >
> > message must contain an URL-encoded CA-name where the name is the
> > internal name used in EJBCA.
> >
> > Cheers
> > Anders
> > Tech support
> >
> > > HTTP Status 404 - No CA certificates found.
> > >
> > > type Status report
> > >
> > > message No CA certificates found.
> > >
> > > description The requested resource (No CA certificates found.)
> > > is not available.
> > >
> > > JBoss Web/2.1.3.GA
> > >
> > > I get a valid response to the GetCACaps message though
> > >
> > > http://127.0.0.1:8080/ejbca/publicweb/apply/scep/pkiclient.exe?operation=GetCACaps&message=
> > >
> > > POSTPKIOperation
> > >
> > > SHA-1
> > >
> > > What am I doing wrong or what have I missed?
> > >
> > > thanks
> > >
> > > Dave
|
|
From: ejbca-support <ejb...@pr...> - 2013-05-08 04:11:04
|
On 2013-05-08 01:42, David Malcolm wrote:
> Hi
>
> I’m trying to use ejbca as a scep server and am having some problems.
> I have created a self-signed CA cert and installed it but I keep getting
> a 404 error when I try issuing a scep GetCACert operation.
>
> http://127.0.0.1:8080/ejbca/publicweb/apply/scep/pkiclient.exe?operation=GetCACert&message=

message must contain an URL-encoded CA-name where the name is the internal name
used in EJBCA.

Cheers
Anders
Tech support

> HTTP Status 404 - No CA certificates found.
>
> type Status report
>
> message No CA certificates found.
>
> description The requested resource (No CA certificates found.) is not available.
>
> JBoss Web/2.1.3.GA
>
> I get a valid response to the GetCACaps message though
>
> http://127.0.0.1:8080/ejbca/publicweb/apply/scep/pkiclient.exe?operation=GetCACaps&message=
>
> POSTPKIOperation
>
> SHA-1
>
> What am I doing wrong or what have I missed?
>
> thanks
>
> Dave
|
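The point made in the reply above (GetCACert sent with an empty message parameter), as an added Python 3 example that is not part of the original thread or of EJBCA: it builds the SCEP GET URL with the CA name URL-encoded, flags the empty-message request, and reads a GetCACaps reply. The base URL and the caps reply are the ones quoted in the thread; the CA name "Test CA 1" and the function names are constructed for illustration.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Base URL as quoted in the thread (EJBCA's SCEP servlet on a local test install).
SCEP_BASE = "http://127.0.0.1:8080/ejbca/publicweb/apply/scep/pkiclient.exe"

# Only the two GET operations discussed in the thread are handled here.
OPERATIONS = ("GetCACert", "GetCACaps")

# Digest keywords a server may advertise in GetCACaps, strongest first.
DIGEST_PREFERENCE = ("SHA-512", "SHA-256", "SHA-1")


def scep_url(operation, ca_name, base=SCEP_BASE):
    """Build a SCEP GET URL with the CA name URL-encoded in 'message'."""
    if operation not in OPERATIONS:
        raise ValueError("unsupported operation: %r" % operation)
    # safe="" also escapes '/', '&' and '=' so the name cannot split the query.
    return "%s?operation=%s&message=%s" % (base, operation, quote(ca_name, safe=""))


def diagnose(url):
    """Return a list of problems that would explain a failed request."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    operation = query.get("operation", [""])[0]
    message = query.get("message", [""])[0]
    problems = []
    if operation not in OPERATIONS:
        problems.append("unknown operation %r" % operation)
    # In the thread GetCACaps answered with an empty message, GetCACert did not.
    if operation == "GetCACert" and not message.strip():
        problems.append("empty message: put the URL-encoded internal CA name here")
    return problems


def parse_ca_caps(body):
    """Parse a GetCACaps reply (one capability keyword per line)."""
    caps = [line.strip() for line in body.splitlines() if line.strip()]
    digest = next((d for d in DIGEST_PREFERENCE if d in caps), None)
    return {"post": "POSTPKIOperation" in caps, "digest": digest, "caps": caps}


if __name__ == "__main__":
    failing = SCEP_BASE + "?operation=GetCACert&message="  # request from the thread
    print(diagnose(failing))
    print(scep_url("GetCACert", "Test CA 1"))              # constructed CA name
    print(parse_ca_caps("POSTPKIOperation\nSHA-1\n"))      # reply from the thread
```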
|
From: David M. <djm...@gm...> - 2013-05-07 23:42:11
|
Hi

I’m trying to use ejbca as a scep server and am having some problems. I
have created a self-signed CA cert and installed it but I keep getting a
404 error when I try issuing a scep GetCACert operation.

http://127.0.0.1:8080/ejbca/publicweb/apply/scep/pkiclient.exe?operation=GetCACert&message=

HTTP Status 404 - No CA certificates found.

type Status report

message No CA certificates found.

description The requested resource (No CA certificates found.) is not available.

JBoss Web/2.1.3.GA

I get a valid response to the GetCACaps message though

http://127.0.0.1:8080/ejbca/publicweb/apply/scep/pkiclient.exe?operation=GetCACaps&message=

POSTPKIOperation

SHA-1

What am I doing wrong or what have I missed?

thanks

Dave
|
|
From: Gémes G. <ge...@kz...> - 2013-05-06 16:28:21
|
Resending as it didn't arrive (at least for me)

Hi,

The attached python script generates a certificate request and an info
file to be submitted to EJBCA in order to generate an AD DC certificate
for samba.
It requires m2crypto and a samba (>=4.x) installation (no need for a
provision, it can be run remotely by specifying the name of the DC on
command line, then it asks for a username and a password).

Please write your comments/suggestions/patches about it.

I'm going forward to trying to code the certificate installation to the
Samba DC.

Cheers

Geza Gemes
|
|
From: Gémes G. <ge...@kz...> - 2013-05-06 14:37:07
|
Hi,

The attached python script generates a certificate request and an info
file to be submitted to EJBCA in order to generate an AD DC certificate
for samba.
It requires m2crypto and a samba (>=4.x) installation (no need for a
provision, it can be run remotely by specifying the name of the DC on
command line, then it asks for a username and a password).

Please write your comments/suggestions/patches about it.

I'm going forward to trying to code the certificate installation to the
Samba DC.

Cheers

Geza Gemes
|
|
From: Gémes G. <ge...@kz...> - 2013-05-06 07:23:55
|
Thank you!

That means I can finish the request part today!

Cheers

Geza Gemes

> The extensions are added by EJBCA, from the certificate profile
> configured in EJBCA. By default the extensions (potentially harmful)
> in the request are ignored.
>
> Cheers,
> Tomas
>
> "Gémes Géza" <ge...@kz...> wrote:
>
>> Hi,
>>
>> Another question about the request: are the Requested Extensions
>> important, or are they added to the cert by EJBCA regardless if the
>> certificate profile is domain controller? I ask that because still
>> couldn't figure out how to add both DNS and otherName as SubjectAltname
>> programmatically (with m2crypto) (the first always wins).
>>
>> Cheers,
>>
>> Geza Gemes
>>
>>> Hi,
>>>
>>> This sounds awesome! If you get it working we will really like an
>>> updated guide for that.
>>>
>>> Attributes in the certificate request should not be needed. EJBCA by
>>> default uses the information registered when you create the end entity
>>> in EJBCA, and ignores the user supplied attributes in the request (they
>>> may be dangerous, the user probably knows nothing about PKI).
>>>
>>> The certificate request is fully valid without any extra attributes.
>>>
>>> Cheers,
>>> Tomas
>>>
>>> On 05/01/2013 07:49 PM, Gémes Géza wrote:
>>>> Hi,
>>>>
>>>> I'm working on an addendum to the smart card logon howto
>>>> (http://download.primekey.se/ejbca/smartcardlogon/) in order to make an
>>>> equivalent (the Windows dc part) for a Samba Active Directory DC. As
>>>> samba already has python interfaces I've decided to try to code the
>>>> whole in python. As the ssl library I've chosen M2Crypto. The attached
>>>> python script produces a similar request (attached) as the vbscript
>>>> attached to the howto, but it misses to add any attributes. The question
>>>> is are they needed, is the certificate request valid without?
>>>>
>>>> Cheers
>>>>
>>>> Geza Gemes |
|
From: Tomas G. <to...@pr...> - 2013-05-06 06:46:35
|
The extensions are added by EJBCA, from the certificate profile configured in EJBCA. By default the extensions (potentially harmful) in the request are ignored.

Cheers,
Tomas

"Gémes Géza" <ge...@kz...> wrote:
> Hi,
>
> Another question about the request: are the Requested Extensions
> important, or are they added to the cert by EJBCA regardless if the
> certificate profile is domain controller? I ask that because still
> couldn't figure out how to add both DNS and otherName as SubjectAltname
> programmatically (with m2crypto) (the first always wins).
>
> Cheers,
>
> Geza Gemes
>
>> Hi,
>>
>> This sounds awesome! If you get it working we will really like an
>> updated guide for that.
>>
>> Attributes in the certificate request should not be needed. EJBCA by
>> default uses the information registered when you create the end entity
>> in EJBCA, and ignores the user supplied attributes in the request (they
>> may be dangerous, the user probably knows nothing about PKI).
>>
>> The certificate request is fully valid without any extra attributes.
>>
>> Cheers,
>> Tomas
>>
>> On 05/01/2013 07:49 PM, Gémes Géza wrote:
>>> Hi,
>>>
>>> I'm working on an addendum to the smart card logon howto
>>> (http://download.primekey.se/ejbca/smartcardlogon/) in order to make an
>>> equivalent (the Windows dc part) for a Samba Active Directory DC. As
>>> samba already has python interfaces I've decided to try to code the
>>> whole in python. As the ssl library I've chosen M2Crypto. The attached
>>> python script produces a similar request (attached) as the vbscript
>>> attached to the howto, but it misses to add any attributes. The question
>>> is are they needed, is the certificate request valid without?
>>>
>>> Cheers
>>>
>>> Geza Gemes |
|
From: Gémes G. <ge...@kz...> - 2013-05-05 18:00:37
|
Hi,

Another question about the request: are the Requested Extensions important, or are they added to the cert by EJBCA regardless if the certificate profile is domain controller? I ask that because still couldn't figure out how to add both DNS and otherName as SubjectAltname programmatically (with m2crypto) (the first always wins).

Cheers,

Geza Gemes

> Hi,
>
> This sounds awesome! If you get it working we will really like an
> updated guide for that.
>
> Attributes in the certificate request should not be needed. EJBCA by
> default uses the information registered when you create the end entity
> in EJBCA, and ignores the user supplied attributes in the request (they
> may be dangerous, the user probably knows nothing about PKI).
>
> The certificate request is fully valid without any extra attributes.
>
> Cheers,
> Tomas
>
> On 05/01/2013 07:49 PM, Gémes Géza wrote:
>> Hi,
>>
>> I'm working on an addendum to the smart card logon howto
>> (http://download.primekey.se/ejbca/smartcardlogon/) in order to make an
>> equivalent (the Windows dc part) for a Samba Active Directory DC. As
>> samba already has python interfaces I've decided to try to code the
>> whole in python. As the ssl library I've chosen M2Crypto. The attached
>> python script produces a similar request (attached) as the vbscript
>> attached to the howto, but it misses to add any attributes. The question
>> is are they needed, is the certificate request valid without?
>>
>> Cheers
>>
>> Geza Gemes |
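The SubjectAltName layout asked about in the message above (an otherName and a dNSName inside one extension), hand-encoded in DER with only the Python standard library and then parsed back. This is an added example, not part of the thread or of the attached script: the function names are hypothetical, the host name and GUID are constructed samples, and 1.3.6.1.4.1.311.25.1 is the Microsoft OID for the domain controller GUID otherName, which the thread itself does not name.

```python
"""Added example: DER for a subjectAltName holding an otherName and a dNSName."""
from typing import List, Tuple

SAN_OID = "2.5.29.17"                 # id-ce-subjectAltName (RFC 5280)
DC_GUID_OID = "1.3.6.1.4.1.311.25.1"  # assumption: DC GUID otherName type, not named in the thread
SAMPLE_HOST = "dc1.example.test"      # constructed sample value
SAMPLE_GUID = bytes(range(16))        # constructed sample value, 16 raw bytes


def der_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER; the first two arcs share one byte (enough for the OIDs here)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]              # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def dns_name(host: str) -> bytes:
    """GeneralName dNSName: [2] IMPLICIT IA5String."""
    return tlv(0x82, host.encode("ascii"))


def other_name(type_oid: str, value_der: bytes) -> bytes:
    """GeneralName otherName: [0] { type-id OID, value [0] EXPLICIT ANY }."""
    return tlv(0xA0, der_oid(type_oid) + tlv(0xA0, value_der))


def dc_san_extension(host: str, guid: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID, extnValue OCTET STRING { GeneralNames } }."""
    if len(guid) != 16:
        raise ValueError("GUID must be 16 raw bytes")
    names = other_name(DC_GUID_OID, tlv(0x04, guid)) + dns_name(host)
    return tlv(0x30, der_oid(SAN_OID) + tlv(0x04, tlv(0x30, names)))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next position) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def oid_to_str(content: bytes) -> str:
    first = min(content[0] // 40, 2)
    arcs, val = [first, content[0] - 40 * first], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def list_san_names(extension_der: bytes) -> List[Tuple[str, object]]:
    """List every GeneralName in a subjectAltName Extension, in encoded order."""
    _, ext, _ = read_tlv(extension_der, 0)
    _, oid, pos = read_tlv(ext, 0)
    if oid_to_str(oid) != SAN_OID:
        raise ValueError("not a subjectAltName extension")
    tag, value, pos = read_tlv(ext, pos)
    if tag == 0x01:                       # optional BOOLEAN 'critical' flag
        tag, value, pos = read_tlv(ext, pos)
    _, names, _ = read_tlv(value, 0)      # GeneralNames SEQUENCE
    found, pos = [], 0
    while pos < len(names):
        tag, content, pos = read_tlv(names, pos)
        if tag == 0x82:
            found.append(("dNSName", content.decode("ascii")))
        elif tag == 0xA0:
            _, type_oid, p = read_tlv(content, 0)
            _, wrapped, _ = read_tlv(content, p)   # [0] EXPLICIT wrapper
            _, inner, _ = read_tlv(wrapped, 0)     # OCTET STRING holding the GUID
            found.append(("otherName", (oid_to_str(type_oid), inner)))
        else:
            found.append(("tag 0x%02x" % tag, content))
    return found


if __name__ == "__main__":
    der = dc_san_extension(SAMPLE_HOST, SAMPLE_GUID)
    print(der.hex())
    print(list_san_names(der))
```

As the replies in this thread state, EJBCA by default ignores extensions supplied in the request and adds them from the certificate profile.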
|
From: Gémes G. <ge...@kz...> - 2013-05-02 18:12:25
|
Thank you!

That is really awesome, then I'll quit fighting to put the correct attributes in the request.

Cheers

Geza Gemes

> Hi,
>
> This sounds awesome! If you get it working we will really like an
> updated guide for that.
>
> Attributes in the certificate request should not be needed. EJBCA by
> default uses the information registered when you create the end entity
> in EJBCA, and ignores the user supplied attributes in the request (they
> may be dangerous, the user probably knows nothing about PKI).
>
> The certificate request is fully valid without any extra attributes.
>
> Cheers,
> Tomas
>
> On 05/01/2013 07:49 PM, Gémes Géza wrote:
>> Hi,
>>
>> I'm working on an addendum to the smart card logon howto
>> (http://download.primekey.se/ejbca/smartcardlogon/) in order to make an
>> equivalent (the Windows dc part) for a Samba Active Directory DC. As
>> samba already has python interfaces I've decided to try to code the
>> whole in python. As the ssl library I've chosen M2Crypto. The attached
>> python script produces a similar request (attached) as the vbscript
>> attached to the howto, but it misses to add any attributes. The question
>> is are they needed, is the certificate request valid without?
>>
>> Cheers
>>
>> Geza Gemes |
|
From: Tomas G. <to...@pr...> - 2013-05-02 15:42:46
|
Hi,

This sounds awesome! If you get it working we will really like an updated guide for that.

Attributes in the certificate request should not be needed. EJBCA by default uses the information registered when you create the end entity in EJBCA, and ignores the user supplied attributes in the request (they may be dangerous, the user probably knows nothing about PKI).

The certificate request is fully valid without any extra attributes.

Cheers,
Tomas

On 05/01/2013 07:49 PM, Gémes Géza wrote:
> Hi,
>
> I'm working on an addendum to the smart card logon howto
> (http://download.primekey.se/ejbca/smartcardlogon/) in order to make an
> equivalent (the Windows dc part) for a Samba Active Directory DC. As
> samba already has python interfaces I've decided to try to code the
> whole in python. As the ssl library I've chosen M2Crypto. The attached
> python script produces a similar request (attached) as the vbscript
> attached to the howto, but it misses to add any attributes. The question
> is are they needed, is the certificate request valid without?
>
> Cheers
>
> Geza Gemes |
|
From: Jian W. <wan...@gm...> - 2013-05-02 11:43:35
|
Hi,

I test XKMS command line client provided by EJBCA 4.0.14.

I run

./xkmscli.sh register "CN=test6" "5203344" "NULL" "NOGEN" pem

or

./xkmscli.sh register "CN=test6" "5203344" "5203344" "NOGEN" pem

and got the same error: "Error password couldn't be verified"

The password of user "test6" is really "5203344". I test in Mac and Ubuntu, and got the same error. I check every detail, but failed to find the reason. I am not sure it is a bug of client itself or my configuration mistake. I need some clue and help.

I run "ant test:xkms" and got the two failures related with register process, but others are successful.

test06RegisterWithNoPOP Failure null
junit.framework.AssertionFailedError: null
    at org.ejbca.core.protocol.xkms.XKMSKRSSTest.test06RegisterWithNoPOP(XKMSKRSSTest.java:520)
0.238

test07RegisterWithBasicAuthentication Failure null
junit.framework.AssertionFailedError: null
    at org.ejbca.core.protocol.xkms.XKMSKRSSTest.test07RegisterWithBasicAuthentication(XKMSKRSSTest.java:557)
0.037

JBOSS output:

23:22:42,859 WARN [StatelessBeanContext] EJBTHREE-1337: do not get WebServiceContext property from stateless bean context, it should already have been injected
23:22:42,877 ERROR [KRSSResponseGenerator] Error performing authentication verification :
java.lang.NullPointerException
    at gnu.inet.encoding.Stringprep.saslprep(Stringprep.java:65)
    at gnu.inet.encoding.Stringprep.saslprep(Stringprep.java:50)
    at org.ejbca.core.protocol.xkms.common.XKMSUtil.getSecretKeyFromPassphrase(XKMSUtil.java:323)
    at org.ejbca.core.protocol.xkms.generators.KRSSResponseGenerator.getEncryptedPassword(KRSSResponseGenerator.java:405)
    at org.ejbca.core.protocol.xkms.generators.RegisterResponseGenerator.getResponse(RegisterResponseGenerator.java:79)
    at org.ejbca.core.protocol.xkms.XKMSProvider.register(XKMSProvider.java:263)
    at org.ejbca.core.protocol.xkms.XKMSProvider.invoke(XKMSProvider.java:212)
    at org.ejbca.core.protocol.xkms.XKMSProvider.invoke(XKMSProvider.java:114)
    at sun.reflect.GeneratedMethodAccessor617.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
    at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
    at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:73)
    at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:59)
    at sun.reflect.GeneratedMethodAccessor315.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
    at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_2039244428.invoke(InvocationContextInterceptor_z_fillMethod_2039244428.java)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
    at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_2039244428.invoke(InvocationContextInterceptor_z_setup_2039244428.java)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
    at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:190)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:306)
    at org.jboss.ejb3.stateless.StatelessContainer.invokeEndpoint(StatelessContainer.java:662)
    at org.jboss.wsf.container.jboss50.invocation.InvocationHandlerEJB3.invoke(InvocationHandlerEJB3.java:96)
    at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:222)
    at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:474)
    at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:295)
    at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:205)
    at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:131)
    at org.jboss.wsf.common.servlet.AbstractEndpointServlet.service(AbstractEndpointServlet.java:85)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:680)
23:22:42,882 WARN [StatelessBeanContext] EJBTHREE-1337: do not get WebServiceContext property from stateless bean context, it should already have been injected

--
_________________________________________
Dr. Jian Wang
College of Computer Science and Technology
Jilin University
2699 Qianjin Road, Changchun, P.R. China
Tel: +86-431-85159419
Email: wan...@gm...
QQ: 1332552
Home Page: http://ccst.jlu.edu.cn/~wangj
_________________________________________ |
|
From: Gémes G. <ge...@kz...> - 2013-05-01 17:50:09
|
Hi,

I'm working on an addendum to the smart card logon howto (http://download.primekey.se/ejbca/smartcardlogon/) in order to make an equivalent (the Windows dc part) for a Samba Active Directory DC. As samba already has python interfaces I've decided to try to code the whole in python. As the ssl library I've chosen M2Crypto. The attached python script produces a similar request (attached) as the vbscript attached to the howto, but it misses to add any attributes. The question is are they needed, is the certificate request valid without?

Cheers

Geza Gemes |
|
From: Samuel L. B. <sa...@pr...> - 2013-04-23 08:19:19
|
Hi Nuno,

It's not possible currently. Self-registration only supports a small subset of the options that are available in the end-entity page (common ones subject DN, subject alt name, e-mail, etc..).

We might implement this sometime in the future, but I can't make any promises.

Best Regards,
Samuel

2013-04-23 01:37, Nuno Ricardo Vinha da Silva wrote:
> Good evening.
>
> I am writing to the list requesting for some inside information/help
> from someone more experienced than me in EJBCA.
>
> I am trying to implement EJBCA for internal certificate generation and
> allowing the users to make their own requests. This works flawlessly and
> am now trying to implement this with key recovery also.
>
> I can make both features working “standalone” but when I try to make the
> self-registration work with the key recovery feature at the same time I
> keep hitting a brick wall. :/
>
> Can anyone tell me if this is even possible?
>
> Best regards
>
> Nuno Silva |
|
From: Nuno R. V. da S. <nr...@is...> - 2013-04-22 23:52:54
|
Good evening.

I am writing to the list requesting for some inside information/help from someone more experienced than me in EJBCA.

I am trying to implement EJBCA for internal certificate generation and allowing the users to make their own requests. This works flawlessly and am now trying to implement this with key recovery also.

I can make both features working "standalone" but when I try to make the self-registration work with the key recovery feature at the same time I keep hitting a brick wall. :/

Can anyone tell me if this is even possible?

Best regards

Nuno Silva |
|
From: ejbca-support <ejb...@pr...> - 2013-04-22 12:34:42
|
On 2013-04-22 16:27, Toru Tanaka wrote:
> Hi, all
> I read this article.
>
> http://blog.ejbca.org/2012/05/new-features-in-ejbca-5.html
>
> And I understand the difference between EJBCA 4 and EJBCA 5.
> This article said EJBCA 5.0 has follows features except Common Criteria Certification.
>
> -Certified access control and authorization module, for assurance and high trust role separation.
> -Integrity protected security audit log, with digital signature or HMAC protection.
> -Improved security audit log messages, complete information that is auditable.
> -Full database integrity protection of all tables, to detect database manipulation.
> -Authentication of local CLI users enabling role separation also for local CLI.
> -Penetration tested with improved security.
>
> About these feature, I have a question.
> Has EJBCA 5.0 these feature as standard feature?
> Or
> in order to have these feature, does EJBCA 5.0 need other software, modules, and so on?

This is similar to the JBoss enterprise version:
http://www.primekey.se/Products/EJBCA+PKI/Editions

Cheers
Anders
tech support

> Please give me information.
> Thanks in advance
> Toru Tanaka |