From: Manuel R. <MR...@e-...> - 2002-07-03 09:50:26
Thanks for the reply, things seem to be looking up with regards to getting the admin panel working. But (there is always a "but") could anybody clarify the following line in the doc/README file: "Download the CA certificate, transfer to PEM-format and concatenate the certificates together in 'tomcat.pem.'"

Following the steps detailed previously to this one, I now have a tomcat.req and a tomcat.pem in my EJBCA directory.

Thanks in advance
M

-----Original Message-----
From: Tomas Gustavsson [mailto:to...@pr...]
Sent: 02 July 2002 09:09
To: Manuel Reyes
Cc: ejb...@li...
Subject: Re: [Ejbca-develop] RA Admin Web Interface

Nice to see people try out the experimental features

The RA web interface is currently work-in-progress, but does however somewhat work. There is a preliminary section in the end of doc/README which describes the rather crude current setup procedure.

The RA web administration requires authentication with a client certificate (this is real sensitive stuff), which currently only works with JBoss-Tomcat. JBoss-Jetty will probably support it when JBoss integrates v 4.1 of Jetty, once that is finished; today it does not support CLIENT-CERT authentication in 'web.xml'.

As you may guess it has been quiet about the RA web admin interface because it is not yet completed. Take a peek in doc/README.

Regards,
Tomas

Manuel Reyes wrote:
> Does anybody have any experience of using the RA Admin web interface which
> is deployed in the raadmin.war contained in ejbca-ca.ear?
>
> If I open the raadmin.war file I find all the various jsp scripts etc for
> the web interface, but there doesn't seem to be any documentation available
> anywhere (e.g. the files in help\ (all html) seem to be simply placeholders
> for future (hopefully planned) documentation, and there seems to be nothing
> on the ejbca sourceforge website).
>
> The problem that I am encountering is that when I try and access the web
> interface (http://servername:8080/raadmin/index.jsp) I am presented with the
> following error(s) in my browser:
>
> 1) javax.servlet.ServletException: Client certificate required.
> 2) se.anatom.ejbca.webdist.ejbcaathorization.AuthorizationDeniedException:
> Client certificate required.
>
> (these errors are mirrored by the jboss server output. For the sake of size
> and readability of this post I have stripped out the majority of the java
> generated error)
>
> As far as I can tell the client has a valid certificate installed, and
> ejbca/jboss are working fine
>
> Versions:
> EJBCA-2.0 pre1 (http://ejbca.sourceforge.net)
> jboss-3.0.0RC1_tomcat-4.0.3 (http://www.jboss.org)
From: Manuel R. <MR...@e-...> - 2002-07-03 14:25:29
Something seems to be failing when I try to create the PEM file with the CA Certificate (unfortunately I do not have openssl to try the second method of creating this); the batch.sh file processes correctly (i.e. no errors) and creates a "pem" directory in ejbca/ but this is empty so I have nothing to concatenate.

These are the steps I am following:
keytool -genkey -keyalg RSA -alias raa-alias -keystore .keystore -storepass 1qaz1qaz
What is your first and last name? : JOHN DOE
What is the name of your organizational unit? : ORG-UNIT
What is the name of your organization?]: ORG
What is the name of your City or Locality? : SMALLVILLE
What is the name of your State or Province? : SMALLSHIRE
What is the two-letter country code for this unit? : GB
Is CN=JOHN DOE, OU=ORG-UNIT, O=ORG, L=SMALLVILLE, ST=SMALLSHIRE, C=GB correct? : yes
Enter key password for <raa-alias>
(RETURN if same as keystore password):

keytool -certreq -alias raa-alias -file raa-admin.req -keystore .keystore -storepass 1qaz1qaz

./ra.sh adduser raa-users 1qaz1qaz "CN=JOHN DOE, OU=ORG-UNIT, O=ORG, C=GB" "na...@se..." 32
Trying to add user:
Username: raa-users
Password (hashed only): 1qaz1qaz
DN: CN=JOHN DOE, OU=ORG-UNIT, O=ORG, C=GB
Email: na...@se...
Type: 32
User 'raa-users' has been added.
Note: If batch processing should be possible,
also use 'ra setclearpwd raa-users <pwd>'.

./ra.sh setuserstatus raa-users 10

./ca.sh processreq raa-users 1qaz1qaz raa-admin.req raa-admin.pem
Processing cert request:
Username: raa-users
Password: 1qaz1qaz
Request file: raa-admin.req
Wrote certificate (PEM-format) to file raa-admin.pem

./ra.sh setclearpwd raa-users 1qaz1qaz
Setting clear text password 1qaz1qaz for user raa-users

[NOTES: sh ./batch.sh -pem searches for users with status 10 (new); following the above creates a user with status 40]

./ra.sh setuserstatus raa-users 10
New status for user raa-users is 10

sh ./batch.sh -pem
0 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating PEM-files.
7 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating for all NEW.
285 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating keys for raa-users
11421 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Created P12 for raa-users.
11486 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - 1 new users generated successfully - :raa-users
11487 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating for all FAILED.
11568 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - 0 new users generated successfully -
At this stage the "pem" directory is created in ejbca/ but this is empty.

-----Original Message-----
From: Tomas Gustavsson [mailto:to...@pr...]
Sent: 03 July 2002 05:23
To: Manuel Reyes
Cc: ejb...@li...
Subject: RE: [Ejbca-develop] RA Admin Web Interface

While it is 'herrvendil' who is doing the work on the admin panel, I can still answer questions :-)

> "Download the CA certificate, transfer to PEM-format and concatenate the
> certificates together in 'tomcat.pem.'"

When I import the certificates with keytool I must have one file containing both the ra-admin's certificate and the CA-certificate. If I try to import them one by one using keytool, it complains.

When getting the CA-certificate using ca.sh/cmd it is stored in raw DER-encoded format, so (at least I) must make it into PEM-format (using for instance openssl) and then put both certificates together in one file, tomcat.pem as I called it.

Eventually the CA-certificate will be possible to store in PEM-format as well...

> Following the steps detailed previously to this one, I now have a tomcat.req
> and a tomcat.pem in my EJBCA directory

And the tomcat.pem should contain both the ra-admin's certificate and the CA-certificate.

Regards,
Tomas
From: Tomas G. <to...@pr...> - 2002-07-03 15:37:37
> Something seems to be failing when I try to create the PEM file with the CA
> Certificate (unfortunately I do not have openssl to try the second method of
> creating this), the batch.sh file processes correctly (i.e. no errors) and
> creates a "pem" directory in ejbca/ but this is empty so I have nothing to
> concatenate.

This may be a bug in directory creation or something... When I try a directory is created 'ejbca/p12/pem' where all pem files are stored.

Regards,
Tomas
From: Manuel R. <MR...@e-...> - 2002-07-04 11:08:03
Attachments:
command.txt
> This may be a bug in directory creation or something...
> When I try a directory is created 'ejbca/p12/pem' where all pem files
> are stored.

Looks like you are right, as mentioned previously the batch.sh -pem command does create the ejbca/pem directory but this is empty, but the necessary files can be found in ejbca/p12/pem/. In fact it creates 3 files (JOHN DOE-CA.pem, JOHN DOE-Key.pem, JOHN DOE.pem), I used JOHN DOE.pem to concatenate.

Following on from there, I have now reached the end of the documentation regarding RAADMIN in ejbca/doc/README but I have still come up against the original errors:

1) javax.servlet.ServletException: Client certificate required.
2) se.anatom.ejbca.webdist.ejbcaathorization.AuthorizationDeniedException: Client certificate required.

The only point which I didn't fully understand was:

6. Create a PKCS12 file with EJBCA for a user with CN=walter and the RAADMIN bit (temporarily CN=walter gives adminrights).

What exactly is the "RAADMIN bit"?

Also there seems to be a discrepancy in that the initial keytool commands (point 3) use .keystore, this same keystore name doesn't work in point 3 - "Import to the keystore" (see [COMMENTS] below for notes), so .keystore needs to be changed to simply "keystore". This is then renamed (point 4) to .keystore which I assume would overwrite the .keystore generated at the beginning of point 3. (I am currently looking at this, and will try using all keytool commands with simply "keystore", and then renaming)

Did that last paragraph make sense? :-)

Also, just in case anybody else is following this thread, these are my notes from the expedition into the RA Admin Web Interface (not sure how these will display in your mail reader, so I have also attached a plain text document):

=========================================================
RA Admin Web Interface - Installation/Configuration Notes
=========================================================

=========================================================
Guidelines from /usr/local/ejbca/doc/README :
=========================================================

Preliminary documentation - TODO: Installation procedure will be enhanced.

1. Copy src/ra/web/raadmin/WEB-INF/tomcat-services.xml to JBOSS_HOME/server/default/deploy
2. Edit parameters in src/ra/web/raadmin/WEB-INF/web.xml.
3. Create a tomcat server keystore with 'keytool' (create a certificate request that is processed by EJBCA and import the returned certificate).
   keytool -genkey -keyalg RSA -alias tomcat -keystore .keystore -storepass foo123
   keytool -certreq -alias tomcat -file tomcat.req -keystore .keystore -storepass foo123
   Create a user in EJBCA, DN="C=SE,O=PrimeKey,CN=localhost" or similar.
   Process the request from keytool and write the certificate to 'tomcat.pem'.
   Download the CA certificate, transfer to PEM-format and concatenate the certificates together in 'tomcat.pem.'
   Import to the keystore:
   keytool -import -alias tomcat -file tomcat.pem -keystore .keystore -storepass foo123
4. Name the keystore '.keystore' and put in $JBOSS_HOME.
5. Add the EJBCA CA certificate to the trust-keystore in $JAVA_HOME/jre/lib/security/cacerts
   keytool -import -trustcacerts -file ejbca-ca.pem -keystore cacerts -storepass changeit
6. Create a PKCS12 file with EJBCA for a user with CN=walter and the RAADMIN bit (temporarily CN=walter gives adminrights).
7. Install the PKCS12 file in the browser.
8. Start JBoss.
11. Go to https://localhost:8443/raadmin
=========================================================

=========================================================
Notes
=========================================================

[ACTION] cp /usr/local/src/ra/web/raadmin/WEB-INF/tomcat-services.xml $JBOSS_HOME/server/default/deploy
[ACTION] Edit parameters in src/ra/web/raadmin/WEB-INF/web.xml

[NOTES] Create a tomcat server keystore with 'keytool' (create a certificate request that is processed by EJBCA and import the returned certificate).
[COMMAND] keytool -genkey -keyalg RSA -alias raadmin-alias -keystore .keystore -storepass 1qaz1qaz
[OUTPUT] What is your first and last name? : JOHN DOE
[OUTPUT] What is the name of your organizational unit? : ORG-UNIT
[OUTPUT] What is the name of your organization?]: ORG
[OUTPUT] What is the name of your City or Locality? : SMALLVILLE
[OUTPUT] What is the name of your State or Province? : SMALLSHIRE
[OUTPUT] What is the two-letter country code for this unit? : GB
[OUTPUT] Is CN=JOHN DOE, OU=ORG-UNIT, O=ORG, L=SMALLVILLE, ST=SMALLSHIRE, C=GB correct? : yes
[OUTPUT]
[OUTPUT] Enter key password for <raa-alias>
[OUTPUT] (RETURN if same as keystore password):
[COMMAND] keytool -certreq -alias raa-alias -file raadmin.req -keystore .keystore -storepass 1qaz1qaz

[NOTES] Create a user in EJBCA, DN="C=SE,O=PrimeKey,CN=localhost" or similar.
[COMMAND] ./ra.sh adduser raadmin-user 1qaz1qaz "CN=JOHN DOE, OU=ORG-UNIT, O=ORG, C=GB" "na...@se..." 32
[OUTPUT] Trying to add user:
[OUTPUT] Username: raa-users
[OUTPUT] Password (hashed only): 1qaz1qaz
[OUTPUT] DN: CN=JOHN DOE, OU=ORG-UNIT, O=ORG, C=GB
[OUTPUT] Email: na...@se...
[OUTPUT] Type: 32
[OUTPUT] User 'raa-users' has been added.
[OUTPUT]
[OUTPUT] Note: If batch processing should be possible,
[OUTPUT] also use 'ra setclearpwd raa-users <pwd>'.

[NOTES] Process the request from keytool and write the certificate to 'raadmin.pem'.
[COMMAND] ./ca.sh processreq raadmin-user 1qaz1qaz raadmin.req raadmin.pem
[OUTPUT] Processing cert request:
[OUTPUT] Username: raa-users
[OUTPUT] Password: 1qaz1qaz
[OUTPUT] Request file: raa-admin.req
[OUTPUT] Wrote certificate (PEM-format) to file raa-admin.pem

[NOTES] Set user password to clear text
[COMMAND] ./ra.sh setclearpwd raadmin-user 1qaz1qaz
[OUTPUT] Setting clear text password 1qaz1qaz for user raa-users

[NOTES] [sh ./batch.sh -pem searches for users with status 10 (new); following the above creates a user with status 40]
[COMMAND] ./ra.sh setuserstatus raadmin-user 10
[OUTPUT] New status for user raa-users is 10

[NOTES] Download the CA certificate, transfer to PEM-format and concatenate the certificates together in 'raadmin.pem.'
[COMMAND] sh ./batch.sh -pem
[OUTPUT] 0 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating PEM-files.
[OUTPUT] 7 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating for all NEW.
[OUTPUT] 285 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating keys for raa-users
[OUTPUT] 11421 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Created P12 for raa-users.
[OUTPUT] 11486 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - 1 new users generated successfully - :raa-users
[OUTPUT] 11487 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating for all FAILED.
[OUTPUT] 11568 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - 0 new users generated successfully -
[ACTION] Concatenate ejbca/p12/pem/JOHN DOE.pem to ejbca/raadmin.pem

[NOTES] Import to the keystore
[COMMAND] keytool -import -alias raadmin-alias -file raadmin.pem -keystore keystore -storepass 1qaz1qaz
[OUTPUT] Owner: C=GB, O=ORG, OU=ORG-UNIT, CN=JOHN DOE
[OUTPUT] Issuer: C=GB, O=ETrusted, OU=Security Department, CN=ETrusted Certificate Authority
[OUTPUT] Serial number: 3dc8221452bc4c99
[OUTPUT] Valid from: Thu Jul 04 09:54:01 BST 2002 until: Sat Jul 03 10:04:01 BST 2004
[OUTPUT] Certificate fingerprints:
[OUTPUT] MD5: 98:F9:32:D7:85:AF:58:C0:C3:39:AE:E9:33:14:7F:FB
[OUTPUT] SHA1: F7:06:60:56:9F:D3:81:A8:8C:E7:30:A4:8A:14:81:63:E1:34:E9:3B
[OUTPUT] Trust this certificate? [no]: yes
[OUTPUT] Certificate was added to keystore
[COMMENTS] Point 3 advises the following command
[COMMENTS] keytool -import -alias raadmin-alias -file raadmin.pem -keystore .keystore -storepass 1qaz1qaz
[COMMENTS] This fails with:
[COMMENTS] keytool error: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: insufficient data
[COMMENTS] Changing the command to:
[COMMENTS] keytool -import -alias raadmin-alias -file raadmin.pem -keystore keystore -storepass 1qaz1qaz
[COMMENTS] seems to work fine, but does this affect the initial commands using .keystore

[NOTES] Name the keystore '.keystore' and put in $JBOSS_HOME.
[ACTION] mv keystore .keystore
[ACTION] cp .keystore $JBOSS_HOME

[NOTES] Add the EJBCA CA certificate to the trust-keystore in $JAVA_HOME/jre/lib/security/cacerts
[COMMAND] ./ca.sh getrootcert rootcert.cer
[OUTPUT] Wrote Root CA certificate to 'rootcert.cer'
[COMMAND] keytool -import -trustcacerts -file rootcert.cer -keystore cacerts -storepass 1qaz1qaz
[OUTPUT] Owner: C=GB, O=ETrusted, OU=Security Department, CN=ETrusted Certificate Authority
[OUTPUT] Issuer: C=GB, O=ETrusted, OU=Security Department, CN=ETrusted Certificate Authority
[OUTPUT] Serial number: 45d3f0c305d5429c
[OUTPUT] Valid from: Tue Jun 25 14:06:49 BST 2002 until: Wed Jun 25 14:16:49 BST 2003
[OUTPUT] Certificate fingerprints:
[OUTPUT] MD5: 70:31:88:BB:79:76:D3:4B:D4:98:97:10:9F:32:52:30
[OUTPUT] SHA1: A8:B8:D2:18:85:33:A7:F8:D8:3F:DD:2B:96:5D:8D:4A:43:1D:3B:B7
[OUTPUT] Trust this certificate? [no]: yes
[OUTPUT] Certificate was added to keystore
[ACTION] cp cacerts $JAVA_HOME/jre/lib/security/cacerts

[NOTES] Create a PKCS12 file with EJBCA for a user with CN=walter and the RAADMIN bit (temporarily CN=walter gives adminrights).
[COMMAND] ./ra.sh adduser raadmin-user2 1qaz1qaz "CN=walter, OU=ORG-UNIT, O=ORG, C=GB" "na...@se..." 32
[OUTPUT] Trying to add user:
[OUTPUT] Username: raadmin-user2
[OUTPUT] Password (hashed only): 1qaz1qaz
[OUTPUT] DN: CN=walter, OU=ORG-UNIT, O=ORG, C=GB
[OUTPUT] Email: na...@se...
[OUTPUT] Type: 32
[OUTPUT] User 'raadmin-user2' has been added.
[OUTPUT]
[OUTPUT] Note: If batch processing should be possible,
[OUTPUT] also use 'ra setclearpwd raadmin-user2 <pwd>'.
[COMMAND] ./ra.sh setclearpwd raadmin-user 1qaz1qaz
[OUTPUT] Setting clear text password 1qaz1qaz for user raadmin-user2
[COMMAND] sh ./batch.sh
[OUTPUT] 1 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating for all NEW.
[OUTPUT] 278 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating keys for raadmin-user2
[OUTPUT] 11562 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Created P12 for raadmin-user2.
[OUTPUT] 11629 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - 1 new users generated successfully - :raadmin-user2
[OUTPUT] 11629 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - Generating for all FAILED.
[OUTPUT] 11716 [main] INFO se.anatom.ejbca.batch.BatchMakeP12 - 0 new users generated successfully -
[ACTION] Restart JBOSS

[NOTES] Install the PKCS12 file in the browser.
[NOTES] Reset raadmin-user2 to status 10 to allow browser to install cert
[COMMAND] ./ra.sh setuserstatus raadmin-user2 10
[ACTION] Go to http://servername:8080/apply/apply_exp.jsp, install Root CA and get cert for raadmin-user2/1qaz1qaz
[ACTION] Go to https://servername:8443/raadmin
[FAILURE] Browser IE: Page cannot be displayed
[ACTION] Go to http://servername:8080/raadmin/
[FAILURE] javax.servlet.ServletException: Client certificate required.
[FAILURE] se.anatom.ejbca.webdist.ejbcaathorization.AuthorizationDeniedException: Client certificate required.

-----Original Message-----
From: Tomas Gustavsson [mailto:to...@pr...]
Sent: 03 July 2002 08:47
To: Manuel Reyes
Cc: ejb...@li...
Subject: Re: [Ejbca-develop] RA Admin Web Interface

> Something seems to be failing when I try to create the PEM file with the CA
> Certificate (unfortunately I do not have openssl to try the second method of
> creating this), the batch.sh file processes correctly (i.e. no errors) and
> creates a "pem" directory in ejbca/ but this is empty so I have nothing to
> concatenate.

This may be a bug in directory creation or something... When I try a directory is created 'ejbca/p12/pem' where all pem files are stored.

Regards,
Tomas
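Tomas's earlier reply in this thread explains that the CA certificate fetched with ca.sh comes out as raw DER, while keytool wants one PEM file holding both the RA admin certificate and the CA certificate; Manuel's notes above then concatenate 'JOHN DOE.pem' into 'raadmin.pem' and import it. The script below is an added example, not code from the thread or from EJBCA: it wraps DER bytes in PEM armour (the same transformation 'openssl x509 -inform DER' performs), leaves input that is already PEM untouched, joins the certificates into one bundle, and checks that the bundle really holds two decodable certificate blocks before anything is handed to keytool -import. The byte strings are constructed stand-ins, not real certificates.

```python
import base64
import re

# Constructed stand-in for the DER file that 'ca.sh getrootcert' writes.
# Real DER starts with a SEQUENCE tag (0x30); everything after it is filler.
FAKE_CA_DER = b"\x30\x82\x01\x0a" + bytes(range(100))

# Constructed stand-in for the user certificate; in the thread this one is
# already PEM-encoded when batch.sh -pem writes it to ejbca/p12/pem/.
FAKE_USER_DER = b"\x30\x82\x02\x14" + bytes(range(100, 200))

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_to_pem(der):
    """Wrap DER bytes in PEM armour, 64 base64 characters per line."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def is_pem(data):
    """PEM input is ASCII text starting with a BEGIN line; DER starts with 0x30."""
    return data.lstrip().startswith(b"-----BEGIN")


def to_pem(data):
    """Accept either encoding and return PEM text; PEM input passes through unchanged."""
    if is_pem(data):
        return data.decode("ascii")
    if data[:1] != b"\x30":
        raise ValueError("neither PEM armour nor a DER SEQUENCE: not a certificate file")
    return der_to_pem(data)


def concat_pem(*files):
    """Build the single file keytool wants: RA admin certificate first, CA certificate after."""
    parts = []
    for data in files:
        pem = to_pem(data)
        parts.append(pem if pem.endswith("\n") else pem + "\n")
    return "".join(parts)


def pem_cert_blocks(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file, in order."""
    return [base64.b64decode(m.group(1)) for m in PEM_BLOCK.finditer(text)]


def check_bundle(text, expected=2):
    """Pre-import check: the bundle must hold `expected` blocks that each decode to DER."""
    blocks = pem_cert_blocks(text)
    if len(blocks) != expected:
        raise ValueError("expected %d certificates, found %d" % (expected, len(blocks)))
    for i, der in enumerate(blocks):
        if der[:1] != b"\x30":
            raise ValueError("block %d does not decode to a DER SEQUENCE" % i)
    return len(blocks)


if __name__ == "__main__":
    user_pem = der_to_pem(FAKE_USER_DER).encode("ascii")  # already PEM, as in p12/pem/
    bundle = concat_pem(user_pem, FAKE_CA_DER)             # the DER CA cert gets converted
    print(bundle)
    print("certificates in bundle:", check_bundle(bundle))
```

On a real installation the two inputs would be read from the files the thread names ('ejbca/p12/pem/JOHN DOE.pem' and the rootcert.cer written by ca.sh getrootcert) and the bundle written to raadmin.pem; the check_bundle call is the part worth keeping, since a bundle with a missing or truncated block is exactly what a keytool import error would otherwise reveal only after the fact.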
From: Tomas G. <to...@pr...> - 2002-07-04 15:32:57
> 1) javax.servlet.ServletException: Client certificate required.
> 2) se.anatom.ejbca.webdist.ejbcaathorization.AuthorizationDeniedException:
> Client certificate required.
>
> The only point which I didn't fully understand was:
>
> 6. Create a PKCS12 file with EJBCA for a user with CN=walter and the RAADMIN
> bit (temporarily CN=walter gives adminrights).
>
> What exactly is the "RAADMIN bit"

You must create your 'walter' user with type RAADMIN (32)

ra.sh adduser walter foo "C=SE,O=Foo,CN=walter" null 32

The user-type is a bitmask, this is why it says RAADMIN bit, i.e. a user can be both an END_USER, CAADMIN and RAADMIN at the same time.

After creating a user with CN=walter you must get a certificate for that user in your browser, this can be done either by:
1. Normal enrollment at http://localhost:8080/apply
2. By batch-creating a p12-file and importing it in the browser (may not work in Mozilla/Netscape for the moment due to unknown reasons, but it will eventually).

> Also there seems to be a discrepancy in that the initial keytool commands
> (point 3) use .keystore, this same keystore name doesn't work in point 3 -
> "Import to the keystore" (see [COMMENTS] below for notes), so .keystore
> needs to be changed to simply "keystore". This is then renamed (point 4) to
> .keystore which I assume would overwrite the .keystore generated at the
> beginning of point 3. (I am currently looking at this, and will try using
> all keytool commands with simply "keystore", and then renaming)
>
> Did that last paragraph make sense? :-)

I think it did, thanks for the document! I will use it to update the documentation (next week).

Regards,
Tomas
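Tomas's answer above is that the user type is a bitmask with RAADMIN = 32, and that access to the RA admin pages needs a client certificate whose user carries that bit. The following is an added illustration, not EJBCA's code: it decodes a type value into its set bits and gates access the way the two failures in this thread manifest (no client certificate at all; a certificate for a user without the RAADMIN bit). Only the value 32 comes from the thread; the END_USER and CAADMIN values, the exception's behaviour and the user table are assumptions made for the example.

```python
# User-type bits. RAADMIN = 32 is the value Tomas gives on the list; END_USER and
# CAADMIN are placeholder values assumed for this illustration, not EJBCA's constants.
END_USER = 1
CAADMIN = 2
RAADMIN = 32

TYPE_NAMES = {END_USER: "END_USER", CAADMIN: "CAADMIN", RAADMIN: "RAADMIN"}


class AuthorizationDeniedException(Exception):
    """Same name as the exception in the thread's error output; the logic is illustrative."""


def has_type(user_type, bit):
    """True when `bit` is set in the bitmask `user_type`."""
    return user_type & bit == bit


def decode_user_type(user_type):
    """Name every set bit, e.g. 33 -> ['END_USER', 'RAADMIN']."""
    return [name for bit, name in sorted(TYPE_NAMES.items()) if has_type(user_type, bit)]


def normalize_dn(dn):
    """Strip spaces around commas so 'CN=walter, O=Foo' and 'CN=walter,O=Foo' compare equal."""
    return ",".join(part.strip() for part in dn.split(","))


# Constructed user table: the DNs and the value 32 come from the thread, the
# bit combinations are made up for the example.
USERS = {
    normalize_dn("C=SE,O=Foo,CN=walter"): END_USER | RAADMIN,
    normalize_dn("CN=JOHN DOE, OU=ORG-UNIT, O=ORG, C=GB"): END_USER,
}


def authorize_raadmin(client_cert_subject, users=USERS):
    """Decide whether the presented client certificate may reach the RA admin pages.

    Reproduces both failure modes seen in the thread: no certificate presented at
    all, and a certificate whose user does not carry the RAADMIN bit.
    """
    if client_cert_subject is None:
        raise AuthorizationDeniedException("Client certificate required.")
    dn = normalize_dn(client_cert_subject)
    user_type = users.get(dn)
    if user_type is None:
        raise AuthorizationDeniedException("No EJBCA user with DN " + dn)
    if not has_type(user_type, RAADMIN):
        raise AuthorizationDeniedException(
            "RAADMIN bit not set for %s (type %d = %s)"
            % (dn, user_type, decode_user_type(user_type))
        )
    return decode_user_type(user_type)


if __name__ == "__main__":
    print(authorize_raadmin("C=SE, O=Foo, CN=walter"))
    for subject in (None, "CN=JOHN DOE, OU=ORG-UNIT, O=ORG, C=GB"):
        try:
            authorize_raadmin(subject)
        except AuthorizationDeniedException as exc:
            print("denied:", exc)
```

The distinction the decode makes is the practical one for this thread: a user created with type 32 alone has the RAADMIN bit but not END_USER, so whether such a user can also enrol through the normal end-user pages depends on how the bits are checked there, which is why printing the decoded bits next to a denial is more useful than the bare "Client certificate required" message.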
From: Tomas G. <to...@pr...> - 2002-07-09 13:28:42
I updated the section in doc/README about installation of the RA-ADMIN GUI with information from your file Manuel, thanks.

Regards,
Tomas

Manuel Reyes wrote:
>> This may be a bug in directory creation or something...
>> When I try a directory is created 'ejbca/p12/pem' where all pem files
>> are stored.
>
> Looks like you are right, as mentioned previously the batch.sh -pem command
> does create the ejbca/pem directory but this is empty, but the necessary
> files can be found in ejbca/p12/pem/. In fact it creates 3 files (JOHN
> DOE-CA.pem, JOHN DOE-Key.pem, JOHN DOE.pem), I used JOHN DOE.pem to
> concatenate.
<snip>
From: Tomas G. <to...@pr...> - 2002-07-03 12:28:17
While it is 'herrvendil' who is doing the work on the admin panel, I can still answer questions :-)

> "Download the CA certificate, transfer to PEM-format and concatenate the
> certificates together in 'tomcat.pem.'"

When I import the certificates with keytool I must have one file containing both the ra-admin's certificate and the CA-certificate. If I try to import them one by one using keytool, it complains.

When getting the CA-certificate using ca.sh/cmd it is stored in raw DER-encoded format, so (at least I) must make it into PEM-format (using for instance openssl) and then put both certificates together in one file, tomcat.pem as I called it.

Eventually the CA-certificate will be possible to store in PEM-format as well...

> Following the steps detailed previously to this one, I now have a tomcat.req
> and a tomcat.pem in my EJBCA directory

And the tomcat.pem should contain both the ra-admin's certificate and the CA-certificate.

Regards,
Tomas