From: Johan E. <ejb...@pr...> - 2009-03-20 13:35:20
Johan Eklund wrote:
> Hi Andrea,
>
> Since you copied the entire database, the CA stored in the database is
> already "imported".
>
> "ssl_error_bad_cert_alert" might be caused by the name in the SSL server
> certificate not being the same on the new machine..
>
> Best Regards,
> Johan

Andrea wrote:
> Hi Johan, thanks a lot for your answer!!
>
> As regards the SSL error, how can I verify and solve this???
>
> --Andrea
>
> ------------------------------------------------------------------------------
> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
> powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
> easily build your RIAs with Flex Builder, the Eclipse(TM)-based development
> software that enables intelligent coding and step-through debugging.
> Download the free 60 day trial.
> http://p.sf.net/sfu/www-adobe-com
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop

Johan Eklund wrote:
> This is the CN of the tomcat user.. but you have to generate a new
> certificate and deploy this new one. Check the user guide for instructions
> on how to renew the SSL certificate.
> /Johan

Tomas Gustavsson wrote:
> Couldn't the bad cert alert be because the wrong superadmin cert was used?
> I have a feeling this is what I get when using the wrong superadmin cert...

Andrea wrote:
> Hi again, and thanks for your responses; now I'm not in the office any
> more till Monday..... so I'll test your hints on that day....
>
> But what do you mean, Tomas, when you say the wrong superadmin cert?? Is
> it the superadmin.p12 file?? If this is the case I copied it (the whole
> p12 dir) from the original EJBCA install to the one on the new server
> before doing "ant deploy".
>
> --Andrea

Tomas Gustavsson wrote:
> Hi, yes I meant the wrong superadmin certificate. If the client
> certificate is not available at all it usually gives a message like
> that. This would also be the case if there is a mismatch between the
> server certificate (tomcat.jks) and the superadmin.p12, so that the
> browser does not send the superadmin certificate at all to the server.
> You can usually figure this out by, for example, configuring Firefox to
> always ask which certificate to use. If Firefox then does not ask for
> any certificate you don't have a matching superadmin certificate.

Andrea wrote:
> Ok, I tried with a totally fresh new install on the backup server but
> with the conf and src directories (of ejbca) from the production server;
>
> I did:
> 1) ant bootstrap
> 2) started jboss
> 3) ant install
> 4) stopped jboss
> 5) ant deploy
>
> Then with the new superadmin.p12 I successfully entered the admin web UI.
>
> Then I exported the profiles on the production server (with ./ejbca ca
> exportprofiles) and successfully imported them with ./ejbca.sh ca
> importprofiles.
>
> Now I'm trying to export and import user certs; I did this: from the web
> UI I went to "list/edit end entities", selected one entity to make a
> test, then "View_Certificates"; then clicked on "Download PEM file" and
> downloaded the corresponding pem file.
>
> The problem arises when I try to import it in the "new install":
>
> the command help says this:
> ######################
> ./ejbca.sh ca importcert
>
> Usage: importcert <username> <password> <caname> <status> <certificate file> [<endentityprofile> | <endentityprofile> <certificateprofile>]
> ######################
>
> MY BIG problem now seems to be the "password": which password is this??
>
> Thanks a lot in advance,
>
> --Andrea

Johan Eklund wrote:
> I can see why this is a bit confusing. =) The password isn't used for
> anything unless you change the status of the user to NEW and generate
> new certificates, so set it to any random string.
>
> /Johan

Andrea wrote:
> ..oops, sorry for the previous mail; I agree with you it was just a bit
> confusing......
> I tried with a random string as you said, but I got:
>
> "Error: Invalid certificate or certificate not issued by specified CA:
> TrustAnchor found but certificate validation failed."
>
> Is this related to the fact that I set up a new ejbca install? I used
> the conf files of the original server (the name of the CA, its validity
> time... etc) but the "superadmin.p12" and the "tomcat.jks" are new...

Johan Eklund wrote:
> Yes! If the entity you are trying to import is issued by for example
> AdminCA1 and this also exists in the new EJBCA, but with a different
> key, it will not be pretty.. =/

Andrea wrote:
> In a previous post I explained that I also tried to use the original
> version of these files but I could not get into the admin web UI; you
> suggested that was related to the CN of the tomcat user.
> So you told me to generate a new certificate and deploy this new one (ON
> THE NEW SERVER??)

Johan Eklund wrote:
> Yes, on the new server! If you have copied the exact installation
> "originalcaserver.company.com" to a new machine
> "newcaserver.company.com", you have to change the CN of the tomcat user
> from "originalcaserver.company.com" to "newcaserver.company.com", enter
> a new password, set status to NEW and then batch-generate a new
> certificate.

Andrea wrote:
> I checked the user guide for instructions on how to renew the SSL
> certificate, but (OBVIOUSLY due to my errors in searching) I was not
> able to find the correct procedure...

Johan Eklund wrote:
> Might be a bit hard to find.. =)
> http://www.ejbca.org/manual.html#SSL%20certificate%20expire

Andrea wrote:
> Finally I found how to generate a new certificate for superadmin, but
> when I type (on the new server):
>
> bin/ejbca.sh ra setuserstatus superadmin 10
>
> it exits with errors saying that the connection to the database was
> refused.....

Johan Eklund wrote:
> Is the database running?

Andrea wrote:
> What is the correct way of doing this??
>
> --Andrea

Johan Eklund wrote:
> What was the exact error you got in your browser? Were you using
> Firefox? Could you add an exception?
>
> Are all your certificates on the old machine issued by "AdminCA1"?

Andrea wrote:
> This is what I did:
> 1) Copied the ejbca/conf, /ejbca/src and /ejbca/p12 directories from the
> production server to the new one
> 2) I did not use the default AdminCA1, but I set up a new CA name that
> is OvpnCA: this on the original server, so the same thing is on the new
> one since I copied all conf files
> 3) Ran "ant deploy" in the ejbca dir on the new server, which compiled
> correctly
> 4) Copied the whole jboss/server/default/data dir from the original
> server to the new one (I used the default HypersonicSQL DB)
> 5) Started jboss
>
> Then I tried to renew the SSL cert doing this:
>
> 1) went to ejbca/bin and then did
> #####
> ./ejbca.sh ra setuserstatus superadmin 10
> AND I GET
>
> Using JBoss JNDI provider...
> New status for user superadmin is 10
> ######
> then
>
> ./ejbca.sh ra setclearpwd tomcat serverpwd
>
> AND I GET
>
> Using JBoss JNDI provider...
> Setting clear text password serverpwd for user tomcat
> ######
>
> Then
>
> ./ejbca.sh batch
>
> BUT I GET
>
> Using JBoss JNDI provider...
> 0 [main] INFO org.ejbca.ui.cli.batch.BatchMakeP12 - Generating keys in directory /usr/local/ejbca/bin/p12.
> 2 [main] INFO org.ejbca.ui.cli.batch.BatchMakeP12 - Generating for all NEW.
> 691 [main] INFO org.ejbca.ui.cli.batch.BatchMakeP12 - Batch generating 0 users.
> 691 [main] INFO org.ejbca.ui.cli.batch.BatchMakeP12 - Generating for all FAILED.
> 1265 [main] INFO org.ejbca.ui.cli.batch.BatchMakeP12 - Batch generating 0 users.
>
> SO THERE IS NOTHING IN THE DIR /usr/local/ejbca/bin/p12
>
> What is the correct way of doing this??
>
> Why does it seem that there's no tomcat user to set to NEW??
>
> --Andrea

Andrea wrote:
> ...I have to do an "errata corrige": I made a mistake in doing
> "./ejbca.sh ra setuserstatus superadmin 10"!!
>
> Obviously the right user is tomcat, so I started again and now did:
>
> ./ejbca.sh ra setuserstatus tomcat 10
> ./ejbca.sh ra setclearpwd tomcat serverpwd
> ./ejbca.sh batch
> cp p12/tomcat.jks /usr/local/jboss/server/default/conf/keystore/keystore.jks
>
> Then restarted jboss
>
> ANYWAY THE PROBLEM PERSISTS:
>
> When (with Firefox and after loading the original superadmin.p12) I try
> to go to the page
>
> "https://192.168.5.156:8443/ejbca/adminweb/index.jsp"
>
> it gives an SSL connection error:
> "ssl_error_certificate_unknown_alert"
>
> Is it possible that this is due to the fact that I use a new tomcat.jks
> BUT the original superadmin.p12??
>
> --Andrea

Johan Eklund wrote:
> First try connecting to port 8442 instead. This will only require the
> server-side certificate, so if this doesn't work we can exclude the
> superadmin cert.
>
> If this doesn't work:
> 1. Are you viewing this in Firefox?
> 2. Have you made an exception for this site (check the link at the
> bottom of the error page) or added the issuing CA to the list of trusted
> CAs in Firefox?
>
> /Johan

Andrea wrote:
> ..As a test I tried (prior to receiving your answer) to also clear the
> superadmin user: so I did the same procedure to renew superadmin and got
> a new superadmin.p12 file.
> Stopped and restarted jboss...
>
> Now, if I connect to https://192.168.5.156:8442/ejbca/ I correctly see
> the "Welcome to Ejbca" page, but when I try the "Administration" link
> Firefox says:
>
> Authorization Denied
>
> Cause : Client certificate required.
>
> ...I cannot understand where the problem lies
>
> --Andrea

Johan Eklund wrote:
> Did you change the port number to 8443 for accessing the admin web? 8442
> does not ask the browser for a client certificate, but 8443 will.
>
> /Johan

Andrea wrote:
> No, I did not change the port numbers;
> As I said, when I click on the "Administration" link in the "Welcome to
> Ejbca" page (http://192.168.5.156:8080/ejbca) I'm asked (I'll try to
> translate from Italian to English what the Firefox popup says):
>
> ...This site asks for a client certificate:
> localhost (:8443)
> Organization: "EJBCA sample"
> Published by: "Comune di Modena"
>
> ...Then it asks me to select the certificate, which is the new
> superadmin.p12 I got by renewing the original one.
>
> One strange thing: why is Firefox telling me that the organization is
> "EJBCA sample", instead of the correct "Comune di Modena"??
> In the ejbca.properties file I configured the DN of the CA this way:
>
> "ca.dn=CN=Ovpn CoMo CA,O=Comune di Modena,C=IT"
>
> and did not use the default, which is:
>
> "ca.dn=CN=AdminCA1,O=EJBCA Sample,C=SE"
>
> --Andrea

Johan Eklund wrote:
> The tomcat.jks (the SSL server cert) you are using was generated when
> the SubjectDN included "O=EJBCA Sample" during some installation. Either
> on the old machine or when you installed it on the new one. Changing
> this configuration will not change the content of the "tomcat" user in
> the database later, so if you regenerate this certificate and would like
> to change the "O=", you have to edit the user as any other..
>
> /J

Andrea wrote:
> Sorry Johan, do you mean that this is the problem???
>
> --Andrea

Johan Eklund wrote:
> Sorry, I'm starting to get really confused about what is and what is not
> done in this thread. The "EJBCA Sample" probably comes from
> conf/web.properties: "httpsserver.dn=CN=ca-server,O=EJBCA Sample,C=SE".
>
> Were you able to connect to http://192.168.5.156:8443/ejbca/adminweb/ or
> not? Or were you just confused by the "EJBCA Sample" text?
>
> /J

Andrea wrote:
> ...I hope you'll forgive me if I seem confused in my posts:
>
> In effect the big problem is that I cannot connect to
> https://192.168.5.156:8443/ejbca/adminweb/
>
> And I tried:
> First to renew the tomcat user;
> Then renewing even the superadmin.p12 and re-importing it in the browser
>
> --Andrea

Johan Eklund wrote:
> Np.. it's just a bit hard to help sometimes, when it's not exactly clear
> what you have done/changed between two emails. =)

Andrea wrote:
> ...I agree, I'm sorry but, believe me, I was sure it was very easy to
> clone the EJBCA install and I'm going really crazy.....

Johan Eklund wrote:
> Did you deploy the new tomcat.jks to JBoss and restart JBoss?

Andrea wrote:
> Yes

Johan Eklund wrote:
> Did you remove the old superadmin from your web browser so you are sure
> it's the new one that is used?

Andrea wrote:
> Yes

Johan Eklund wrote:
> The thing I don't understand is: if you are trying to clone another
> EJBCA installation and the only problem was the SSL server certificate
> (tomcat.jks), why did you renew the superadmin.p12?

Andrea wrote:
> ...just to test it, I was not sure it was the problem

Johan Eklund wrote:
> If you copy the entire database, this means that you will have the same
> AdminCA, the old superadmin is issued by this CA and it will work if you
> stick to a server certificate generated by the same CA. If you use
> Firefox the old tomcat.jks should work, but you will get an
> error/warning that you can ignore temporarily. Once you have accessed
> the Admin pages you can edit the CN of the tomcat user to the new
> hostname, batch generate it, redeploy EJBCA, restart JBoss and it should
> work.. Sometimes starting over saves a lot of time..
>
> /Johan

Andrea wrote:
> I agree again, I'll try again from scratch even if I've already done it
> many times....
>
> Just another doubt: the original server is a CentOS release 4.4 (Final)
> with openssl-0.9.7a-43.14.
>
> The new one on which I'm trying to clone EJBCA is a CentOS release 5.2
> (Final) with openssl-0.9.8b-10.el5_2.1
>
> Maybe different openssl versions cause problems with certificates??
>
> --Andrea

Johan Eklund wrote:
> I can not imagine this would affect anything, unless you perform a lot
> of OpenSSL operations on the side.. =) EJBCA relies entirely on a bundled
> BouncyCastle library for crypto operations.
>
> /Johan

Andrea wrote:
> ....YES YES YES, finally I GOT IT!!
>
> Reading this thread
> "http://osdir.com/ml/java.ejbca.devel/2007-09/msg00010.html" ......
>
> I ran "ant javatruststore", stopped and restarted JBoss and now I can
> successfully access the admin page at
>
> https://192.168.5.156:8443/ejbca/adminweb/index.jsp
>
> So the problem was related to the Java keystore.....
>
> Thanks again to all of you, in particular Johan, for the patience and
> kindness put into helping me.....!!
>
> Thanks again....
>
> P.S. Johan, if you ever come to Italy for holidays and stop near Modena,
> I'll be glad to bring you a couple of beers!!!
>
> --Andrea

Awesome! Nice to see that your hard work finally paid off!

If you ever feel that you need more knowledge about EJBCA (or just want an
excuse to take a trip somewhere in Europe) I would recommend
http://download.primekey.se/documents/ejbca_training.pdf . Also, if you have
a large installation that you like to brag about we always have this page:
http://www.ejbca.org/installations.html

Modena looks like a beautiful city (http://en.wikipedia.org/wiki/Modena).. I
just might hold you to it if I ever come by.. =)

Best Regards,
Johan

--
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact in...@pr... for
more information.
http://download.primekey.se/documents/ejbca_subscription.pdf
http://download.primekey.se/documents/ejbca_training.pdf
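An added example, not code from EJBCA, PrimeKey or anyone in the thread: it reproduces the certificate mismatch that Johan and Tomas describe with a throwaway PKI built by the openssl command line tool, then runs the check a practitioner wants before blaming the browser. The three things that have to agree are the server certificate (what tomcat.jks holds), the client certificate (what superadmin.p12 holds) and the CA in the Java truststore; on top of that the server certificate's CN has to match the hostname being connected to. Two CAs are generated with the same subject DN but different keys, which is exactly the "AdminCA1 also exists in the new EJBCA, but with a different key" situation behind "TrustAnchor found but certificate validation failed". Every CA name, hostname, DN and path below is constructed for the example; EJBCA itself uses BouncyCastle, as Johan notes, so this is only a diagnostic on exported PEM files.

```shell
#!/bin/sh
# Added example: not code from EJBCA, PrimeKey or anyone in the thread.
# Builds a throwaway PKI with openssl and runs the certificate-agreement
# check discussed above. Every CA name, hostname, DN and path is constructed.
set -eu

WORK="${TMPDIR:-/tmp}/ejbca-tls-check.$$"

# Minimal openssl config so the result does not depend on the system openssl.cnf.
write_config() {
  mkdir -p "$WORK"
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# issue <ca-letter> <name> <subject>: key + CSR + certificate signed by ca<letter>
issue() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/ca$1.pem" -CAkey "$WORK/ca$1.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_leaf \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Two CAs with the SAME subject DN but DIFFERENT keys: Johan's "AdminCA1 also
# exists in the new EJBCA, but with a different key" situation.
make_test_pki() {
  write_config
  for ca in A B; do
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
      -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Test Admin CA/O=Example/C=SE" \
      -keyout "$WORK/ca$ca.key" -out "$WORK/ca$ca.pem" >/dev/null 2>&1
  done
  issue A server  "/CN=newcaserver.company.com/O=Example/C=SE"  # stand-in for tomcat.jks
  issue A clientA "/CN=SuperAdmin/O=Example/C=SE"               # superadmin.p12 from the same CA
  issue B clientB "/CN=SuperAdmin/O=Example/C=SE"               # superadmin.p12 from the look-alike CA
}

# chains_to <ca.pem> <cert.pem>: exit 0 iff the cert verifies against that CA
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cn_of <cert.pem>: the subject CN, for the hostname check on the server cert
cn_of() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_pair <truststore-ca.pem> <server.pem> <client.pem> <hostname>
#   1: server cert not issued by the truststore CA (browser warning / unknown cert)
#   2: client cert not issued by the truststore CA: the browser never offers it,
#      or the server rejects it (bad_cert_alert, "TrustAnchor found but
#      certificate validation failed")
#   3: server cert CN is still the old hostname (tomcat user never re-issued)
check_pair() {
  chains_to "$1" "$2" || { echo "server cert does not chain to truststore CA"; return 1; }
  chains_to "$1" "$3" || { echo "client cert does not chain to truststore CA"; return 2; }
  [ "$(cn_of "$2")" = "$4" ] || { echo "server CN '$(cn_of "$2")' != '$4'"; return 3; }
  echo "OK: server and client both issued by the trusted CA, server CN is $4"
}

main() {
  make_test_pki
  echo "--- matching pair ---"
  check_pair "$WORK/caA.pem" "$WORK/server.pem" "$WORK/clientA.pem" newcaserver.company.com
  echo "--- client cert from the look-alike CA ---"
  check_pair "$WORK/caA.pem" "$WORK/server.pem" "$WORK/clientB.pem" newcaserver.company.com || true
  echo "--- server cert still carries the old hostname ---"
  check_pair "$WORK/caA.pem" "$WORK/server.pem" "$WORK/clientA.pem" originalcaserver.company.com || true
  rm -rf "$WORK"
}

main
```

To run the same check against a real installation, export PEM files first and feed them to check_pair: keytool -exportcert -rfc -keystore tomcat.jks -alias <alias> for the server certificate, openssl pkcs12 -in superadmin.p12 -nokeys -clcerts for the client certificate, and keytool -exportcert -rfc -keystore <truststore> -alias <ca-alias> for the CA the server trusts (the alias names and truststore path depend on the installation and are not given in the thread). Return code 2 on a client certificate that was issued by the old server's CA is the signature of the tomcat.jks/superadmin.p12 mismatch discussed above, and the cure in the thread was to put the right CA into the Java truststore with ant javatruststore rather than to re-issue anything.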