From: Ejbca S. <ejb...@pr...> - 2009-09-21 14:31:42
|
Hi, You don't say which versions of EJBCA and ExtRA you use. 1) It you use debug logging there might be interesting information surrounding your error. For example does it happen for the createOrEdituserRequest() or the PKCS10Request()? 2) the same here with debug logs, it would show exactly when the error happns. I don't think there can be an issue with mixing up names and Ids. Does the myra user have access to the needed RA functions in the administrator group? Regards, Tomas ----- PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se or contact in...@pr... for more information. http://www.primekey.se/Services/Support/ http://www.primekey.se/Services/Training/ cristinapro wrote: > Hi, > > We have a PKI structure like: > > -CA: AdminCA1 > -RA: myra - end entity with certificate issued by AdminCA1 > -RA Administrator Group with RA Administrator Role, AuthorizedCA = AdminCA1 > and access to /ca/AdminCA1 and /administrator resources > -myra end entity is added to the above administrator group > > We use External RA API and signing with the myra certificate. We have 2 > complementary errors: > > 1)When processing a BD message with 2 submessages: > - PKCS10Request() > - createOrEdituserRequest() > > we got a strange error message: CA 'AdminCA1' doesn't exists. > > 2)If endentity was created by myra user from Admin Interface but call to > revoke is made via ext ra messaging for a message like: RevocationRequest() > > we got another error message: Administrator not authorized to CA -1688117755 > that existing user test_ra:32 was created with. > > Actually AdminCA1 has the id=1688117755. > Is it possible that the Extra api uses name [AdminCA1] and EJBCA CA - RA > service processor uses Id-s [1688117755 ] for CA identification? > Is it a missconfiguration of CA or RA endentity? > > Best Regards, > Cristina > |