From: datadudewayne <dat...@ya...> - 2010-02-01 23:13:58
An update: I used the AdminCA1 CA to sign an end user certificate and I can administer the box, but if I use one of the CAs I have created it still does not work. This could still point to the truststore, but it has to be using the same truststore for all CAs. I am leaning towards the fact that there is something going on with the CAs that I have created. What might I have missed there? One thing I noticed too was the request looked different when I created the certificate file: it installed directly to the browser vs. just downloading. It also only had two options for key length (high grade, medium grade). So there are differences somewhere.

datadudewayne wrote:
>
> I did use a custom profile based on the ENDUSER profile. I am assuming you
> are referring to the extended key usage parameter "Client Authentication"
> with the "SSL Client Authentication" reference? If so that is highlighted,
> so I am assuming that means activated. I will create one based directly
> off the ENDUSER profile just to take that out of the equation.
>
> I am not sure why there would be, or you would expect there to be, an issue
> with the truststore when I am using the LiveCD that was downloaded off the
> community site. Are there any known issues with this being loaded/booted
> into a VM environment? I saw that it required 1.5G of memory, which we
> provided to that VM.
>
>
> Johan Eklund wrote:
>>
>> Hi again,
>>
>> The error code means that you don't have a client certificate that
>> matches the one on the server side.. So it could be a truststore issue
>> as discussed below.. or it could be that there is something wrong with
>> the client cert..
>>
>> How did you issue the client certificate? Did you use a custom
>> certificate profile without "SSL Client Authentication" extended key
>> usage? You can use the "openssl x509 -in cert-file.pem -inform PEM -text"
>> command to view the certificates and compare the one you are using with
>> the superadmin certificate.
>>
>> Best Regards,
>> Johan
>>
>> datadudewayne skrev:
>>> Hi Johan,
>>>
>>> Well, I did notice that the truststore.jks file in the
>>> .../jboss/server/default/conf/keystores dir gets set to root as owner
>>> every time I run that 'sudo -Dca...' command. I change it back and
>>> restart jboss but it doesn't help. I did try your suggestion on the
>>> chown -R but still same results. Only cert that seems to work is the
>>> superadmin.
>>>
>>> The -12227 error is only thrown up on a windows box; on a linux box it
>>> just says 'peer unable to negotiate acceptable security params'.
>>>
>>> grrr.. thought eval with LiveCD would go smoother, a little frustrating.
>>>
>>> I appreciate any other suggestions
>>>
>>> Regards,
>>> Wayne
>>>
>>>
>>> Johan Eklund wrote:
>>>
>>>> Hi datadudewayne,
>>>>
>>>> Sorry, but the tutorial (video) is getting pretty out of date and should
>>>> be replaced/removed. The bundled documentation with every EJBCA release
>>>> is always accurate. From EJBCA 3.8 (I think) there is no longer such a
>>>> flag. It's recommended to match with the certificate serial number of
>>>> the certificate (at least in production). But the error you see does not
>>>> seem to be an EJBCA error message, so this is still a connection problem
>>>> to JBoss.
>>>>
>>>> In the last email you used "sudo" to create the truststore and look at
>>>> it.. are you sure that there are no permission problems remaining
>>>> somewhere? You might want to "sudo chown -R ..." the whole home
>>>> directory just in case..
>>>>
>>>> Do you see any errors in the JBoss server log during startup?
>>>> (~/jboss/server/default/log/server.log)
>>>>
>>>> Best Regards,
>>>> Johan
>>>>
>>>> datadudewayne skrev:
>>>>
>>>>> One thing I noticed differently between the Tutorial and the LiveCD is
>>>>> the "Administrator Flag/option" missing from the End Entity Profile.
>>>>> Where is that or what replaced it?
>>>>>
>>>>>
>>>>> Tomas Gustavsson wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> If you get -12227 the server does not accept your certificate, which
>>>>>> means that the 'javatruststore' command was not successful. Perhaps it
>>>>>> even failed to copy it from ejbca/p12 to the JBoss directory? Compare
>>>>>> those files. You can also look at the contents of the truststore with
>>>>>> java keytool: 'keytool -list ...'.
>>>>>>
>>>>>> Permission issues are not too uncommon. We recommend that everything
>>>>>> and every operation is run as the ejbca user.
>>>>>>
>>>>>> Cheers,
>>>>>> Tomas
>>>>>> -----
>>>>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>>>>> training for EJBCA. Please see www.primekey.se or contact
>>>>>> in...@pr... for more information.
>>>>>> http://www.primekey.se/Services/Support/
>>>>>> http://www.primekey.se/Services/Training/
>>>>>>
>>>>>> datadudewayne wrote:
>>>>>>
>>>>>>> Working with the current live CD trying to figure this thing out. I
>>>>>>> have kind of followed the admin tutorials.
>>>>>>>
>>>>>>> So, where I am at, what I have done.
>>>>>>>
>>>>>>> 1. I have created a new CA other than the adminCA.
>>>>>>> 2. I have created the templates and also the administrative end entity,
>>>>>>>    set up the admin settings for xxxxxCA01 to key in on CN.
>>>>>>> 3. I went to the public page of the box and downloaded the p12 file for
>>>>>>>    that user. Installed that p12 in the browser (FF).
>>>>>>> 4. Tried to connect with that p12 installed and received error -12227.
>>>>>>> 5. Found in the FAQ that I need to update the truststore.
>>>>>>> 6. Ran "sudo ant -Dca.name="xxxxxxCA01" javatruststore" from in the
>>>>>>>    ejbca directory (failed in jboss dir). Looked as though that was
>>>>>>>    successful.
>>>>>>> 7. Restarted the jboss (/etc/init.d/jboss stop:start).
>>>>>>> 8. Tried to connect again, still same error. Noticed when jboss was
>>>>>>>    coming up that there was a permissions error for the truststore.xxx
>>>>>>>    file, was owned by root; changed that to jboss.
>>>>>>> 9. Restarted jboss again and am still getting that error when
>>>>>>>    connecting through a browser (FF) with only the p12 for the end
>>>>>>>    entity I created.
>>>>>>>
>>>>>>> Any pointers?
>>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> The Planet: dedicated and managed hosting, cloud storage, colocation
>>>>>> Stay online with enterprise data centers and the best network in the
>>>>>> business
>>>>>> Choose flexible plans and management services without long-term
>>>>>> contracts
>>>>>> Personal 24x7 support from experience hosting pros just a phone call
>>>>>> away.
>>>>>> http://p.sf.net/sfu/theplanet-com
>>>>>> _______________________________________________
>>>>>> Ejbca-develop mailing list
>>>>>> Ejb...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>>>>
>>>>>
>>>> --
>>>> PrimeKey Solutions offers a commercial EJBCA support subscription and
>>>> training for EJBCA. Please see www.primekey.se or contact
>>>> in...@pr... for more information.
>>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>>
>>>
>>
>

View this message in context: http://old.nabble.com/Noob-working-with-LIveCD-need-pointers-tp27373369p27413090.html
Sent from the EjbCA - Dev mailing list archive at Nabble.com.
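The two checks suggested in the thread (Johan's "compare the Extended Key Usage with openssl x509 -text" and Tomas's "does the server's truststore actually contain the issuing CA") can be rehearsed offline before touching a JBoss truststore. The script below is an added example and is not part of the thread or of EJBCA; it builds throwaway CAs and end-user certificates in a temp directory with plain OpenSSL. The CA and user names (AdminCA1, UserCA01, superadmin, wayne, nocli) are constructed, and `openssl verify -CAfile` stands in for the Java truststore check: a certificate that does not chain to the CA in `-CAfile` is exactly the situation where the server rejects the client certificate during the TLS handshake.

```shell
#!/bin/sh
# Added example (not from the thread): rehearse the two checks suggested above
# with throwaway keys in a temp directory. All CA and user names are constructed;
# "AdminCA1" only mirrors the name used in the thread.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA certificate, standing in for the LiveCD's AdminCA1 or a CA
# created afterwards in the admin GUI.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$1" 2>/dev/null
}

# Issue an end-user certificate from CA $1 for CN $2 with extendedKeyUsage $3.
# clientAuth is what a profile with "SSL Client Authentication" yields;
# serverAuth stands in for a profile that lacks it.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" 2>/dev/null
    printf 'extendedKeyUsage=%s\n' "$3" > "$WORK/$2.ext"
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# Johan's check: does the certificate carry the client-authentication EKU?
has_client_auth() {
    openssl x509 -in "$1" -inform PEM -noout -text \
        | grep -q 'TLS Web Client Authentication'
}

# Tomas's check in OpenSSL terms: does the user cert ($2) chain to the CA the
# server trusts ($1, i.e. what the truststore holds)?
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca AdminCA1    # its certificate is in the server truststore
make_ca UserCA01    # created later, never imported into the truststore
issue_cert AdminCA1 superadmin clientAuth
issue_cert UserCA01 wayne clientAuth
issue_cert AdminCA1 nocli serverAuth

# Report both properties for each user certificate against the AdminCA1 truststore.
for cn in superadmin wayne nocli; do
    if has_client_auth "$WORK/$cn.pem"; then eku=yes; else eku=no; fi
    if trusted_by "$WORK/AdminCA1.pem" "$WORK/$cn.pem"; then chain=yes; else chain=no; fi
    printf '%-10s clientAuth=%-3s chains-to-truststore=%s\n' "$cn" "$eku" "$chain"
done
```

Run as-is, the report shows superadmin passing both checks, wayne (issued by the un-imported UserCA01) failing only the chain check, and nocli failing only the EKU check. Either failure alone is enough for the server to refuse the client certificate, which is why comparing the working superadmin certificate with the failing one on both axes is the quickest way to tell a truststore problem from a profile problem.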