From: dominic p. <dom...@gm...> - 2012-10-10 11:00:03
Hi Tomas,

I tried after updating the EJBCA CMP configuration for RA mode and *re-deploy*. The 'ir' message exchange sequence worked fine. But a 'cr' message exchange after this failed.

Following are the commands that I executed on the cmpforopenssl cmpclient:

*Initial request:*

./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --ir --user user1 --password password --newclcert user1-cert.der --newkey user1-key.pem --subject "C=IN,CN=User1"

This command was successful and the initial client certificate was successfully received.

*Certificate request:*

./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --cr --user user1 --password password --newclcert user1-cert-new.der --newkey user1-key-new.pem --clcert user1-cert.der --key user1-key.pem

This command failed, and the following error was observed on the EJBCA side:

15:48:28,521 INFO [CmpServlet] CMP message received from: 127.0.0.1.
*15:48:28,535 ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer*
15:48:28,538 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 15

Any idea why I am getting this error?

I am just trying to test cmpforopenssl (basic CMP message exchanges) with EJBCA in RA mode. I tried client mode as nothing was working for me previously.

Regards
Dominic

On Wed, Oct 10, 2012 at 3:38 PM, Tomas Gustavsson <to...@pr...> wrote:
> Hi,
>
> You need to re-deploy after changing configuration.
>
> You also must be more detailed when asking for help. If you are using
> cmpforopenssl you need to give the command you are using, otherwise you
> may be using an invalid command and there is no way for anyone to know.
>
> Since you are playing around with both RA and Client mode, perhaps you
> should tell what you actually want to do?
>
> Cheers,
> Tomas
> -----
> PrimeKey Solutions offers commercial EJBCA and SignServer support
> subscriptions and training courses.
> Please see www.primekey.se or
> contact in...@pr... for more information.
> http://www.primekey.se/Services/Support/
> http://www.primekey.se/Services/Training/
>
>
> On 10/10/2012 05:22 PM, dominic peter wrote:
> > Hi Anders,
> >
> > Thank you very much for the reply.
> >
> > *_RA mode:_*
> >
> > I checked by updating the cmp configuration for '*RA*' mode as per the
> > link that you sent.
> > But still I am getting the same error. Following is the content of the
> > cmp.properties file,
> >
> > cmp.operationmode=ra
> > cmp.responseprotection=pbe
> > cmp.ra.authenticationsecret=password
> >
> > Am I missing something here? Is just updating the configuration file
> > enough for the configurations to take effect?
> >
> > Also can you please help me understand why I am getting the following
> > error on the EJBCA server,
> >
> > *ERROR [CrmfMessageHandler] Could not extract password from CRMF request
> > using the RegTokenPwd authentication module*
> >
> > Is this due to some missing parameters in the 'ir' message sent from
> > cmpclient?
> >
> > _*Client Mode:*_
> >
> > I also tried by configuring the EJBCA in */client mode/*. In this case,
> > the 'ir' message exchange was successful. But the 'cr' message exchange
> > failed. Following was the error message on the EJBCA server,
> >
> > *ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer*
> >
> > Any idea what is the reason for this error?
> >
> > Packet captures for both RA and client mode are attached to this mail.
> >
> > Also please help me understand the necessary initializations or any
> > other prerequisites on the cmpclient side if any for interop with EJBCA.
> >
> > Regards
> > Dominic
> >
> > On Tue, Oct 9, 2012 at 5:42 PM, ejbca-support <ejb...@pr...> wrote:
> >
> >     On 2012-10-09 13:59, dominic peter wrote:
> >     > Hi,
> >
> >     Hi Dominic,
> >
> >     > Has anyone tried to interop cmpforopenssl client with EJBCA.
> >
> >     Yes,
> >     http://www.ejbca.org/adminguide.html#Interoperability
> >
> >     >
> >     > I am trying to send an 'ir' request to EJBCA from the
> >     > cmpforopenssl client using the following command,
> >     >
> >     > ./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert myAdminCA.cacert.pem --ir --user test1 --password test1 --newclcert test1.pem --newkey test1.key --subject "C=IN,ST=KAR,L=TEST,O=TEST,OU=EN,CN=EETest1"
> >     >
> >     > I am seeing the following error on the EJBCA after sending the
> >     > 'ir' request from the client,
> >     >
> >     > 15:40:36,975 ERROR [CrmfMessageHandler] Could not extract password from CRMF request using the RegTokenPwd authentication module
> >     > 15:40:36,997 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 217.
> >     >
> >     > On the cmpclient I am seeing the following error,
> >     >
> >     > INFO: Sending Initialization Request
> >     > ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 401
> >     > 3078551176:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
> >     > 3078551176:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509
> >     > 3078551176:error:32090087:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:384:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: wrongAuthority"
> >     >
> >     > Any ideas?
> >
> >     Check configuration.
> >
> >     Cheers,
> >     Anders
> >     tech support
> >
> >     >
> >     > Thanks in advance.
> >     >
> >     > Regards
> >     >
> >     > ------------------------------------------------------------------------------
> >     > Don't let slow site performance ruin your business. Deploy New Relic APM
> >     > Deploy New Relic app performance management and know exactly
> >     > what is happening inside your Ruby, Python, PHP, Java, and .NET app
> >     > Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> >     > http://p.sf.net/sfu/newrelic-dev2dev
> >     >
> >     > _______________________________________________
> >     > Ejbca-develop mailing list
> >     > Ejb...@li...
> >     > https://lists.sourceforge.net/lists/listinfo/ejbca-develop