From: Tomas G. <to...@pr...> - 2012-10-10 15:20:01

Yeah, unless you have a very good reason why to use cr instead of ir I would not spend time digging into it. The aim with CMP is not to support every one of the 10.000 options of CMP (nobody can actually do that), but to support real world use cases and work-flows. This is why I asked the question "what you actually want to do?". If it is not a real use case, it is not so interesting for EJBCA to try to support it.

Cheers,
Tomas

On 10/10/2012 07:49 PM, ejbca-support wrote:
> On 2012-10-10 12:59, dominic peter wrote:
>> Hi Tomas,
>>
>> I tried after updating the EJBCA CMP configuration for RA mode and *re-deploy*.
>> The 'ir' message exchange sequence worked fine. But a 'cr' message exchange after this failed.
>>
>> Following are the commands that I executed on the cmpforopenssl cmpclient,
>>
>> Initial request:
>>
>> ./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --ir --user user1 --password password --newclcert user1-cert.der --newkey user1-key.pem --subject "C=IN,CN=User1"
>>
>> This command was successful and the initial client certificate was successfully received.
>>
>> Certificate request:
>>
>> ./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --cr --user user1 --password password --newclcert user1-cert-new.der --newkey user1-key-new.pem --clcert user1-cert.der --key user1-key.pem
>>
>> This command failed, and the following error was observed on the EJBCA side.
>>
>> 15:48:28,521 INFO [CmpServlet] CMP message received from: 127.0.0.1.
>> *15:48:28,535 ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer*
>> 15:48:28,538 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 15
>>
>> Any idea why I am getting this error?
>
> Debugging CMP is very difficult.
> Is there no stack trace?
> You may need to set JBoss debug-level to DEBUG.
>
> Cheers,
> Anders
> tech support
>
>>
>> I am just trying to test cmpforopenssl (basic CMP message exchanges) with EJBCA in RA mode. I tried client mode as nothing was working for me previously.
>>
>> Regards
>> Dominic
>>
>> On Wed, Oct 10, 2012 at 3:38 PM, Tomas Gustavsson <to...@pr...> wrote:
>>
>> Hi,
>>
>> You need to re-deploy after changing configuration.
>>
>> You also must be more detailed when asking for help. If you are using
>> cmpforopenssl you need to give the command you are using, otherwise you
>> may be using an invalid command and there is no way for anyone to know.
>>
>> Since you are playing around with both RA and Client mode, perhaps you
>> should tell what you actually want to do?
>>
>> Cheers,
>> Tomas
>> -----
>> PrimeKey Solutions offers commercial EJBCA and SignServer support
>> subscriptions and training courses. Please see www.primekey.se or
>> contact in...@pr... for more information.
>> http://www.primekey.se/Services/Support/
>> http://www.primekey.se/Services/Training/
>>
>>
>> On 10/10/2012 05:22 PM, dominic peter wrote:
>> > Hi Anders,
>> >
>> > Thank you very much for the reply.
>> >
>> > RA mode:
>> >
>> > I checked by updating the cmp configuration for '*RA*' mode as per the
>> > link that you sent.
>> > But still I am getting the same error. Following is the content of the
>> > cmp.properties file,
>> >
>> > cmp.operationmode=ra
>> > cmp.responseprotection=pbe
>> > cmp.ra.authenticationsecret=password
>> >
>> > Am I missing something here? Is just updating the configuration file
>> > enough for the configurations to take effect?
>> >
>> > Also can you please help me understand why I am getting the following
>> > error on the EJBCA server,
>> >
>> > *ERROR [CrmfMessageHandler] Could not extract password from CRMF request using the RegTokenPwd authentication module*
>> >
>> > Is this due to some missing parameters in the 'ir' message sent from
>> > cmpclient?
>> >
>> > Client Mode:
>> >
>> > I also tried by configuring the EJBCA in client mode. In this case,
>> > the 'ir' message exchange was successful. But the 'cr' message exchange
>> > failed. Following was the error message on the EJBCA server,
>> >
>> > *ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer*
>> >
>> > Any idea what is the reason for this error?
>> >
>> > Packet captures for both RA and client mode are attached to this mail.
>> >
>> > Also please help me understand the necessary initializations or any
>> > other prerequisites on the cmpclient side if any for interop with EJBCA.
>> >
>> > Regards
>> > Dominic
>> >
>> > On Tue, Oct 9, 2012 at 5:42 PM, ejbca-support <ejb...@pr...> wrote:
>> >
>> > On 2012-10-09 13:59, dominic peter wrote:
>> > > Hi,
>> >
>> > Hi Dominic,
>> > >
>> > > Has anyone tried to interop cmpforopenssl client with EJBCA.
>> >
>> > Yes,
>> > http://www.ejbca.org/adminguide.html#Interoperability
>> >
>> > >
>> > > I am trying to send an 'ir' request to EJBCA from the cmpforopenssl client using the following command,
>> > >
>> > > ./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert myAdminCA.cacert.pem --ir --user test1 --password test1 --newclcert test1.pem --newkey test1.key --subject "C=IN,ST=KAR,L=TEST,O=TEST,OU=
>> > > EN,CN=EETest1"
>> > >
>> > > I am seeing the following error on the EJBCA after sending the 'ir' request from the client,
>> > >
>> > > 15:40:36,975 ERROR [CrmfMessageHandler] Could not extract password from CRMF request using the RegTokenPwd authentication module
>> > > 15:40:36,997 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 217.
>> > >
>> > > On the cmpclient I am seeing the following error,
>> > >
>> > > INFO: Sending Initialization Request
>> > > ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 401
>> > > 3078551176:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
>> > > 3078551176:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509
>> > > 3078551176:error:32090087:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:384:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: wrongAuthority"
>> > >
>> > > Any ideas?
>> >
>> > Check configuration.
>> >
>> > Cheers,
>> > Anders
>> > tech support
>> >
>> > >
>> > > Thanks in advance.
>> > >
>> > > Regards
>> > >
>> > > ------------------------------------------------------------------------------
>> > > Don't let slow site performance ruin your business. Deploy New Relic APM
>> > > Deploy New Relic app performance management and know exactly
>> > > what is happening inside your Ruby, Python, PHP, Java, and .NET app
>> > > Try New Relic at no cost today and get our sweet Data Nerd shirt too!
>> > > http://p.sf.net/sfu/newrelic-dev2dev
>> > > _______________________________________________
>> > > Ejbca-develop mailing list
>> > > Ejb...@li...
>> > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
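
Added illustration, not part of the thread and not EJBCA or cmpforopenssl code: the password-based MAC from RFC 4210 section 5.1.3.1, which is the kind of protection a shared secret such as `cmp.ra.authenticationsecret` is checked against when PBE protection is used. The salt, iteration count, message bytes and function names are constructed for the example; a real verifier takes the salt, iteration count and algorithms from the message's PBMParameter and MACs the DER-encoded header and body.

```python
import hashlib
import hmac


def pbm_base_key(secret: bytes, salt: bytes, iterations: int, owf: str = "sha1") -> bytes:
    """Derive the MAC key: apply the one-way function iterationCount
    times, starting from secret || salt (RFC 4210 section 5.1.3.1)."""
    if iterations < 1:
        raise ValueError("iterationCount must be at least 1")
    key = secret + salt
    for _ in range(iterations):
        key = hashlib.new(owf, key).digest()
    return key


def pbm_protect(secret: bytes, salt: bytes, iterations: int, protected_part: bytes) -> bytes:
    """Compute the protection value: HMAC-SHA1 over the protected bytes."""
    key = pbm_base_key(secret, salt, iterations)
    return hmac.new(key, protected_part, hashlib.sha1).digest()


def pbm_verify(secret: bytes, salt: bytes, iterations: int,
               protected_part: bytes, protection: bytes) -> bool:
    """Receiver side: recompute with the locally configured secret and
    compare in constant time."""
    expected = pbm_protect(secret, salt, iterations, protected_part)
    return hmac.compare_digest(expected, protection)


# Constructed sample values (hypothetical, not taken from the packet captures).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 567
PROTECTED_PART = b"stand-in for the DER-encoded PKIHeader and PKIBody"
CLIENT_PROTECTION = pbm_protect(b"password", SALT, ITERATIONS, PROTECTED_PART)


def demo() -> dict:
    """Verify the sample message under three receiver-side conditions."""
    return {
        "matching_secret": pbm_verify(b"password", SALT, ITERATIONS,
                                      PROTECTED_PART, CLIENT_PROTECTION),
        "wrong_secret": pbm_verify(b"passw0rd", SALT, ITERATIONS,
                                   PROTECTED_PART, CLIENT_PROTECTION),
        "tampered_body": pbm_verify(b"password", SALT, ITERATIONS,
                                    PROTECTED_PART + b"x", CLIENT_PROTECTION),
    }


if __name__ == "__main__":
    print(demo())
```

Verification succeeds only when both sides hold the same secret and the protected bytes are unchanged.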