From: Tomas G. <to...@pr...> - 2012-10-13 10:59:17

Hi Peter,

CMP is quite complex and usually needs different configuration for different use cases. All use cases so far use different CMP options and ways of operating. We are supporting several different types in EJBCA like different card management systems, 3GPP/LTE networks and various custom apps. Investigating for a new use case will be a bit time consuming. We (meaning PrimeKey) do not have time to spend a few hours on this right now. If you like you can contact me off-line if you want to dive deeper into the secrets of CMP.

From the CMP guide at http://www.ejbca.org/adminguide.html#CMP you can see that 4 and 5 in your list below are not currently supported by EJBCA. We have to date not seen any request for those. Announcements from the CA are a limited use case since it requires the client to act as a server, which is probably why it is not used in any application we have seen.

Cheers,
Tomas

On 10/11/2012 05:22 PM, dominic peter wrote:
> Hi Tomas,
>
> I am planning to use cmpforopenssl CMPv2 client on an End Entity. And I want to test the following scenarios on the End Entity. For testing the following scenarios, I have configured the EJBCA CMP in the client mode.
>
> 1) Get an initial client certificate from the CA
> 2) Request for a new certificate (eg. upon certificate expiry etc.,)
> 3) Update the client key
> 4) Get CRL update announcements
> 5) Get CA key update announcements etc.,
>
> I assume that for scenario (1) 'IR' request can be used and for scenarios (2) and (3) 'KUR' request can be used. Am I correct?
>
> Using the following cmpclient command I was able to get the initial client certificate,
>
> ./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --ir --user user1 --password password --newclcert user1-cert.der --newkey user1-key.pem --subject "C=SE,CN=user1"
>
> This command was successful and initial client certificate was received successfully.
>
> After this I tried to update the client key/get a new certificate using the following command,
>
> ./cmpclient --kur --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --key user1-key.pem --newkey user1-key-new.pem --clcert user1-cert.der --newclcert user1-cert-new.der
>
> But this command failed, I saw the following log messages on the server,
>
> 13:06:23,957 INFO [CmpServlet] CMP message received from: 127.0.0.1.
> 13:06:23,999 INFO [EndEntityCertificateAuthenticationModule] Admin user1 not authorized to resource /ca/-1688117755
> 13:06:23,999 INFO [EndEntityCertificateAuthenticationModule] Admin user1 is not authorized for CA -1688117755
> 13:06:24,000 ERROR [CrmfKeyUpdateHandler] "CN=user1,C=SE" is not an authorized administrator.
> 13:06:24,003 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 46.
>
> Any idea why I am getting this error? Is this some configuration issue? I am also attaching the packet capture for the same.
>
> Regards
> Dominic
>
> On Wed, Oct 10, 2012 at 8:49 PM, Tomas Gustavsson <to...@pr...> wrote:
> >
> > Yeah, unless you have a very good reason why to use cr instead of ir I would not spend time digging into it.
> >
> > The aim with CMP is not to support every of the 10.000 options of CMP (nobody can actually do that), but to support real world use cases and work-flows. This is why I asked the question "what you actually want to do?".
> >
> > If it is not a real use case, it is not so interesting for EJBCA to try to support it.
> >
> > Cheers,
> > Tomas
> >
> > On 10/10/2012 07:49 PM, ejbca-support wrote:
> > > On 2012-10-10 12:59, dominic peter wrote:
> > > > Hi Tomas,
> > > >
> > > > I tried after updating the EJBCA CMP configuration for RA mode and re-deploy. The 'ir' message exchange sequence worked fine. But a 'cr' message exchange after this failed.
> > > >
> > > > Following are the commands that I executed on the cmpforopenssl cmpclient,
> > > >
> > > > Initial request:
> > > >
> > > > ./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --ir --user user1 --password password --newclcert user1-cert.der --newkey user1-key.pem --subject "C=IN,CN=User1"
> > > >
> > > > This command was successful and the initial client certificate was successfully received.
> > > >
> > > > Certificate request:
> > > >
> > > > ./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --cr --user user1 --password password --newclcert user1-cert-new.der --newkey user1-key-new.pem --clcert user1-cert.der --key user1-key.pem
> > > >
> > > > This command failed, and the following error was observed on the EJBCA side.
> > > >
> > > > 15:48:28,521 INFO [CmpServlet] CMP message received from: 127.0.0.1.
> > > > 15:48:28,535 ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer
> > > > 15:48:28,538 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 15
> > > >
> > > > Any idea why I am getting this error?
> > >
> > > Debugging CMP is very difficult.
> > > Is there no stack trace?
> > > You may need to set JBoss debug-level to DEBUG.
> > >
> > > Cheers,
> > > Anders
> > > tech support
> > >
> > > > I am just trying to test cmpforopenssl (basic CMP message exchanges) with EJBCA in RA mode. I tried client mode as nothing was working for me previously.
> > > >
> > > > Regards
> > > > Dominic
> > > >
> > > > On Wed, Oct 10, 2012 at 3:38 PM, Tomas Gustavsson <to...@pr...> wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > You need to re-deploy after changing configuration.
> > > > >
> > > > > You also must be more detailed when asking for help. If you are using cmpforopenssl you need to give the command you are using, otherwise you may be using an invalid command and there is no way for anyone to know.
> > > > >
> > > > > Since you are playing around with both RA and Client mode, perhaps you should tell what you actually want to do?
> > > > >
> > > > > Cheers,
> > > > > Tomas
> > > > > -----
> > > > > PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact in...@pr... for more information.
> > > > > http://www.primekey.se/Services/Support/
> > > > > http://www.primekey.se/Services/Training/
> > > > >
> > > > > On 10/10/2012 05:22 PM, dominic peter wrote:
> > > > > > Hi Anders,
> > > > > >
> > > > > > Thank you very much for the reply.
> > > > > >
> > > > > > RA mode:
> > > > > >
> > > > > > I checked by updating the cmp configuration for 'RA' mode as per the link that you sent. But still I am getting the same error. Following is the content of the cmp.properties file,
> > > > > >
> > > > > > cmp.operationmode=ra
> > > > > > cmp.responseprotection=pbe
> > > > > > cmp.ra.authenticationsecret=password
> > > > > >
> > > > > > Am I missing something here? Is just updating the configuration file enough for the configurations to take effect?
> > > > > >
> > > > > > Also can you please help me understand why I am getting the following error on the EJBCA server,
> > > > > >
> > > > > > ERROR [CrmfMessageHandler] Could not extract password from CRMF request using the RegTokenPwd authentication module
> > > > > >
> > > > > > Is this due to some missing parameters in the 'ir' message sent from cmpclient?
> > > > > >
> > > > > > Client Mode:
> > > > > >
> > > > > > I also tried by configuring the EJBCA in client mode. In this case, the 'ir' message exchange was successful. But the 'cr' message exchange failed. Following was the error message on the EJBCA server,
> > > > > >
> > > > > > ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer
> > > > > >
> > > > > > Any idea what is the reason for this error?
> > > > > >
> > > > > > Packet captures for both RA and client mode are attached to this mail.
> > > > > >
> > > > > > Also please help me understand the necessary initializations or any other prerequisites on the cmpclient side, if any, for interop with EJBCA.
> > > > > >
> > > > > > Regards
> > > > > > Dominic
> > > > > >
> > > > > > On Tue, Oct 9, 2012 at 5:42 PM, ejbca-support <ejb...@pr...> wrote:
> > > > > > >
> > > > > > > On 2012-10-09 13:59, dominic peter wrote:
> > > > > > > > Hi,
> > > > > > >
> > > > > > > Hi Dominic,
> > > > > > >
> > > > > > > > Has anyone tried to interop cmpforopenssl client with EJBCA.
> > > > > > >
> > > > > > > Yes,
> > > > > > > http://www.ejbca.org/adminguide.html#Interoperability
> > > > > > >
> > > > > > > > I am trying to send an 'ir' request to EJBCA from the cmpforopenssl client using the following command,
> > > > > > > >
> > > > > > > > ./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert myAdminCA.cacert.pem --ir --user test1 --password test1 --newclcert test1.pem --newkey test1.key --subject "C=IN,ST=KAR,L=TEST,O=TEST,OU=EN,CN=EETest1"
> > > > > > > >
> > > > > > > > I am seeing the following error on the EJBCA after sending the 'ir' request from the client,
> > > > > > > >
> > > > > > > > 15:40:36,975 ERROR [CrmfMessageHandler] Could not extract password from CRMF request using the RegTokenPwd authentication module
> > > > > > > > 15:40:36,997 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 217.
> > > > > > > >
> > > > > > > > On the cmpclient I am seeing the following error,
> > > > > > > >
> > > > > > > > INFO: Sending Initialization Request
> > > > > > > > ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 401
> > > > > > > > 3078551176:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
> > > > > > > > 3078551176:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509
> > > > > > > > 3078551176:error:32090087:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:384:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: wrongAuthority"
> > > > > > > >
> > > > > > > > Any ideas?
> > > > > > >
> > > > > > > Check configuration.
> > > > > > >
> > > > > > > Cheers,
> > > > > > > Anders
> > > > > > > tech support
> > > > > > >
> > > > > > > > Thanks in advance.
> > > > > > > >
> > > > > > > > Regards

_______________________________________________
Ejbca-develop mailing list
Ejb...@li...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop
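As an added example for readers of this thread (it is not code from the list, from EJBCA or from cmpforopenssl), the Python below triages the two kinds of output quoted above: it groups EJBCA `CmpServlet` log lines into per-request transactions bounded by "CMP message received from" and "Sent a CMP response to", tags the failure signatures that appear in the thread (the RegTokenPwd password error, the `CmpPbeVerifyer` error and the KUR "not an authorized administrator" rejection), counts rejected transactions per source address, and extracts the `PKIStatus`/`PKIFailureInfo` the CA actually returned from a cmpforopenssl error line. The sample log is constructed from the quoted lines (the `10.0.0.5` request and its surrounding servlet lines are made up), the failure labels are my own names rather than EJBCA identifiers, and the body-type table is taken from the RFC 4210 `PKIBody` CHOICE tags.

```python
import re
from collections import Counter

# Constructed sample, modelled on the EJBCA server lines quoted in the thread.
# The 10.0.0.5 transaction and its CmpServlet framing lines are invented.
SAMPLE_EJBCA_LOG = """\
13:06:23,957 INFO [CmpServlet] CMP message received from: 127.0.0.1.
13:06:23,999 INFO [EndEntityCertificateAuthenticationModule] Admin user1 not authorized to resource /ca/-1688117755
13:06:23,999 INFO [EndEntityCertificateAuthenticationModule] Admin user1 is not authorized for CA -1688117755
13:06:24,000 ERROR [CrmfKeyUpdateHandler] "CN=user1,C=SE" is not an authorized administrator.
13:06:24,003 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 46.
15:40:36,900 INFO [CmpServlet] CMP message received from: 10.0.0.5.
15:40:36,975 ERROR [CrmfMessageHandler] Could not extract password from CRMF request using the RegTokenPwd authentication module
15:40:36,997 INFO [CmpServlet] Sent a CMP response to: 10.0.0.5, process time 217.
15:48:28,521 INFO [CmpServlet] CMP message received from: 127.0.0.1.
15:48:28,535 ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer
15:48:28,538 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 15
"""

# cmpforopenssl error line as quoted in the thread (thread id prefix kept verbatim).
SAMPLE_CMPCLIENT_ERROR = (
    '3078551176:error:32090087:CMP routines:CMP_doInitialRequestSeq:pkibody '
    'error:cmp_ses.c:384:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: wrongAuthority"'
)

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d,\d{3}) (?P<level>INFO|WARN|ERROR)\s+"
    r"\[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
IPV4 = r"\d+(?:\.\d+){3}"
RECV_RE = re.compile(rf"CMP message received from: (?P<ip>{IPV4})")
SENT_RE = re.compile(rf"Sent a CMP response to: (?P<ip>{IPV4}), process time (?P<ms>\d+)")

# Failure signatures seen in the thread: (logger, substring of message, my label).
FAILURE_SIGNATURES = (
    ("CrmfMessageHandler", "RegTokenPwd authentication module", "regtoken-password-missing"),
    ("CrmfMessageHandler", "Could not create CmpPbeVerifyer", "pbe-verifier-failed"),
    ("EndEntityCertificateAuthenticationModule", "is not authorized for CA", "signer-not-authorized-for-ca"),
    ("CrmfKeyUpdateHandler", "not an authorized administrator", "kur-signer-not-authorized"),
)

# RFC 4210 PKIBody tags for the message types discussed in the thread; crlann and
# ckuann are the announcement types Tomas says EJBCA does not support.
PKI_BODY_TYPES = {0: "ir", 1: "ip", 2: "cr", 3: "cp", 7: "kur", 8: "kup",
                  15: "ckuann", 18: "crlann", 23: "error"}

OPENSSL_CMP_RE = re.compile(
    r'bodytype=(?P<bodytype>\d+), error="PKIStatus: (?P<status>[^,]+), '
    r'PKIFailureInfo: (?P<failinfo>[^"]+)"'
)


def classify(logger, msg):
    """Return the failure label for a log line, or None if it is not a known failure."""
    for sig_logger, needle, label in FAILURE_SIGNATURES:
        if logger == sig_logger and needle in msg:
            return label
    return None


def parse_transactions(log_text):
    """Group lines between 'received from' and 'Sent a CMP response' into transactions.

    Each transaction records the client address, start time, the failure labels
    hit while handling the request and the server-reported processing time.
    """
    transactions, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a CMP-related line in the expected layout
        logger, msg = m["logger"], m["msg"]
        recv = RECV_RE.search(msg)
        if recv:
            current = {"source": recv["ip"], "start": m["time"], "failures": [], "process_ms": None}
            transactions.append(current)
            continue
        if current is None:
            continue  # line outside any request/response pair
        label = classify(logger, msg)
        if label:
            current["failures"].append(label)
        sent = SENT_RE.search(msg)
        if sent:
            current["process_ms"] = int(sent["ms"])
            current = None  # response sent: transaction closed
    return transactions


def failures_by_source(transactions):
    """Count rejected CMP transactions per client address, an operator's triage view."""
    counts = Counter(t["source"] for t in transactions if t["failures"])
    return dict(counts)


def parse_cmpclient_error(line):
    """Extract the CA's answer (body type, PKIStatus, PKIFailureInfo) from a cmpclient error line."""
    m = OPENSSL_CMP_RE.search(line)
    if not m:
        return None
    body = int(m["bodytype"])
    return {"body": PKI_BODY_TYPES.get(body, f"unknown({body})"),
            "status": m["status"], "failure_info": m["failinfo"]}


if __name__ == "__main__":
    for tx in parse_transactions(SAMPLE_EJBCA_LOG):
        print(tx)
    print(failures_by_source(parse_transactions(SAMPLE_EJBCA_LOG)))
    print(parse_cmpclient_error(SAMPLE_CMPCLIENT_ERROR))
```

The per-transaction view matters on the CA side because the same servlet log interleaves a misconfigured test client with any genuinely unauthorized request: a KUR whose signing certificate is not authorized for the target CA is exactly the event an operator wants counted per source rather than buried between INFO lines. On the client side, the last OpenSSL error line carries the CA's actual verdict (`PKIStatus: rejection`, `PKIFailureInfo: wrongAuthority`), which is far more specific than the "received no initial Client Certificate" summary printed above it.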