From: Juan C. <ju...@re...> - 2013-01-09 11:49:34

You are a lucky guy! Yesterday I spent 2 hours reading the installation instructions and in 1 hour I got the OCSP working on the first attempt (weird in the systems world!). I wrote down all the steps to replicate the installation in another environment.

Here are the steps done (assuming you have done the JBoss and EJBCA installation properly):

ON OCSP NODE 1 and 2
====================

1- DB Creation

    mysql> create database ejbca;
    mysql> create user ejbca;
    mysql> grant all on ejbca.* to 'ejbca'@'%' identified by 'ejbca';
    mysql> grant all on ejbca.* to 'ejbca'@'localhost' identified by 'ejbca';
    mysql> flush privileges;

2- Edit properties files

    $ cd
    $ mkdir -p ejbca-custom/conf
    $ cp ejbca/conf/ejbca.properties.sample ejbca-custom/conf/ejbca.properties
    $ vi ejbca-custom/conf/ejbca.properties
        appserver.home=/home/jboss/jboss
        ejbca.productionmode=ocsp

    $ cp ejbca/conf/database.properties.sample ejbca-custom/conf/database.properties
    $ vi ejbca-custom/conf/database.properties
        datasource.jndi-name=EjbcaDS
        database.name=mysql
        database.url=jdbc:mysql://localhost:3306/ejbca
        database.driver=com.mysql.jdbc.Driver
        database.username=ejbca
        database.password=ejbca

    $ cp ejbca/conf/ocsp.properties.sample ejbca-custom/conf/ocsp.properties
    $ vi ejbca-custom/conf/ocsp.properties
        ocsp.defaultresponder=CN=ocsp.example.com,L=Buenos Aires,C=AR
        ocsp.restrictsignatures=true
        ocsp.restrictsignaturesbymethod=issuer
        ocsp.signtrustdir=/home/jboss/ejbca/cas
        ocsp.signtrustvalidtime=1800
        ocsp.keys.dir=/home/jboss/ejbca/keys
        ocsp.keys.storePassword=ejbca
        ocsp.keys.keyPassword=ejbca

    $ mkdir /home/jboss/ejbca/keys
    $ mkdir /home/jboss/ejbca/cas

    $ cp ejbca/conf/web.properties.sample ejbca-custom/conf/web.properties
    $ vi ejbca-custom/conf/web.properties
        httpsserver.hostname=ocsp.buenosaires.gob.ar
        httpsserver.dn=CN=${httpsserver.hostname},L=Buenos Aires,C=AR

3- Create cert for OCSP

a) Create a User Profile (OCSP)
   - From Admin CA Web Console
   - Go to Edit End Entity Profiles
   - Write OCSP in the Add Profile edit box and press Add
   - Select OCSP from the list and press Edit End Entity Profile
   - Select OCSPSIGNER as Default Certificate Profile
   - In Available Certificate Profiles choose OCSPSIGNER
   - In Available CAs select what you want
   - In Default Token select P12 file (I will use soft tokens)
   - In Available Tokens select p12, jks and pem
   - Save

b) Create a user with this new profile
   - From Admin CA Web Console
   - Go to Add End Entity
   - Select OCSP as End Entity profile
   - username: ocsp
   - password: ejbca
   - CN: ocsp.example.com
   - Certificate Profile: OCSPSIGNER
   - Token: P12 file
   - Add

c) Generate the cert
   - From the Public CA web
   - Create Browser Certificate
   - login ocsp/ejbca
   - Select 2048 bits for key length
   - P12 as token
   - Gen cert

4- Install the cert in OCSP
   - Copy the generated cert to /home/jboss/ejbca/keys
   - Copy the CA cert (PEM format) to /home/jboss/ejbca/cas

5- Build

    $ cd
    $ cd ejbca
    $ ant bootstrap
    # service jboss start
    $ ant install
    # service jboss stop
    $ ant va-deploy
    # service jboss start

IN THE CA
=========

1- Config VA-PUBLISHER

    $ cp ejbca/conf/va-publisher.properties.sample ejbca-custom/conf/va-publisher.properties
    $ vi ejbca-custom/conf/va-publisher.properties
        ocsp-datasource.jndi-name=OcspDS
        ocsp-database.url=jdbc:mysql://ocsp1.example.com:3306/ejbca
        ocsp-database.driver=com.mysql.jdbc.Driver
        ocsp-database.username=ejbca
        ocsp-database.password=ejbca

2- Deploy changes

    $ ant deploy

(If you have more than 1 OCSP)

    $ cp $JBOSS_HOME/server/default/deploy/ocsp-ds.xml $JBOSS_HOME/server/default/deploy/ocsp2-ds.xml
    $ vi $JBOSS_HOME/server/default/deploy/ocsp2-ds.xml
        <jndi-name>Ocsp2DS</jndi-name>
        <connection-url>jdbc:mysql://ocsp2.example.com:3306/ejbca</connection-url>

   This adds the DS for OCSP-2.

3- Create Publisher
   In the CA you should add as many publishers as OCSP responders you have.
   - From Admin CA Web Console
   - Go to Edit Publishers
   - Enter name OCSPX (where X is the OCSP number) and press Add
   - Select the publisher and press Edit Publisher
   - Select Publisher Type as Validation Authority Publisher
   - Select "No direct publishing, only use queue", "Use queue for CRLs", "Use queue for certificates"
   - Save

4- Attach the publisher to the profiles
   - From Admin CA Web Console
   - Edit Certificate Profile
   - Select your profile
   - Press Edit
   - In Publishers select OCSPX (all X)
   - Save

5- Create/Modify Publishing Service
   - From Admin CA Web Console
   - Go to Edit Services
   - Enter name Re-Publisher
   - Press Add
   - Select Re-Publisher and press Edit
   - Select Publish Queue Process Service
   - Select all queues
   - Period: 2 minutes
   - Check Active
   - Save

DB Migration baseline
=====================

On CA DB node

    # mysqldump -p --compress ejbca CertificateData > CertificateData.dat
    # mysqldump -p --compress ejbca CRLData > CRLData.dat
    # cat CertificateData.dat | mysql -h ocsp1 -u ejbca -D ejbca -p
    # cat CRLData.dat | mysql -h ocsp1 -u ejbca -D ejbca -p

TEST
====

I tested with this command:

    $ openssl ocsp -url http://ocsp1.example.com:8080/ejbca/publicweb/status/ocsp -issuer CA.cacert.pem -cert user.pem

2013/1/9 M.G.R <mg....@ni...>
>
> While requesting validation of the certificate issued by an external CA using the
> openssl OCSP client, the following error shows on the OCSP server side:
>
> ERROR [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1)
> Error processing OCSP request. Message: java.lang.RuntimeException:
> java.lang.NullPointerException.
>
> &
>
> The following error shows on the client side:
>
> Error querying OCSP responder
>
> Is there any way to trace the problem? Please help me.
>
> Thanks in advance.
>
> --
> View this message in context:
> http://old.nabble.com/Error-in-the-OCSP-Responder-tp34877232p34877232.html
> Sent from the EjbCA - Dev mailing list archive at Nabble.com.
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>

--
Juan Caracoche | Business Developer
jua...@re...
Mobile: +54.911.4198.8941
www.redb.ee
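The `openssl ocsp` test at the end of the post and the "Error querying OCSP responder" message in the quoted question both hide the one field that tells a defender what actually happened: the responseStatus the responder returned (unauthorized when the responder has no signing key trusted for that issuer, internalError when the server-side request handling blew up, and so on). The following script is an added example, not code from the post or from EJBCA. It builds the same single-CertID OCSPRequest that `openssl ocsp` sends (RFC 6960 section 4.1.1), with hand-rolled DER so it needs only the Python standard library, and decodes just enough of the raw OCSPResponse to name its responseStatus. All function names are this example's own; the sample issuer Name DER and public-key bits in `__main__` are constructed placeholders, and in practice they are taken from the issuer certificate (the DER of its subject Name and the contents of its subjectPublicKey BIT STRING without the unused-bits byte).

```python
import base64
import hashlib
import urllib.parse
import urllib.request

# --- minimal DER encoding helpers, only what the RFC 6960 request needs ---

def der_len(n):
    """DER length octets for a content length n (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """Tag-length-value for a single DER element."""
    return bytes([tag]) + der_len(len(content)) + content

def der_seq(*items):
    """DER SEQUENCE of the already-encoded items."""
    return der(0x30, b"".join(items))

def der_int(n):
    """DER INTEGER for a non-negative n (serial numbers)."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # leading 1 bit would read as negative
        body = b"\x00" + body
    return der(0x02, body)

SHA1_OID = bytes.fromhex("2b0e03021a")   # 1.3.14.3.2.26 (id-sha1), as in openssl ocsp

def build_ocsp_request(issuer_name_der, issuer_key_bits, serial):
    """OCSPRequest with one Request/CertID, no extensions, no signature.

    issuer_name_der: DER of the issuer's Name (taken from the CA certificate).
    issuer_key_bits: issuer subjectPublicKey BIT STRING value, without tag,
                     length and unused-bits byte (RFC 6960 section 4.1.1).
    serial: serial number of the certificate whose status is requested.
    """
    cert_id = der_seq(
        der_seq(der(0x06, SHA1_OID), der(0x05, b"")),       # AlgorithmIdentifier: sha1, NULL
        der(0x04, hashlib.sha1(issuer_name_der).digest()),  # issuerNameHash
        der(0x04, hashlib.sha1(issuer_key_bits).digest()),  # issuerKeyHash
        der_int(serial),                                    # serialNumber
    )
    request = der_seq(cert_id)            # Request { reqCert }
    tbs = der_seq(der_seq(request))       # TBSRequest { requestList SEQUENCE OF Request }
    return der_seq(tbs)                   # OCSPRequest { tbsRequest }

def ocsp_get_url(responder_url, request_der):
    """GET form from RFC 6960 Appendix A.1: {url}/{urlencode(base64(DER))}."""
    b64 = base64.b64encode(request_der).decode("ascii")
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")

def post_ocsp_request(responder_url, request_der, timeout=10):
    """POST form (what openssl ocsp uses); returns the raw OCSPResponse DER."""
    req = urllib.request.Request(responder_url, data=request_der, method="POST",
                                 headers={"Content-Type": "application/ocsp-request"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

# --- decode just enough of OCSPResponse to read responseStatus ---

STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def _read_header(buf, pos):
    """Return (tag, content_length, content_offset) of the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                         # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, length, pos

def response_status(response_der):
    """OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] OPTIONAL }."""
    tag, _, pos = _read_header(response_der, 0)
    if tag != 0x30:
        raise ValueError("not an OCSPResponse SEQUENCE")
    tag, length, pos = _read_header(response_der, pos)
    if tag != 0x0A:
        raise ValueError("responseStatus ENUMERATED missing")
    value = int.from_bytes(response_der[pos:pos + length], "big")
    return STATUS_NAMES.get(value, "unknown(%d)" % value)

if __name__ == "__main__":
    # Constructed placeholders; real values come from the issuer certificate.
    name_der = b"\x30\x00"          # an empty Name, for demonstration only
    key_bits = b"\x00" * 32
    req = build_ocsp_request(name_der, key_bits, 0x1234)
    print(ocsp_get_url("http://ocsp1.example.com:8080/ejbca/publicweb/status/ocsp", req))
    print(response_status(bytes.fromhex("30030a0106")))   # a constructed "unauthorized" response
```

With a real issuer certificate, `post_ocsp_request(url, req)` returns the responder's DER and `response_status` on it separates "the responder refused this issuer" (unauthorized, which on an EJBCA VA points at the signing key and the cas directory configured through ocsp.signtrustdir) from "the responder failed internally" (internalError, matching a stack trace in the server log) before any signature checking is attempted.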