From: Michael S. <mi...@st...> - 2014-11-27 12:30:35
Tomas Gustavsson <to...@pr...> wrote:
> CA certificates are loaded (by type) at startup. The responder will log
> during startup which CA certificates it finds. The hashes are calculated
> and looked up in this cache (which is refreshed now and then), so no db
> lookup for hashes.

How can I see which issuer name/key hashes are currently in the cache?

If I hit [Clear All Caches] is there a forced re-load of the OCSP responder's cache?

It seems the CAs are loaded (see below) but it does not work. I've initialized completely with ejbca.sh (see below). But in the adminweb the links from the OCSPKeyBinding to the CA cert and the OCSP responder cert result in 404. The Crypto Token does work when hitting [Test].

I can easily send the log_statement output of the postgresql DB server if that would help.

Ciao, Michael.

--------------------------- setup commands ---------------------------

cd /opt/ejbca
ant clientToolBox
/opt/ejbca/bin/ejbca.sh ca importcacert --caname Interims-CA -f /opt/ejbca/p12/Interims-CA.crt
/opt/ejbca/bin/ejbca.sh ca importcert --caname Interims-CA -f /opt/ejbca/p12/superadmin.crt --username superadmin --password null -a ACTIVE --certprofile ENDUSER --eeprofile EMPTY
/opt/ejbca/bin/ejbca.sh roles addadmin --role "Super Administrator Role" --caname "Interims-CA" --with WITH_COMMONNAME --type TYPE_EQUALCASE --value "SuperAdmin"
/opt/ejbca/bin/ejbca.sh ca importcacert --caname CA_Test-Root-CA-1-2014-10 -f p12/TestRootCA1201410.cacert.pem
/opt/ejbca/bin/ejbca.sh ca importcacert --caname CA_Test-Admin-CA-1-2014-10 -f p12/TestAdminCA1201410.pem
/opt/ejbca/bin/ejbca.sh ca importcacert --caname CA_Test-Email-CA-1-2014-10 -f p12/TestEmailCA1201410.pem
/opt/ejbca/bin/ejbca.sh ca importcacert --caname CA_Test-Server-CA-1-2014-10 -f p12/TestServerCA1201410.pem
/opt/ejbca/bin/ejbca.sh ca editca --caname CA_Test-Server-CA-1-2014-10 --field externalCdp --value 'http://vm-ejbca-ca-03.example.com:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN%3dTest+Server-CA+%231+2014-10%2cOU%3dITO%2cC%3dDE'
[..]
/opt/ejbca/bin/ejbca.sh cryptotoken create --token CT_OCSP1 --type SoftCryptoToken --autoactivate true --pin null
/opt/ejbca/bin/ejbca.sh cryptotoken generatekey --token CT_OCSP1 --alias privatesignkeyalias --keyspec 2048
/opt/ejbca/bin/ejbca.sh keybind create --name KB_OCSP_Server_1 --token CT_OCSP1 --type OcspKeyBinding --alias privatesignkeyalias --sigalg SHA1WithRSA --verbose --status ACTIVE --cert null
/opt/ejbca/bin/ejbca.sh keybind setstatus --name KB_OCSP_Server_1 -v ACTIVE
/opt/ejbca/bin/ejbca.sh keybind gencsr --name KB_OCSP_Server_1 -f /opt/ejbca/p12/KB_OCSP_Server_1.csr --verbose
/opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh EjbcaWsRaCli pkcs10req ocsp-server-ca-vm-ejbca-ocsp-01 secret p12/KB_OCSP_Server_1.csr PEM NONE /opt/ejbca/p12/
/opt/ejbca/bin/ejbca.sh keybind import --name KB_OCSP_Server_1 -f /opt/ejbca/p12/ocsp-server-ca-vm-ejbca-ocsp-01.pem --verbose

------------------------- startup log -------------------------

13:07:51,667 INFO [org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean] (MSC service thread 1-3) Initialized CA: Interims-CA, with expire time: Mon Oct 07 16:16:51 CEST 2024
13:07:51,729 INFO [org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean] (MSC service thread 1-3) Initialized CA: CA_Test-Server-CA-1-2014-10, with expire time: Fri Nov 27 10:58:12 CET 2015
13:07:51,782 INFO [org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean] (MSC service thread 1-3) Initialized CA: CA_Test-Email-CA-1-2014-10, with expire time: Fri Oct 16 14:12:58 CEST 2015
13:07:51,835 INFO [org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean] (MSC service thread 1-3) Initialized CA: CA_Test-Admin-CA-1-2014-10, with expire time: Wed Oct 14 14:27:58 CEST 2015
13:07:51,865 INFO [org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean] (MSC service thread 1-3) Initialized CA: CA_Test-Root-CA-1-2014-10, with expire time: Sun Oct 02 17:49:53 CEST 2016
13:07:51,901 INFO [org.cesecore.audit.AuditDevicesConfig] (MSC service thread 1-3) Registered audit device using implementation: org.cesecore.audit.impl.log4j.Log4jDevice
13:07:51,903 INFO [org.cesecore.audit.AuditDevicesConfig] (MSC service thread 1-3) Configured exporter AuditExporterDummy for device Log4jDevice
13:07:51,904 INFO [org.cesecore.audit.AuditDevicesConfig] (MSC service thread 1-3) Registered audit device using implementation: org.cesecore.audit.impl.integrityprotected.IntegrityProtectedDevice
13:07:51,905 INFO [org.cesecore.audit.AuditDevicesConfig] (MSC service thread 1-3) Configured exporter AuditExporterXml for device IntegrityProtectedDevice
13:07:51,916 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (MSC service thread 1-3) 2014-11-27 13:07:51+01:00;EJBCA_STARTING;SUCCESS;SERVICE;EJBCA;StartServicesServlet.init;;vm-ejbca-ocsp-01.example.com;;msg=Init, EJBCA 6.3.0Alpha (working copy) startup.
13:07:52,022 INFO [org.ejbca.ui.web.admin.configuration.StartServicesServlet] (MSC service thread 1-3) No database integrity protection available in this version of EJBCA.
13:07:52,025 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (MSC service thread 1-3) 2014-11-27 13:07:52+01:00;LOG_MANAGEMENT_CHANGE;VOID;SECURITY_AUDIT;CORE;StartServicesServlet.init;;;;msg=No integrity protected security audit logger devices configured.
13:07:52,095 INFO [org.ejbca.core.ejb.authorization.ComplexAccessControlSessionBean] (MSC service thread 1-3) Roles or CAs exist, not intializing Super Administrator Role
13:07:52,228 INFO [org.cesecore.certificates.certificate.CertificateStoreSessionBean] (MSC service thread 1-3) Custom certificate serial number not allowed since there is no unique index on (issuerDN,serialNumber) on the 'CertificateData' table.
13:07:52,258 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (MSC service thread 1-3) 2014-11-27 13:07:52+01:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;StartServicesServlet.init;;;;resource0=/
13:07:52,272 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (MSC service thread 1-3) 2014-11-27 13:07:52+01:00;SYSTEMCONF_EDIT;SUCCESS;GLOBALCONF;CORE;StartServicesServlet.init;;;;msg=Saved global configuration with id OCSP.
13:07:52,431 INFO [org.cesecore.certificates.ocsp.cache.OcspSigningCache] (MSC service thread 1-3) No default responder was defined. OCSP requests for certificates issued by unknown CAs will return "unauthorized" as per RFC6960, Section 2.3
13:07:52,443 INFO [org.jboss.web] (MSC service thread 1-3) JBAS018210: Registering web context: /ejbca/adminweb
13:07:52,449 INFO [org.jboss.as] (MSC service thread 1-1) JBAS015951: Admin console listening on http://127.0.0.1:9990
13:07:52,450 INFO [org.jboss.as] (MSC service thread 1-1) JBAS015874: JBoss AS 7.1.1.Final "Brontes" started in 16617ms - Started 2454 of 2569 services (112 services are passive or on-demand)
13:07:52,513 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS018559: Deployed "ejbca.ear"

--
Michael Ströder
Dipl.-Inform.
Klauprechtstr. 11
D-76137 Karlsruhe, Germany
Tel.: +49 721 8304316
Mobil: +49 170 2391920
E-Mail: mi...@st...
http://www.stroeder.com
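The question above is how to see which issuer name/key hashes the responder has cached. The responder matches the CertID in each OCSP request (RFC 6960, section 4.1.1) against the CAs it loaded at startup, so the practical check is to compute those two hashes yourself from the CA certificate and compare them with what the responder logs, or with what a client such as `openssl ocsp -req_text` puts in a request. The following is an added example, not code from this thread or from EJBCA: a minimal DER walker from the Python standard library that extracts the CA's subject Name and subjectPublicKey and hashes them. The CA certificate it runs on is constructed inside the block (a structurally valid X.509 DER with a toy key and dummy signature, not a real issued certificate); SHA-1 is assumed as the CertID hash algorithm because that is what most responders and clients default to, and the function accepts another algorithm name if the responder uses one.

```python
"""OCSP CertID issuer hashes (RFC 6960 section 4.1.1), standard library only.

issuerNameHash = hash(DER of the CA certificate's subject Name, whole TLV)
issuerKeyHash  = hash(subjectPublicKey BIT STRING contents, unused-bits byte dropped)
"""
import base64
import hashlib


def der_tlv(buf, pos=0):
    """Decode one DER TLV at `pos`. Returns (tag, value, whole_tlv, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first & 0x80:                       # long-form length: 0x8N then N length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    else:                                  # short-form length (< 128)
        length, hdr = first, 2
    end = pos + hdr + length
    return tag, buf[pos + hdr:end], buf[pos:end], end


def der_children(value):
    """Yield (tag, value, whole_tlv) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, whole, pos = der_tlv(value, pos)
        yield tag, inner, whole


def der(tag, value):
    """Encode one DER TLV (used only to build the constructed sample certificate)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def pem_to_der(pem):
    """Strip PEM armour and base64-decode the certificate body."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def tbs_fields(ca_der):
    """tbsCertificate fields with the optional [0] version removed, so that
    index 0 = serialNumber, 2 = issuer, 4 = subject, 5 = subjectPublicKeyInfo."""
    _, cert_body, _, _ = der_tlv(ca_der)          # Certificate ::= SEQUENCE
    _, tbs, _, _ = der_tlv(cert_body)             # tbsCertificate is its first element
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                      # EXPLICIT [0] version (v2/v3 certs)
        fields = fields[1:]
    return fields


def subject_name_der(ca_der):
    """Whole DER encoding of the CA's subject Name: the input to issuerNameHash."""
    return tbs_fields(ca_der)[4][2]


def subject_key_bytes(ca_der):
    """subjectPublicKey BIT STRING contents minus the unused-bits octet: the input to issuerKeyHash."""
    spki = tbs_fields(ca_der)[5][1]
    _algorithm, bit_string = list(der_children(spki))
    return bit_string[1][1:]


def ocsp_issuer_hashes(ca_der, hash_name="sha1"):
    """Return (issuerNameHash, issuerKeyHash) as upper-case hex. SHA-1 is assumed
    as the default CertID algorithm; pass e.g. "sha256" for responders that use it."""
    name_hash = hashlib.new(hash_name, subject_name_der(ca_der)).hexdigest()
    key_hash = hashlib.new(hash_name, subject_key_bytes(ca_der)).hexdigest()
    return name_hash.upper(), key_hash.upper()


def build_sample_ca_der():
    """CONSTRUCTED stand-in for a CA certificate: structurally valid X.509 v3 DER
    with a toy RSA key and an all-zero signature, enough to exercise the parser offline."""
    def name(cn):                                     # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        oid_cn = der(0x06, bytes.fromhex("550403"))   # id-at-commonName
        return der(0x30, der(0x31, der(0x30, oid_cn + der(0x0C, cn.encode()))))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))  # sha256WithRSAEncryption
    validity = der(0x30, der(0x17, b"141127000000Z") + der(0x17, b"241127000000Z"))
    rsa_oid = der(0x06, bytes.fromhex("2A864886F70D010101"))                # rsaEncryption
    toy_rsa_key = der(0x30, der(0x02, b"\x00\xC1" + b"\x55" * 30) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, rsa_oid + der(0x05, b"")) + der(0x03, b"\x00" + toy_rsa_key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + name("Sample Root CA") + validity + name("Sample Root CA") + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\x00" * 16))


if __name__ == "__main__":
    ca = build_sample_ca_der()                        # replace with pem_to_der(open(path).read()) for a real CA
    name_hash, key_hash = ocsp_issuer_hashes(ca)
    print("issuerNameHash (sha1):", name_hash)
    print("issuerKeyHash  (sha1):", key_hash)
```

To check a real CA, feed `pem_to_der()` the PEM file that was passed to `ca importcacert` and compare the two values with the CertID a client sends; if the responder answers "unauthorized" for a CA that the startup log says was initialized, a mismatch in either hash (or in the hash algorithm the client used) is the first thing to rule out.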