From: Michael S. <mi...@st...> - 2014-11-28 13:15:21
It turned out that this command has to be used at the *end*:

/opt/ejbca/bin/ejbca.sh keybind setstatus --name KB_OCSP_Server_1 -v ACTIVE

Ciao, Michael.

On Thu, 27 Nov 2014 13:30:10 +0100 "Michael Ströder" <mi...@st...> wrote:
> Tomas Gustavsson <to...@pr...> wrote:
> >
> > CA certificates are loaded (by type) at startup. The responder will log
> > during startup which CA certificates it finds. The hashes are calculated
> > and looked up in this cache (which is refreshed now and then), so no db
> > lookup for hashes.
>
> How can I see which issuer name/key hashes are currently in the cache?
> If I hit [Clear All Caches] is there a forced re-load of the OCSP responder's
> cache?
>
> It seems the CAs are loaded (see below) but it does not work.
>
> I've initialized completely with ejbca.sh (see below).
>
> But in the adminweb the links from the OCSPKeyBinding to the CA cert and the
> OCSP responder cert result in 404.
> The Crypto Token does work when hitting [Test].
>
> I can easily send the log_statement output of the postgresql DB server if
> that would help.
>
> Ciao, Michael.
>
> --------------------------- setup commands ---------------------------
>
> cd /opt/ejbca
> ant clientToolBox
>
> /opt/ejbca/bin/ejbca.sh ca importcacert --caname Interims-CA -f /opt/ejbca/p12/Interims-CA.crt
> /opt/ejbca/bin/ejbca.sh ca importcert --caname Interims-CA -f /opt/ejbca/p12/superadmin.crt --username superadmin --password null -a ACTIVE --certprofile ENDUSER --eeprofile EMPTY
> /opt/ejbca/bin/ejbca.sh roles addadmin --role "Super Administrator Role" --caname "Interims-CA" --with WITH_COMMONNAME --type TYPE_EQUALCASE --value "SuperAdmin"
>
> /opt/ejbca/bin/ejbca.sh ca importcacert --caname CA_Test-Root-CA-1-2014-10 -f p12/TestRootCA1201410.cacert.pem
> /opt/ejbca/bin/ejbca.sh ca importcacert --caname CA_Test-Admin-CA-1-2014-10 -f p12/TestAdminCA1201410.pem
> /opt/ejbca/bin/ejbca.sh ca importcacert --caname CA_Test-Email-CA-1-2014-10 -f p12/TestEmailCA1201410.pem
> /opt/ejbca/bin/ejbca.sh ca importcacert --caname CA_Test-Server-CA-1-2014-10 -f p12/TestServerCA1201410.pem
>
> /opt/ejbca/bin/ejbca.sh ca editca --caname CA_Test-Server-CA-1-2014-10 --field externalCdp --value 'http://vm-ejbca-ca-03.example.com:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN%3dTest+Server-CA+%231+2014-10%2cOU%3dITO%2cC%3dDE'
> [..]
>
> /opt/ejbca/bin/ejbca.sh cryptotoken create --token CT_OCSP1 --type SoftCryptoToken --autoactivate true --pin null
> /opt/ejbca/bin/ejbca.sh cryptotoken generatekey --token CT_OCSP1 --alias privatesignkeyalias --keyspec 2048
>
> /opt/ejbca/bin/ejbca.sh keybind create --name KB_OCSP_Server_1 --token CT_OCSP1 --type OcspKeyBinding --alias privatesignkeyalias --sigalg SHA1WithRSA --verbose --status ACTIVE --cert null
> /opt/ejbca/bin/ejbca.sh keybind setstatus --name KB_OCSP_Server_1 -v ACTIVE
> /opt/ejbca/bin/ejbca.sh keybind gencsr --name KB_OCSP_Server_1 -f /opt/ejbca/p12/KB_OCSP_Server_1.csr --verbose
>
> /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh EjbcaWsRaCli pkcs10req ocsp-server-ca-vm-ejbca-ocsp-01 secret p12/KB_OCSP_Server_1.csr PEM NONE /opt/ejbca/p12/
>
> /opt/ejbca/bin/ejbca.sh keybind import --name KB_OCSP_Server_1 -f /opt/ejbca/p12/ocsp-server-ca-vm-ejbca-ocsp-01.pem --verbose
>
> ------------------------- startup log -------------------------
>
> 13:07:51,667 INFO [org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean] (MSC service thread 1-3) Initialized CA: Interims-CA, with expire time: Mon Oct 07 16:16:51 CEST 2024
> 13:07:51,729 INFO [org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean] (MSC service thread 1-3) Initialized CA: CA_Test-Server-CA-1-2014-10, with expire time: Fri Nov 27 10:58:12 CET 2015
> 13:07:51,782 INFO [org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean] (MSC service thread 1-3) Initialized CA: CA_Test-Email-CA-1-2014-10, with expire time: Fri Oct 16 14:12:58 CEST 2015
> 13:07:51,835 INFO [org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean] (MSC service thread 1-3) Initialized CA: CA_Test-Admin-CA-1-2014-10, with expire time: Wed Oct 14 14:27:58 CEST 2015
> 13:07:51,865 INFO [org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean] (MSC service thread 1-3) Initialized CA: CA_Test-Root-CA-1-2014-10, with expire time: Sun Oct 02 17:49:53 CEST 2016
> 13:07:51,901 INFO [org.cesecore.audit.AuditDevicesConfig] (MSC service thread 1-3) Registered audit device using implementation: org.cesecore.audit.impl.log4j.Log4jDevice
> 13:07:51,903 INFO [org.cesecore.audit.AuditDevicesConfig] (MSC service thread 1-3) Configured exporter AuditExporterDummy for device Log4jDevice
> 13:07:51,904 INFO [org.cesecore.audit.AuditDevicesConfig] (MSC service thread 1-3) Registered audit device using implementation: org.cesecore.audit.impl.integrityprotected.IntegrityProtectedDevice
> 13:07:51,905 INFO [org.cesecore.audit.AuditDevicesConfig] (MSC service thread 1-3) Configured exporter AuditExporterXml for device IntegrityProtectedDevice
> 13:07:51,916 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (MSC service thread 1-3) 2014-11-27 13:07:51+01:00;EJBCA_STARTING;SUCCESS;SERVICE;EJBCA;StartServicesServlet.init;;vm-ejbca-ocsp-01.example.com;;msg=Init, EJBCA 6.3.0Alpha (working copy) startup.
> 13:07:52,022 INFO [org.ejbca.ui.web.admin.configuration.StartServicesServlet] (MSC service thread 1-3) No database integrity protection available in this version of EJBCA.
> 13:07:52,025 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (MSC service thread 1-3) 2014-11-27 13:07:52+01:00;LOG_MANAGEMENT_CHANGE;VOID;SECURITY_AUDIT;CORE;StartServicesServlet.init;;;;msg=No integrity protected security audit logger devices configured.
> 13:07:52,095 INFO [org.ejbca.core.ejb.authorization.ComplexAccessControlSessionBean] (MSC service thread 1-3) Roles or CAs exist, not intializing Super Administrator Role
> 13:07:52,228 INFO [org.cesecore.certificates.certificate.CertificateStoreSessionBean] (MSC service thread 1-3) Custom certificate serial number not allowed since there is no unique index on (issuerDN,serialNumber) on the 'CertificateData' table.
> 13:07:52,258 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (MSC service thread 1-3) 2014-11-27 13:07:52+01:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;StartServicesServlet.init;;;;resource0=/
> 13:07:52,272 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (MSC service thread 1-3) 2014-11-27 13:07:52+01:00;SYSTEMCONF_EDIT;SUCCESS;GLOBALCONF;CORE;StartServicesServlet.init;;;;msg=Saved global configuration with id OCSP.
> 13:07:52,431 INFO [org.cesecore.certificates.ocsp.cache.OcspSigningCache] (MSC service thread 1-3) No default responder was defined. OCSP requests for certificates issued by unknown CAs will return "unauthorized" as per RFC6960, Section 2.3
> 13:07:52,443 INFO [org.jboss.web] (MSC service thread 1-3) JBAS018210: Registering web context: /ejbca/adminweb
> 13:07:52,449 INFO [org.jboss.as] (MSC service thread 1-1) JBAS015951: Admin console listening on http://127.0.0.1:9990
> 13:07:52,450 INFO [org.jboss.as] (MSC service thread 1-1) JBAS015874: JBoss AS 7.1.1.Final "Brontes" started in 16617ms - Started 2454 of 2569 services (112 services are passive or on-demand)
> 13:07:52,513 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS018559: Deployed "ejbca.ear"
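The quoted explanation from Tomas (CA certificates loaded at startup, their issuer name/key hashes precomputed into a cache that each request is matched against, "unauthorized" for unknown CAs when no default responder is defined) is easier to reason about with a small model in hand. The Python below is an added example written for this page; it is not EJBCA code and does not reproduce EJBCA's OcspSigningCache. The DER helpers, the CertID dataclass, the cache class and the placeholder keys are all assumptions of the example; only the CA names and the CN values are taken from the commands in the thread, and the keys are constructed byte strings, not real RSA keys.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# ---- minimal DER helpers, just enough for a Name and a SubjectPublicKeyInfo ----
def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element (short or long form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode the element at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        header = 2 + nbytes
    start = pos + header
    return tag, buf[start:start + length], start + length


def der_name_cn(cn: str) -> bytes:
    """Name ::= SEQUENCE OF RDN, RDN ::= SET OF AttributeTypeAndValue; CN only."""
    cn_oid = der_tlv(0x06, bytes([0x55, 0x04, 0x03]))           # id-at-commonName
    atv = der_tlv(0x30, cn_oid + der_tlv(0x0C, cn.encode()))     # UTF8String value
    return der_tlv(0x30, der_tlv(0x31, atv))


def der_spki(public_key: bytes) -> bytes:
    """SubjectPublicKeyInfo with an rsaEncryption AlgorithmIdentifier. The key
    bytes are a constructed placeholder for the example, not a real RSA key."""
    rsa_oid = der_tlv(0x06, bytes.fromhex("2A864886F70D010101"))
    algorithm = der_tlv(0x30, rsa_oid + der_tlv(0x05, b""))
    return der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + public_key))  # 0x00 = no unused bits


# ---- RFC 6960 section 4.1.1 CertID hashes ----
def sha1_digest(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def issuer_name_hash(issuer_name_der: bytes) -> bytes:
    """Hash over the complete DER encoding of the issuer's Name."""
    return sha1_digest(issuer_name_der)


def issuer_key_hash(spki_der: bytes) -> bytes:
    """Hash over the issuer's public key: the subjectPublicKey BIT STRING value
    without its tag, length and the leading unused-bits octet."""
    tag, body, _ = read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _algorithm, pos = read_tlv(body)            # skip AlgorithmIdentifier
    tag, bit_string, _ = read_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    return sha1_digest(bit_string[1:])


@dataclass(frozen=True)
class CertID:
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial_number: int


def cert_id_for(issuer_name_der: bytes, issuer_spki_der: bytes, serial: int) -> CertID:
    """What an OCSP client puts in its request for a certificate of this issuer."""
    return CertID(issuer_name_hash(issuer_name_der), issuer_key_hash(issuer_spki_der), serial)


class OcspSigningCache:
    """Issuer lookup table keyed by (issuerNameHash, issuerKeyHash) (model only)."""

    def __init__(self, default_responder: Optional[str] = None):
        self.default_responder = default_responder
        self._by_hash: Dict[Tuple[bytes, bytes], str] = {}

    def load(self, cas: List[Tuple[str, bytes, bytes]]) -> None:
        """Run at startup and on every refresh; the whole table is swapped in."""
        self._by_hash = {(issuer_name_hash(n), issuer_key_hash(k)): ca for ca, n, k in cas}

    def lookup(self, cert_id: CertID) -> Optional[str]:
        return self._by_hash.get((cert_id.issuer_name_hash, cert_id.issuer_key_hash))

    def respond(self, cert_id: CertID) -> Tuple[str, Optional[str]]:
        """(OCSPResponseStatus, signer): a known issuer is answered for that CA,
        an unknown one by the default responder, or "unauthorized" if none."""
        ca = self.lookup(cert_id)
        if ca is not None:
            return "successful", ca
        if self.default_responder is not None:
            return "successful", self.default_responder
        return "unauthorized", None


# ---- constructed sample CAs: names from the thread, placeholder keys ----
ROOT_KEY = hashlib.sha256(b"placeholder root key").digest()
ROOT_NAME, ROOT_SPKI = der_name_cn("Test Root-CA #1 2014-10"), der_spki(ROOT_KEY)
SERVER_KEY = hashlib.sha256(b"placeholder server-ca key").digest()
SERVER_NAME, SERVER_SPKI = der_name_cn("Test Server-CA #1 2014-10"), der_spki(SERVER_KEY)
UNKNOWN_KEY = hashlib.sha256(b"placeholder key of a CA never imported").digest()
UNKNOWN_NAME, UNKNOWN_SPKI = der_name_cn("Some Other CA"), der_spki(UNKNOWN_KEY)

CACHE = OcspSigningCache()                      # "No default responder was defined."
CACHE.load([("CA_Test-Root-CA-1-2014-10", ROOT_NAME, ROOT_SPKI),
            ("CA_Test-Server-CA-1-2014-10", SERVER_NAME, SERVER_SPKI)])

if __name__ == "__main__":
    for label, name, spki in (("known issuer", SERVER_NAME, SERVER_SPKI),
                              ("unknown issuer", UNKNOWN_NAME, UNKNOWN_SPKI),
                              ("known name, other key", SERVER_NAME, UNKNOWN_SPKI)):
        print(label, "->", CACHE.respond(cert_id_for(name, spki, 0x1234)))
```

The third case in the main block is the one worth keeping in mind when a responder answers "unauthorized" for a CA that the startup log says was initialized: the lookup needs both hashes to match, so a request built against a CA certificate with the same subject name but a different key (for example after a CA key rollover) does not resolve to the cached entry.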