WS: Administrator not authorized to resource

Help
PALAZZOLO
2011-09-11
2013-02-26
  • PALAZZOLO

    PALAZZOLO - 2011-09-11

    Hello everybody,
    I'm using SignServer web services with PHP (Zend_Framework)
    but I always get this exception response:

    "Administrator not authorized to resource." and no messages about the certificate (which is the case with no certificate authentication)
    I've added the right certificate number in the WSADMINS authorized admins with the AdminGUI.
    But all is all right with the AdminGUI with the same certificate.

    Does anyone have the answer? I'm blocked….

    Thanx a lot

     
  • Tomas Gustavsson

    What ws methods are you trying to use?

     
  • PALAZZOLO

    PALAZZOLO - 2011-09-11

    Thanks for this quick answer:

    I'm trying to use every available method:

    getWorkerId, getStatus, reloadConfiguration, globalReload, process ..

    Only getFunctions works for the moment…

     
  • PALAZZOLO

    PALAZZOLO - 2011-09-11

    The AdminGUI is using these web services, isn't it? Or perhaps not with SOAP?

     
  • Anonymous

    Anonymous - 2011-09-11

    Hi Oika,
    I talked to our SignServer guru Markus (thanx!) and he suggested looking into the server log for the following lines:

    2011-09-11 16:48:36,112 DEBUG  >requireAdminAuthorization
    2011-09-11 16:48:36,112 DEBUG  admin: 58a28ded5d4150c9,C=SE, O=Markus Organization, OU=Internal Testing 1, CN=MarkusAdminCA1, admins: 58a28ded5d4150c9,C=SE, O=Markus Organization, OU=Internal Testing 1, CN=MarkusAdminCA1;

    The certificate displayed must match what you have described in the Admin GUI which BTW doesn't need a certificate if it runs locally only.

    Anders

     
  • PALAZZOLO

    PALAZZOLO - 2011-09-11

    Hi Anders,

    I'm afraid I'm not logging at DEBUG level!
    I don't have any DEBUG sections in my logs.

    I've got this error:
    2011-09-11 17:27:30,218 INFO   (http-0.0.0.0-8443-3) ADMIN OPERATION; subjectDN=CN=SuperAdmin; serialNumber=11aa1162e2e312d9; issuerDN=C=fr, O=gercop, CN=GERCOPCA1; authorized=false; operation=getStatus; arguments=13,;
    2011-09-11 17:27:30,218 WARN   (http-0.0.0.0-8443-3) EJBTHREE-1337: do not get WebServiceContext property from stateless bean context, it should already have been injected

    I'll try to activate the DEBUG level for jboss-5.1.0.GA (I only know apache 2.2 ….) and afterwards search for some DEBUG level information…

     
  • PALAZZOLO

    PALAZZOLO - 2011-09-11

    For info: the authentication and the usage of EJBCA web services work great with the same certificate.

     
  • Anonymous

    Anonymous - 2011-09-11

    The matching specification may be wrong.  Could you post it?

    Anders

     
  • PALAZZOLO

    PALAZZOLO - 2011-09-11

    Matching specification? What is it? I'm confused! I don't understand… (I'm French…)

     
  • Anonymous

    Anonymous - 2011-09-11

    No problem!

    I just meant what you specified in WSADMINS regarding the superadmin certificate.  It is very "picky" about certificate attribute order, case etc.

    Anders

     
  • PALAZZOLO

    PALAZZOLO - 2011-09-11

    In the MySQL database, in table "globalconfigurationdata":
    GLOB.WSADMINS=11AA1162E2E312D9,CN=GERCOPCA1,O=gercop,C=fr;
    11AA1162E2E312D9 is the SuperAdmin certificate serial number

    I'm authenticating with a PEM format certificate (the same for both EJBCA and SignServer).
    Here's the content of this PEM file:

    Bag Attributes
        friendlyName: SuperAdmin
        localKeyID: 29 A5 54 AD 26 55 95 C5 39 8E 29 28 9E C5 FE 1B 11 18 4D 72
    Key Attributes: <No Attributes>
    ---BEGIN RSA PRIVATE KEY---

    ---END RSA PRIVATE KEY---
    Bag Attributes
        friendlyName: SuperAdmin
        localKeyID: 29 A5 54 AD 26 55 95 C5 39 8E 29 28 9E C5 FE 1B 11 18 4D 72
    subject=/CN=SuperAdmin
    issuer=/CN=GERCOPCA1/O=gercop/C=fr
    ---BEGIN CERTIFICATE---

    ---END CERTIFICATE---

     
  • Anonymous

    Anonymous - 2011-09-11

    Hi Oika,

    After again talking to our SignServer guru Markus (thanx pal!) I think we hit the right spot.
    If you look again into your log file you will note a difference between what the log says and your specification.

    I.e. serial number should be in lowercase and issuerDN in the opposite order and with an extra space after each comma like:

    C=fr, O=gercop, CN=GERCOPCA1

    Anders

     
  • PALAZZOLO

    PALAZZOLO - 2011-09-11

    IT WORKS!! You are the n°1 of technical assistance… almost on Sunday!
    I can keep on working on my project.

    thanx a lot
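
The diagnosis reached in this thread, as an added example that is not part of the original posts and not SignServer code: it compares the certificate identity in the `ADMIN OPERATION` audit line with a `GLOB.WSADMINS` value and names each difference. It assumes exact string matching, as Anders describes; the function names and hint labels are hypothetical, and the sample input is constructed from the values quoted above.

```python
import re

# Constructed sample input: the audit line and WSADMINS value quoted in this thread.
AUDIT_LINE = (
    "2011-09-11 17:27:30,218 INFO   (http-0.0.0.0-8443-3) ADMIN OPERATION; "
    "subjectDN=CN=SuperAdmin; serialNumber=11aa1162e2e312d9; "
    "issuerDN=C=fr, O=gercop, CN=GERCOPCA1; authorized=false; "
    "operation=getStatus; arguments=13,;"
)
WSADMINS = "11AA1162E2E312D9,CN=GERCOPCA1,O=gercop,C=fr;"


def presented_admin(audit_line):
    """Return (serial, issuerDN) exactly as the server logged them."""
    serial = re.search(r"serialNumber=([^;]+);", audit_line).group(1)
    issuer = re.search(r"issuerDN=(.+?); authorized=", audit_line).group(1)
    return serial, issuer


def parse_wsadmins(value):
    """Split 'serial,issuerDN;...' into (serial, issuerDN) pairs."""
    return [tuple(e.split(",", 1)) for e in value.split(";") if "," in e]


def rdns(dn):
    # Naive split: assumes no escaped commas inside attribute values.
    return [part.strip() for part in dn.split(",")]


def expected_entry(audit_line):
    """WSADMINS entry written the way the server logs the certificate."""
    return "%s,%s;" % presented_admin(audit_line)


def diagnose(audit_line, wsadmins):
    """Return (matched, hints); assumes exact string matching (see lead-in)."""
    serial, issuer = presented_admin(audit_line)
    hints = []
    for cfg_serial, cfg_issuer in parse_wsadmins(wsadmins):
        if (cfg_serial, cfg_issuer) == (serial, issuer):
            return True, []
        if cfg_serial.lower() != serial.lower():
            continue  # entry is for a different certificate
        if cfg_serial != serial:
            hints.append("serial-case")
        if rdns(cfg_issuer) != rdns(issuer) and sorted(rdns(cfg_issuer)) == sorted(rdns(issuer)):
            hints.append("issuer-order")
        if cfg_issuer != ", ".join(rdns(cfg_issuer)):
            hints.append("issuer-spacing")
    return False, hints
```

Taking the entry from `expected_entry()` keeps the allow list tied to what the server actually saw in the TLS client certificate, rather than to a DN retyped from `openssl` output.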

     
