Anonymous - 2011-09-11
Hello everybody,
I'm using signserver webservices with PHP (Zend_framework)
but I always get this exception response:
"Administrator not authorized to resource." and no messages about certificate (which is the case with no certificate authentication)
I've added the right certificate number in the WSADMINS authorized admins with the admingui.
but all is all right with admingui with the same certificate
Does anyone have the answer? I'm blocked….
Thanx a lot
What ws methods are you trying to use?
Thanx for this quick answer:
I'm trying to use every available method:
getWorkerId, getStatus, reloadConfiguration, globalReload, process ..
only getFunctions works for the moment…
the AdminGUI is using this webService, isn't it? or perhaps not with SOAP?
I'm talking about this web service:
https://localhost:8443/signserver/AdminWSService/AdminWS?wsdl
Hi Oika,
I talked to our SignServer guru Markus (thanx!) and he suggested looking into the server log for the following lines:
2011-09-11 16:48:36,112 DEBUG >requireAdminAuthorization
2011-09-11 16:48:36,112 DEBUG admin: 58a28ded5d4150c9,C=SE, O=Markus Organization, OU=Internal Testing 1, CN=MarkusAdminCA1, admins: 58a28ded5d4150c9,C=SE, O=Markus Organization, OU=Internal Testing 1, CN=MarkusAdminCA1;
The certificate displayed must match what you have described in the Admin GUI which BTW doesn't need a certificate if it runs locally only.
Anders
Hi Anders,
I'm afraid I'm not logging at DEBUG level!
I don't have any DEBUG sections in my logs
I've got this error :
2011-09-11 17:27:30,218 INFO (http-0.0.0.0-8443-3) ADMIN OPERATION; subjectDN=CN=SuperAdmin; serialNumber=11aa1162e2e312d9; issuerDN=C=fr, O=gercop, CN=GERCOPCA1; authorized=false; operation=getStatus; arguments=13,;
2011-09-11 17:27:30,218 WARN (http-0.0.0.0-8443-3) EJBTHREE-1337: do not get WebServiceContext property from stateless bean context, it should already have been injected
I'll try to activate the DEBUG level for jboss-5.1.0.GA (I only know apache 2.2 ….) and afterwards search for some DEBUG level information…
for info: the authentication and the usage of EJBCA web services works great with the same certificate.
The matching specification may be wrong. Could you post it?
Anders
Matching specification? What is it? I'm confused! I don't understand… (I'm French…)
No problem!
I just meant what you specified in WSADMINS regarding the superadmin certificate. It is very "picky" about certificate attribute order, case etc.
Anders
in mysql database, at table "globalconfigurationdata":
GLOB.WSADMINS=11AA1162E2E312D9,CN=GERCOPCA1,O=gercop,C=fr;
11AA1162E2E312D9 is the SuperAdmin certificate serial number
I'm authenticating with a pem format certificate (the same for both EJBCA and Signserver)
here's the content of this pem file:
Bag Attributes
friendlyName: SuperAdmin
localKeyID: 29 A5 54 AD 26 55 95 C5 39 8E 29 28 9E C5 FE 1B 11 18 4D 72
Key Attributes: <No Attributes>
---BEGIN RSA PRIVATE KEY---
…
---END RSA PRIVATE KEY---
Bag Attributes
friendlyName: SuperAdmin
localKeyID: 29 A5 54 AD 26 55 95 C5 39 8E 29 28 9E C5 FE 1B 11 18 4D 72
subject=/CN=SuperAdmin
issuer=/CN=GERCOPCA1/O=gercop/C=fr
---BEGIN CERTIFICATE---
…
---END CERTIFICATE---
Hi Oika,
After again talking to our SignServer guru Markus (thanx pal!) I think we hit the right spot.
If you look again into your log file you will note a difference between what the log says and your specification.
I.e. serial number should be in lowercase and issuerDN in the opposite order and with an extra space after each comma like:
C=fr, O=gercop, CN=GERCOPCA1
Anders
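The mismatch described in the reply above can be checked mechanically. This is an added example, not part of the original thread or of SignServer: it takes the `ADMIN OPERATION` audit line and the `GLOB.WSADMINS` value quoted in the thread and reports why they differ. It assumes, as the log output in the thread suggests, that the server compares the string `serial,issuerDN` exactly against each `;`-separated entry; the function names are hypothetical.

```python
import re

# Constructed sample input, copied from the audit line and WSADMINS value quoted in the thread.
LOG_LINE = ("2011-09-11 17:27:30,218 INFO (http-0.0.0.0-8443-3) ADMIN OPERATION; "
            "subjectDN=CN=SuperAdmin; serialNumber=11aa1162e2e312d9; "
            "issuerDN=C=fr, O=gercop, CN=GERCOPCA1; authorized=false; "
            "operation=getStatus; arguments=13,;")
CONFIGURED = "11AA1162E2E312D9,CN=GERCOPCA1,O=gercop,C=fr;"

AUDIT = re.compile(r"serialNumber=(?P<serial>[0-9A-Fa-f]+); "
                   r"issuerDN=(?P<issuer>.*?); authorized=(?P<ok>true|false)")

def rdns(dn):
    """Split a DN into trimmed RDN strings (naive: assumes no escaped commas)."""
    return [part.strip() for part in dn.split(",")]

def diagnose(log_line, wsadmins):
    """Compare the admin identity the server logged with each WSADMINS entry."""
    m = AUDIT.search(log_line)
    if m is None:
        raise ValueError("no ADMIN OPERATION fields found in log line")
    serial, issuer = m.group("serial"), m.group("issuer")
    wanted = f"{serial},{issuer}"  # the form the server itself printed
    report = {"wanted": wanted, "exact": False, "near_misses": [],
              "logged_authorized": m.group("ok") == "true"}
    for entry in filter(None, wsadmins.split(";")):
        if entry == wanted:
            report["exact"] = True
            continue
        e_serial, _, e_dn = entry.partition(",")
        same_cert = (e_serial.lower() == serial.lower()
                     and sorted(rdns(e_dn)) == sorted(rdns(issuer)))
        if not same_cert:
            continue  # a different administrator, not a formatting slip
        reasons = []
        if e_serial != serial:
            reasons.append("serial case")
        if rdns(e_dn) != rdns(issuer):
            reasons.append("RDN order")
        if e_dn != ", ".join(rdns(e_dn)):
            reasons.append("separator spacing")
        report["near_misses"].append((entry, reasons))
    return report

if __name__ == "__main__":
    result = diagnose(LOG_LINE, CONFIGURED)
    print("value to configure:", result["wanted"] + ";")
    for entry, reasons in result["near_misses"]:
        print("near miss:", entry, "->", ", ".join(reasons))
```
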
IT WORKS!! You are the n°1 of technical assistance… almost on Sunday!
I can keep on working on my project
thanx a lot