From: Markus K. <ma...@pr...> - 2012-07-30 17:06:01
I am not able to reproduce the test failure you are getting. I also checked the certificate for worker 5802 and it should not expire until year 2021 so it is a very strange error message.

Have you tried clearing the database before running the tests in case some signers are left from previous test runs?

Best regards,
Markus

On 2012-07-30 16:54, Antoine Louiset wrote:
> Ok Markus, no problem ! Thanks !
>
> Best regards,
>
> Antoine
>
> On 30/07/2012 16:53, Markus Kilås wrote:
>> On 2012-07-30 15:08, Antoine Louiset wrote:
>>> Hi Markus,
>>>
>>> Thanks for your fast answer !
>>>
>>> I have just one remark for the JCE installation. I don't find it in the
>>> installation guide (I read it quickly).
>> I was really surprised it wasn't there. I have registered
>> https://jira.primekey.se/browse/DSS-514.
>>
>>> I download JCE policy and it resolves one fail. The problem of the
>>> signer 5802 will resolve one fail and one error. So there will be no
>>> more fails but I have no idea about the other errors. What do you think
>>> about them ?
>> I will try to get back about them. I haven't yet had the time to test it
>> on my machine.
>>
>> Best regards,
>> Markus
>>
>>> Good afternoon !
>>>
>>> Antoine
>>>
>>> On 30/07/2012 10:47, Markus Kilås wrote:
>>>> Hi Antoine,
>>>>
>>>> See answers below.
>>>>
>>>> On 2012-07-28 23:24, Antoine Louiset wrote:
>>>>> Hi Markus,
>>>>>
>>>>> The p12 directory seems to be used to set truststore certificates for
>>>>> JBoss (see
>>>>> http://signserver.org/manual/complete.en.html#4.%20Configure%20web%20server%20keystores)
>>>>> but I think this truststore is just used in the tests of signserver
>>>>> and could be used for the java trust keystore. Jboss and glassfish
>>>>> have their own truststore and keystore, why don't you use them ?
>>>> That is correct. The truststore in the p12 folder is used both by JBoss
>>>> and the tests. So if you are going to run the tests you can put a
>>>> truststore in the p12 folder. I believe the reason for handling it this
>>>> way is that different application servers have different locations for
>>>> the truststore and the tests would not know where to find it. In fact
>>>> where JBoss finds it depends on what is written in the server.xml, so
>>>> it could also be different if SignServer isn't used for deploying it.
>>>> The solution we use, to not depend on different application servers and
>>>> configurations, is to decide that it should be placed in the p12 folder
>>>> of SignServer.
>>>>
>>>>> In the signserver_build.properties file, there are several properties
>>>>> which are written for the use of JBoss but we do not know if they are
>>>>> needed for Glassfish : httpsserver.bindaddress.* | database.url |
>>>>> deploy.hostname.node*
>>>> Some are explained in the installation guide, such as "database.url"
>>>> which is said to be used by JBoss, and some comments talk about JBoss
>>>> in the sample configuration file. But the documentation is lacking for
>>>> many of the other properties in this aspect.
>>>>
>>>>> What is the aim of deploy.ssh.* properties ?
>>>> I think the idea is to be able to deploy to a remote server by
>>>> transferring the files (signserver.ear etc) over SSH. Not sure if it is
>>>> working though as I can not find any documentation about it. You are
>>>> very welcome to test it out if you want and let us know if it is
>>>> working. If not we might consider either fixing it and adding
>>>> documentation for it or removing it.
>>>>
>>>>> Why j2ee.web-nohttps has to be set to true to launch the tests while
>>>>> https is used in these tests ?
>>>> j2ee.web-nohttps is controlling whether the keystores and truststores
>>>> should be deployed (to JBoss) or not. The tests should not depend on
>>>> this setting so if it says somewhere that it must be set to true I
>>>> would suspect that to be a bug in the documentation. Please report a
>>>> bug with where you have seen it in that case.
>>>>
>>>>> The most important thing for me today is tests ! I run them, I resolve
>>>>> the problem about trustanchors. I join the results, I do not
>>>>> understand the errors and the fails, have you ever seen them ?
>>>> From the test report you attached I can see two different failures
>>>> which probably are also the cause of all the errors.
>>>>
>>>> 1. ExtendedHardCodedCryptoTokenTest testStrongCryptoAvailable
>>>>    JCE crypto policy was not installed as the key length was limited
>>>>    expected:<2147483647> but was:<64>
>>>>
>>>> This means that you are running the Oracle JDK and have not installed
>>>> JCE crypto policy. See the installation guide.
>>>>
>>>> 2. LimitKeyUsagesTest test01Limit Error Signer 5802 expired at Fri Apr
>>>>    20 16:18:57 CEST 2012
>>>>
>>>> Looks like the demo signer certificate used has expired. I will run the
>>>> tests on your continuous integration server and see if we have the same
>>>> problem there. They might just have to be renewed.
>>>>
>>>>> How can I send my script to install signserver ?
>>>> If it is less than 40 KB you can just send it to the mailing list,
>>>> otherwise try to upload it somewhere and send the link or send it
>>>> directly to me.
>>>>
>>>>> I take this mail to congratulate you and your team for this project
>>>>> which is really good.
>>>> Thanks to you for reporting the issues you find.
>>>>
>>>> Best regards,
>>>> Markus
>>>>
>>>>> Have a nice weekend.
>>>>>
>>>>> Best regards,
>>>>>

--
Kind regards,
Markus Kilås
Security Consultant & Developer

PrimeKey Solutions AB
Anderstorpsv. 16
171 54 Solna
Sweden

Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...
www.primekey.se
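The two conditions diagnosed in this thread (a key-length-limited JCE policy and an expired signer certificate) can be checked before a test run. The following is an added example, not code from SignServer or from the posters; the class name `PreflightCheck`, the choice of transformations, and the assumption that the certificate of interest is in a PKCS#12 file passed as the first argument are all made up for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import javax.crypto.Cipher;

// Added illustration, not SignServer code; class name and transformation list are assumptions.
public class PreflightCheck {

    // Integer.MAX_VALUE (2147483647) means the policy imposes no key-length limit.
    static boolean isUnlimited(String transformation) throws Exception {
        return Cipher.getMaxAllowedKeyLength(transformation) == Integer.MAX_VALUE;
    }

    // Prints notAfter for each X.509 entry and returns how many are expired at 'now'.
    static int countExpired(KeyStore ks, Date now) throws Exception {
        int expired = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            Date notAfter = ((X509Certificate) cert).getNotAfter();
            boolean isExpired = notAfter.before(now);
            if (isExpired) expired++;
            System.out.printf("%-30s notAfter=%s %s%n", alias, notAfter, isExpired ? "EXPIRED" : "ok");
        }
        return expired;
    }

    public static void main(String[] args) throws Exception {
        boolean ok = true;
        for (String t : new String[] {"AES", "DES", "RSA"}) {
            ok &= isUnlimited(t);
            System.out.printf("%-4s max key length %d%n", t, Cipher.getMaxAllowedKeyLength(t));
        }
        if (args.length == 1) { // optional: path to a PKCS#12 keystore (assumed location of the cert)
            if (System.console() == null) throw new IllegalStateException("no console for password prompt");
            char[] password = System.console().readPassword("Keystore password: ");
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, password);
            }
            ok &= countExpired(ks, new Date()) == 0;
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Recent JDKs enable the unlimited policy by default, so a limited value only shows up on older Oracle JDKs without the policy files installed.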