From: Markus K. <ma...@pr...> - 2012-07-31 08:04:54
I did the same thing but I have much later dates for the TestLimitKeyUsageSigner (5802). Are you really using the latest release (i.e. 3.2.2)? Otherwise upgrading should solve the problem.

Best regards,
Markus

On 2012-07-30 20:56, Antoine Louiset wrote:
> You were right Markus (as always ! ) !
>
> I have got 2 errors and one fail. I join a screenshot of the admin gui
> (in the reports.rar file). After launching the tests, we can see that
> the worker 5802 and others are unavailable.
>
> After removing this worker, I launch bin/signserver.sh setproperties
> modules/SignServer-Module-XMLSigner/src/conf/junittest-part-config.properties
> to activate its and then the reload command.
>
> We can see in the Capture-1.png the result. The signer certificate is
> indeed valid until 20/04/12.
>
> After resolving this problem, there will be one last error !!
>
> Have a nice evening.
>
> Best regards,
>
> On 30/07/2012 19:05, Markus Kilås wrote:
>> I am not able to reproduce the test failure you are getting. I also
>> checked the certificate for worker 5802 and it should not expire until
>> year 2021 so it is a very strange error message.
>>
>> Have you tried clearing the database before running the tests in case
>> some signers are left from previous test runs?
>>
>> Best regards,
>> Markus
>>
>> On 2012-07-30 16:54, Antoine Louiset wrote:
>>> Ok Markus, no problem ! Thanks !
>>>
>>> Best regards,
>>>
>>> Antoine
>>>
>>> On 30/07/2012 16:53, Markus Kilås wrote:
>>>> On 2012-07-30 15:08, Antoine Louiset wrote:
>>>>> Hi Markus,
>>>>>
>>>>> Thanks for your fast answer !
>>>>>
>>>>> I have just one remark for the JCE installation. I don't find it in the
>>>>> installation guide (I read it quickly).
>>>> I was really surprised it wasn't there. I have registered
>>>> https://jira.primekey.se/browse/DSS-514.
>>>>
>>>>> I download JCE policy and it resolves one fail. The problem of the
>>>>> signer 5802 will resolve one fail and one error. So there will be no
>>>>> more fails but I have no idea about the other errors. What do you think
>>>>> about them ?
>>>> I will try to get back about them. I haven't yet had time to test it
>>>> on my machine.
>>>>
>>>> Best regards,
>>>> Markus
>>>>
>>>>> Good afternoon !
>>>>>
>>>>> Antoine
>>>>>
>>>>> On 30/07/2012 10:47, Markus Kilås wrote:
>>>>>> Hi Antoine,
>>>>>>
>>>>>> See answers below.
>>>>>>
>>>>>> On 2012-07-28 23:24, Antoine Louiset wrote:
>>>>>>> Hi Markus,
>>>>>>>
>>>>>>> The p12 directory seems to be used to set truststore certificates for
>>>>>>> JBoss (see
>>>>>>> http://signserver.org/manual/complete.en.html#4.%20Configure%20web%20server%20keystores)
>>>>>>>
>>>>>>> but I think this truststore is just used in the tests of signserver and
>>>>>>> could be used for the java trust keystore. Jboss and glassfish have
>>>>>>> their own truststore and keystore, why don't you use them ?
>>>>>> That is correct. The truststore in the p12 folder is used both by JBoss
>>>>>> and the tests. So if you are going to run the tests you can put a
>>>>>> truststore in the p12 folder. I believe the reason for handling it this
>>>>>> way is that different application servers have different locations for
>>>>>> the truststore and the tests would not know where to find it. In fact
>>>>>> where JBoss finds it depends on what is written in the server.xml, so it
>>>>>> could also be different if SignServer isn't used for deploying it. The
>>>>>> solution we use, to not depend on different application servers and
>>>>>> configurations is to decide that it should be placed in the p12 folder
>>>>>> of SignServer.
>>>>>>
>>>>>>> In the signserver_build.properties file, there are several properties
>>>>>>> which are written for the use of JBoss but we do not know if they are
>>>>>>> needed for Glassfish : httpsserver.bindaddress.* | database.url |
>>>>>>> deploy.hostname.node*
>>>>>> Some are explained in the installation guide, such as "database.url"
>>>>>> which is said to be used by JBoss and some comments talk about JBoss in
>>>>>> the sample configuration file. But the documentation is lacking for many
>>>>>> of the other properties in this aspect.
>>>>>>
>>>>>>> What is the aim of deploy.ssh.* properties ?
>>>>>> I think the idea is to be able to deploy to a remote server by
>>>>>> transferring the files (signserver.ear etc) over SSH. Not sure if it is
>>>>>> working though as I can not find any documentation about it. You are
>>>>>> very welcome to test it out if you want and let us know if it is
>>>>>> working. If not we might consider either fixing it and adding
>>>>>> documentation for it or remove it.
>>>>>>
>>>>>>> Why j2ee.web-nohttps has to be set to true to launch the tests while
>>>>>>> https is used in these tests ?
>>>>>> j2ee.web-nohttps is controlling whether the keystores and truststores
>>>>>> should be deployed (to JBoss) or not. The tests should not depend on
>>>>>> this setting so if it says somewhere that it must be set to true I would
>>>>>> suspect that to be a bug in the documentation. Please report a bug with
>>>>>> where you have seen it in that case.
>>>>>>
>>>>>>> The most important thing for me today is tests ! I run them, I resolve
>>>>>>> the problem about trustanchors. I join the results, I do not understand
>>>>>>> the errors and the fails, have you ever seen them ?
>>>>>> From the test report you attached I can see two different failures which
>>>>>> probably is also the cause of all the errors.
>>>>>> 1. ExtendedHardCodedCryptoTokenTest testStrongCryptoAvailable
>>>>>> JCE crypto policy was not installed as the key length was limited
>>>>>> expected:<2147483647> but was:<64>
>>>>>>
>>>>>> This means that you are running the Oracle JDK and have not installed
>>>>>> JCE crypto policy. See the installation guide.
>>>>>>
>>>>>> 2. LimitKeyUsagesTest test01Limit Error Signer 5802 expired at Fri Apr
>>>>>> 20 16:18:57 CEST 2012
>>>>>> Looks like the demo signer certificate used has expired. I will run the
>>>>>> tests on your continuous integration server and see if we have the same
>>>>>> problem there. They might just have to be renewed.
>>>>>>
>>>>>>> How can I send my script to install signserver ?
>>>>>> If it is less than 40 KB you can just send it to the mailing list,
>>>>>> otherwise try to upload it somewhere and send the link or send it
>>>>>> directly to me.
>>>>>>
>>>>>>> I take this mail to congratulate you and your team for this project
>>>>>>> which is really good.
>>>>>> Thanks to you for reporting the issues you find.
>>>>>>
>>>>>> Best regards,
>>>>>> Markus
>>>>>>
>>>>>>> Have a nice weekend.
>>>>>>>
>>>>>>> Best regards,

--
Kind regards,
Markus Kilås
Security Consultant & Developer

PrimeKey Solutions AB
Anderstorpsv. 16
171 54 Solna
Sweden

Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...
www.primekey.se
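Added example, not part of the original thread and not SignServer code: a small Java pre-flight check for the two failures discussed above, a restricted JCE policy (the `2147483647` the test expects is `Integer.MAX_VALUE`) and an expired signer certificate. The class name `SignerPreflight` is hypothetical, and it assumes the certificate to inspect is available in a PKCS#12 keystore whose path and password are passed on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import javax.crypto.Cipher;

// Hypothetical helper; keystore path and password come from the command line (assumption).
public class SignerPreflight {
    /** True when the JVM's JCE policy does not cap the key length for the algorithm. */
    static boolean unlimited(String algorithm) throws Exception {
        return Cipher.getMaxAllowedKeyLength(algorithm) == Integer.MAX_VALUE;
    }

    /** Prints the validity of every X.509 certificate in the keystore; returns how many have expired. */
    static int reportExpired(KeyStore ks, Date now) throws Exception {
        int expired = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            boolean bad = now.after(x.getNotAfter());
            if (bad) expired++;
            System.out.printf("%-8s %s notAfter=%s%n", bad ? "EXPIRED" : "ok", alias, x.getNotAfter());
        }
        return expired;
    }

    public static void main(String[] args) throws Exception {
        // Policy check runs without any input; a restricted policy reports a small finite value.
        for (String alg : new String[] {"AES", "DES"}) {
            System.out.printf("%s max key length: %d (%s)%n", alg,
                    Cipher.getMaxAllowedKeyLength(alg), unlimited(alg) ? "unlimited" : "restricted");
        }
        if (args.length < 2) {
            System.out.println("usage: java SignerPreflight <keystore.p12> <password>");
            return;
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        int expired = reportExpired(ks, new Date());
        // Non-zero exit lets a build script stop before the test suite is started.
        System.exit(expired == 0 && unlimited("AES") ? 0 : 1);
    }
}
```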